Method of Authentication for Prometheus
Problem to solve
GitLab.com currently allows for importing metrics into a project through Prometheus. However, in order to do this, a customer's Prometheus instance must be exposed to the internet. As of 2019-10-17 there is no documented method of restricting access to the Prometheus instance to just GitLab. Since I don't want to expose my metrics to the entirety of the internet I cannot make use of the GitLab.com features that depend on Metrics.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Prometheus itself does not provide a method for securing access to the metrics (query, API, etc.), because the project assumes the instance runs inside a secure network. However, it is possible to put a reverse proxy such as NGINX in front of Prometheus to enable TLS-secured access as well as any authentication/authorization method the reverse proxy supports.
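The following NGINX configuration is an added example for this issue, not the reporter's sandbox configuration: it terminates TLS, requires HTTP Basic Auth, and exposes only the Prometheus query API, which is the server-side counterpart of the "Basic Auth over TLS" option proposed below. The hostname, certificate paths, htpasswd path and the assumption that GitLab only needs the /api/v1/ endpoints are all assumptions. It also assumes Prometheus is started with --web.listen-address=127.0.0.1:9090 so that nothing can reach it except through the proxy.

```nginx
# Added example (not from the issue or the GitLab project): NGINX as a
# TLS-terminating reverse proxy with HTTP Basic Auth in front of Prometheus.
# Assumptions: Prometheus listens only on 127.0.0.1:9090
# (--web.listen-address=127.0.0.1:9090), and the client (GitLab) only needs
# the /api/v1/ query endpoints. Hostnames and file paths are placeholders.

# Never serve the API over plaintext; credentials would travel in the clear.
server {
    listen 80;
    server_name prometheus.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name prometheus.example.com;

    ssl_certificate     /etc/nginx/tls/prometheus.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/prometheus.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Credential file created out of band, e.g.:
    #   htpasswd -B -c /etc/nginx/prometheus.htpasswd gitlab
    auth_basic           "Prometheus";
    auth_basic_user_file /etc/nginx/prometheus.htpasswd;

    # The admin API is only active with --web.enable-admin-api, but deny it
    # explicitly so a later flag change cannot expose it through the proxy.
    # (Longest-prefix match: this location wins over /api/v1/ below.)
    location /api/v1/admin/ {
        return 403;
    }

    # Only the query API is exposed; the /graph UI, /-/reload, /metrics and
    # everything else fall through to the 404 location.
    location /api/v1/ {
        proxy_pass         http://127.0.0.1:9090;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # Prometheus does no authentication of its own; an empty value drops
        # the header so the Basic Auth credentials are never forwarded to it.
        proxy_set_header   Authorization "";
    }

    location / {
        return 404;
    }
}
```

On the client side, a URL of the form https://username:password@prometheus.example.com/api/v1/ (the fallback suggested in the proposal) only works if the caller turns the userinfo part into an Authorization: Basic header and strips it before the URL is logged or displayed; a dedicated, masked credential field avoids that problem, which is why the proposal prefers a securely stored variable.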
I have already set up and tested this configuration in a sandbox environment and it easily works as expected. So, I can now have at least basic security controls over who can access my infrastructure and application metrics. However, I don't have any way to configure GitLab to take advantage of this. Some potential methods could include:
- HTTP Basic Auth
- Mutual TLS Authentication
- OAuth2
- Basic shared secret/token
Proposal
My proposal at this point would be to keep it simple and just allow for HTTP Basic Auth over TLS. I'd prefer to be able to do it via a securely stored variable in GitLab; however, I would take even a very simple "https://username:password@www.example.com/" URL format in the "API URL" field of the Prometheus integration form.