From 8652e14acba68412f65134c33c1c3d4f01e8efc2 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Mon, 12 Feb 2018 11:19:10 -0600 Subject: [PATCH] Add auth for prometheus This adds authentication to Prometheus with an apache reverse proxy, similar to elasticsearch, kibana and nagios. This adds an admin user and password via htpasswd along with adding ldap support. This required modifying the grafana chart to configure the prometheus datasource's basic auth credentials in the data sources provisioning configuration file by checking whether basic auth is enabled and injecting the username/password defined in the corresponding endpoint definition. This also modifies the nagios chart to use the authenticated endpoint for prometheus, which is required for nagios to successfully query the prometheus endpoint for its service checking mechanism Change-Id: Ia4ccc3c44a89b2c56594be1f4cc28ac07169bf8c --- grafana/templates/secret-prom-creds.yaml | 32 +++ .../templates/utils/_generate_datasources.tpl | 10 + grafana/values.yaml | 10 +- nagios/templates/deployment.yaml | 2 +- nagios/values.yaml | 9 +- prometheus/templates/bin/_apache.sh.tpl | 46 +++ prometheus/templates/bin/_helm-tests.sh.tpl | 9 +- prometheus/templates/configmap-bin.yaml | 2 + prometheus/templates/configmap-etc.yaml | 12 +- prometheus/templates/ingress-prometheus.yaml | 2 +- prometheus/templates/pod-helm-tests.yaml | 13 +- prometheus/templates/secret-prometheus.yaml | 29 ++ prometheus/templates/service.yaml | 4 +- prometheus/templates/statefulset.yaml | 34 +++ prometheus/values.yaml | 271 +++++++++++++++++- 15 files changed, 470 insertions(+), 15 deletions(-) create mode 100644 grafana/templates/secret-prom-creds.yaml create mode 100644 prometheus/templates/bin/_apache.sh.tpl create mode 100644 prometheus/templates/secret-prometheus.yaml diff --git a/grafana/templates/secret-prom-creds.yaml b/grafana/templates/secret-prom-creds.yaml new file mode 100644 index 000000000..b50c090e8 --- /dev/null +++ b/grafana/templates/secret-prom-creds.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_prom_creds }} +{{- $envAll := . }} +{{- $secretName := index $envAll.Values.secrets.prometheus.user }} + +{{- $prometheus_user := .Values.endpoints.monitoring.auth.user.username }} +{{- $prometheus_password := .Values.endpoints.monitoring.auth.user.password }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + PROMETHEUS_USERNAME: {{ .Values.endpoints.monitoring.auth.user.username | b64enc }} + PROMETHEUS_PASSWORD: {{ .Values.endpoints.monitoring.auth.user.password | b64enc }} +{{- end }} diff --git a/grafana/templates/utils/_generate_datasources.tpl b/grafana/templates/utils/_generate_datasources.tpl index 3343e1562..3ad695951 100644 --- a/grafana/templates/utils/_generate_datasources.tpl +++ b/grafana/templates/utils/_generate_datasources.tpl @@ -26,6 +26,16 @@ limitations under the License. {{- $datasource_url := tuple $datasource "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} {{- $_ := set $config "url" $datasource_url }} {{- end }} +{{- if and ($config.basicAuth) (empty $config.basicAuthUser) -}} +{{- $datasource_endpoint := index $envAll.Values.endpoints $datasource -}} +{{- $datasource_user := $datasource_endpoint.auth.user.username -}} +{{- $_ := set $config "basicAuthUser" $datasource_user -}} +{{- end }} +{{- if and ($config.basicAuth) (empty $config.basicAuthPassword) -}} +{{- $datasource_endpoint := index $envAll.Values.endpoints $datasource -}} +{{- $datasource_password := $datasource_endpoint.auth.user.password -}} +{{- $_ := set $config "basicAuthPassword" $datasource_password -}} +{{- end }} {{- $__datasources := append $envAll.Values.