feat(service-monitor): support bearer token authentication on metrics endpoint (#719)

### Benefits

Can protect metrics endpoint with `Bearer` token authentication provided by gitea.
see PR #637 for previous discussion.

### Possible drawbacks

No possible drawbacks

### Applicable issues

- fixes #635

### Additional information

```
gitea:
  metrics:
    enabled: true
    token: "somepassword"
    serviceMonitor:
      enabled: true
```

Using above configuration is sufficient to secure /metrics endpoint with bearer token and corresponding ServiceMonitor.

### Checklist

- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [ ] ~~Breaking changes are documented in the `README.md`~~ Not applicable
- [x] Templating unittests are added

Signed-off-by: Hitesh Nayak <hiteshnayak305@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/719
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: Hitesh Nayak <hiteshnayak305@gmail.com>
Co-committed-by: Hitesh Nayak <hiteshnayak305@gmail.com>
This commit is contained in:
Hitesh Nayak 2024-11-30 13:59:29 +00:00 committed by justusbunsi
parent 3bacaaad84
commit 389a8460e4
10 changed files with 253 additions and 0 deletions

View File

@ -30,6 +30,7 @@
- [OAuth2 Settings](#oauth2-settings) - [OAuth2 Settings](#oauth2-settings)
- [Configure commit signing](#configure-commit-signing) - [Configure commit signing](#configure-commit-signing)
- [Metrics and profiling](#metrics-and-profiling) - [Metrics and profiling](#metrics-and-profiling)
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
- [Pod annotations](#pod-annotations) - [Pod annotations](#pod-annotations)
- [Themes](#themes) - [Themes](#themes)
- [Renovate](#renovate) - [Renovate](#renovate)
@ -747,6 +748,21 @@ gitea:
ENABLE_PPROF: true ENABLE_PPROF: true
``` ```
### Secure Metrics Endpoint
Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
```yaml
gitea:
metrics:
token: "secure-token"
enabled: true
serviceMonitor:
enabled: true
```
## Pod annotations ## Pod annotations
Annotations can be added to the Gitea pod. Annotations can be added to the Gitea pod.
@ -1053,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |

View File

@ -311,6 +311,9 @@ https
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
{{- end -}} {{- end -}}
{{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
{{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
{{- end -}}
{{- /* redis queue */ -}} {{- /* redis queue */ -}}
{{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
@ -465,3 +468,7 @@ https
{{- end -}} {{- end -}}
{{- toYaml $probe -}} {{- toYaml $probe -}}
{{- end -}} {{- end -}}
{{- define "gitea.metrics-secret-name" -}}
{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
{{- end -}}

View File

@ -0,0 +1,12 @@
{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.metrics-secret-name" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
token: {{ .Values.gitea.metrics.token | b64enc }}
{{- end }}

View File

@ -32,4 +32,12 @@ spec:
tlsConfig: tlsConfig:
{{- . | toYaml | nindent 6 }} {{- . | toYaml | nindent 6 }}
{{- end }} {{- end }}
{{- if .Values.gitea.metrics.token }}
authorization:
type: Bearer
credentials:
name: {{ include "gitea.metrics-secret-name" . }}
key: token
optional: false
{{- end }}
{{- end -}} {{- end -}}

View File

@ -0,0 +1,58 @@
suite: config template | metrics section (metrics token)
release:
name: gitea-unittests
namespace: testing
tests:
- it: metrics token is set
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token: "somepassword"
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
TOKEN=somepassword
- it: metrics token is empty
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token: ""
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
- it: metrics token is nil
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: true
token:
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=true
- it: does not configures a token if metrics are disabled
template: templates/gitea/config.yaml
set:
gitea:
metrics:
enabled: false
token: "somepassword"
asserts:
- documentIndex: 0
equal:
path: stringData.metrics
value: |-
ENABLED=false

View File

@ -0,0 +1,23 @@
suite: Metrics secret template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if monitoring disabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.metrics.token: ""
asserts:
- hasDocuments:
count: 0
- it: renders nothing if monitoring disabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.metrics.token: "test-token"
asserts:
- hasDocuments:
count: 0

View File

@ -0,0 +1,33 @@
suite: Metrics secret template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if monitoring enabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.token: ""
asserts:
- hasDocuments:
count: 0
- it: renders Secret if monitoring enabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.metrics.token: "test-token"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-metrics-secret
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: data.token
value: "dGVzdC10b2tlbg=="

View File

@ -0,0 +1,23 @@
suite: ServiceMonitor template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
set:
gitea.metrics.enabled: false
gitea.metrics.token: ""
gitea.metrics.serviceMonitor.enabled: false
asserts:
- hasDocuments:
count: 0
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
set:
gitea.metrics.enabled: false
gitea.metrics.token: "test-token"
gitea.metrics.serviceMonitor.enabled: false
asserts:
- hasDocuments:
count: 0

View File

@ -0,0 +1,70 @@
suite: ServiceMonitor template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders unsecure ServiceMonitor if gitea.metrics.token nil
set:
gitea.metrics.enabled: true
gitea.metrics.token:
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
- it: renders unsecure ServiceMonitor if gitea.metrics.token empty
set:
gitea.metrics.enabled: true
gitea.metrics.token: ""
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
- it: renders secure ServiceMonitor if gitea.metrics.token not empty
set:
gitea.metrics.enabled: true
gitea.metrics.token: "test-token"
gitea.metrics.serviceMonitor.enabled: true
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
authorization:
type: Bearer
credentials:
name: gitea-unittests-metrics-secret
key: token
optional: false

View File

@ -461,6 +461,7 @@ gitea:
passwordMode: keepUpdated passwordMode: keepUpdated
## @param gitea.metrics.enabled Enable Gitea metrics ## @param gitea.metrics.enabled Enable Gitea metrics
## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
@ -469,6 +470,7 @@ gitea:
## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
metrics: metrics:
enabled: false enabled: false
token:
serviceMonitor: serviceMonitor:
enabled: false enabled: false
# additionalLabels: # additionalLabels: