Allow access to Prometheus/Thanos-Querier in OpenShift via SA token
Describe the bug
Hi, we are using OpenShift 4, and its integration with Prometheus/Thanos-Querier uses the OAuth header "Authorization: Bearer token", where the token belongs to a ServiceAccount that has the OpenShift ClusterRole "cluster-monitoring-view" granted. Without this header Flagger cannot access Prometheus/Thanos-Querier.
To Reproduce
Expected behavior
1 - The quickest solution (I don't know if it is the best one) would be to always add the header "Authorization: Bearer token", using as token the content of "/var/run/secrets/kubernetes.io/serviceaccount/token", in RunQuery:
```go
if p.username != "" && p.password != "" {
	req.SetBasicAuth(p.username, p.password)
}
// Always add the header here, regardless of whether this is OpenShift or
// whether authentication is wanted at all; token is the content of
// /var/run/secrets/kubernetes.io/serviceaccount/token.
req.Header.Set("Authorization", "Bearer "+token)
```
2 - Another alternative would be to add a bearer_token field to the secret for the Prometheus authentication, in addition to username and password. In NewPrometheusProvider, accept as valid either all three values, or just username/password, or just bearer_token:
```go
type PrometheusProvider struct {
	timeout      time.Duration
	url          url.URL
	username     string
	password     string
	bearer_token string
	client       *http.Client
}
```
In RunQuery:
```go
if p.username != "" && p.password != "" {
	req.SetBasicAuth(p.username, p.password)
}
if p.bearer_token != "" {
	// add the header here
	req.Header.Set("Authorization", "Bearer "+p.bearer_token)
}
```
In both cases, the OpenShift ClusterRole "cluster-monitoring-view" must be assigned to the ServiceAccount used (usually flagger).
Additional context
- Flagger version: 1.16.0
- Kubernetes version: OpenShift 4.8/K8s 1.21
- Service Mesh provider: Kubernetes (Blue/Green L4)
- Ingress provider:
```shell
helm upgrade -i flagger flagger/flagger --namespace flagger \
  --set prometheus.install=false \
  --set meshProvider=kubernetes \
  --set metricsServer=https://prometheus-k8s.openshift-monitoring.svc:9091 \
  --set securityContext.enabled=false
```