__datasources $config }} {{- $_ := set $envAll.Values "__datasources" $__datasources }} {{- end }} diff --git a/grafana/values.yaml b/grafana/values.yaml index 033c6e1bd..4260754ab 100644 --- a/grafana/values.yaml +++ b/grafana/values.yaml @@ -196,6 +196,10 @@ endpoints: monitoring: name: prometheus namespace: null + auth: + user: + username: admin + password: changeme hosts: default: prom-metrics public: prometheus @@ -207,7 +211,7 @@ endpoints: default: http port: api: - default: 9090 + default: 80 public: 80 ldap: hosts: @@ -290,6 +294,8 @@ secrets: grafana: grafana: public: grafana-tls-public + prometheus: + user: prometheus-user-creds manifests: configmap_bin: true @@ -306,6 +312,7 @@ manifests: secret_db_session: true secret_admin_creds: true secret_ingress_tls: true + secret_prom_creds: true service: true service_ingress: true @@ -365,6 +372,7 @@ conf: access: proxy orgId: 1 editable: true + basicAuth: true grafana: auth.ldap: enabled: true diff --git a/nagios/templates/deployment.yaml b/nagios/templates/deployment.yaml index 8d64442fc..a82c35d73 100644 --- a/nagios/templates/deployment.yaml +++ b/nagios/templates/deployment.yaml @@ -128,7 +128,7 @@ spec: containerPort: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} env: - name: PROMETHEUS_SERVICE - value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + value: {{ tuple "monitoring" "internal" "admin" "http" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} - name: SNMP_NOTIF_PRIMARY_TARGET_WITH_PORT value: {{ $envAll.Values.conf.nagios.notification.snmp.primary_target }} - name: SNMP_NOTIF_SECONDARY_TARGET_WITH_PORT diff --git a/nagios/values.yaml b/nagios/values.yaml index 870b07ada..de69d4be4 100644 --- a/nagios/values.yaml +++ b/nagios/values.yaml @@ -77,6 +77,10 @@ endpoints: node: 5000 monitoring: name: prometheus + auth: + admin: + username: admin + password: changeme hosts: default: prom-metrics public: prometheus @@ -87,9 +91,8 @@ endpoints: scheme: default: http port: - api: - default: 9090 - public: 80 + http: + default: 80 nagios: name: nagios namespace: null diff --git a/prometheus/templates/bin/_apache.sh.tpl b/prometheus/templates/bin/_apache.sh.tpl new file mode 100644 index 000000000..3e1ce7084 --- /dev/null +++ b/prometheus/templates/bin/_apache.sh.tpl @@ -0,0 +1,46 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ev + +COMMAND="${@:-start}" + +function start () { + + if [ -f /etc/apache2/envvars ]; then + # Loading Apache2 ENV variables + source /etc/httpd/apache2/envvars + fi + # Apache gets grumpy about PID files pre-existing + rm -f /etc/httpd/logs/httpd.pid + + if [ -f /usr/local/apache2/conf/.htpasswd ]; then + htpasswd -b /usr/local/apache2/conf/.htpasswd "$PROMETHEUS_ADMIN_USERNAME" "$PROMETHEUS_ADMIN_PASSWORD" + else + htpasswd -cb /usr/local/apache2/conf/.htpasswd "$PROMETHEUS_ADMIN_USERNAME" "$PROMETHEUS_ADMIN_PASSWORD" + fi + + #Launch Apache on Foreground + exec httpd -DFOREGROUND +} + +function stop () { + apachectl -k graceful-stop +} + +$COMMAND diff --git a/prometheus/templates/bin/_helm-tests.sh.tpl b/prometheus/templates/bin/_helm-tests.sh.tpl index 1c9933e9a..bc2c9e448 100644 --- a/prometheus/templates/bin/_helm-tests.sh.tpl +++ b/prometheus/templates/bin/_helm-tests.sh.tpl @@ -19,7 +19,8 @@ limitations under the License. set -ex function endpoints_up () { - endpoints_result=$(curl "${PROMETHEUS_ENDPOINT}/api/v1/query?query=up" \ + endpoints_result=$(curl -K- <<< "--user ${PROMETHEUS_ADMIN_USERNAME}:${PROMETHEUS_ADMIN_PASSWORD}" \ + "${PROMETHEUS_ENDPOINT}/api/v1/query?query=up" \ | python -c "import sys, json; print json.load(sys.stdin)['status']") if [ "$endpoints_result" = "success" ]; then @@ -31,7 +32,8 @@ function endpoints_up () { } function get_targets () { - targets_result=$(curl "${PROMETHEUS_ENDPOINT}/api/v1/targets" \ + targets_result=$(curl -K- <<< "--user ${PROMETHEUS_ADMIN_USERNAME}:${PROMETHEUS_ADMIN_PASSWORD}" \ + "${PROMETHEUS_ENDPOINT}/api/v1/targets" \ | python -c "import sys, json; print json.load(sys.stdin)['status']") if [ "$targets_result" = "success" ]; then @@ -43,7 +45,8 @@ function get_targets () { } function get_alertmanagers () { - alertmanager=$(curl "${PROMETHEUS_ENDPOINT}/api/v1/alertmanagers" \ + alertmanager=$(curl -K- <<< "--user ${PROMETHEUS_ADMIN_USERNAME}:${PROMETHEUS_ADMIN_PASSWORD}" \ + "${PROMETHEUS_ENDPOINT}/api/v1/alertmanagers" \ | python -c "import sys, json; print json.load(sys.stdin)['status']") if [ "$alertmanager" = "success" ]; then diff --git a/prometheus/templates/configmap-bin.yaml b/prometheus/templates/configmap-bin.yaml index 08b81e265..6a7b32040 100644 --- a/prometheus/templates/configmap-bin.yaml +++ b/prometheus/templates/configmap-bin.yaml @@ -22,6 +22,8 @@ kind: ConfigMap metadata: name: prometheus-bin data: + apache.sh: | +{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} prometheus.sh: | {{ tuple "bin/_prometheus.