Change kube-rbac-proxy authentication for UWM Prometheus #1411
7edb94a to 046e4d7
/retest-required
This PR is about switching kube-rbac-proxy to use TLS client certificates for authentication rather than removing prom-label-proxy?
The UWM Prometheus kube-rbac-proxy currently works with subject access reviews to verify whether the caller is allowed to access Prometheus endpoints. This commit changes the authentication method to a static one based on the CN in the certificate of the caller.
046e4d7 to 3ae5457
Ah correct, I mechanically added the same description as for #1406. /retitle Change kube-rbac-proxy authentication for UWM Prometheus
/lgtm
/retest-required Please review the full test history for this PR and help us cut down flakes.
/label px-approved No change from a user standpoint, it's only modifying the Prometheus configuration to use client TLS certificates instead of bearer token when scraping metrics from UWM Prometheus.
@juzhao I'll leave it to you whether you want to verify this PR or not. The e2e tests should already validate that the platform Prometheus can successfully scrape metrics from UWM Prometheus.
@simonpasquier @fpetkovski
@juzhao this is because the authorization mechanism has changed, we are now relying on TLS certificates instead of using the bearer token. Can you see UWM metrics and targets through the Prometheus UI?
thanks, we can see the UWM metrics from thanos-querier UI and targets could be found from Prometheus UI |
/label qe-approved
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: fpetkovski, juzhao, simonpasquier
The UWM Prometheus kube-rbac-proxy currently works with subject access
reviews to verify whether the caller is allowed to access Prometheus endpoints.
This commit changes the authentication method to a static one based on
the CN in the certificate of the caller.
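
The commit message contrasts a subject access review with a static decision keyed on the certificate CN. The sketch below shows the static side as an added example; it is not code from this PR or from kube-rbac-proxy. The rule type, function names, the CN `example-scraper`, the path `/metrics` and the host are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
)

type StaticRule struct{ User, Verb, Path string } // hypothetical allow-list entry

// userFromTLS returns the leaf CN only from a chain verified against the client CA.
func userFromTLS(cs *tls.ConnectionState) (string, bool) {
	if cs == nil || len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return "", false // plaintext, or a certificate that was presented but not verified
	}
	cn := cs.VerifiedChains[0][0].Subject.CommonName
	return cn, cn != ""
}

// Authorize decides locally from the static rules, with no API server call.
func Authorize(rules []StaticRule, r *http.Request) bool {
	user, ok := userFromTLS(r.TLS)
	if !ok {
		return false
	}
	for _, rule := range rules {
		if rule.User == user && rule.Verb == r.Method && rule.Path == r.URL.Path {
			return true
		}
	}
	return false
}

// fakeRequest builds a constructed request whose TLS state carries a leaf with cn.
func fakeRequest(method, path, cn string, verified bool) *http.Request {
	r, _ := http.NewRequest(method, "https://prometheus.example"+path, nil)
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}}
	if verified {
		r.TLS.VerifiedChains = [][]*x509.Certificate{{leaf}}
	}
	return r
}

func main() {
	rules := []StaticRule{{User: "example-scraper", Verb: "GET", Path: "/metrics"}}
	fmt.Println(Authorize(rules, fakeRequest("GET", "/metrics", "example-scraper", true)))
}
```

Because the decision depends only on the CN, the client CA that signs these certificates becomes the trust boundary: anyone able to obtain a certificate with an allowed CN from that CA is authorized.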