add ability to read prometheus basic auth creds from secret #13035
Signed-off-by: Alex Leong <[email protected]>
Wouldn't it be better to mount the secret? That way we don't need the extra RBAC nor the extra flags.
Also it might make sense to extract the client creation snippet into a reusable function that the new stat-inbound and stat-outbound commands can use, given they connect to Prometheus directly.
{{- if .Values.prometheusCredsSecret }} | ||
- -prometheus-creds-secret={{.Values.prometheusCredsSecret}} | ||
{{- end}} |
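Review bot: On the `- -prometheus-creds-secret={{.Values.prometheusCredsSecret}}` line the value is rendered unquoted into the args list, so a value containing whitespace or YAML-significant characters would produce a malformed or unintended argument. Quoting the rendered argument, for example `- {{ printf "-prometheus-creds-secret=%s" .Values.prometheusCredsSecret | quote }}`, keeps it a single string.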
TIOLI: use `{{- with .Values.prometheusCredsSecret}}` to avoid repeating `.Values.prometheusCredsSecret` and just using `{{ . }}`
If a Prometheus instance is configured with basic auth, the linkerd-viz metrics-api is unable to access it. It is possible to provide basic auth credentials in the `prometheusUrl` Helm value, but this leaks the credentials into the deployment manifest.

We add a Helm value called `prometheusCredsSecret` to the Linkerd-viz helm chart. When set, this causes the metrics-api to read `user` and `password` fields from a secret with the given name in the Linkerd-viz namespace and to use these values for basic auth when making requests to Prometheus.

These credentials are loaded at startup and any changes to the credentials require a restart of the metrics-api to take effect.
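
The following Go sketch illustrates the approach described above; it is an added example, not code from this PR or from Linkerd. The names `newPrometheusClient` and `basicAuthTransport` are hypothetical, the `secretData` map stands in for the Secret's `user` and `password` fields, and rejecting a URL that carries userinfo is a choice of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// basicAuthTransport sets HTTP basic auth on every outgoing request.
type basicAuthTransport struct {
	user, password string
	next           http.RoundTripper
}

func (t basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	r.SetBasicAuth(t.user, t.password)
	return t.next.RoundTrip(r)
}

// newPrometheusClient is a hypothetical helper. secretData stands in for the
// Data map of the Kubernetes Secret, with the "user" and "password" fields.
func newPrometheusClient(prometheusURL string, secretData map[string][]byte) (*http.Client, error) {
	u, err := url.Parse(prometheusURL)
	if err != nil {
		// Do not wrap err: url.Parse errors quote the URL, which may hold credentials.
		return nil, errors.New("invalid Prometheus URL")
	}
	if u.User != nil {
		// Assumption of this example: refuse userinfo in the URL once a secret is used.
		return nil, errors.New("credentials embedded in Prometheus URL; use the secret instead")
	}
	user, password := secretData["user"], secretData["password"]
	if len(user) == 0 || len(password) == 0 {
		return nil, errors.New(`secret needs non-empty "user" and "password" fields`)
	}
	return &http.Client{Transport: basicAuthTransport{
		user: string(user), password: string(password), next: http.DefaultTransport,
	}}, nil
}

func main() {
	secret := map[string][]byte{"user": []byte("viz"), "password": []byte("s3cret")} // constructed
	_, err := newPrometheusClient("http://prometheus.example:9090", secret)
	fmt.Println("secret-based client:", err)
	_, err = newPrometheusClient("http://viz:s3cret@prometheus.example:9090", secret)
	fmt.Println("URL with userinfo:", err)
}
```

Because the credentials are copied into the transport when the client is built, this sketch shares the behaviour noted above: a changed secret only takes effect after the client is rebuilt, which for the metrics-api means a restart.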