
Support path exclusion from basic authentication

Open heylongdacoder opened this issue 3 years ago • 10 comments

Fixes: https://github.com/prometheus/prometheus/issues/9166

Signed-off-by: heylongdacoder [email protected]

heylongdacoder avatar Aug 13 '22 07:08 heylongdacoder

This PR is based on some of the comments from https://github.com/prometheus/exporter-toolkit/pull/70

heylongdacoder avatar Aug 13 '22 07:08 heylongdacoder

Can we make the parameter more generic and also skip TLS cert validation?

roidelapluie avatar Sep 14 '22 09:09 roidelapluie

@roidelapluie hello, I got two questions:

  1. May I know what you mean by making the parameter more generic?
  2. Regarding skipping TLS cert validation, do you mean when a user configures client_auth_type as RequireAndVerifyClientCert, but wants the Prometheus server to skip the TLS client cert validation only for certain endpoints?

Thanks in advance. :D

heylongdacoder avatar Sep 19 '22 16:09 heylongdacoder

The use case for this is that you can serve /-/health without TLS authentication but the rest with authentication because kube probes do not support certs

roidelapluie avatar Oct 18 '22 10:10 roidelapluie

This needs a rebase.

SuperQ avatar Oct 19 '22 06:10 SuperQ

The use case for this is that you can serve /-/health without TLS authentication but the rest with authentication because kube probes do not support certs

Got it! Let me check how to do this. Thanks :D

heylongdacoder avatar Oct 19 '22 07:10 heylongdacoder

Any chance to get this merged?

Or, maybe, someone can recommend workarounds for keeping health checks working with mTLS/auth added to Prometheus and/or some sensitive exporters?

Even switching health checks to exec of a custom wget or curl is not possible in a straightforward way, since wget in busybox-based images is not able to handle client certs, while curl is missing entirely (this approach also potentially may spawn zombie processes within containers).

SiiiiiiD avatar Dec 12 '22 04:12 SiiiiiiD

@roidelapluie @SuperQ are you accepting contributions for this issue? Seems like this particular PR lost traction.

rzetelskik avatar Mar 29 '23 13:03 rzetelskik

To follow up, I'm particularly interested in being able to skip mTLS for /-/healthy and /-/ready endpoints with "RequireAndVerifyClientCert" due to kubelet probes not supporting certificates (see comments above and https://github.com/prometheus-operator/prometheus-operator/issues/5419). I'd be happy to contribute that part. @roidelapluie did you guys put any thought into how you'd want this implemented?

rzetelskik avatar Mar 30 '23 14:03 rzetelskik
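The pattern the thread is asking for, in both its basic-auth form (this PR) and the mTLS form requested for /-/healthy and /-/ready above, is a per-path exemption evaluated before any credential check. The following is an added example illustrating one way to do that in Go; it is not exporter-toolkit's code and none of its names (AuthGate, Decide, ServerTLSConfig) are exporter-toolkit configuration or API. Passwords are plaintext and the listen address is a constructed value purely to keep the example short. The mTLS part relies on a detail the thread touches on: with tls.RequireAndVerifyClientCert the handshake fails before the server knows which path is requested, so the server must instead use tls.RequestClientCert and verify the presented certificate itself for non-excluded paths.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
)

// AuthGate guards an exporter's handlers with basic auth and/or client
// certificate verification, except for the exact paths listed in Excluded.
// Hypothetical type for this example; not exporter-toolkit's config.
type AuthGate struct {
	Excluded  map[string]bool   // exact request paths that bypass all checks
	Users     map[string]string // username -> password (plaintext only to keep the example short)
	ClientCAs *x509.CertPool    // when non-nil, a client cert chaining to these CAs is required
}

// ServerTLSConfig asks for, but does not demand, a client certificate during
// the handshake. Verification is deferred to Decide so it can be skipped per
// path; with tls.RequireAndVerifyClientCert the handshake itself would fail
// for a probe before the server knows which path is being requested.
func (g AuthGate) ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequestClientCert,
		ClientCAs:    g.ClientCAs,
		MinVersion:   tls.VersionTLS12,
	}
}

// clientCertOK verifies the presented leaf against pool for client auth.
func clientCertOK(cs *tls.ConnectionState, pool *x509.CertPool) bool {
	if cs == nil || len(cs.PeerCertificates) == 0 {
		return false
	}
	inter := x509.NewCertPool()
	for _, c := range cs.PeerCertificates[1:] {
		inter.AddCert(c)
	}
	_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
		Roots:         pool,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// basicAuthOK checks the Authorization header with a constant-time
// password comparison; unknown users are rejected after the comparison.
func basicAuthOK(r *http.Request, users map[string]string) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	want, known := users[user]
	eq := subtle.ConstantTimeCompare([]byte(pass), []byte(want)) == 1
	return known && eq
}

// Decide returns 200 if r may proceed and 401 otherwise. The exclusion check
// is an exact match on r.URL.Path, so "/-/healthy/../metrics" is not excluded
// and falls through to the credential checks (fails closed).
func (g AuthGate) Decide(r *http.Request) int {
	if g.Excluded[r.URL.Path] {
		return http.StatusOK
	}
	if g.ClientCAs != nil && !clientCertOK(r.TLS, g.ClientCAs) {
		return http.StatusUnauthorized
	}
	if len(g.Users) > 0 && !basicAuthOK(r, g.Users) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// Wrap returns next guarded by the gate.
func (g AuthGate) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if g.Decide(r) != http.StatusOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="exporter"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	gate := AuthGate{
		Excluded: map[string]bool{"/-/healthy": true, "/-/ready": true},
		Users:    map[string]string{"prom": "constructed-example-password"},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/-/healthy", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("# metrics\n")) })
	// For mTLS, set gate.ClientCAs and pass gate.ServerTLSConfig(cert) to an http.Server.
	log.Fatal(http.ListenAndServe("127.0.0.1:9100", gate.Wrap(mux)))
}
```

Two design choices matter for safety here: the exclusion list is matched exactly against the request path, so any path that merely starts with an excluded prefix still has to authenticate, and when ClientCAs is set a correct password alone is not enough, so the exemption never widens what basic auth already allowed.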

skip TLS for /-/healthy and /-/ready endpoints with "RequireAndVerifyClientCert"

Hi @rzetelskik, as you may know, this is the part that is missing in my PR. I have gone through the HTTP server code a bit regarding this but have no idea how to implement it at this moment. And currently I am busy with my personal life. Please feel free to take this issue 😄

heylongdacoder avatar Apr 12 '23 13:04 heylongdacoder