Merge pull request #8512 from roidelapluie/update-common-for-credentials

Update common to support credential types
Julien Pivotto 2021-02-19 21:04:09 +01:00 committed by GitHub
commit f4bf9df4ec
17 changed files with 191 additions and 93 deletions


@ -618,7 +618,7 @@ func (c *RemoteWriteConfig) UnmarshalYAML(unmarshal func(interface{}) error) err
}
for header := range c.Headers {
if strings.ToLower(header) == "authorization" {
return errors.New("authorization header must be changed via the basic_auth, bearer_token, or bearer_token_file parameter")
return errors.New("authorization header must be changed via the basic_auth or authorization parameter")
}
if _, ok := unchangeableHeaders[strings.ToLower(header)]; ok {
return errors.Errorf("%s is an unchangeable header", header)


@ -141,7 +141,10 @@ var expectedConf = &Config{
Scheme: DefaultScrapeConfig.Scheme,
HTTPClientConfig: config.HTTPClientConfig{
BearerTokenFile: filepath.FromSlash("testdata/valid_token_file"),
Authorization: &config.Authorization{
Type: "Bearer",
CredentialsFile: filepath.FromSlash("testdata/valid_token_file"),
},
},
ServiceDiscoveryConfigs: discovery.Configs{
@ -344,7 +347,10 @@ var expectedConf = &Config{
KeyFile: filepath.FromSlash("testdata/valid_key_file"),
},
BearerToken: "mysecret",
Authorization: &config.Authorization{
Type: "Bearer",
Credentials: "mysecret",
},
},
},
{
@ -603,7 +609,10 @@ var expectedConf = &Config{
ServiceDiscoveryConfigs: discovery.Configs{
&digitalocean.SDConfig{
HTTPClientConfig: config.HTTPClientConfig{
BearerToken: "abcdef",
Authorization: &config.Authorization{
Type: "Bearer",
Credentials: "abcdef",
},
},
Port: 80,
RefreshInterval: model.Duration(60 * time.Second),
@ -665,7 +674,10 @@ var expectedConf = &Config{
ServiceDiscoveryConfigs: discovery.Configs{
&hetzner.SDConfig{
HTTPClientConfig: config.HTTPClientConfig{
BearerToken: "abcdef",
Authorization: &config.Authorization{
Type: "Bearer",
Credentials: "abcdef",
},
},
Port: 80,
RefreshInterval: model.Duration(60 * time.Second),
@ -919,6 +931,9 @@ var expectedErrors = []struct {
}, {
filename: "kubernetes_bearertoken_basicauth.bad.yml",
errMsg: "at most one of basic_auth, bearer_token & bearer_token_file must be configured",
}, {
filename: "kubernetes_authorization_basicauth.bad.yml",
errMsg: "at most one of basic_auth & authorization must be configured",
}, {
filename: "marathon_no_servers.bad.yml",
errMsg: "marathon_sd: must contain at least one Marathon server",
@ -931,6 +946,9 @@ var expectedErrors = []struct {
}, {
filename: "marathon_authtoken_bearertoken.bad.yml",
errMsg: "marathon_sd: at most one of bearer_token, bearer_token_file, auth_token & auth_token_file must be configured",
}, {
filename: "marathon_authtoken_authorization.bad.yml",
errMsg: "marathon_sd: at most one of auth_token, auth_token_file & authorization must be configured",
}, {
filename: "openstack_role.bad.yml",
errMsg: "unknown OpenStack SD role",
@ -957,7 +975,7 @@ var expectedErrors = []struct {
errMsg: `x-prometheus-remote-write-version is an unchangeable header`,
}, {
filename: "remote_write_authorization_header.bad.yml",
errMsg: `authorization header must be changed via the basic_auth, bearer_token, or bearer_token_file parameter`,
errMsg: `authorization header must be changed via the basic_auth or authorization parameter`,
}, {
filename: "remote_write_url_missing.bad.yml",
errMsg: `url for remote_write is empty`,


@ -79,7 +79,8 @@ scrape_configs:
replacement: static
target_label: abc
bearer_token_file: valid_token_file
authorization:
credentials_file: valid_token_file
- job_name: service-x
@ -158,7 +159,8 @@ scrape_configs:
cert_file: valid_cert_file
key_file: valid_key_file
bearer_token: mysecret
authorization:
credentials: mysecret
- job_name: service-kubernetes
@ -263,7 +265,8 @@ scrape_configs:
- job_name: digitalocean-droplets
digitalocean_sd_configs:
- bearer_token: abcdef
- authorization:
credentials: abcdef
- job_name: dockerswarm
dockerswarm_sd_configs:
@ -284,7 +287,8 @@ scrape_configs:
- job_name: hetzner
hetzner_sd_configs:
- role: hcloud
bearer_token: abcdef
authorization:
credentials: abcdef
- role: robot
basic_auth:
username: abcdef


@ -0,0 +1,13 @@
scrape_configs:
- job_name: prometheus
kubernetes_sd_configs:
- role: pod
api_server: 'https://localhost:1234'
authorization:
credentials: 1234
basic_auth:
username: user
password: password


@ -2,4 +2,5 @@ scrape_configs:
- job_name: prometheus
kubernetes_sd_configs:
- role: pod
bearer_token: 1234
authorization:
credentials: 1234


@ -0,0 +1,10 @@
scrape_configs:
- job_name: prometheus
marathon_sd_configs:
- servers:
- 'https://localhost:1234'
auth_token: 1234
authorization:
credentials: 4567


@ -53,7 +53,8 @@ scrape_configs:
key_file: valid_key_file
digitalocean_sd_configs:
- bearer_token: <secret>
- authorization:
credentials: <secret>
dockerswarm_sd_configs:
- host: http://127.0.0.1:2375


@ -89,7 +89,7 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
if err != nil {
return err
}
return nil
return c.HTTPClientConfig.Validate()
}
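Review bot: The new `return c.HTTPClientConfig.Validate()` is the first time this SD config's HTTP client settings are validated at unmarshal time, yet the PR adds no regression test for it: the expectedErrors additions in config_test.go cover only `kubernetes_authorization_basicauth.bad.yml` and `marathon_authtoken_authorization.bad.yml`, so a digitalocean config with both `basic_auth` and `authorization` (or `credentials` and `credentials_file`) is never exercised. A small bad-config fixture per SD (constructed name, e.g. `digitalocean_authorization_basicauth.bad.yml`) with the corresponding expectedErrors entry would pin the message that Validate returns and catch a future `return nil` regression. The same gap applies to the identical hunks in the dockerswarm and hetzner SDConfig.UnmarshalYAML methods. UnmarshalYAML's body begins outside this hunk, so I cannot confirm here that `unmarshal` into the plain type has already run before the validation.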
// Discovery periodically performs DigitalOcean requests. It implements


@ -102,7 +102,7 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
default:
return fmt.Errorf("invalid role %s, expected tasks, services, or nodes", c.Role)
}
return nil
return c.HTTPClientConfig.Validate()
}
// Discovery periodically performs Docker Swarm requests. It implements


@ -110,7 +110,7 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
if c.Role == "" {
return errors.New("role missing (one of: robot, hcloud)")
}
return nil
return c.HTTPClientConfig.Validate()
}
// Discovery periodically performs Hetzner requests. It implements


@ -111,6 +111,9 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
if (len(c.HTTPClientConfig.BearerToken) > 0 || len(c.HTTPClientConfig.BearerTokenFile) > 0) && (len(c.AuthToken) > 0 || len(c.AuthTokenFile) > 0) {
return errors.New("marathon_sd: at most one of bearer_token, bearer_token_file, auth_token & auth_token_file must be configured")
}
if c.HTTPClientConfig.Authorization != nil && (len(c.AuthToken) > 0 || len(c.AuthTokenFile) > 0) {
return errors.New("marathon_sd: at most one of auth_token, auth_token_file & authorization must be configured")
}
return c.HTTPClientConfig.Validate()
}
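Review bot: The new `Authorization != nil` check sits directly beside the older `BearerToken`/`BearerTokenFile` check and both express the same rule (marathon's own token must not be combined with a generic `Authorization` header), which will read as accidental duplication to the next maintainer; the order matters because both run before `c.HTTPClientConfig.Validate()`, and if common's Validate normalises `bearer_token` into `Authorization` (presumably, not visible here) only the Validate call would see the folded form. A one-line comment above the first check would make the intent explicit: `// bearer_token* and authorization are checked separately here because HTTPClientConfig.Validate() runs only after these marathon-specific checks.` Alternatively the two conditions could be folded into one `if` with a combined message, but the separate messages are already pinned by `marathon_authtoken_bearertoken.bad.yml` and `marathon_authtoken_authorization.bad.yml` in config_test.go, so leave them unless those fixtures are updated too. UnmarshalYAML begins outside this hunk.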


@ -169,12 +169,16 @@ basic_auth:
[ password_file: <string> ]
# Sets the `Authorization` header on every scrape request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <secret> ]
# Sets the `Authorization` header on every scrape request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]
# the configured credentials.
authorization:
# Sets the authentication type of the request.
[ type: <string> | default: Bearer ]
# Sets the credentials of the request. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials of the request with the credentials read from the
# configured file. It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Configures the scrape request's TLS settings.
tls_config:
@ -436,7 +440,7 @@ The following meta labels are available on targets during [relabeling](#relabel_
```yaml
# Authentication information used to authenticate to the API server.
# Note that `basic_auth`, `bearer_token` and `bearer_token_file` options are
# Note that `basic_auth` and `authorization` options are
# mutually exclusive.
# password and password_file are mutually exclusive.
@ -446,11 +450,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Optional bearer token authentication information.
[ bearer_token: <secret> ]
# Optional bearer token file authentication information.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Optional proxy URL.
[ proxy_url: <string> ]
@ -592,7 +601,7 @@ role: <string>
[ refresh_interval: <duration> | default = 60s ]
# Authentication information used to authenticate to the Docker daemon.
# Note that `basic_auth`, `bearer_token` and `bearer_token_file` options are
# Note that `basic_auth` and `authorization` options are
# mutually exclusive.
# password and password_file are mutually exclusive.
@ -602,11 +611,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Optional bearer token authentication information.
[ bearer_token: <secret> ]
# Optional bearer token file authentication information.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
```
The [relabeling phase](#relabel_config) is the preferred and more powerful
@ -989,7 +1003,7 @@ The labels below are only available for targets with `role` set to `robot`:
role: <string>
# Authentication information used to authenticate to the API server.
# Note that `basic_auth`, `bearer_token` and `bearer_token_file` options are
# Note that `basic_auth` and `authorization` options are
# mutually exclusive.
# password and password_file are mutually exclusive.
@ -1000,12 +1014,17 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Optional bearer token authentication information, required when role is hcloud
# Role robot does not support bearer token authentication.
[ bearer_token: <secret> ]
# Optional bearer token file authentication information.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration. required when role is
# hcloud. Role robot does not support bearer token authentication.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Optional proxy URL.
[ proxy_url: <string> ]
@ -1154,7 +1173,7 @@ See below for the configuration options for Kubernetes discovery:
role: <string>
# Optional authentication information used to authenticate to the API server.
# Note that `basic_auth`, `bearer_token` and `bearer_token_file` options are
# Note that `basic_auth` and `authorization` options are
# mutually exclusive.
# password and password_file are mutually exclusive.
@ -1164,11 +1183,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Optional bearer token authentication information.
[ bearer_token: <secret> ]
# Optional bearer token file authentication information.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Optional proxy URL.
[ proxy_url: <string> ]
@ -1253,15 +1277,19 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Sets the `Authorization` header on every request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file` and other authentication mechanisms.
# NOTE: The current version of DC/OS marathon (v1.11.0) does not support standard Bearer token authentication. Use `auth_token` instead.
[ bearer_token: <string> ]
# Sets the `Authorization` header on every request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token` and other authentication mechanisms.
# NOTE: The current version of DC/OS marathon (v1.11.0) does not support standard Bearer token authentication. Use `auth_token_file` instead.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
# NOTE: The current version of DC/OS marathon (v1.11.0) does not support
# standard `Authentication` header, use `auth_token` or `auth_token_file`
# instead.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# TLS configuration for connecting to marathon servers
tls_config:
@ -1447,13 +1475,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Sets the `Authorization` header on every request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <string> ]
# Sets the `Authorization` header on every request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Configures the scrape request's TLS settings.
tls_config:
@ -1616,13 +1647,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Sets the `Authorization` header on every request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <string> ]
# Sets the `Authorization` header on every request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Configures the scrape request's TLS settings.
tls_config:
@ -1742,13 +1776,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Sets the `Authorization` header on every remote write request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <string> ]
# Sets the `Authorization` header on every remote write request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Configures the remote write request's TLS settings.
tls_config:
@ -1825,13 +1862,16 @@ basic_auth:
[ password: <secret> ]
[ password_file: <string> ]
# Sets the `Authorization` header on every remote read request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <string> ]
# Sets the `Authorization` header on every remote read request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]
# Optional the `Authorization` header configuration.
authorization:
# Sets the authentication type.
[ type: <string> | default: Bearer ]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[ credentials: <secret> ]
# Sets the credentials with the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[ credentials_file: <filename> ]
# Configures the remote read request's TLS settings.
tls_config:


@ -12,7 +12,8 @@ scrape_configs:
- job_name: 'node'
digitalocean_sd_configs:
- bearer_token: "<replace with a Personal Access Token>"
- authorization:
credentials: "<replace with a Personal Access Token>"
relabel_configs:
# Only scrape targets that have a tag 'monitoring'.
- source_labels: [__meta_digitalocean_tags]


@ -12,7 +12,8 @@ scrape_configs:
- job_name: 'node'
hetzner_sd_configs:
- bearer_token: "<replace with a Hetzner Cloud API Token>"
- authorization:
credentials: "<replace with a Hetzner Cloud API Token>"
platform: "hcloud"
relabel_configs:
# Use the public IPv4 and port 9100 to scrape the target.
@ -24,7 +25,8 @@ scrape_configs:
- job_name: 'node_private'
hetzner_sd_configs:
- bearer_token: "<replace with a Hetzner Cloud API Token>"
- authorization:
credentials: "<replace with a Hetzner Cloud API Token>"
platform: "hcloud"
relabel_configs:
# Use the private IPv4 within the Hetzner Cloud Network and port 9100 to scrape the target.


@ -25,7 +25,7 @@ scrape_configs:
# `http`.
scheme: https
# This TLS & bearer token file config is used to connect to the actual scrape
# This TLS & authorization config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
@ -40,7 +40,8 @@ scrape_configs:
# disable certificate verification by uncommenting the line below.
#
# insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
# Keep only the default/kubernetes service endpoints for the https port. This
# will add targets for each API server which Kubernetes adds an endpoint to
@ -62,7 +63,7 @@ scrape_configs:
# `http`.
scheme: https
# This TLS & bearer token file config is used to connect to the actual scrape
# This TLS & authorization config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
@ -77,7 +78,8 @@ scrape_configs:
# disable certificate verification by uncommenting the line below.
#
# insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
@ -112,7 +114,7 @@ scrape_configs:
# are used.
metrics_path: /metrics/cadvisor
# This TLS & bearer token file config is used to connect to the actual scrape
# This TLS & authorization config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
@ -127,7 +129,8 @@ scrape_configs:
# disable certificate verification by uncommenting the line below.
#
# insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node

2
go.mod

@ -48,7 +48,7 @@ require (
github.com/prometheus/alertmanager v0.21.0
github.com/prometheus/client_golang v1.9.0
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.15.0
github.com/prometheus/common v0.17.0
github.com/prometheus/exporter-toolkit v0.5.1
github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546

2
go.sum

@ -715,6 +715,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.15.0 h1:4fgOnadei3EZvgRwxJ7RMpG1k1pOZth5Pc13tyspaKM=
github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
github.com/prometheus/common v0.17.0 h1:kDIZLI74SS+3tedSvEkykgBkD7txMxaJAPj8DtJUKYA=
github.com/prometheus/common v0.17.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
github.com/prometheus/exporter-toolkit v0.5.1 h1:9eqgis5er9xN613ZSADjypCJaDGj9ZlcWBvsIHa8/3c=
github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=