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} helm-tests.sh: | diff --git a/prometheus/templates/configmap-etc.yaml b/prometheus/templates/configmap-etc.yaml index 608e82b0c..38c1b2294 100644 --- a/prometheus/templates/configmap-etc.yaml +++ b/prometheus/templates/configmap-etc.yaml @@ -28,16 +28,26 @@ limitations under the License. {{- $_ := set .Values.conf.prometheus.scrape_configs "rule_files" $envAll.Values.__rule_files -}} {{- end -}} +{{- if not (empty $envAll.Values.conf.prometheus.scrape_configs.scrape_configs) }} +{{- $_ := set $envAll.Values "__updated_scrape_configs" ( list ) }} +{{- $promScrapeTarget := first $envAll.Values.conf.prometheus.scrape_configs.scrape_configs }} +{{- if (empty $promScrapeTarget.basic_auth) }} +{{- $_ := set $promScrapeTarget "basic_auth" $envAll.Values.endpoints.monitoring.auth.admin }} +{{- end }} +{{- end }} + --- apiVersion: v1 kind: ConfigMap metadata: name: prometheus-etc data: - prometheus.yml: | + prometheus.yml: |+ {{ toYaml .Values.conf.prometheus.scrape_configs | indent 4 }} {{ range $key, $value := .Values.conf.prometheus.rules }} {{ $key }}.rules: | {{ toYaml $value | indent 4 }} {{ end }} +#NOTE(srwilkers): this must be last, to work round helm ~2.7 bug. +{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }} {{- end }} diff --git a/prometheus/templates/ingress-prometheus.yaml b/prometheus/templates/ingress-prometheus.yaml index ae2e9ad42..ecb04d19f 100644 --- a/prometheus/templates/ingress-prometheus.yaml +++ b/prometheus/templates/ingress-prometheus.yaml @@ -15,6 +15,6 @@ limitations under the License. */}} {{- if and .Values.manifests.ingress .Values.network.prometheus.ingress.public }} -{{- $ingressOpts := dict "envAll" . "backendService" "prometheus" "backendServiceType" "monitoring" "backendPort" "prom-metrics" -}} +{{- $ingressOpts := dict "envAll" . "backendService" "prometheus" "backendServiceType" "monitoring" "backendPort" "http" -}} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} diff --git a/prometheus/templates/pod-helm-tests.yaml b/prometheus/templates/pod-helm-tests.yaml index a256760a2..ab2142a13 100644 --- a/prometheus/templates/pod-helm-tests.yaml +++ b/prometheus/templates/pod-helm-tests.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- if .Values.manifests.helm_tests }} {{- $envAll := . }} +{{- $promUserSecret := .Values.secrets.prometheus.admin }} --- apiVersion: v1 kind: Pod @@ -34,8 +35,18 @@ spec: command: - /tmp/helm-tests.sh env: + - name: PROMETHEUS_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ $promUserSecret }} + key: PROMETHEUS_ADMIN_USERNAME + - name: PROMETHEUS_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $promUserSecret }} + key: PROMETHEUS_ADMIN_PASSWORD - name: PROMETHEUS_ENDPOINT - value: {{ tuple "monitoring" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + value: {{ tuple "monitoring" "internal" "http" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} volumeMounts: - name: prometheus-bin mountPath: /tmp/helm-tests.sh diff --git a/prometheus/templates/secret-prometheus.yaml b/prometheus/templates/secret-prometheus.yaml new file mode 100644 index 000000000..8e41346aa --- /dev/null +++ b/prometheus/templates/secret-prometheus.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_prometheus }} +{{- $envAll := . }} +{{- $secretName := index $envAll.Values.secrets.prometheus.admin }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + PROMETHEUS_ADMIN_USERNAME: {{ .Values.endpoints.monitoring.auth.admin.username | b64enc }} + PROMETHEUS_ADMIN_PASSWORD: {{ .Values.endpoints.monitoring.auth.admin.password | b64enc }} +{{- end }} diff --git a/prometheus/templates/service.yaml b/prometheus/templates/service.yaml index 5789727ee..97bdaa458 100644 --- a/prometheus/templates/service.yaml +++ b/prometheus/templates/service.yaml @@ -30,8 +30,8 @@ metadata: {{- end }} spec: ports: - - name: prom-metrics - port: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: http + port: {{ tuple "monitoring" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{ if .Values.network.prometheus.node_port.enabled }} nodePort: {{ .Values.network.prometheus.node_port.port }} {{ end }} diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml index 7c73cde47..c4feeaf5c 100644 --- a/prometheus/templates/statefulset.yaml +++ b/prometheus/templates/statefulset.yaml @@ -19,6 +19,7 @@ limitations