[VPA] Add prometheus bearer auth support #8263
Conversation
k8s-ci-robot
added
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: yalosev The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @yalosev. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
area/vertical-pod-autoscaler
size/L
yalosev
force-pushed
the
feature/prometheus-bearer
branch
from
ea4d11f to
751c5b9
Compare
Signed-off-by: Yuriy Losev <[email protected]>
yalosev
force-pushed
the
feature/prometheus-bearer
branch
from
05c38de to
ef07fa1
Compare
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| bearerToken = flag.String("bearer-token", "", "The bearer token used in the Prometheus server bearer token auth") | ||
| bearerTokenFile = flag.String("bearer-token-file", "", "Path to the bearer token file used for authentication by the Prometheus server") |
There was a problem hiding this comment.
Could these both be prepended with prometheus?
That way all the Prometheus options are bundled together when sorted alphabetically
There was a problem hiding this comment.
Yes, sure. Changed.
I'm actually was surprised that not all prometheus options have this prefix. For example username / password are not linked with prometheus at all, as well as all -label options
Signed-off-by: Yuriy Losev <[email protected]>
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
| rt = http.DefaultTransport | ||
| } | ||
|
|
||
| // Clone the request to avoid modifying the original |
There was a problem hiding this comment.
This comment says what the code is doing, but not why the code is doing it. Could you add a comment linking to the best practise?
There was a problem hiding this comment.
Well, it's a good point. It's more a self-control comment that I didn't remove. The main link is in the Golang source code. Also we have an example in the ReverseProxy.
I have changed the comment, is it ok for you?
While this code likely won’t cause undefined behavior now, I think we can avoid keeping it in such a risky state for future modifications.
There was a problem hiding this comment.
That new comment is great, thank you!
It's the kind of thing that I imagine someone may come refactor later, and decide to remove. The new comment will at least give them the context to know why it's like that (if they didn't know before hand).
vertical-pod-autoscaler/pkg/recommender/input/history/history_provider_test.go
Outdated
Show resolved
Hide resolved
| bearerToken = flag.String("prometheus-bearer-token", "", "The bearer token used in the Prometheus server bearer token auth") | ||
| bearerTokenFile = flag.String("prometheus-bearer-token-file", "", "Path to the bearer token file used for authentication by the Prometheus server") |
There was a problem hiding this comment.
More nits: can the variable also start with prometheus? In case we need a bearer token and bearer token file in the future for other purposes.
…provider_test.go Co-authored-by: Adrian Moisey <[email protected]>
Co-authored-by: Adrian Moisey <[email protected]>
Signed-off-by: Yuriy Losev <[email protected]>
There was a problem hiding this comment.
Could you add another test that specifies the token and a username/password, and verifies that the bearer token is used?
There was a problem hiding this comment.
I think it's fine as is. I figured the test was worth adding to ensure that the behaviour doesn't change over time.
Signed-off-by: Yuriy Losev <[email protected]>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds several flags for the Prometheus historical provider:
prometheus-insecure– Skip TLS verification. Prometheus may use a TLS certificate, and accessing it over https:// could result in an unknown CA certificate error if the certificate is self-signed or untrusted.prometheus-bearer-token– Use a bearer token for authentication.prometheus-bearer-token-file– Read the bearer token from a file. This is useful when using kube-rbac-proxy and a service account token is mounted into the pod.Bearer token authentication and basic authentication are mutually exclusive, as both use the Authorization header. Only one of the following combinations should be set: username + password, bearer-token, or bearer-token-file.
Additionally, the authentication middleware logic was updated to follow best practices by cloning the request rather than modifying the original one.
Which issue(s) this PR fixes:
Fixes N/A
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: