PureStorage-OpenConnect / pure-fa-openmetrics-exporter

Pure Storage OpenMetrics exporter for FlashArray
Apache License 2.0

[Question] How does the token file in exporter work? #143

Open agileshaw opened 1 week ago

agileshaw commented 1 week ago

Hi team. I would like to inquire about the effect of running exporter with the token file (with -t option).

From the examples and my tests, it seems that the exporter can be run with or without specifying the token, where in both cases the scraping URL should always have the API token as a bearer header.

And I'm not able to use the array_id defined in the token file as endpoint when scraping for metrics (using the actual ip address of the array works):

token.yaml

array_id:
  address: <ip-address>|<hosname1>
  api_token: <api-token1> 

scrape command:

$ wget --header 'Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'  'https://pure-fa-exporter.your.domain:9490/metrics/array?endpoint=array_id'
wget: server returned error: HTTP/1.1 400 Bad Request

Would it be possible for you to provide some insights on this?

chrroberts-pure commented 1 week ago

Hi,

array_id is a string that, if matched when passed by the endpoint query parameter, will use the parameters set in the token.yaml file. If you are using a matched string you must NOT also pass an auth token.

chrroberts@chrroberts--MacBookPro16 bin % cat token.yaml                     
foobar:
  address: array03
  api_token: <GOOD_API_TOKEN>
chrroberts@chrroberts--MacBookPro16 bin % ./pure-fa-om-exporter -t token.yaml
2024/06/19 16:42:48 Start Pure FlashArray exporter v1.0.18 on 0.0.0.0:9490

chrroberts@chrroberts--MacBookPro16 bin % curl 'http://localhost:9490/metrics/array?endpoint=foobar' | grep purefa_info
# HELP purefa_info FlashArray system information
# TYPE purefa_info gauge
purefa_info{array_name="ARRAY03",os="Purity//FA",subscription_type="",system_id="<sys_id>",version="6.3.15"} 1

If I pass an authorization token as well as provide a match to the tokens.yaml file, the query will fail, e.g.

chrroberts@chrroberts--MacBookPro16 bin % curl 'http://localhost:9490/metrics/array?endpoint=foobar' --header 'Authorization: Bearer <GOOD_API_TOKEN>' 
Error connecting to FlashArray. Check your management endpoint and/or api token are correct.

HOWEVER - if I provide an endpoint that does NOT match an array_id, the Bearer Auth token works as documented (note it matches on the array_id string only, NOT address, so I can use array03 here).

chrroberts@chrroberts--MacBookPro16 bin % curl 'http://localhost:9490/metrics/array?endpoint=array03' --header 'Authorization: Bearer <GOOD_API_TOKEN>'
# HELP purefa_info FlashArray system information
# TYPE purefa_info gauge
purefa_info{array_name="ARRAY03",os="Purity//FA",subscription_type="",system_id="<sys_id>",version="6.3.15"} 1

Should we have an error like "Bearer token provided by request when endpoint is defined in tokens file as an array_id", maybe? But maybe just putting in the documents that you must not provide the token may also be enough.
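
Added example, not part of the thread and not the exporter's source: a Go sketch of the resolution rule described in the comment above, with the explicit rejection that comment proposes in place of the generic connection error. `Resolve`, `ArrayEntry` and the error names are hypothetical, and the token values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ArrayEntry mirrors one token.yaml entry (address + api_token), keyed by array_id.
type ArrayEntry struct{ Address, APIToken string }

var (
	ErrAmbiguous = errors.New("bearer token provided by request when endpoint is defined in tokens file as an array_id")
	ErrNoToken   = errors.New("no api token: endpoint is not an array_id and no bearer token was sent")
)

// Resolve (hypothetical name) decides which address and API token a scrape uses.
func Resolve(tokens map[string]ArrayEntry, endpoint, authHeader string) (address, token string, err error) {
	bearer := ""
	if f := strings.Fields(authHeader); len(f) == 2 && strings.EqualFold(f[0], "Bearer") {
		bearer = f[1]
	}
	// Matching is on the array_id key only, never on the address value.
	if e, ok := tokens[endpoint]; ok {
		if bearer != "" {
			return "", "", ErrAmbiguous // two credential sources: refuse instead of guessing
		}
		return e.Address, e.APIToken, nil // token never leaves the exporter host
	}
	if bearer == "" {
		return "", "", ErrNoToken
	}
	return endpoint, bearer, nil // endpoint is used as the array address
}

func main() {
	// Constructed sample equivalent to the token.yaml shown above.
	tokens := map[string]ArrayEntry{"foobar": {"array03", "constructed-file-token"}}
	for _, c := range [][2]string{
		{"foobar", ""}, {"foobar", "Bearer constructed-request-token"},
		{"array03", "Bearer constructed-request-token"}, {"array03", ""},
	} {
		addr, tok, err := Resolve(tokens, c[0], c[1])
		// Log whether a token was selected, never the token itself.
		fmt.Printf("endpoint=%q auth=%t -> address=%q tokenSet=%t err=%v\n", c[0], c[1] != "", addr, tok != "", err)
	}
}
```
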

agileshaw commented 1 week ago

Thanks a lot for the detailed response. It would definitely be helpful to explain this more clearly in the documents.

However, in my test setup, the scrape on array_id without auth token still doesn't work. I wonder whether this has something to do with the Purity/FA version. The one in my cluster is 6.1.22, but in your example it is 6.3.15.

chrroberts-pure commented 1 week ago

Hi. It may be helpful to set up a Zoom meeting to look over your configurations.

Please email us at pure-observability@purestorage.com to set up a time to meet. Thanks!

chrroberts-pure commented 1 week ago

Hi, I just noted that in your example you're using HTTPS -- by default the exporter only exposes HTTP, unless ssl certs are provided at run time.