Add OAuth token authentication to manual configuration of prometheus instance
Problem to solve
Our current manual configuration of Prometheus feature assumes that a user would be able to have unauthenticated (or authenticated through tokenized URL) API access to the prometheus instance URL. This isn't always the case, we should provide an option to add token authentication. This is especially useful for our own use case as well.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
Further details
This will also improve the security of how we authenticate with our Prometheus instance on gitlab.com.
Proposal
- Add 2 optional inputs fields to accept credentials file and client_id in manual Prometheus configuration page
- Backend should accept the values to do the oAuth authentication handshake.
- On the frontend side, we should make sure that the token input field explicitly disables autocomplete to prevent leaking of previously used tokens when filling out the form
This is behind prometheus_service_iap_auth
feature flag.
Permissions and Security
Documentation
Availability & Testing
GitLab team members can use https://prometheus-dogfood.ops.gitlab.net/ OAuth'd URL for testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Programmatic authentication using service account | IAP Docs
Edited by Dhiraj Bodicherla