Skip to content

k8spin/prometheus-multi-tenant-proxy

master
Switch branches/tags
Code

Prometheus — Multi-tenant proxy

Build Status License: GPL v3

Twitter Join the chat at https://slack.kubernetes.io


This project aims to make it easy to deploy a Prometheus Server in a multi-tenant way.

This project has some reference from the prometheus label injector

The proxy enforces the namespace label in a given PromQL query while providing a basic auth layer.

What is it?

It is a simple golang proxy. It does basic auth, logs the requests, and serves as a Prometheus reverse proxy.

Actually, Prometheus does not check the auth of any request. By itself, it does not provide any multi-tenant mechanism. So, if you have untrusted tenants, you have to ensure a tenant uses its labels and does not use any other tenants' value.

Requirements

To use this project, place the proxy in front of your Prometheus server instance, configure the auth proxy configuration and run it.

Run it

$ prometheus-multi-tenant-proxy run --prometheus-endpoint http://localhost:9090 --port 9091 --auth-config ./my-auth-config.yaml

Where:

  • --port: Port used to expose this proxy.
  • --prometheus-endpoint: URL of your Prometheus instance.
  • --auth-config: Authentication configuration file path.

Configure the proxy

The auth configuration is straightforward. Just create a YAML file my-auth-config.yaml with the following structure:

// Authn Contains a list of users
type Authn struct {
	Users []User `yaml:"users"`
}

// User Identifies a user including the tenant
type User struct {
	Username  string `yaml:"username"`
	Password  string `yaml:"password"`
	Namespace string `yaml:"namespace"`
}

An example is available at configs/multiple.user.yaml file:

users:
  - username: User-a
    password: pass-a
    namespace: tenant-a
  - username: User-b
    password: pass-b
    namespace: tenant-b

A tenant can contain multiple users. But a user is tied to a simple tenant.

Build it

If you want to build it from this repository, follow the instructions bellow:

$ docker run -it --entrypoint /bin/bash --rm golang:1.15.8-buster
root@6985c5523ed0:/go# git clone https://github.com/k8spin/prometheus-multi-tenant-proxy.git
Cloning into 'prometheus-multi-tenant-proxy'...
remote: Enumerating objects: 96, done.
remote: Counting objects: 100% (96/96), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 96 (delta 31), reused 87 (delta 22), pack-reused 0
Unpacking objects: 100% (96/96), done.
root@6985c5523ed0:/go# cd prometheus-multi-tenant-proxy/cmd/prometheus-multi-tenant-proxy/
root@6985c5523ed0:/go# go build
go: downloading github.com/urfave/cli/v2 v2.3.0
go: downloading github.com/prometheus-community/prom-label-proxy v0.3.0
go: downloading github.com/prometheus/prometheus v1.8.2-0.20210811141203-dcb07e8eac34
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/efficientgo/tools/core v0.0.0-20210201224146-3d78f4d30648
go: downloading github.com/go-openapi/runtime v0.19.28
go: downloading github.com/go-openapi/strfmt v0.20.1
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/prometheus/alertmanager v0.22.2
go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.0
go: downloading github.com/cespare/xxhash/v2 v2.1.1
go: downloading github.com/prometheus/common v0.30.0
go: downloading github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef
go: downloading github.com/go-openapi/errors v0.20.0
go: downloading github.com/mitchellh/mapstructure v1.4.1
go: downloading github.com/oklog/ulid v1.3.1
go: downloading go.mongodb.org/mongo-driver v1.5.1
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading github.com/go-openapi/swag v0.19.15
go: downloading github.com/go-openapi/validate v0.20.2
go: downloading github.com/russross/blackfriday/v2 v2.0.1
go: downloading github.com/go-kit/log v0.1.0
go: downloading github.com/go-openapi/analysis v0.20.0
go: downloading github.com/go-openapi/loads v0.20.2
go: downloading github.com/go-openapi/spec v0.20.3
go: downloading github.com/mailru/easyjson v0.7.6
go: downloading github.com/shurcooL/sanitized_anchor_name v1.0.0
go: downloading github.com/go-logfmt/logfmt v0.5.0
go: downloading go.uber.org/atomic v1.9.0
go: downloading github.com/go-openapi/jsonpointer v0.19.5
go: downloading github.com/go-stack/stack v1.8.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
go: downloading github.com/go-openapi/jsonreference v0.19.5
go: downloading github.com/PuerkitoBio/purell v1.1.1
go: downloading github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
go: downloading golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985
go: downloading golang.org/x/text v0.3.6
root@6985c5523ed0:/go# ./prometheus-multi-tenant-proxy
NAME:
   Prometheus multi-tenant proxy - Makes your Prometheus server multi tenant

USAGE:
   prometheus-multi-tenant-proxy [global options] command [command options] [arguments...]

VERSION:
   dev

AUTHORS:
   Angel Barrera <angel@k8spin.cloud>
   Pau Rosello <pau@k8spin.cloud>

COMMANDS:
   run      Runs the Prometheus multi-tenant proxy
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help (default: false)
   --version, -v  print the version (default: false)

Build the container image

If you want to build a container image with this proxy, run:

$ docker build -t prometheus-multi-tenant-proxy:local -f build/package/Dockerfile .

After built, just run it:

$ docker run --rm prometheus-multi-tenant-proxy:local

Using this project at work or in production?

See ADOPTERS.md for what companies are doing with this project today.

License

The scripts and documentation in this project are released under the GNU GPLv3