mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
287 lines
9.3 KiB
Plaintext
287 lines
9.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * monitoring/configuring-the-monitoring-stack.adoc
|
|
|
|
:_mod-docs-content-type: REFERENCE
|
|
[id="example-remote-write-authentication-settings_{context}"]
|
|
= Example remote write authentication settings
|
|
|
|
// Set attributes to distinguish between cluster monitoring examples and user workload monitoring examples.
|
|
ifndef::openshift-dedicated,openshift-rosa[]
|
|
:configmap-name: cluster-monitoring-config
|
|
:namespace-name: openshift-monitoring
|
|
:prometheus-instance: prometheusK8s
|
|
endif::openshift-dedicated,openshift-rosa[]
|
|
ifdef::openshift-dedicated,openshift-rosa[]
|
|
:configmap-name: user-workload-monitoring-config
|
|
:namespace-name: openshift-user-workload-monitoring
|
|
:prometheus-instance: prometheus
|
|
endif::openshift-dedicated,openshift-rosa[]
|
|
|
|
The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding `Secret` object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with
|
|
ifndef::openshift-dedicated,openshift-rosa[]
|
|
default platform monitoring
|
|
endif::openshift-dedicated,openshift-rosa[]
|
|
ifdef::openshift-dedicated,openshift-rosa[]
|
|
monitoring user-defined projects
|
|
endif::openshift-dedicated,openshift-rosa[]
|
|
in the `{namespace-name}` namespace.
|
|
|
|
.Sample YAML for AWS Signature Version 4 authentication
|
|
====
|
|
The following shows the settings for a `sigv4` secret named `sigv4-credentials` in the `{namespace-name}` namespace.
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: sigv4-credentials
|
|
namespace: {namespace-name}
|
|
stringData:
|
|
accessKey: <AWS_access_key> <1>
|
|
secretKey: <AWS_secret_key> <2>
|
|
type: Opaque
|
|
----
|
|
<1> The AWS API access key.
|
|
<2> The AWS API secret key.
|
|
|
|
The following shows sample AWS Signature Version 4 remote write authentication settings that use a `Secret` object named `sigv4-credentials` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {configmap-name}
|
|
namespace: {namespace-name}
|
|
data:
|
|
config.yaml: |
|
|
{prometheus-instance}:
|
|
remoteWrite:
|
|
- url: "https://authorization.example.com/api/write"
|
|
sigv4:
|
|
region: <AWS_region> <1>
|
|
accessKey:
|
|
name: sigv4-credentials <2>
|
|
key: accessKey <3>
|
|
secretKey:
|
|
name: sigv4-credentials <2>
|
|
key: secretKey <4>
|
|
profile: <AWS_profile_name> <5>
|
|
roleArn: <AWS_role_arn> <6>
|
|
----
|
|
<1> The AWS region.
|
|
<2> The name of the `Secret` object containing the AWS API access credentials.
|
|
<3> The key that contains the AWS API access key in the specified `Secret` object.
|
|
<4> The key that contains the AWS API secret key in the specified `Secret` object.
|
|
<5> The name of the AWS profile that is being used to authenticate.
|
|
<6> The unique identifier for the Amazon Resource Name (ARN) assigned to your role.
|
|
====
|
|
|
|
.Sample YAML for basic authentication
|
|
====
|
|
The following shows sample basic authentication settings for a `Secret` object named `rw-basic-auth` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: rw-basic-auth
|
|
namespace: {namespace-name}
|
|
stringData:
|
|
user: <basic_username> <1>
|
|
password: <basic_password> <2>
|
|
type: Opaque
|
|
----
|
|
<1> The username.
|
|
<2> The password.
|
|
|
|
The following sample shows a `basicAuth` remote write configuration that uses a `Secret` object named `rw-basic-auth` in the `{namespace-name}` namespace.
|
|
It assumes that you have already set up authentication credentials for the endpoint.
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {configmap-name}
|
|
namespace: {namespace-name}
|
|
data:
|
|
config.yaml: |
|
|
{prometheus-instance}:
|
|
remoteWrite:
|
|
- url: "https://basicauth.example.com/api/write"
|
|
basicAuth:
|
|
username:
|
|
name: rw-basic-auth <1>
|
|
key: user <2>
|
|
password:
|
|
name: rw-basic-auth <1>
|
|
key: password <3>
|
|
----
|
|
<1> The name of the `Secret` object that contains the authentication credentials.
|
|
<2> The key that contains the username in the specified `Secret` object.
|
|
<3> The key that contains the password in the specified `Secret` object.
|
|
====
|
|
|
|
.Sample YAML for authentication with a bearer token using a `Secret` Object
|
|
====
|
|
The following shows bearer token settings for a `Secret` object named `rw-bearer-auth` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: rw-bearer-auth
|
|
namespace: {namespace-name}
|
|
stringData:
|
|
token: <authentication_token> <1>
|
|
type: Opaque
|
|
----
|
|
<1> The authentication token.
