openshift-docs/modules/monitoring-supported-remote-write-authentication-settings.adoc

// Module included in the following assemblies:
//
// * monitoring/configuring-the-monitoring-stack.adoc

:_content-type: REFERENCE
[id="supported_remote_write_authentication_settings_{context}"]
= Supported remote write authentication settings

You can use different methods to authenticate with a remote write endpoint.
Currently supported authentication methods are AWS Signature Version 4, basic authentication, authorization, OAuth 2.0, and TLS client.
The following table provides details about supported authentication methods for use with remote write.

[options="header"]
|===

|Authentication method|Config map field|Description

|AWS Signature Version 4|`sigv4`|This method uses AWS Signature Version 4 authentication to sign requests.
You cannot use this method simultaneously with authorization, OAuth 2.0, or basic authentication.

|basic authentication|`basicAuth`|Basic authentication sets the authorization header on every remote write request with the configured username and password.

|authorization|`authorization`|Authorization sets the `Authorization` header on every remote write request using the configured token.

|OAuth 2.0|`oauth2`|An OAuth 2.0 configuration uses the client credentials grant type.
Prometheus fetches an access token from `tokenUrl` with the specified client ID and client secret to access the remote write endpoint.
You cannot use this method simultaneously with authorization, AWS Signature Version 4, or basic authentication.

|TLS client|`tlsConfig`|A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS.
The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file.

|===

== Config map location for authentication settings
The following shows the location of the authentication configuration in the `ConfigMap` object for default platform monitoring.

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com" <1>
        <endpoint_authentication_details> <2>
----
<1> The URL of the remote write endpoint.
<2> The required configuration details for the authentication method for the endpoint.
Currently supported authentication methods are Amazon Web Services (AWS) Signature Version 4, authorization, basic authentication, OAuth 2.0, and TLS client.

[NOTE]
====
If you configure remote write for the Prometheus instance that monitors user-defined projects, edit the `user-workload-monitoring-config` config map in the `openshift-user-workload-monitoring` namespace.
Note that the Prometheus config map component is called `prometheus` in the `user-workload-monitoring-config` `ConfigMap` object and not `prometheusK8s`, as it is in the `cluster-monitoring-config` `ConfigMap` object.
====

== Example remote write authentication settings

The following samples show different authentication settings you can use to connect to a remote write endpoint.
Each sample also shows how to configure a corresponding `Secret` object that contains authentication credentials and other relevant settings.
Each sample configures authentication for use with default platform monitoring in the `openshift-monitoring` namespace.

.Sample YAML for AWS Signature Version 4 authentication

The following shows the settings for a `sigv4` secret named `sigv4-credentials` in the `openshift-monitoring` namespace.

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: sigv4-credentials
  namespace: openshift-monitoring
stringData:
  accessKey: <AWS_access_key> <1>
  secretKey: <AWS_secret_key> <2>
type: Opaque
----
<1> The AWS API access key.
<2> The AWS API secret key.

The following shows sample AWS Signature Version 4 remote write authentication settings that use a `Secret` object named `sigv4-credentials` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        sigv4:
          region: <AWS_region> <1>
          accessKey:
            name: sigv4-credentials <2>
            key: accessKey <3>
          secretKey:
            name: sigv4-credentials <2>
            key: secretKey <4>
          profile: <AWS_profile_name> <5>
          roleArn: <AWS_role_arn> <6>
----
<1> The AWS region.
<2> The name of the `Secret` object containing the AWS API access credentials.
<3> The key that contains the AWS API access key in the specified `Secret` object.
<4> The key that contains the AWS API secret key in the specified `Secret` object.
<5> The name of the AWS profile that is being used to authenticate.
<6> The unique identifier for the Amazon Resource Name (ARN) assigned to your role.

.Sample YAML for basic authentication

The following shows sample basic authentication settings for a `Secret` object named `rw-basic-auth` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: rw-basic-auth
  namespace: openshift-monitoring
stringData:
  user: <basic_username> <1>
  password: <basic_password> <2>
type: Opaque
----
<1> The username.
<2> The password.

