-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support basic_auth_users in web configuration for Prometheus and Alertmanager #4200
Comments
Currently the prometheus operator cannot configure basic auth for the prometheus HTTP endpoints. There are two options I see
|
Configuring at the ingress level will work for now but ideally a solution directly on prometheus would be ideal. NGINX does unblock me for this but if its possible to extend the prometheus object to include some form of basic auth (pulling the password from a secret) that would be great. The TLS side of things would again ideally be handled by an ingress as this is a common setup for most applications. Thanks for the help though, let me know if it would be possible to extend the specs to include |
We are always looking for contributors and if you are interested in implementing the feature, I'd be more than happy to help with reviewing PR and answering any questions you might have. As you indicated, we need to extend the web spec to accept basic auth configuration. There is already a |
Also related to #4274 |
This issue has been automatically marked as stale because it has not had any activity in the last 60 days. Thank you for your contributions. |
I am working on it. |
Fixes: prometheus-operator#4200 Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
Fixes: prometheus-operator#4200 Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
I am using |
@a0s If I am not mistaken, currently prometheus-operator don't support the mounting of a custom web-config. |
Any movement on this? I would like to be able to set basic_auth directly in prometheus. If there is no immediate plan to support |
@nbjohnson it should be possible to provide your own web config file via |
If I'm not wrong me and @ArthurSens last week went over an issue about basic auth and prometheus. |
prometheus/exporter-toolkit#151, someone is working hard on this 😄 |
I guess it makes sense you are waiting on the ability to exclude a health endpoint from the auth as that is the cleaner method, but I thought I saw it was possible to set |
I wouldn't set HTTP headers in the probe config because it would expose sensitive information in clear-text. Instead I agree that Prometheus should allow /-/ready and /-/healthy endpoints without authentication. |
dude,is there any progress on prometheus operator basic_auth? i saw you committed some code,was that workable for this issue? |
Hi @simonpasquier I tried to specify the above, but the operator fails to create a prometheus statefulset with the following error:
|
unfortunately not. |
What did you do?
Looked at previous issues but
basic-auth
flags a few but they all appear to be prometheus -> endpoint rather than say grafana -> prometheus.I'm looking to setup prometheus per cluster i have and then have a single grafana instance hit the prometheuses as seperate data-sources. In order for me to feel comfortable about exposing prometheus apis externally (even behind a whitelist) i would ideally configure basic-auth on prometheus itself. See https://prometheus.io/docs/guides/basic-auth/
Did you expect to see some different?
I was expecting to see something around setting a user/password combo or list of usernames passwords for an instance of prometheus.
Anything else we need to know?:
Documentation that states its possible to enable basic auth on prometheus itself (again not endpoints prometheus hits). https://prometheus.io/docs/guides/basic-auth/
I can also see in Grafana that it is possible to configure basic auth for the prometheus data source:
The text was updated successfully, but these errors were encountered: