monitoring: allow setting profiler auth credentials
Problem
Currently, the monitoring
package has no options to set credentials explicitly, relying exclusively on Application Default Credentials (ADC) for the Stackdriver profiler client (e.g. looking for the GOOGLE_APPLICATION_CREDENTIALS
env var).
This becomes a limitation if an application has multiple Google Cloud clients, as we don't have the option to provide different service account credentials for various services. This occurs with the GitLab Container Registry, as it has a client for GCS. For additional context, please see gitlab-com/gl-infra/scalability#512 (comment 388707067).
Solution
Provide an option to set credentials explicitly. When set, the provided credentials should have precedence over ADC. Given that we want to keep the monitoring service as generic as possible, avoiding provider-specific attributes at the API level, I propose that we do this with the following option:
WithProfilerCredentialsFile(path string) Option
This is then used to set the Google SDK WithCredentialsFile(filename string)
option.
Futureproofing
Looking at Go clients for other monitoring service providers, DataDog requires credentials to be set using WithAPIKey(key string)
and NewRelic using ConfigLicense(license string)
.
Considering the above, it seems that the two most common options to provide credentials is either to pass the path to a file or the content as a string. If we ever need to add a new provider that relies on credentials passed as a string, we can add a WithProfilerCredentials(key string)
option.
Related to gitlab-com/gl-infra/scalability#512 (closed).