Custom HTTP headers when connecting to Prometheus #4323
Comments
Hi @libesz, thanks for creating the issue. I think this is a reasonable enhancement and am adding to the backlog.
Thanks @jshaughn. Our team might offer some help with the actual contribution in the coming months if you need it.
@libesz If you'd like to see it sooner than later please feel free to submit a PR and we will be more than happy to review/guide the submission. Just let us know if you are starting so that we don't also start at some point.
Since this requires adding new configuration settings to the server, this checklist will help tell you what needs to be done to add the new config - https://github.com/kiali/kiali-operator/blob/master/DEVELOPING.adoc#are-you-altering-a-kiali-server-configuration-setting
Okay, sure! It is unlikely that we will have any free cycles in 1-2 months, but whenever we get there, I will get back to you.
@libesz I'm going to take a stab at this. Can you confirm if this is what you would need? This is a snippet of the Kiali CR with the new setting:
I place them under the |
@jmazzitelli thanks for taking a look! Let me discuss the proposal within our team in the coming days. Meanwhile... for our particular use-case these are indeed auth related headers only, though not really any secret as far as I can tell (i.e. instance ID is not very sensitive). I think other people might have other use-cases outside of auth, so probably having it as generic header section makes more sense.
side note: this also makes sure the prom config is the same for custom_dashboards.prometheus since that follows the identical config schema as the external_services.prometheus config. part of: kiali/kiali#4323
draft operator PR adds the following:
@jmazzitelli Sounds good, thanks! We are more than happy to test this change whenever it becomes available.
I'll be working in this draft server-side PR: #4350
@libesz can you test this out and see how it works for you? Here's a quick way to install the Kiali Operator (and a Kiali CR) via helm - you can add your own
@jmazzitelli quick update from my side. FYI I am trying to use this change along with some other extraordinary things:
Anyways, once every configuration (i.e. prometheus and remote K8S API) seems to be in place, I run into the following crash:
If I am not mistaken, it is here.
Ignore that seg fault - see this for the bug and workaround. We might ship a patch release/fix for this (1.40.1) - haven't decided yet. #4351 Just shut down your Kiali UI browser tabs when you restart a kiali pod. How the custom headers are working is the important question. UPDATE: 1.40.1 patch release has just been published. That segfault should not happen anymore.
I don't have anything special set up (so these headers are essentially a no-op) but here's what Kiali's HTTP request looks like when passing in custom headers to the Prometheus endpoint:
Kiali CR snippet:
HTTP request that the internal client sends to prometheus:
I will assume case does not matter (looks like the client library is modifying the header names to just be capitalized). Other than that, the custom headers are being sent over the wire to Prometheus.
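The mechanism discussed in this thread, as an added example that is not Kiali's code and not taken from the issue: a Go `http.RoundTripper` that injects configured headers into each request to a Prometheus endpoint, exercised against a local test server. The type `headerTransport`, the function `queryWithHeaders` and the header names and values are hypothetical and constructed for illustration. It also shows the capitalization seen above, which comes from `http.Header.Set` canonicalizing header names; HTTP header field names are case-insensitive.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// headerTransport is a hypothetical RoundTripper (not Kiali's code) that adds
// operator-configured headers to every request sent to the Prometheus API.
type headerTransport struct {
	base    http.RoundTripper
	headers map[string]string
}

func (t *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// RoundTrippers must not modify the caller's request, so work on a clone.
	r := req.Clone(req.Context())
	for name, value := range t.headers {
		// Set canonicalizes the name (customheader1 -> Customheader1) and
		// replaces any existing value instead of appending a duplicate.
		r.Header.Set(name, value)
	}
	return t.base.RoundTrip(r)
}

// queryWithHeaders sends one request through headerTransport to a local test
// server standing in for Prometheus and returns the headers the server saw.
func queryWithHeaders(headers map[string]string) (http.Header, error) {
	seen := make(chan http.Header, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
		fmt.Fprint(w, `{"status":"success"}`)
	}))
	defer srv.Close()
	client := &http.Client{Transport: &headerTransport{base: http.DefaultTransport, headers: headers}}
	resp, err := client.Get(srv.URL + "/api/v1/query?query=up")
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	// Constructed sample values; the header name is a placeholder.
	seen, err := queryWithHeaders(map[string]string{"x-instance-id": "constructed-id-123"})
	fmt.Println(seen.Get("X-Instance-Id"), err)
}
```

Because these headers can carry credentials, a wrapper like this is also the natural place to make sure their values are kept out of request logs.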
Thanks for the update. I was also able to set up my kiali instance, just stuck with the actual (relevant) metrics push to my monitoring backend from the proxies. Will get back to you once I got working graphs within Kiali.
Another update: I am now having a working graph with live data. We can consider the custom_header changes as working. Thanks @jmazzitelli 👍
I once asked about this topic on Slack and was told that this is not yet supported and it is better to open an issue for further consideration. So here it is 😄
Is your feature request related to a problem? Please describe.
There are certain managed public cloud offerings where a multi-tenant monitoring endpoint is a standard Prometheus API, but the client authentication is not a standard bearer token or basic authentication based solution. In the environment where I would like to operate Kiali, the Prometheus API requires custom HTTP headers to authenticate the client.
Describe the solution you'd like
A generic new feature for Kiali would be to add custom HTTP header options for the Prometheus configuration. Basically a new string list could be added to here: https://github.com/kiali/kiali-operator/blob/76242369299c35db350119516c6db6fd87f47822/deploy/kiali/kiali_cr.yaml#L551
This then would be consumed by the actual HTTP client which is connecting to the Prometheus API. Whenever the extra headers are to be changed/renewed, it would be out of scope of Kiali. External automation would take care of the reconfiguration and restart of the Kiali instance.
Describe alternatives you've considered
Some transparent or non-transparent HTTP proxy could be employed in the same cluster to add the extra headers. The downside is that it requires an extra dedicated component (with all the security considerations of it) just for the proper Kiali operation.
Additional context
IBM Cloud monitoring documentation, which explains the usage of the custom HTTP headers for its Prometheus API. It basically requires an instance ID reference to be set in the queries.
https://cloud.ibm.com/docs/monitoring?topic=monitoring-metrics_api#metrics_api-curl