AWS/EKS: Support for IAM authentication #326
Comments
Closes prometheus-community#326 as it provides a viable solution to use a K8S init container to fully construct the PostgreSQL URI and 'hand it over' to the postgres_exporter process.
Closes #326 as it provides a viable solution to use a K8S init container to fully construct the PostgreSQL URI and 'hand it over' to the postgres_exporter process.
Closes prometheus-community#326 as it provides a viable solution to use a K8S init container to fully construct the PostgreSQL URI and 'hand it over' to the postgres_exporter process. (cherry picked from commit 9b13f5e)
@headcr4sh Your PR is great but I'm wondering how you are triggering a token update every 15 minutes since the password expires every 15?
@robbiet480 Unfortunately, I was not able to solve any further issues with the postgres_exporter in conjunction with EKS and IAM-based So... I was not able to trigger the token update. :-( (Using the postgres_exporter was just a proof-of-concept and I did not proceed any further, unfortunately...)
I am trying to connect a postgres_exporter instance running on AWS EKS (managed Kubernetes platform) to a managed AWS/RDS instance using IAM authentication methods as described here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html
My attempt to use an initContainer to obtain the access token (which is valid for a limited period of time only) works just fine:
As you might see, the initContainer writes an RDS connection string into a file which I put onto a shared volume (tmpDir) that is accessible from the main container (postgres-exporter). Now comes the tricky part: This connection string contains the full postgresql connection string. Example (credentials obfuscated):
Unfortunately, it is not possible to use that string when using the official Docker image of the postgres_exporter, because there is no way to construct the DATA_SOURCE_URI environment variable from a file like that. Overriding the container's entrypoint would be an option:
But right now it is not an option, since the container does not contain a shell (which is actually a good thing when considering best container security practices, I assume).
... any help/ideas appreciated.
PS: After having thought about it for quite some time, I suppose a DATA_SOURCE_URI_FILE environment variable might solve all my issues. Would that make for an acceptable PR?
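A sketch of the DATA_SOURCE_URI_FILE idea from the PS above, added here as an example; it is not part of the original issue and not postgres_exporter's own code. The function names `resolveDSN` and `redact`, the precedence of the file over the environment variable, the file-permission check and the log redaction are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// resolveDSN lets the file named by DATA_SOURCE_URI_FILE (variable proposed in
// the issue; semantics assumed here) take precedence over DATA_SOURCE_URI.
func resolveDSN(getenv func(string) string) (string, error) {
	dsn := getenv("DATA_SOURCE_URI") // fallback when no file is configured
	if path := getenv("DATA_SOURCE_URI_FILE"); path != "" {
		info, err := os.Stat(path)
		if err != nil {
			return "", err
		}
		if info.Mode().Perm()&0o004 != 0 { // credential file readable by "other"
			return "", fmt.Errorf("%s is world-readable (%v)", path, info.Mode().Perm())
		}
		raw, err := os.ReadFile(path)
		if err != nil {
			return "", err
		}
		dsn = strings.TrimSpace(string(raw)) // shell redirects add a newline
	}
	if dsn == "" {
		return "", fmt.Errorf("no connection string in DATA_SOURCE_URI_FILE or DATA_SOURCE_URI")
	}
	return dsn, nil
}

// redact replaces the password (here: the IAM token) so the DSN can be logged.
func redact(dsn string) string {
	u, err := url.Parse(dsn)
	if err != nil || u.User == nil {
		return "<redacted: not a URL with userinfo>"
	}
	u.User = url.UserPassword(u.User.Username(), "REDACTED")
	return u.String()
}

func main() {
	dsn, err := resolveDSN(os.Getenv)
	if err != nil {
		panic(err)
	}
	fmt.Println("using", redact(dsn))
}
```

Because `resolveDSN` reads the file on every call, calling it before each new connection picks up a token that something else has rewritten in the meantime; the sketch itself does no refreshing.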