linkerd · adleong · Sep 11, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
@@ -102,6 +102,7 @@ require (
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
@@ -116,6 +117,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc6 // indirect

@@ -160,6 +160,7 @@ Kubernetes: `>=1.22.0-0`
 | prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. |
 | prometheus.sidecarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems |
 | prometheus.tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information |
+| prometheusCredsSecret | string | `""` | name of the prometheus credentials secret If this is set, the metrics-api will use basic auth to connect to prometheus and load the user and password from the "user" and "password" keys respectively in the given secret. The secret must be in the same namespace and must exist before the metrics-api is deployed. |
 | prometheusUrl | string | `""` | url of external prometheus instance |
 | revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. |
 | tap.GID | string | `nil` | GID for the tap component |

diff --git a/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml b/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml
@@ -44,6 +44,43 @@ subjects:
   name: metrics-api
   namespace: {{.Release.Namespace}}
 ---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: prometheus-credentials
+  namespace: {{.Release.Namespace}}
+  labels:
+    linkerd.io/extension: viz
+    component: metrics-api
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: metrics-api-prometheus-credentials
+  namespace: {{.Release.Namespace}}
+  labels:
+    linkerd.io/extension: viz
+    component: metrics-api
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-credentials
+subjects:
+- kind: ServiceAccount
+  name: metrics-api
+  namespace: {{.Release.Namespace}}
+---
 kind: ServiceAccount
 apiVersion: v1
 metadata:

@@ -88,7 +88,11 @@ spec:
         {{- else }}
         {{ fail "Please enable `linkerd-prometheus` or provide `prometheusUrl` for the viz extension to function properly"}}
         {{- end }}
+        {{- if .Values.prometheusCredsSecret }}
+        - -prometheus-creds-secret={{.Values.prometheusCredsSecret}}
+        {{- end}}
         - -enable-pprof={{.Values.enablePprof | default false}}
+        - -viz-namespace={{.Release.Namespace}}
         image: {{.Values.metricsAPI.image.registry | default .Values.defaultRegistry}}/{{.Values.metricsAPI.image.name}}:{{.Values.metricsAPI.image.tag | default .Values.linkerdVersion}}
         imagePullPolicy: {{.Values.metricsAPI.image.pullPolicy | default .Values.defaultImagePullPolicy}}
         livenessProbe:

@@ -75,6 +75,13 @@ enablePSP: false
 # -- url of external prometheus instance
 prometheusUrl: ""
 
+# -- name of the prometheus credentials secret
+# If this is set, the metrics-api will use basic auth to connect to prometheus
+# and load the user and password from the "user" and "password" keys
+# respectively in the given secret. The secret must be in the same namespace
+# and must exist before the metrics-api is deployed.
+prometheusCredsSecret: ""
+
 # -- url of external jaeger instance
 # Set this to `jaeger.linkerd-jaeger.svc.<clusterDomain>:16686` if you plan to use jaeger extension
 jaegerUrl: ""

diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden
diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden
diff --git a/viz/cmd/testdata/install_prometheus_disabled.golden b/viz/cmd/testdata/install_prometheus_disabled.golden
diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden
diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden