Skip to content

Support for basic auth on the Prometheus API

Leonardo da Rosa requested to merge 462021-database-indicators-support-for-basic-auth-on-the-prometheus-api into master

What does this MR do and why?

Adds a new connection client, MimirClient to connect to Prometheus via Mimir - using basic auth.

Needs to be merged before adding mimir_api_url to prometheus_alert_db_indicators_settings:

How to set up and validate locally

To test the MimirClient

As we don't have access from our local machine, the best way is through staging rails-ro@console-ro-01-sv-gstg. So far, we can only check if headers are being correctly sent, as we don't have the auth env variable set.

  1. Connect to a Rails Console using Teleport
  2. Instantiate the MimirClient in the rails session and test the ready endpoint:
module Gitlab
  class MimirClient < PrometheusClient
    def initialize(api_url:, user:, password:, options: {})
      super(api_url, options)

      base64_auth = Base64.strict_encode64("#{user}:#{password}")
      @options.merge!(
        headers: {
          "Authorization" => "Basic #{base64_auth}"
        }
      )
    end
  end
end

client = Gitlab::MimirClient.new(api_url: 'https://mimir-internal.ops.gke.gitlab.net/prometheus', user: 'user', password: 'pass', options: { allow_local_requests: true, verify: true, debug_output: STDOUT })

client.ready?

opening connection to ...
opened
starting SSL for ...
SSL established, protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384
<- "GET /-/ready? HTTP/1.1\r\nAuthorization: Basic dummyauth\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nAccept: */*\r\nUser-Agent: Ruby\r\nConnection: close\r\nHost: mimir-internal.ops.gke.gitlab.net\r\n\r\n"
-> "HTTP/1.1 401 Unauthorized\r\n"
-> "server: istio-envoy\r\n"
-> "date: Wed, 22 May 2024 00:00:14 GMT\r\n"
-> "content-type: text/html\r\n"
-> "content-length: 179\r\n"
-> "www-authenticate: Basic realm=\"Mimir\"\r\n"
-> "x-envoy-upstream-service-time: 1\r\n"
-> "connection: close\r\n"
-> "\r\n"
reading 179 bytes...
-> "<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body>\r\n<center><h1>401 Authorization Required</h1></center>\r\n<hr><center>nginx/1.25.5</center>\r\n</body>\r\n</html>\r\n"

Numbered steps to set up and validate the change are strongly suggested.

Related to #462021

Edited by Leonardo da Rosa

Merge request reports