under the License. {{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }} {{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }} +{{- $promUserSecret := .Values.secrets.prometheus.admin }} {{- $serviceAccountName := printf "%s-%s" .Release.Name "prometheus"}} {{ tuple $envAll "prometheus" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -106,6 +107,37 @@ spec: - name: storage mountPath: /var/lib/prometheus/data containers: + - name: apache-proxy +{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/apache.sh + - start + ports: + - name: http + containerPort: 80 + env: + - name: PROMETHEUS_PORT + value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} + - name: PROMETHEUS_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ $promUserSecret }} + key: PROMETHEUS_ADMIN_USERNAME + - name: PROMETHEUS_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $promUserSecret }} + key: PROMETHEUS_ADMIN_PASSWORD + volumeMounts: + - name: prometheus-bin + mountPath: /tmp/apache.sh + subPath: apache.sh + readOnly: true + - name: prometheus-etc + mountPath: /usr/local/apache2/conf/httpd.conf + subPath: httpd.conf + readOnly: true - name: prometheus {{ tuple $envAll "prometheus" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} @@ -150,6 +182,8 @@ spec: mountPath: /var/lib/prometheus/data {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }} volumes: + - name: pod-etc-apache + emptyDir: {} - name: etcprometheus emptyDir: {} - name: rulesprometheus diff --git a/prometheus/values.yaml b/prometheus/values.yaml index 61c62da7d..4b72af11b 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -19,6 +19,7 @@ images: tags: + apache_proxy: docker.io/httpd:2.4 prometheus: docker.io/prom/prometheus:v2.0.0 helm_tests: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 @@ -103,6 +104,10 @@ endpoints: monitoring: name: prometheus namespace: null + auth: + admin: + username: admin + password: changeme hosts: default: prom-metrics public: prometheus @@ -122,7 +127,8 @@ endpoints: port: api: default: 9090 - public: 80 + http: + default: 80 alerts: name: alertmanager namespace: null @@ -142,6 +148,22 @@ endpoints: public: 80 mesh: default: 6783 + ldap: + hosts: + default: ldap + auth: + admin: + bind: "cn=admin,dc=cluster,dc=local" + password: password + host_fqdn_override: + default: null + path: + default: "/ou=People,dc=cluster,dc=local" + scheme: + default: ldap + port: + ldap: + default: 389 dependencies: dynamic: @@ -184,6 +206,8 @@ secrets: monitoring: prometheus: public: prometheus-tls-public + prometheus: + admin: prometheus-admin-creds storage: enabled: true @@ -201,11 +225,203 @@ manifests: helm_tests: true job_image_repo_sync: true secret_ingress_tls: true + secret_prometheus: true service_ingress: true service: true statefulset_prometheus: true conf: + httpd: | + ServerRoot "/usr/local/apache2" + + Listen 80 + + LoadModule mpm_event_module modules/mod_mpm_event.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authn_core_module modules/mod_authn_core.so + LoadModule authz_host_module modules/mod_authz_host.so + LoadModule authz_groupfile_module modules/mod_authz_groupfile.so + LoadModule authz_user_module modules/mod_authz_user.so + LoadModule authz_core_module modules/mod_authz_core.so + LoadModule access_compat_module modules/mod_access_compat.so + LoadModule auth_basic_module modules/mod_auth_basic.so + LoadModule ldap_module modules/mod_ldap.so + LoadModule authnz_ldap_module modules/mod_authnz_ldap.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule proxy_html_module modules/mod_proxy_html.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_connect_module modules/mod_proxy_connect.so + LoadModule proxy_http_module modules/mod_proxy_http.so + LoadModule proxy_balancer_module modules/mod_proxy_balancer.so + LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + LoadModule slotmem_plain_module modules/mod_slotmem_plain.