OpenCost with external Azure Managed Prometheus - Workload Identity #1990
Comments
Definitely a useful feature, we'd need someone using AKS to provide support for this.
@mattray we have just rolled out OpenCost in all our AKS clusters and would be more than happy to help out with this enhancement.
@v-esteves happy to review any PRs you have.
#2117 might be a start for this. Or at least related to workloadidentity
We are looking into OpenCost and would need OpenCost to support workload identity. I have included the issue / merge for workload identity for external-dns if this helps.
@dwbrown2 yes that looks relevant
any update on this?
should be fixed as of as part of #2363
Is your feature request related to a problem? Please describe.
We are starting to use OpenCost on Azure AKS and we want to avoid having Prometheus deployed on our clusters, and use a managed service for this.
Right now on OpenCost we have two options of authn/authz for external Prometheus: Basic Authentication and bearer token.
With a managed service, there isn't the option of basic auth, so we are stuck with bearer tokens. This isn't a good solution, since the tokens have a short lifetime and we would need to keep refreshing this value, and that isn't feasible.
Describe the solution you'd like
Ideally using Workload Identity in order to avoid having to manage secrets.
Describe alternatives you've considered
Using an SPN ClientId and ClientSecret, where OpenCost needs to support fetching and updating the token by itself, like it does for fetching the Azure Pricing Data.
While this solution is better than using bearer tokens, it also isn't ideal, since we would need to manage secrets for the SPN.
Additional context
AKS Workload Identity