prometheus-community / helm-charts

Prometheus community Helm charts
Apache License 2.0

[kube-prometheus-stack] Enable basic auth without the use of ingress #4199

Open rosh0450 opened 8 months ago

rosh0450 commented 8 months ago

Is your feature request related to a problem?

No way to enable basic auth for the Prometheus HTTP API and UI endpoints.

Describe the solution you'd like.

To be able to use basic auth with the Prometheus HTTP API and UI without setting up ingress or TLS.

Describe alternatives you've considered.

Other alternatives are setting up ingress or TLS.

Additional context.

When I deployed the Helm chart with release name kps, I see a secret has been created: prometheus-kps-kube-prometheus-stack-prometheus-web-config

[rishavkumarj@sigdev00 grafana-agent-poc]$ kg get secrets prometheus-kps-kube-prometheus-stack-prometheus-web-config -o yaml
apiVersion: v1
data:
  web-config.yaml: ""
kind: Secret
metadata:
  labels:
    managed-by: prometheus-operator
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:web-config.yaml: {}
      f:metadata:
        f:labels:
          .: {}
          f:managed-by: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"8397654b-bffb-4aac-be9a-052f0bcc98af"}:
            .: {}
            f:apiVersion: {}
            f:blockOwnerDeletion: {}
            f:controller: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:type: {}
    manager: PrometheusOperator
    operation: Update
    time: "2024-01-30T10:10:19Z"
  name: prometheus-kps-kube-prometheus-stack-prometheus-web-config
  namespace: grafana-agent
  ownerReferences:
  - apiVersion: monitoring.coreos.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: Prometheus
    name: kps-kube-prometheus-stack-prometheus
    uid: 8397654b-bffb-4aac-be9a-052f0bcc98af
  resourceVersion: "38123538"
  uid: cda0efec-df47-4dc1-9636-ee56355aa428
type: Opaque

And this secret is being used to create the volume web-config in the Prometheus pod

volumes:
- name: web-config
  secret:
    defaultMode: 420
    secretName: prometheus-kps-kube-prometheus-stack-prometheus-web-config

and this is again used to create a volume mount in the pod

volumeMounts:
- mountPath: /etc/prometheus/web_config/web-config.yaml
  name: web-config
  readOnly: true
  subPath: web-config.yaml

which is in turn used to set the value of the web.config.file flag

spec:
  automountServiceAccountToken: true
  containers:
  - args:
    - --web.console.templates=/etc/prometheus/consoles
    - --web.console.libraries=/etc/prometheus/console_libraries
    - --config.file=/etc/prometheus/config_out/prometheus.env.yaml
    - --web.enable-lifecycle
    - --web.external-url=http://kps-kube-prometheus-stack-prometheus.grafana-agent:9090
    - --web.route-prefix=/
    - --storage.tsdb.retention.time=7d
    - --storage.tsdb.path=/prometheus
    - --storage.tsdb.wal-compression
    - --web.config.file=/etc/prometheus/web_config/web-config.yaml
    image: boartifactory.com/prometheus/prometheus:v2.49.1

So somehow this basic auth is being set up, but the secret value is empty, and now I am unable to figure out how to set the username and password for the above secret.
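
A check for the situation described in the post above, added here as an example (it is not part of the original post and not code from the chart or the operator): it decodes the web-config.yaml key of the Secret and reports whether the Prometheus web config defines basic_auth_users or tls_server_config. The sample Secret JSON and the bcrypt-shaped placeholder hash are constructed, and the YAML scan is a simplified line parser that assumes block-style YAML.

```python
import base64
import json
import re

# Constructed sample: the Secret from the issue in `-o json` form, trimmed to
# the fields this check reads.
EMPTY_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "prometheus-kps-kube-prometheus-stack-prometheus-web-config"},
    "data": {"web-config.yaml": ""},
})
# Constructed web config; the value only has the shape of a bcrypt hash.
SAMPLE_CONFIG = "basic_auth_users:\n  admin: $2y$10$" + "A" * 53 + "\n"

# Prometheus web config expects bcrypt hashes for basic_auth_users values.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def top_level_block(text, key):
    """Return the indented 'name: value' entries under a top-level YAML key.
    Simplified scan (assumption: block-style YAML, no flow mappings)."""
    entries, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            inside = line.split(":", 1)[0].strip() == key
        elif inside and ":" in line:
            name, value = line.strip().split(":", 1)
            entries[name.strip()] = value.strip().strip("'\"")
    return entries


def audit_web_config(secret_json, key="web-config.yaml"):
    """Decode the Secret's web config and report how the listener is protected."""
    data = json.loads(secret_json).get("data") or {}
    text = base64.b64decode(data.get(key) or "").decode("utf-8")
    users = top_level_block(text, "basic_auth_users")
    return {
        "empty": not text.strip(),  # empty file: no auth and no TLS configured
        "basic_auth_users": sorted(users),
        "non_bcrypt_users": sorted(u for u, h in users.items() if not BCRYPT_RE.match(h)),
        "tls": bool(top_level_block(text, "tls_server_config")),
    }


if __name__ == "__main__":
    print(audit_web_config(EMPTY_SECRET))
```
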

spines83 commented 7 months ago

Interested in this as well -- setting up basic auth at the ingress level is a little more involved than we'd like it to be for our current setup.

https://github.com/prometheus-operator/prometheus-operator/issues/4200 seems to have some more detail on why it's not readily supported