AEROGEAR-1917 document how to give user permissions to access metrics #7
@finp I've changed the content of the doc to be about giving an OpenShift user access to the metrics service. Could you take a look again?
@finp any feedback on this PR?
provisioning of the metrics service. You can refer to the documentation for the proxy container link:https://github.com/openshift/oauth-proxy[here] for | ||
more detailed information on how the proxy can be configured. | ||
|
||
The configuration for the metrics service is made up of two parts: |
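Review bot: the link text in `link:https://github.com/openshift/oauth-proxy[here]` is only "here", which says nothing about the target when the link is read out of context; use descriptive text such as `link:https://github.com/openshift/oauth-proxy[OAuth proxy documentation]`. The final line announces "two parts" with a colon, so the list that follows it should name both parts in the same order as the sections that describe them.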
Is that the only configuration for metrics?
|
||
== OAuth proxy usage | ||
|
||
When the metrics service has been provisioned there will be a route for Grafana and a route for Prometheus. |
passive and future tense
|
||
== Introduction | ||
|
||
The metrics service creates routes to access Grafana and Prometheus. To protect these routes there is an OAuth reverse proxy sidecar container in front |
@StevenTobin I feel like we're missing a couple of scenarios here, e.g.
If you are ... you might want to protect these routes..
or
If you are ... you might not need to protect ...
== About OAuth proxy permissions | ||
The OAuth proxy, uses a Subject Access Review rule defined in the *deploymentConfig* resource to specify which permissions are required to access the protected | ||
routes. This rule is defined by the `openshift-sar` option. For the Prometheus service, the *deploymentConfig* resource in the metrics service default definition is: | ||
//need to follow up on this, would expect this to be output of `oc deploy prometheus` |
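Review bot: the sentence ending "the metrics service default definition is:" is followed in the lines shown here by a `//need to follow up on this` comment rather than the listing it introduces, so the reader never sees the actual `openshift-sar` value the section is about. Add the relevant excerpt of the *deploymentConfig* as a source block and resolve the follow-up comment before merging. The comma in "The OAuth proxy, uses" should also be removed.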
@StevenTobin this is a bit weird, ping me to discuss
The deploymentConfig for Grafana contains the same Subject Access Review rule for Grafana. | ||
To authenticate against the OAuth proxy, a user must have | ||
sufficient permissions to update the *deploymentConfig* resource named `prometheus` in the current Openshift namespace. | ||
The *deploymentConfig* resource for Grafana contains the same Subject Access Review rule for the resource named `grafana`. |
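Review bot: the requirement "sufficient permissions to update the *deploymentConfig* resource named `prometheus`" means every user who is allowed to view the metrics can also modify that deployment, and the text leaves this consequence unstated. Say so explicitly, so an administrator understands that granting metrics access also grants write access to the deploymentConfig, and, if no later section covers it, show how the permission is granted, since that is what the PR title promises. "Openshift" should be "OpenShift", and the two Grafana sentences in this hunk say the same thing, so only one should remain.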
@StevenTobin not sure about the end of this sentence
Adding documentation explaining how the metrics OAuth proxy is configured.