Skip to content

/prometheus

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

password_file ignored in kubernetes_sd_configs #5210

Closed
drewboswell opened this Issue Feb 13, 2019 · 3 comments

Comments

Assignees
No one assigned
Labels
component/service discovery kind/bug
Projects
None yet
Milestone
No milestone
2 participants
@drewboswell @simonpasquier
@drewboswell
Copy link

drewboswell commented Feb 13, 2019

Bug Report

What did you do?
Attempted to use password_file in stead of plaintext password in kubernetes_sd_configs

What did you expect to see?
Authorized http calls

What did you see instead? Under which circumstances?
Unauthorized/401 codes thrown in response

In kubernetes_sd_configs only:

  • if I use password, authorized, it works
  • if I use password_file, unauthorized, it doesn't work
  • if I use password and password_file at the same time, no error thrown, but it works

it appears that the password_file variable is ignored completely

Environment

  • System information:
    Linux 4.15.0-45-generic x86_64

  • Prometheus version:
    prometheus, version 2.7.1 (branch: HEAD, revision: 62e591f)
    build user: root@f9f82868fc43
    build date: 20190131-11:16:59
    go version: go1.11.5

  • Prometheus configuration file:

# Global Prometheus Configuration
global:
  scrape_interval: 30s     # By default, scrape targets every 30 seconds.
  evaluation_interval: 30s # By default, scrape targets every 30 seconds.

scrape_configs:

- job_name: kubernetes-apiservers-pre
  kubernetes_sd_configs:
  - role: endpoints
    api_server: https://**********:443
    tls_config:
      insecure_skip_verify: true
    basic_auth:
      username: prometheus
      password_file: /var/run/secrets/prometheus/pre
  scheme: https
  tls_config:
    insecure_skip_verify: true
  basic_auth:
    username: prometheus
    password_file: /var/run/secrets/prometheus/pre
  relabel_configs:
  - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
    action: keep
    regex: default;kubernetes;https
  • Logs:
prometheus_1  | level=debug ts=2019-02-13T11:16:30.775409678Z caller=klog.go:70 component=k8s_client_runtime func=Infof msg="GET https://********:443/api/v1/endpoints?limit=500&resourceVersion=0 401 Unauthorized in 2 milliseconds"
prometheus_1  | level=error ts=2019-02-13T11:16:30.775560501Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:300: Failed to list *v1.Endpoints: Unauthorized"

@simonpasquier simonpasquier added kind/bug component/service discovery labels Feb 13, 2019

@simonpasquier simonpasquier referenced this issue Feb 13, 2019

Merged

discovery/kubernetes: fix support for password_file and bearer_token_file #5211

@simonpasquier

This comment has been minimized.

Sign in to view
Copy link
Member

simonpasquier commented Feb 13, 2019

Indeed... I've tested #5211 quickly and it seems to be ok but it would good if you could test it too.
@drewboswell

This comment has been minimized.

Sign in to view
Copy link
Author

drewboswell commented Feb 13, 2019

Wow that was fast, yes I just checkout out your pull request built it and it works like a charm. It also throws the usual errors if the file doesn't exist etc.

Thanks a bunch!
@drewboswell

This comment has been minimized.

Sign in to view
Copy link
Author

drewboswell commented Feb 14, 2019
edited

There is a problem when using the "bearer_token_file" within the kubernetes SD block but it is a different error that I get. #5221

@simonpasquier simonpasquier closed this in #5211 Feb 20, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.