Add `bearer_token_file` parameter to HTTP helper #7527

Merged
merged 7 commits into from Jul 12, 2018

@exekias
Member

commented Jul 6, 2018

This change allows loading bearer tokens from files in modules using the HTTP helper. This is especially useful for Kubernetes and Prometheus, as some deployments enforce SSL access (like OpenShift):

```
- module: kubernetes
  metricsets:
    - pod
  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  ssl.certificate_authorities:
    - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
```

Closes #7518

@exekias

Member Author

commented Jul 6, 2018

@vjsamuel, I think this should deprecate the kubernetes.token appender (in 7.0) in favor of this + config appender, anything against that?

exekias removed the in progress label Jul 6, 2018

@andrewkroh
Member

left a comment

Are these HTTP options documented in Asciidoc somewhere? It would be nice if we could point people to bearer_token_file on the website if needed.

@@ -7,3 +7,8 @@
#namespace: example
#username: "user"
#password: "secret"

# This can be used for service account based authorization:
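
Review bot: the new comment on the last line, "This can be used for service account based authorization:", sits directly under the username and password examples without saying how the token setting relates to them. Suggest stating that bearer_token_file is an alternative to basic auth and what is sent if both are configured, and noting that the file holds a credential and should be readable only by the user the Beat runs as.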

@andrewkroh

andrewkroh Jul 8, 2018

Member

I think it would be useful to say what it does. Something like

It reads the contents of the file once at initialization and then uses the value in an HTTP Authorization header.

@exekias

exekias Jul 9, 2018

Author Member

Makes sense, I updated docs to include this longer explanation
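
The behaviour described in the review comment above (token file read once at initialization, value sent in the HTTP Authorization header), as an added Go example that is not code from this pull request or the Beats repository. The names `loadBearerHeader`, `statusWith` and `demo`, the in-process handler and the token strings are constructed for illustration; the example also shows the consequence of reading once, namely that a token rotated on disk is not picked up.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// loadBearerHeader (hypothetical helper, not Beats code) turns a token file into a header value.
func loadBearerHeader(tokenFile string) (string, error) {
	raw, err := os.ReadFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("reading bearer token file: %w", err)
	}
	token := strings.TrimSpace(string(raw)) // mounted token files may end in a newline
	if token == "" {
		return "", fmt.Errorf("bearer token file %q is empty", tokenFile)
	}
	return "Bearer " + token, nil
}

// statusWith runs one request carrying the given Authorization value through h.
func statusWith(h http.Handler, header string) int {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.Header.Set("Authorization", header)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// demo returns the status before and after the file is rotated; api accepts only the file's current token.
func demo() (before, after int) {
	dir, _ := os.MkdirTemp("", "sa-token")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "token")
	os.WriteFile(path, []byte("constructed-token-A\n"), 0o600)
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if want, _ := loadBearerHeader(path); r.Header.Get("Authorization") != want {
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
	header, _ := loadBearerHeader(path) // read once, at initialization
	before = statusWith(api, header)
	os.WriteFile(path, []byte("constructed-token-B\n"), 0o600) // token rotated on disk
	return before, statusWith(api, header)                     // header is now stale
}
func main() { fmt.Println(demo()) }
```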

@ruflin

Collaborator

commented Jul 9, 2018

Needs a changelog entry?

@exekias

Member Author

commented Jul 9, 2018

Thanks for the reviews, I have added more docs & changelog entry

exekias force-pushed the exekias:bearer-token branch from b51b0c1 to 588dc72 Jul 9, 2018

@@ -0,0 +1,54 @@
package helper

@exekias

exekias Jul 9, 2018

Author Member

I realize now this is a new file without license headers, but CI is not complaining. Are we checking that somewhere @andrewkroh?

@ruflin

ruflin Jul 9, 2018

Collaborator

@exekias Was also looking into this this morning. We check but return 0 after the check. Not sure if that was on purpose (probably not).

@exekias

exekias Jul 9, 2018

Author Member

In the meanwhile, I've pushed the header to this file

@exekias

Member Author

commented Jul 9, 2018

Latest K8s version (1.11, just released) makes the safe port mandatory, so Metricbeat kubernetes module cannot work without this. I'm adding the needs_backport label here. I think it would be nice to have this in 6.3.2

@@ -41,7 +41,7 @@ type tokenAppender struct {
// NewTokenAppender creates a token appender that can append a bearer token required to authenticate with
// protected endpoints
func NewTokenAppender(cfg *common.Config) (autodiscover.Appender, error) {
cfgwarn.Beta("The token appender is beta")
cfgwarn.Deprecate("7.0.0", "token appender is deprecated in favor of bearer_token_file config parameter")
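
Review bot: on NewTokenAppender, the deprecation is announced only at runtime through cfgwarn.Deprecate, while the doc comment above the function still reads as a current API. Add a "Deprecated:" paragraph to that comment pointing at bearer_token_file so the notice also shows up in godoc and static checks. If the cfgwarn.Beta call on the preceding line stays, users will get a beta warning and a deprecation warning for the same appender, so consider keeping only one.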

@vjsamuel

vjsamuel Jul 9, 2018

Contributor

Do you suggest moving to config appender for use cases that require a bearer token then? I wouldn't do a blanket token path on all configs with the hints builder.

@exekias

exekias Jul 9, 2018

Author Member

Yeah, my thought was to use the config appender to set bearer_token_file wherever you were using the token appender before. No need to create new hints for this.
Would that work for you?

@vjsamuel

vjsamuel Jul 9, 2018

Contributor

I'm OK with that. We will do the needful once this is merged.

@@ -7,3 +7,8 @@
#namespace: example
#username: "user"
#password: "secret"

# This can be used for service account based authorization:

@ruflin

ruflin Jul 10, 2018

Collaborator

Should there also be an update to the reference config files? Also applies to the k8s one.

For the paths here for the prometheus config: Should we have k8s as default ones?

@exekias

exekias Jul 10, 2018

Author Member

I think Prometheus is mostly used in k8s scenarios, it should not harm other use cases anyway? I've pushed a commit to include it in

exekias force-pushed the exekias:bearer-token branch from 77938b7 to c126027 Jul 11, 2018

exekias added some commits Jul 6, 2018

Add `bearer_token_file` parameter to HTTP helper
This change allows loading bearer tokens from files in modules using
the HTTP helper. For instance:

```
- module: kubernetes
  metricsets:
    - pod
  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  ssl.certificate_authorities:
    - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
```

exekias force-pushed the exekias:bearer-token branch from c126027 to 0fb7af1 Jul 11, 2018

@ruflin

Collaborator

commented Jul 11, 2018

Seems like something in prometheus breaks the doc build :-(

@exekias

Member Author

commented Jul 11, 2018

ups, my bad, should be ok now, sorry

exekias force-pushed the exekias:bearer-token branch 2 times, most recently from 2c5c381 to bac35e7 Jul 11, 2018

exekias force-pushed the exekias:bearer-token branch from bac35e7 to 833d0a5 Jul 11, 2018

ruflin merged commit 1d3109f into elastic:master Jul 12, 2018

6 checks passed

CLA: Commit author is a member of Elasticsearch
Hound: No violations found. Woof!
beats-ci: Build finished.
codecov/patch: 75% of diff hit (target 64.69%)
codecov/project: Absolute coverage decreased by -0.02% but relative coverage increased by +10.3% compared to 4e34924
continuous-integration/travis-ci/pr: The Travis CI build passed

exekias added a commit to exekias/beats that referenced this pull request Jul 12, 2018

Add `bearer_token_file` parameter to HTTP helper (elastic#7527)

Closes elastic#7518

(cherry picked from commit 1d3109f)

exekias added v6.3.2 and removed needs_backport labels Jul 12, 2018

jsoriano added a commit that referenced this pull request Jul 12, 2018

Cherry-pick #7527 to 6.3: Add `bearer_token_file` parameter to HTTP helper (#7577)

* Add `bearer_token_file` parameter to HTTP helper (#7527)

Closes #7518

(cherry picked from commit 1d3109f)

* Update CHANGELOG.asciidoc

cwray added a commit to cwray/beats that referenced this pull request Jul 17, 2018

Add `bearer_token_file` parameter to HTTP helper (elastic#7527)

Closes elastic#7518