The following sample shows a `basicAuth` remote write configuration that uses a `Secret` object named `rw-basic-auth` in the `openshift-monitoring` namespace.
It assumes that you have already set up authentication credentials for the endpoint.

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://basicauth.example.com/api/write"
        basicAuth:
          username:
            name: rw-basic-auth <1>
            key: user <2>
          password:
            name: rw-basic-auth <1>
            key: password <3>
----
<1> The name of the `Secret` object that contains the authentication credentials.
<2> The key that contains the username  in the specified `Secret` object.
<3> The key that contains the password in the specified `Secret` object.

.Sample YAML for authentication with a bearer token using a `Secret` Object

The following shows bearer token settings for a `Secret` object named `rw-bearer-auth` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: rw-bearer-auth
  namespace: openshift-monitoring
stringData:
  token: <authentication_token> <1>
type: Opaque
----
<1> The authentication token.

The following shows sample bearer token config map settings that use a `Secret` object named `rw-bearer-auth` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
    prometheusK8s:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        authorization:
          type: Bearer <1>
          credentials:
            name: rw-bearer-auth <2>
            key: token <3>
----
<1> The authentication type of the request. The default value is `Bearer`.
<2> The name of the `Secret` object that contains the authentication credentials.
<3> The key that contains the authentication token in the specified `Secret` object.

.Sample YAML for OAuth 2.0 authentication

The following shows sample OAuth 2.0 settings for a `Secret` object named `oauth2-credentials` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-credentials
  namespace: openshift-monitoring
stringData:
  id: <oauth2_id> <1>
  secret: <oauth2_secret> <2>
  token: <oauth2_authentication_token> <3>
type: Opaque
----
<1> The Oauth 2.0 ID.
<2> The OAuth 2.0 secret.
<3> The OAuth 2.0 token.

The following shows an `oauth2` remote write authentication sample configuration that uses a `Secret` object named `oauth2-credentials` in the `openshift-monitoring` namespace:

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://test.example.com/api/write"
        oauth2:
          clientId:
            secret:
              name: oauth2-credentials <1>
              key: id <2>
          clientSecret:
            name: oauth2-credentials <1>
            key: secret <2>
          tokenUrl: https://example.com/oauth2/token <3>
          scopes: <4>
          - <scope_1>
          - <scope_2>
          endpointParams: <5>
            param1: <parameter_1>
            param2: <parameter_2>
----
<1> The name of the corresponding `Secret` object. Note that `ClientId` can alternatively refer to a `ConfigMap` object, although `clientSecret` must refer to a `Secret` object.
<2> The key that contains the OAuth 2.0 credentials in the specified `Secret` object.
<3> The URL used to fetch a token with the specified `clientId` and `clientSecret`.
<4> The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access.
<5> The OAuth 2.0 authorization request parameters required for the authorization server.

.Sample YAML for TLS client authentication

The following shows sample TLS client settings for a `tls` `Secret` object named `mtls-bundle` in the `openshift-monitoring` namespace.

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: mtls-bundle
  namespace: openshift-monitoring
data:
  ca.crt: <ca_cert> <1>
  client.crt: <client_cert> <2>
  client.key: <client_key> <3>
type: tls
----
<1> The CA certificate in the Prometheus container with which to validate the server certificate.
<2> The client certificate for authentication with the server.
<3> The client key.

The following sample shows a `tlsConfig` remote write authentication configuration that uses a TLS `Secret` object named `mtls-bundle`.

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        tlsConfig:
          ca:
            secret:
              name: mtls-bundle <1>
              key: ca.crt <2>
          cert:
            secret:
              name: mtls-bundle <1>
              key: client.crt <3>
          keySecret:
            name: mtls-bundle <1>
            key: client.key <4>
----
<1> The name of the corresponding `Secret` object that contains the TLS authentication credentials. Note that `ca` and `cert` can alternatively refer to a `ConfigMap` object, though `keySecret` must refer to a `Secret` object.
<2> The key in the specified `Secret` object that contains the CA certificate for the endpoint.
<3> The key in the specified `Secret` object that contains the client certificate for the endpoint.
<4> The key in the specified `Secret` object that contains the client key secret.