prometheus-community / helm-charts

Prometheus community Helm charts
Apache License 2.0

[kube-prometheus-stack] Externalsecrets options for additionalScrapeConfig. #4684

Open ravinx opened 2 months ago

ravinx commented 2 months ago

Is your feature request related to a problem?

I wanted to pull Confluent Cloud metrics in Prometheus with the additionalScrapeConfig in the kube-prometheus-stack Helm chart. I did the configuration through additionalScrapeConfig. I am not able to pull the secrets for username and password from Azure vault for Confluent Cloud. I didn't see any option to pull the secrets directly from any secret store into the chart.

Describe the solution you'd like.

I would like to have an option to pull the secrets from an external secret store, which can be anything (example: Azure vault, AWS KMS, etc.).

Describe alternatives you've considered.

NONE

Additional context.

The config passed to the prometheus.prometheusSpec.additionalScrapeConfigs `scrape_configs:

bmgante commented 2 weeks ago

I am also interested in this… any idea on how to do that?

zeritti commented 2 weeks ago

> I wanted to pull Confluent Cloud metrics in Prometheus with the additionalScrapeConfig in the kube-prometheus-stack Helm chart. I did the configuration through additionalScrapeConfig.

This field prometheus.prometheusSpec.additionalScrapeConfigs is not suitable for the purpose as it must contain native Prometheus' scrape configs. You could use basic_auth.password_file instead of basic_auth.password, though.

> I am not able to pull the secrets for username and password from Azure vault for Confluent Cloud. I didn't see any option to pull the secrets directly from any secret store into the chart.

No, of course not. Both the chart and Prometheus operator operate on Kubernetes resources. Amongst others, they provide support for using Secrets.

> I would like to have an option to pull the secrets from an external secret store, which can be anything (example: Azure vault, AWS KMS, etc.).

You'd have to use tools built for that, e.g. External Secrets, Secrets Store CSI Driver. Once these tools create a Secret in a namespace, you can use it in various places in the chart.

As an example, you can store your scrape configs with credentials in an external secret manager's key, have e.g. External Secrets retrieve that key's value and create a Secret out of it. Afterwards, you can use field prometheus.prometheusSpec.additionalScrapeConfigsSecret to refer to that Secret and use its contents in your scrape configurations.
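
The approach described in the last comment, written out as an added example that is not part of the thread or of the chart's own documentation. It assumes External Secrets Operator is installed; the store name `azure-kv`, the remote key `prometheus-additional-scrape-configs`, the namespace `monitoring` and the Secret key `scrape-configs.yaml` are hypothetical.

```yaml
# --- Manifest: ExternalSecret (External Secrets Operator) ---
# The remote key's value is a YAML list of native Prometheus scrape configs,
# credentials included. Constructed sample of that value, with placeholders:
#   - job_name: confluent-cloud
#     scheme: https
#     basic_auth:
#       username: <API_KEY>
#       password: <API_SECRET>
#     static_configs:
#       - targets: ["<METRICS_ENDPOINT>"]
apiVersion: external-secrets.io/v1beta1   # use the version your installed operator serves
kind: ExternalSecret
metadata:
  name: prometheus-additional-scrape-configs
  namespace: monitoring        # must be the namespace of the Prometheus resource
spec:
  refreshInterval: 1h          # how often the remote value is re-read
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-kv             # hypothetical store pointing at the external vault
  target:
    name: prometheus-additional-scrape-configs   # Kubernetes Secret the operator creates
    creationPolicy: Owner
  data:
    - secretKey: scrape-configs.yaml             # key inside the created Secret
      remoteRef:
        key: prometheus-additional-scrape-configs   # hypothetical key in the vault
---
# --- kube-prometheus-stack values.yaml ---
# Refer to the Secret created above instead of inlining credentials
# in prometheus.prometheusSpec.additionalScrapeConfigs.
prometheus:
  prometheusSpec:
    additionalScrapeConfigsSecret:
      enabled: true
      name: prometheus-additional-scrape-configs
      key: scrape-configs.yaml
```

With this layout the credentials stay out of `values.yaml` and the stored Helm release; access to them is governed by the vault's policy and by RBAC on the created Secret.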