add ability to read prometheus basic auth creds from secret #13035

Merged
merged 7 commits into from
Sep 11, 2024

@adleong adleong commented Sep 6, 2024

If a Prometheus instance is configured with basic auth, the linkerd-viz metric-api is unable to access it. It is possible to provide basic auth credentials in the prometheusUrl Helm value, but this leaks the credentials into the deployment manifest.

We add a Helm value called prometheusCredsSecret to the Linkerd-viz helm chart. When set, this causes the metrics-api to read user and password fields from a secret with the given name in the Linkerd-viz namespace and to use these values for basic auth when making requests to Prometheus.

These credentials are loaded at startup and any changes to the credentials require a restart of the metrics-api to take effect.

@adleong adleong requested a review from a team as a code owner September 6, 2024 00:02
Signed-off-by: Alex Leong <[email protected]>

@alpeb alpeb left a comment

Wouldn't it be better to mount the secret? That way we don't need the extra RBAC nor the extra flags.
Also it might make sense to extract the client creation snippet into a reusable function that the new stat-inbound and stat-outbound commands can use, given they connect to Prometheus directly.

Comment on lines 91 to 93
{{- if .Values.prometheusCredsSecret }}
- -prometheus-creds-secret={{.Values.prometheusCredsSecret}}
{{- end}}
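
Review bot: on the -prometheus-creds-secret= line the value is interpolated unquoted into a YAML list item, so a value containing YAML-significant characters (a space followed by #, or a colon followed by a space) would render a broken or silently truncated argument. Consider passing the whole argument through quote, or validating in the chart that the value is a legal Secret name.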

TIOLI: use {{- with .Values.prometheusCredsSecret}} to avoid repeating .Values.prometheusCredsSecret and just use {{ . }}

@adleong adleong merged commit b359577 into main Sep 11, 2024
41 checks passed
@adleong adleong deleted the alex/secret-prom branch September 11, 2024 01:16
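
The mounted-secret alternative raised in the review, sketched in Go with only the standard library. This is an added example, not code from this PR or from Linkerd. The key names user and password come from the PR description; the mount path, the type name and the function name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// basicAuthTransport sets the Authorization header on each request, so the
// credentials never need to appear in the Prometheus URL or the manifest.
type basicAuthTransport struct {
	user, password string
	next           http.RoundTripper
}

func (t *basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	r.SetBasicAuth(t.user, t.password)
	return t.next.RoundTrip(r)
}

// newPromHTTPClient reads the "user" and "password" keys of a Secret mounted as
// files under dir, once at startup, and returns a client that sends them.
func newPromHTTPClient(dir string) (*http.Client, error) {
	t := &basicAuthTransport{next: http.DefaultTransport}
	for key, dst := range map[string]*string{"user": &t.user, "password": &t.password} {
		b, err := os.ReadFile(filepath.Join(dir, key))
		if err != nil {
			return nil, fmt.Errorf("reading secret key %q: %w", key, err)
		}
		*dst = strings.TrimRight(string(b), "\r\n") // drop newline left by file-based creation
	}
	return &http.Client{Transport: t}, nil
}

func main() {
	// Hypothetical mount path for the Secret volume.
	if _, err := newPromHTTPClient("/var/run/secrets/prometheus-creds"); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Because the files are read once, a rotated Secret still needs a restart to take effect, the same behaviour the PR description states for the merged approach.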