|
|
|
|
The following shows sample bearer token config map settings that use a `Secret` object named `rw-bearer-auth` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {configmap-name}
|
|
namespace: {namespace-name}
|
|
data:
|
|
config.yaml: |
|
|
enableUserWorkload: true
|
|
{prometheus-instance}:
|
|
remoteWrite:
|
|
- url: "https://authorization.example.com/api/write"
|
|
authorization:
|
|
type: Bearer <1>
|
|
credentials:
|
|
name: rw-bearer-auth <2>
|
|
key: token <3>
|
|
----
|
|
<1> The authentication type of the request. The default value is `Bearer`.
|
|
<2> The name of the `Secret` object that contains the authentication credentials.
|
|
<3> The key that contains the authentication token in the specified `Secret` object.
|
|
====
|
|
|
|
.Sample YAML for OAuth 2.0 authentication
|
|
====
|
|
The following shows sample OAuth 2.0 settings for a `Secret` object named `oauth2-credentials` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: oauth2-credentials
|
|
namespace: {namespace-name}
|
|
stringData:
|
|
id: <oauth2_id> <1>
|
|
secret: <oauth2_secret> <2>
|
|
token: <oauth2_authentication_token> <3>
|
|
type: Opaque
|
|
----
|
|
<1> The Oauth 2.0 ID.
|
|
<2> The OAuth 2.0 secret.
|
|
<3> The OAuth 2.0 token.
|
|
|
|
The following shows an `oauth2` remote write authentication sample configuration that uses a `Secret` object named `oauth2-credentials` in the `{namespace-name}` namespace:
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {configmap-name}
|
|
namespace: {namespace-name}
|
|
data:
|
|
config.yaml: |
|
|
{prometheus-instance}:
|
|
remoteWrite:
|
|
- url: "https://test.example.com/api/write"
|
|
oauth2:
|
|
clientId:
|
|
secret:
|
|
name: oauth2-credentials <1>
|
|
key: id <2>
|
|
clientSecret:
|
|
name: oauth2-credentials <1>
|
|
key: secret <2>
|
|
tokenUrl: https://example.com/oauth2/token <3>
|
|
scopes: <4>
|
|
- <scope_1>
|
|
- <scope_2>
|
|
endpointParams: <5>
|
|
param1: <parameter_1>
|
|
param2: <parameter_2>
|
|
----
|
|
<1> The name of the corresponding `Secret` object. Note that `ClientId` can alternatively refer to a `ConfigMap` object, although `clientSecret` must refer to a `Secret` object.
|
|
<2> The key that contains the OAuth 2.0 credentials in the specified `Secret` object.
|
|
<3> The URL used to fetch a token with the specified `clientId` and `clientSecret`.
|
|
<4> The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access.
|
|
<5> The OAuth 2.0 authorization request parameters required for the authorization server.
|
|
====
|
|
|
|
.Sample YAML for TLS client authentication
|
|
====
|
|
The following shows sample TLS client settings for a `tls` `Secret` object named `mtls-bundle` in the `{namespace-name}` namespace.
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: mtls-bundle
|
|
namespace: {namespace-name}
|
|
data:
|
|
ca.crt: <ca_cert> <1>
|
|
client.crt: <client_cert> <2>
|
|
client.key: <client_key> <3>
|
|
type: tls
|
|
----
|
|
<1> The CA certificate in the Prometheus container with which to validate the server certificate.
|
|
<2> The client certificate for authentication with the server.
|
|
<3> The client key.
|
|
|
|
The following sample shows a `tlsConfig` remote write authentication configuration that uses a TLS `Secret` object named `mtls-bundle`.
|
|
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {configmap-name}
|
|
namespace: {namespace-name}
|
|
data:
|
|
config.yaml: |
|
|
{prometheus-instance}:
|
|
remoteWrite:
|
|
- url: "https://remote-write-endpoint.example.com"
|
|
tlsConfig:
|
|
ca:
|
|
secret:
|
|
name: mtls-bundle <1>
|
|
key: ca.crt <2>
|
|
cert:
|
|
secret:
|
|
name: mtls-bundle <1>
|
|
key: client.crt <3>
|
|
keySecret:
|
|
name: mtls-bundle <1>
|
|
key: client.key <4>
|
|
----
|
|
<1> The name of the corresponding `Secret` object that contains the TLS authentication credentials. Note that `ca` and `cert` can alternatively refer to a `ConfigMap` object, though `keySecret` must refer to a `Secret` object.
|
|
<2> The key in the specified `Secret` object that contains the CA certificate for the endpoint.
|
|
<3> The key in the specified `Secret` object that contains the client certificate for the endpoint.
|
|
<4> The key in the specified `Secret` object that contains the client key secret.
|
|
====
|
|
|
|
// Unset the source code block attributes just to be safe.
|
|
:!namespace-name:
|
|
:!prometheus-instance:
|