feat(prometheus): Support all Prometheus parameters #77

Merged on Jan 12, 2024 (7 commits)

@jsirianni (Member) commented Jan 12, 2024

Description of Changes

Added support for

  • Query Path Prefix
  • Remote Write Host, port, and path (endpoint)
  • Auth
  • TLS

Testing

Prometheus

I followed our Prometheus Installation documentation when building my Prometheus test system.

Chart deployed from the branch with:

helm template \
  --namespace default \
  --values values.yaml \
  bindplane \
  charts/bindplane | kubectl apply -f - 

Port forwarding was used to connect to the UI on port 3011.

kubectl port-forward pod/bindplane-0 3011:3001

Tested by ensuring topology view has active measurements.

Default Prometheus Install

config:
  username: bpuser
  password: bppass
  secret_key: 12D8FB6E-1532-4A4C-97AF-95A430BE5E6E
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
prometheus:
  enable: true
  host: prometheus-tls.c.bpcli-dev.internal
dev:
  collector:
    create: true

Basic Auth

Web.yaml config

basic_auth_users:
  admin: $2b$12$maOicLymWgsIQleRCm604ePbaaavp9cKj3bJUg0IrcVXCHB3terLa

config:
  username: bpuser
  password: bppass
  secret_key: 12D8FB6E-1532-4A4C-97AF-95A430BE5E6E
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
prometheus:
  enable: true
  host: prometheus-tls.c.bpcli-dev.internal
  auth:
    type: basic
    username: admin
    password: password
dev:
  collector:
    create: true

TLS

I used step cli to create a CA and signed certificate for my host prometheus-tls.c.bpcli-dev.internal.

I configured web.yml on the prometheus server with:

tls_server_config:
  cert_file: /etc/prometheus/tls/prometheus.crt
  key_file: /etc/prometheus/tls/prometheus.key

I then created a secret with:

kubectl create secret generic prometheus-tls \
  --from-file ca.crt

config:
  username: bpuser
  password: bppass
  secret_key: 12D8FB6E-1532-4A4C-97AF-95A430BE5E6E
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
prometheus:
  enable: true
  host: prometheus-tls.c.bpcli-dev.internal
  tls:
    enable: true
    insecure: false
    secret:
      name: prometheus-tls
      caSubPath: ca.crt
dev:
  collector:
    create: true

TLS is tested by configuring the CA and keeping skip verify set to false.

Mutual TLS

I used step cli to create another signed certificate; this time the keypair is used for bindplane's client auth.

The client auth type and client ca file were configured like this:

tls_server_config:
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: /etc/prometheus/tls/ca.crt
  cert_file: /etc/prometheus/tls/prometheus.crt
  key_file: /etc/prometheus/tls/prometheus.key

After restarting prometheus, bindplane starts logging client auth errors (expected: bindplane does not have a client keypair configured yet).

{"level":"error","timestamp":"2024-01-12T02:56:36.030Z","message":"failed to get configurationMetrics","error":"query: query: Post \"https://prometheus-tls.c.bpcli-dev.internal:9090/api/v1/query\": remote error: tls: certificate required"}

I created the secret with the bindplane client keypair and the CA:

kubectl create secret generic prometheus-tls \
  --from-file prometheus-client.crt \
  --from-file prometheus-client.key \
  --from-file ca.crt

config:
  username: bpuser
  password: bppass
  secret_key: 12D8FB6E-1532-4A4C-97AF-95A430BE5E6E
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
prometheus:
  enable: true
  host: prometheus-tls.c.bpcli-dev.internal
  tls:
    enable: true
    insecure: false
    secret:
      name: prometheus-tls
      caSubPath: ca.crt
      crtSubPath: prometheus-client.crt
      keySubPath: prometheus-client.key
dev:
  collector:
    create: true

Mimir

Using our in-house tooling, I deployed mimir to my test cluster with:

kubectl create ns mimir
kustomize build app/priority-class/base | kubectl apply -f -
kustomize build app/mimir/environments/local | kubectl apply --namespace mimir -f -

The mimir config requires the following be set

  • prometheus.host
  • prometheus.port
  • prometheus.queryPathPrefix
  • prometheus.remoteWrite.host
  • prometheus.remoteWrite.port
  • prometheus.remoteWrite.path

The query host and remote write host are not the same.

config:
  username: bpuser
  password: bppass
  secret_key: 12D8FB6E-1532-4A4C-97AF-95A430BE5E6E
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
prometheus:
  enable: true
  host: mimir-query-frontend.mimir.svc.cluster.local
  port: 8080
  queryPathPrefix: /prometheus
  remoteWrite:
    host: mimir-distributor-headless.mimir.svc.cluster.local
    port: 8080
    path: /api/v1/push
dev:
  collector:
    create: true

I did not use our recording rule with mimir, so measurements are not exactly working 100%, but I did confirm that remote write + query endpoints are working. No errors from bindplane; the agents page does show measurements on a brand new install of bindplane.

Please check that the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • CI passes

@jsirianni jsirianni marked this pull request as ready for review January 12, 2024 13:59
@jsirianni jsirianni requested a review from a team as a code owner January 12, 2024 13:59
Review comment on charts/bindplane/README.md (outdated, resolved)
@jsirianni jsirianni requested a review from cpheps January 12, 2024 15:55
@jsirianni jsirianni merged commit 3aa9560 into main Jan 12, 2024
16 checks passed
@jsirianni jsirianni deleted the prometheus-params branch January 12, 2024 17:12
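
A pre-flight check for the files that go into the prometheus-tls secret in the Mutual TLS test, added here as an example; it is not part of this PR or of the chart. The function name and exit codes are hypothetical, the file names follow the PR description, and the openssl CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): validate the CA, client certificate and
# client key before running `kubectl create secret generic prometheus-tls`.
# Exit codes (hypothetical): 2 missing file, 3 wrong CA, 4 key/cert mismatch,
# 5 certificate expired.
preflight_prometheus_tls() {
  ca="$1"; crt="$2"; key="$3"

  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
  done

  # The client certificate must chain to the CA that Prometheus lists in
  # client_ca_file; RequireAndVerifyClientCert rejects anything else.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$crt is not signed by $ca" >&2; return 3; }

  # The private key must belong to the certificate: compare a digest of the
  # public key embedded in the cert with one derived from the private key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "$key does not match $crt" >&2; return 4; }

  # An expired client certificate fails the handshake as well.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "$crt has expired" >&2; return 5; }

  echo "ok: $crt chains to $ca and matches $key"
}

# Run directly with the three file names from the PR as defaults.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "$#" -gt 0 ]; then
  preflight_prometheus_tls "${1:-ca.crt}" "${2:-prometheus-client.crt}" \
    "${3:-prometheus-client.key}"
fi
```

Run it in the directory holding the three files before creating the secret; the exit code identifies which check failed.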