[bitnami/thanos] Add support for HTTPS and basic auth experimental settings #12404

Merged
merged 8 commits into from
Sep 14, 2022
2 changes: 1 addition & 1 deletion bitnami/thanos/Chart.yaml
@@ -28,4 +28,4 @@ name: thanos
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/thanos
- https://thanos.io
version: 11.4.1
version: 11.5.0
36 changes: 34 additions & 2 deletions bitnami/thanos/README.md
@@ -7,7 +7,7 @@ Thanos is a highly available metrics system that can be added on top of existing
[Overview of Thanos](https://thanos.io/)

Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

## TL;DR

```bash
@@ -120,6 +120,19 @@ Check the section [Integrate Thanos with Prometheus and Alertmanager](#integrate
| `bucketCacheConfig` | The [bucket cache configuration](https://thanos.io/tip/components/store.md/) | `""` |
| `existingObjstoreSecret` | Secret with Objstore Configuration | `""` |
| `existingObjstoreSecretItems` | Optional item list for specifying a custom Secret key. If so, path should be objstore.yml | `[]` |
| `httpConfig` | The [https and basic auth configuration](https://thanos.io/tip/operating/https.md/) | `""` |
| `existingHttpConfigSecret` | Secret containing the HTTPS and Basic auth configuration | `""` |
| `https.enabled` | Set to true to enable HTTPS. Requires a secret containing the certificate and key. | `false` |
| `https.autoGenerated` | Create self-signed TLS certificates. | `false` |
| `https.existingSecret` | Existing secret containing your own server key and certificate | `""` |
| `https.certFilename` | | `tls.crt` |
| `https.keyFilename` | | `tls.key` |
| `https.caFilename` | | `ca.crt` |
| `https.key` | TLS Key for Thanos HTTPS - ignored if existingSecret is provided | `""` |
| `https.cert` | TLS Certificate for Thanos HTTPS - ignored if existingSecret is provided | `""` |
| `https.ca` | (Optional, used for client) CA Certificate for Thanos HTTPS - ignored if existingSecret is provided | `""` |
| `https.clientAuthType` | Server policy for client authentication using certificates. Maps to ClientAuth Policies. | `""` |
| `auth.basicAuthUsers` | Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication | `{}` |
Contributor

As this contains passwords, I think we should use a secret, or at least provide the option to use a secret instead.

Member Author

The configuration file is stored in a Secret instead of a configmap because of that reason.

Users can provide their configuration file using `existingHttpConfigSecret`.

The main issue is that, if the basic authentication is enabled, the password is also needed for the Probes to succeed, and Thanos uses a scratch container, so no logic can be added to handle the password using env variables.

Member Author

@migruiz4 migruiz4 Sep 14, 2022

Please refer to the README.md section below, where I tried to depict this same situation and the alternatives to that.

| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
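Review bot: the `https.certFilename`, `https.keyFilename` and `https.caFilename` rows have empty description cells, so the table never says what they control; they are the key names inside the TLS Secret that hold the server certificate, the private key and the client CA, e.g. `| `https.certFilename` | Key in the TLS secret that holds the server certificate | `tls.crt` |`. The `auth.basicAuthUsers` row should also state plainly that the values are plaintext passwords kept in values.yaml and only bcrypt-hashed at render time, which is the concern raised in the thread; pointing readers from that row to `existingHttpConfigSecret` as the way to keep credentials out of values would address it.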
@@ -1191,6 +1204,25 @@ You can specify the Ruler configuration using the `ruler.config` parameter.

In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `ruler.existingConfigmap` parameter. Note that this will override the previous option.

### Running Thanos with HTTPS and basic authentication

This helm charts supports using HTTPS and basic authentication. The underlying feature is experimental and might change in the future, so are the associated settings in the chart.
For more information, please refer to [Thanos documentation](https://thanos.io/tip/operating/https.md/#running-thanos-with-https-and-basic-authentication).

This feature can be enabled by using the following values:

- `https.enabled=true`. Enabling HTTPS requires the user to provide the TLS certificate and Key for Thanos, which can be done using one of the following options:

- Provide a secret using `https.existingSecret`. The secret must contain the keys `tls.crt` or `tls.key` (key names can be renamed using the values `https.keyFilename` and `https.certFilename`).
- Provide the certificate and key in your values.yaml under the values `https.cert` and `https.key`.
- Use `https.autoGenerated=true`, using this value Helm will generate a self-signed key pair during the chart initialization. Not recommended for production environments.

- `auth.basicAuthUsers.*`. An dictionary of key / values, where the keys corresponds to the users that will have access to Thanos and the values are the plaintext passwords. Passwords will be later encrypted with bcrypt.
- Alternatively, provide your own Thanos http config file using the value `httpConfig` or `existingHttpConfigSecret`. This may cause any settings under `https.*` or `auth.*` to be ignored, except for the settings related to the TLS certificates. When providing a configuration file using these parameters, the chart Probes will fail to initialize unless one of the following fixes are applied:
- Set `https.enabled` or `auth.basicAuthUsers` with at least one user, matching the configuration file you provided. That way Probes will be configured with HTTPS and/or basic authentication accordingly.
- Configure your own Probes using `<component>.customLivenessProbe`, `<component>.customReadinessProbe` and `<component>.customStartupProbe`.
- **Not recommended**. Disable the Probes.

### Store time partitions

Thanos store supports partion based on time.
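Review bot: the `https.existingSecret` bullet says the secret must contain the keys `tls.crt` or `tls.key`, but both are needed (`tls_server_config` takes `cert_file` and `key_file`, and the chart's own certs Secret requires both), so this should read `tls.crt` and `tls.key`. The `auth.basicAuthUsers` bullet says passwords "will be later encrypted with bcrypt"; bcrypt is a password hash, not encryption, so "hashed with bcrypt" is the accurate wording and avoids suggesting the plaintext can be recovered. Minor grammar in the same hunk: "This helm charts supports" should be "This Helm chart supports", "so are the associated settings" should be "as are the associated settings", and "An dictionary" should be "A dictionary".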
@@ -1537,4 +1569,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.
41 changes: 41 additions & 0 deletions bitnami/thanos/templates/_helpers.tpl
@@ -58,6 +58,47 @@ Return true if a secret object should be created
{{- end -}}
{{- end -}}

{{/*
Return the Thanos HTTPS and basic auth configuration secret.
*/}}
{{- define "thanos.httpConfigEnabled" -}}
{{- if or .Values.existingHttpConfigSecret .Values.https.enabled .Values.auth.basicAuthUsers .Values.httpConfig }}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Return the Thanos HTTPS and basic auth configuration secret.
*/}}
{{- define "thanos.httpCertsSecretName" -}}
{{- if .Values.https.existingSecret -}}
{{- printf "%s" (tpl .Values.https.existingSecret $) -}}
{{- else -}}
{{- printf "%s-http-certs-secret" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}

{{/*
Return the Thanos HTTPS and basic auth configuration secret.
*/}}
{{- define "thanos.httpConfigSecretName" -}}
{{- if .Values.existingHttpConfigSecret -}}
{{- printf "%s" (tpl .Values.existingHttpConfigSecret $) -}}
{{- else -}}
{{- printf "%s-http-config-secret" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}

{{/*
Return true if a secret object should be created
*/}}
{{- define "thanos.createHttpConfigSecret" -}}
{{- if and (not .Values.existingHttpConfigSecret) (or .Values.https.enabled .Values.auth.basicAuthUsers .Values.httpConfig) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}

{{/*
Return a YAML of either .Values.query or .Values.querier
If .Values.querier is used, we merge in the defaults from .Values.query, giving preference to .Values.querier
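Review bot: the doc comments above `thanos.httpConfigEnabled` and `thanos.httpCertsSecretName` are copies of the one for `thanos.httpConfigSecretName` ("Return the Thanos HTTPS and basic auth configuration secret."), although the first returns a boolean and the second the name of the certificates Secret; please adjust them. `thanos.createHttpConfigSecret` also carries an empty `{{- else -}}` branch that can be dropped. The `%s-http-certs-secret` name is built here and again inline in `templates/http-certs-secret.yaml`, and `%s-http-config-secret` again in `templates/httpconfig-secret.yaml`; having those templates call these helpers keeps the names from drifting apart.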
39 changes: 39 additions & 0 deletions bitnami/thanos/templates/bucketweb/deployment.yaml
@@ -103,6 +103,9 @@ spec:
{{- if .Values.bucketweb.timeout }}
- --timeout={{ .Values.bucketweb.timeout }}
{{- end }}
{{- if (include "thanos.httpConfigEnabled" .) }}
- --http.config=/conf/http/http-config.yml
{{- end }}
{{- if .Values.bucketweb.extraFlags }}
{{- .Values.bucketweb.extraFlags | toYaml | nindent 12 }}
{{- end }}
@@ -127,25 +130,43 @@ spec:
protocol: TCP
{{- if .Values.bucketweb.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.livenessProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/healthy
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.bucketweb.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.bucketweb.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.readinessProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/ready
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.bucketweb.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.bucketweb.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.startupProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/ready
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.bucketweb.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
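Review bot: falling back to `tcpSocket` whenever `auth.basicAuthUsers` is set loses the `/-/healthy` and `/-/ready` semantics: a readiness probe that only checks the port is listening will mark the pod ready before Thanos reports ready. One alternative is to keep `httpGet` and add an `httpHeaders` entry carrying an `Authorization: Basic ...` value for one of the configured users, which kubelet supports, at the cost of that credential appearing in the pod spec; that trade-off is worth documenting next to the "Disable the Probes" option in the README. Separately, the scheme switch only looks at `https.enabled`: when `https.clientAuthType` demands a client certificate, kubelet presents none, so HTTPS probes will fail the TLS handshake; that combination deserves a README note or a `fail` in the template. Finally, the startup probe hits `/-/ready` while the liveness probe hits `/-/healthy`; a short comment on why they differ would help the next reader.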
@@ -158,6 +179,14 @@ spec:
volumeMounts:
- name: objstore-config
mountPath: /conf
{{- if (include "thanos.httpConfigEnabled" .) }}
- name: http-config
mountPath: /conf/http
{{- if .Values.https.enabled }}
- name: http-certs
mountPath: /certs
{{- end }}
{{- end }}
{{- if .Values.bucketweb.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -168,6 +197,16 @@ spec:
{{- if .Values.existingObjstoreSecretItems }}
items: {{- toYaml .Values.existingObjstoreSecretItems | nindent 14 }}
{{- end }}
{{- if (include "thanos.httpConfigEnabled" .) }}
- name: http-config
secret:
secretName: {{ include "thanos.httpConfigSecretName" . }}
{{- if .Values.https.enabled }}
- name: http-certs
secret:
secretName: {{ include "thanos.httpCertsSecretName" . }}
{{- end }}
{{- end }}
{{- if .Values.bucketweb.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.extraVolumes "context" $) | nindent 8 }}
{{- end }}
39 changes: 39 additions & 0 deletions bitnami/thanos/templates/compactor/deployment.yaml
@@ -117,6 +117,9 @@ spec:
- --retention.resolution-1h={{ .Values.compactor.retentionResolution1h }}
- --consistency-delay={{ .Values.compactor.consistencyDelay }}
- --objstore.config-file=/conf/objstore.yml
{{- if (include "thanos.httpConfigEnabled" .) }}
- --http.config=/conf/http/http-config.yml
{{- end }}
{{- if .Values.compactor.extraFlags }}
{{- .Values.compactor.extraFlags | toYaml | nindent 12 }}
{{- end }}
@@ -142,25 +145,43 @@ spec:
protocol: TCP
{{- if .Values.compactor.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.livenessProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/healthy
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.compactor.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.compactor.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.readinessProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/ready
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.compactor.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.compactor.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.startupProbe "enabled") "context" $) | nindent 12 }}
{{- if not .Values.auth.basicAuthUsers }}
httpGet:
path: /-/ready
port: http
scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }}
{{- else }}
tcpSocket:
port: http
{{- end }}
{{- else if .Values.compactor.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
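Review bot: this probe block is byte-for-byte the same as the one in `bucketweb/deployment.yaml`, and the PR touches the other components the same way; a named template in `_helpers.tpl` that takes the component's probe values would keep the `/-/healthy` vs `/-/ready` paths, the scheme selection and the basic-auth fallback in one place, so a later correction (for example for the client-certificate case) lands everywhere at once.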
@@ -173,6 +194,14 @@ spec:
volumeMounts:
- name: objstore-config
mountPath: /conf
{{- if (include "thanos.httpConfigEnabled" .) }}
- name: http-config
mountPath: /conf/http
{{- if .Values.https.enabled }}
- name: http-certs
mountPath: /certs
{{- end }}
{{- end }}
- name: data
mountPath: /data
{{- if .Values.compactor.extraVolumeMounts }}
@@ -185,6 +214,16 @@ spec:
{{- if .Values.existingObjstoreSecretItems }}
items: {{- toYaml .Values.existingObjstoreSecretItems | nindent 14 }}
{{- end }}
{{- if (include "thanos.httpConfigEnabled" .) }}
- name: http-config
secret:
secretName: {{ include "thanos.httpConfigSecretName" . }}
{{- if .Values.https.enabled }}
- name: http-certs
secret:
secretName: {{ include "thanos.httpCertsSecretName" . }}
{{- end }}
{{- end }}
- name: data
{{- if .Values.compactor.persistence.enabled }}
persistentVolumeClaim:
32 changes: 32 additions & 0 deletions bitnami/thanos/templates/http-certs-secret.yaml
@@ -0,0 +1,32 @@
{{- if and .Values.https.enabled (not .Values.https.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-http-certs-secret" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.https.autoGenerated }}
{{- $ca := genCA "thanos-ca" 365 }}
{{- $hostname := printf "%s" (include "common.names.fullname" .) }}
{{- $cert := genSignedCert $hostname nil (list $hostname) 365 $ca }}
{{ .Values.https.certFilename }}: {{ $cert.Cert | b64enc | quote }}
{{ .Values.https.keyFilename }}: {{ $cert.Key | b64enc | quote }}
{{- if .Values.https.clientAuthType }}
{{ .Values.https.caFilename }}: {{ $ca.Cert | b64enc | quote }}
{{- end }}
{{- else }}
{{ .Values.https.certFilename }}: {{ required "'https.cert' is required when 'https.enabled=true'" .Values.https.cert | b64enc | quote }}
{{ .Values.https.keyFilename }}: {{ required "'https.key' is required when 'https.enabled=true'" .Values.https.key | b64enc | quote }}
{{- if .Values.https.clientAuthType }}
{{ .Values.https.caFilename }}: {{ required "'https.ca' is required when 'https.clientAuthType' is provided" .Values.https.ca | b64enc | quote }}
{{- end }}
{{- end }}
{{ end }}
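Review bot: `genCA` and `genSignedCert` run on every render, so with `https.autoGenerated=true` each `helm upgrade` issues a fresh CA and server certificate; any client that pinned the previous certificate, or the `ca.crt` emitted when `clientAuthType` is set, breaks on upgrade. Reusing the existing Secret's data via `lookup` when it is present is the usual way to keep the key pair stable across upgrades. The generated certificate's SANs are only `(list $hostname)` with the chart fullname, so clients that dial the service as `<fullname>.<namespace>.svc` or `<fullname>.<namespace>.svc.cluster.local` will fail hostname verification; adding those names costs nothing. Also the closing `{{ end }}` lacks the `-` used on every other tag in the file and leaves a stray blank line in the rendered manifest.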
33 changes: 33 additions & 0 deletions bitnami/thanos/templates/httpconfig-secret.yaml
@@ -0,0 +1,33 @@
{{- if (include "thanos.createHttpConfigSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-http-config-secret
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
stringData:
http-config.yml: |-
{{- if .Values.httpConfig }}
{{- include "common.tplvalues.render" (dict "value" .Values.httpConfig "context" $) | b64enc | nindent 4 }}
{{- else }}
{{- if .Values.https.enabled }}
tls_server_config:
cert_file: /certs/{{ .Values.https.certFilename }}
key_file: /certs/{{ .Values.https.keyFilename }}
{{- if .Values.https.clientAuthType }}
client_auth_type: {{ .Values.https.clientAuthType }}
# CA certificate for client certificate authentication to the server.
client_ca_file: /certs/{{ .Values.https.caFilename }}
{{- end }}
{{- end }}
{{- if .Values.auth.basicAuthUsers }}
basic_auth_users:
{{- range $user, $password := .Values.auth.basicAuthUsers }}
{{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
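Review bot: the `httpConfig` branch pipes the rendered config through `b64enc` before writing it under `stringData` (`{{- include "common.tplvalues.render" (dict "value" .Values.httpConfig "context" $) | b64enc | nindent 4 }}`); `stringData` takes plaintext and the API server base64-encodes it itself, so Thanos would receive a file containing base64 text instead of YAML and fail to parse `--http.config`. Drop the `b64enc` (or switch the key to `data` and encode the whole value). The Secret name is also built inline as `{{ include "common.names.fullname" . }}-http-config-secret` rather than through `thanos.httpConfigSecretName`, and, unlike `http-certs-secret.yaml`, this template does not render `commonAnnotations`.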