Basic Auth for Upstream

[jzelinskie]

I'm not sure if things will just work out of the box if I use the https://user:[email protected] format for the upstream URL. If it does, it should get documented in the README because popular platforms like Grafana Cloud secure their Prometheus with this strategy. If this does not work, it's going to have to be explicitly added upstream, which I don't mind implementing with some direction from the maintainers.

[simonpasquier]

I did a quick check and http://user:[email protected] doesn't work (which looking at httputil.NewSingleHostReverseProxy is logical). I think that your request makes sense.
Maybe users should be able to configure additional headers that would be injected in the incoming request?

[simonpasquier]

This is kind of related to #136 which asks for TLS transport configuration. We might be able to rely on https://pkg.go.dev/github.com/prometheus/[email protected]/config primitives to avoid reinventing the wheel.

[joedborg]

Unsure whether or not this is in the purview of this issue, but it would be good to be able to set an upstream secret in order to specify either a user:pass or a token that's added to the upstream header. I think this is much nicer than having exposed user:pass in the URL and means we could inject a token into the header.