prometheus-community / helm-charts

Prometheus community Helm charts
Apache License 2.0

[prometheus] configmap-reload is not working with basic auth enabled #2007

Closed seb-h-k closed 2 years ago

seb-h-k commented 2 years ago

Is your feature request related to a problem?

If I enable basic auth for prometheus using

serverFiles:
  web.config.yml:
    basic_auth_users:
      username: <password>

I cannot configure configmap-reload accordingly to make the reload request use basic auth. This seems to be hard-coded currently:

https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/server/deploy.yaml#L61

configmap-reload seems to be aware of basic auth: https://github.com/jimmidyson/configmap-reload/blob/main/configmap-reload.go#L115

I would expect to be able to configure configmap-reload accordingly as currently the feature is not working when having basic auth enabled.

Describe the solution you'd like.

It should be possible to configure the basic auth credentials in the configmap-reload, e.g.

configmapReload:
  prometheus:
    basic_auth_user:
      username: <password>

Describe alternatives you've considered.

NONE

Additional context.

No response

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] commented 2 years ago

This issue is being automatically closed due to inactivity.

RomanBats commented 2 years ago

@seb-h-k, webhook-url is hardcoded and probably should be configurable with the default value. But there is a workaround for it! Credentials for basic authentication could be set in the URL http://user:password@127.0.0.1:9090, we just need to add an additional webhook-url (since it is an array):

configmapReload:
  prometheus:
    enabled: true
    extraArgs:
      webhook-url: http://user:password@127.0.0.1:9090{{ ((.Values.server).prefixURL) }}/-/reload

As a result, the pod will have an additional parameter for the container:

spec:
  containers:
    - args:
        - '--volume-dir=/etc/config'
        - '--webhook-url=http://127.0.0.1:9090/-/reload'
        - '--webhook-url=http://user:password@127.0.0.1:9090/-/reload'

A downside of this approach is that after the configurations are updated, the reloader will use all webhook URLs, thus it will call the first URL without authentication, producing "error: Received response code 401 , expected 200" in the logs, and will then successfully call Prometheus with the second URL with username and password.

haakonnessjoen commented 1 year ago

Seems like --webhook-url is not supported any longer now. And the new '--reload-url' cannot be repeated :/

zeitler commented 1 year ago

Any way to solve this?

I've enabled authentication and now the container crashes

zeritti commented 1 year ago

> Any way to solve this? I've enabled authentication and now the container crashes

An example with basic auth at Prometheus and environment variables from a secret:

configmapReload:
  reloadUrl: "http://$(USERNAME):$(PASSWORD)@localhost:9090/-/reload"
  env:
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: configmap-reload
          key: password
          optional: false
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: configmap-reload
          key: username
          optional: false
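
Added example (not part of the thread or the chart's code): a Python sketch of how Kubernetes substitutes `$(USERNAME)` and `$(PASSWORD)` verbatim into the `reloadUrl` from the comment above, and why a secret value containing URL-reserved characters has to be stored percent-encoded. The function names and sample credentials are constructed, and it is an assumption that the reloader's HTTP client percent-decodes the userinfo the way a standard URL parser does.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# reloadUrl template as given in the comment above.
RELOAD_URL = "http://$(USERNAME):$(PASSWORD)@localhost:9090/-/reload"

# "$$" is the escape for a literal "$"; "$(NAME)" is a variable reference.
_REF = re.compile(r"\$\$|\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def k8s_expand(template, env):
    """Simplified mimic of Kubernetes $(VAR) expansion in container args:
    values are inserted verbatim, unresolved references stay unchanged."""
    def sub(match):
        if match.group(0) == "$$":
            return "$"
        return env.get(match.group(1), match.group(0))
    return _REF.sub(sub, template)


def credentials_seen_by_client(url):
    """Return (user, password, host, path) as a URL parser recovers them."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname, parts.path


def encode_for_secret(value):
    """Percent-encode a credential before storing it in the secret, so that
    verbatim substitution into the URL userinfo cannot change the URL shape."""
    return quote(value, safe="")


# Constructed sample credentials; "/" and "#" are URL-reserved characters.
SAMPLE_USER, SAMPLE_PASSWORD = "prom", "s3cr/et#1"

if __name__ == "__main__":
    raw_env = {"USERNAME": SAMPLE_USER, "PASSWORD": SAMPLE_PASSWORD}
    safe_env = {k: encode_for_secret(v) for k, v in raw_env.items()}
    for label, env in (("raw secret", raw_env), ("encoded secret", safe_env)):
        url = k8s_expand(RELOAD_URL, env)
        user, password, host, path = credentials_seen_by_client(url)
        # Report only whether credentials survived, never their values.
        print(f"{label}: host={host} path={path} "
              f"credentials_intact={(user, password) == (SAMPLE_USER, SAMPLE_PASSWORD)}")
```

With the raw value the request no longer targets `localhost:9090/-/reload` and carries no credentials, while the encoded value round-trips intact.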