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + + + User daemon + Group daemon + + + + AllowOverride none + Require all denied + + + + Require all denied + + + ErrorLog /dev/stderr + + LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + CustomLog /dev/stdout common + + CustomLog /dev/stdout combined + + + + AllowOverride None + Options None + Require all granted + + + + RequestHeader unset Proxy early + + + + Include conf/extra/proxy-html.conf + + + + # Restrict general user (LDAP) access to the /graph endpoint, as general trusted + # users should only be able to query Prometheus for metrics and not have access + # to information like targets, configuration, flags or build info for Prometheus + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} + Require valid-user + + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/graph + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/graph + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} + Require valid-user + + # Restrict access to the /config (dashboard) and /api/v1/status/config (http) endpoints + # to the admin user + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/config + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/config + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/status/config + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/status/config + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + # Restrict access to the /flags (dashboard) and /api/v1/status/flags (http) endpoints + # to the admin user + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/flags + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/flags + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/status/flags + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/status/flags + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + # Restrict access to the /status (dashboard) endpoint to the admin user + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/status + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/status + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + # Restrict access to the /rules (dashboard) endpoint to the admin user + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/rules + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/rules + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + # Restrict access to the /targets (dashboard) and /api/v1/targets (http) endpoints + # to the admin user + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/targets + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/targets + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/targets + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/targets + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + # Restrict access to the /api/v1/admin/tsdb/ endpoints (http) to the admin user. + # These endpoints are disabled by default, but are included here to ensure only + # an admin user has access to these endpoints when enabled + + ProxyPass http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/admin/tsdb/ + ProxyPassReverse http://localhost:{{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/api/v1/admin/tsdb/ + AuthName "Prometheus" + AuthType Basic + AuthBasicProvider file + Require valid-user + + prometheus: # Consumed by a prometheus helper function to generate the command line flags # for configuring the prometheus service @@ -232,6 +448,57 @@ conf: scrape_interval: 60s evaluation_interval: 60s scrape_configs: + # NOTE(srwilkers): The job definition for Prometheus should always be + # listed first, so we can inject the basic auth username and password + # via the endpoints section + - job_name: 'prometheus-metrics' + kubernetes_sd_configs: + - role: endpoints + scrape_interval: 60s + relabel_configs: + - source_labels: + - __meta_kubernetes_service_name + action: keep + regex: "prom-metrics" + - source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + action: keep + regex: true + - source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + action: replace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + action: replace + target_label: instance + - source_labels: + - __meta_kubernetes_service_name + action: replace + target_label: kubernetes_name + - source_labels: + - __meta_kubernetes_service_name + target_label: job + replacement: ${1} - job_name: kubelet scheme: https # This TLS & bearer token file config is used to connect to the actual scrape @@ -424,7 +691,7 @@ conf: - source_labels: - __meta_kubernetes_service_name action: drop - regex: "openstack-metrics" + regex: '(openstack-metrics|prom-metrics)' - source_labels: - __meta_kubernetes_service_annotation_prometheus_io_scrape action: keep