k8s-sidecar
Separate auth for REQ_URL and *.url
Issue abstract
Right now REQ_USERNAME and REQ_PASSWORD are used for authenticating for both the REQ_URL and any configmaps/secrets with a *.url key. I believe it would be good for these to be handled separately.
Our setup
We are using this from the grafana helm chart. With auth turned on on grafana, we need to supply auth in order to hit the reload API on grafana for the different resources, and so we set REQ_USERNAME and REQ_PASSWORD.
We do however also download dashboards from grafana.com, e.g. https://grafana.com/api/dashboards/13329/revisions/latest/download, using the *.url notation. As of right now this will use the same configured auth, REQ_USERNAME and REQ_PASSWORD, as is used to hit the grafana reload API. Since these are local accounts on our own self-hosted instances, this will not work.
Example solution
I think omitting auth by default for *.url and since secrets are an option to use, and basic auth is used, setting them in the value of the *.url, e.g. username:[email protected]/api/dashboards/13329/revisions/latest/download, would solve this issue.
Example request log:
{"time": "2023-06-19T10:01:40.386431+00:00", "msg": "GET request sent to https://grafana.com/api/dashboards/13329/revisions/latest/download. Response: 401 Unauthorized {\n \"code\": \"InvalidCredentials\",\n \"message\": \"Invalid password\",\n \"requestId\": \"7ea4528f-e2b9-4279-a523-53a0bcf2acbb\"\n}", "level": "DEBUG"}
I'm hitting a similar issue after testing an upgrade of Kube-Prometheus-Stack. I now can't pull from my public repositories using BitBucket as it's trying to supply auth creds during the pull.
Looking at the Grafana Helm chart, it appears this commit breaks the ability to use *.url notation as it will always set the REQ_USERNAME and REQ_PASSWORD env variables. This in turn triggers the fetch to use authorization, which breaks pulling from some sources.
https://github.com/grafana/helm-charts/commit/3bcfc47221007e5f7f53830eec17c66d97fcd62f
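The separation proposed in this issue, sketched as an added example (not k8s-sidecar's code; the function names and sample values are hypothetical): REQ_USERNAME and REQ_PASSWORD are attached only to the REQ_URL reload call, while a *.url download uses credentials embedded in its own URL or none at all. Stripping the userinfo before the request also keeps the secret out of log lines like the one quoted in the issue.

```python
# Added example, not k8s-sidecar code. Function names are hypothetical.
from urllib.parse import urlsplit, urlunsplit, unquote


def split_url_credentials(url):
    """Return (url_without_userinfo, auth) for a *.url value.

    auth is (username, password) when the URL carries userinfo, else None,
    so nothing is sent to hosts that were not given credentials explicitly.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Rebuild the netloc without "user:pass@" so the secret is never logged.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit(
        (parts.scheme, host, parts.path, parts.query, parts.fragment)
    )
    # Userinfo is percent-encoded inside a URL; decode it for basic auth.
    return clean, (unquote(parts.username), unquote(parts.password or ""))


def auth_for_request(url, is_reload_call, env):
    """Pick credentials for one outgoing request.

    REQ_USERNAME / REQ_PASSWORD apply only to the REQ_URL reload call;
    *.url downloads use the URL's own userinfo or no auth at all.
    """
    if is_reload_call:
        user, password = env.get("REQ_USERNAME"), env.get("REQ_PASSWORD")
        return url, ((user, password) if user and password else None)
    return split_url_credentials(url)
```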