feat: Support OAuth2 for prometheus and web providers (#3038)

Signed-off-by: Guillaume Doussin <[email protected]> Signed-off-by: zachaller <[email protected]> Co-authored-by: zachaller <[email protected]>
argoproj · Oct 13, 2023 · a9a51f2 · a9a51f2
1 parent 69c697c
commit a9a51f2
Show file tree

Hide file tree

Showing 19 changed files with 2,320 additions and 854 deletions.
diff --git a/docs/analysis/prometheus.md b/docs/analysis/prometheus.md
@@ -39,7 +39,9 @@ you validate your [PromQL expression](https://prometheus.io/docs/prometheus/late
 
 See the [Analysis Overview page](../../features/analysis) for more details on the available options.
 
-## Utilizing Amazon Managed Prometheus
+## Authorization
+
+### Utilizing Amazon Managed Prometheus
 
 Amazon Managed Prometheus can be used as the prometheus data source for analysis. In order to do this the namespace where your analysis is running will have to have the appropriate [IRSA attached](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-onboard-ingest-metrics-new-Prometheus.html#AMP-onboard-new-Prometheus-IRSA) to allow for prometheus queries. Once you ensure the proper permissions are in place to access AMP, you can use an AMP workspace url in your ```provider``` block and add a SigV4 config for Sigv4 signing:
 
@@ -61,6 +63,55 @@ provider:
         roleArn: $ROLEARN
 ```
 
+### With OAuth2
+
+You can setup an [OAuth2 client credential](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) flow using the following values:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: success-rate
+spec:
+  args:
+  - name: service-name
+  # from secret
+  - name: oauthSecret  # This is the OAuth2 shared secret
+    valueFrom:
+      secretKeyRef:
+        name: oauth-secret
+        key: secret
+  metrics:
+  - name: success-rate
+    interval: 5m
+    # NOTE: prometheus queries return results in the form of a vector.
+    # So it is common to access the index 0 of the returned array to obtain the value
+    successCondition: result[0] >= 0.95
+    failureLimit: 3
+    provider:
+      prometheus:
+        address: http://prometheus.example.com:9090
+        # timeout is expressed in seconds
+        timeout: 40
+        authentication:
+          oauth2:
+            tokenUrl: https://my-oauth2-provider/token
+            clientId: my-cliend-id
+            clientSecret: "{{ args.oauthSecret }}"
+            scopes: [
+              "my-oauth2-scope"
+            ]
+        query: |
+          sum(irate(
+            istio_requests_total{reporter="source",destination_service=~"{{args.service-name}}",response_code!~"5.*"}[5m]
+          )) /
+          sum(irate(
+            istio_requests_total{reporter="source",destination_service=~"{{args.service-name}}"}[5m]
+          ))
+```
+
+The AnalysisRun will first get an access token using that information, and provide it as an `Authorization: Bearer` header for the metric provider call.
+
 ## Additional Metadata
 
 Any additional metadata from the Prometheus controller, like the resolved queries after substituting the template's

diff --git a/docs/analysis/web.md b/docs/analysis/web.md
@@ -49,7 +49,7 @@ NOTE: if the result is a string, two convenience functions `asInt` and `asFloat`
 to convert a result value to a numeric type so that mathematical comparison operators can be used
 (e.g. >, <, >=, <=).
 
-### Optional web methods
+## Optional web methods
 It is possible to use a POST or PUT requests, by specifying the `method` and either `body` or `jsonBody` fields
 
 ```yaml
@@ -96,7 +96,7 @@ It is possible to use a POST or PUT requests, by specifying the `method` and eit
         jsonPath: "{$.data.ok}"
 ```
 
-### Skip TLS verification
+## Skip TLS verification
 
 You can skip the TLS verification of the web host provided by setting the options `insecure: true`.
 
@@ -112,4 +112,47 @@ You can skip the TLS verification of the web host provided by setting the option
           - key: Authorization
             value: "Bearer {{ args.api-token }}"
         jsonPath: "{$.data}"
-```
+```
+## Authorization
+
+### With OAuth2
+
+You can setup an [OAuth2 client credential](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) flow using the following values:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: success-rate
+spec:
+  args:
+  - name: service-name
+  # from secret
+  - name: oauthSecret  # This is the OAuth2 shared secret
+    valueFrom:
+      secretKeyRef:
+        name: oauth-secret
+        key: secret
+  metrics:
+  - name: webmetric
+    successCondition: result == true
+    provider:
+      web:
+        url: "http://my-server.com/api/v1/measurement?service={{ args.service-name }}"
+        timeoutSeconds: 20 # defaults to 10 seconds
+        authentication:
+          oauth2:
+            tokenUrl: https://my-oauth2-provider/token
+            clientId: my-cliend-id
+            clientSecret: "{{ args.oauthSecret }}"
+            scopes: [
+              "my-oauth2-scope"
+            ]
+        headers:
+          - key: Content-Type # if body is a json, it is recommended to set the Content-Type
+            value: "application/json"
+        jsonPath: "{$.data.ok}"
+```
+
+In that case, no need to provide specifically the `Authentication` header.
+The AnalysisRun will first get an access token using that information, and provide it as an `Authorization: Bearer` header for the metric provider call.