feat(service-monitor): support bearer token authentication on metrics endpoint #719
17
README.md
@ -30,6 +30,7 @@
|
|||||||
- [OAuth2 Settings](#oauth2-settings)
|
- [OAuth2 Settings](#oauth2-settings)
|
||||||
- [Configure commit signing](#configure-commit-signing)
|
- [Configure commit signing](#configure-commit-signing)
|
||||||
- [Metrics and profiling](#metrics-and-profiling)
|
- [Metrics and profiling](#metrics-and-profiling)
|
||||||
|
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
|
||||||
- [Pod annotations](#pod-annotations)
|
- [Pod annotations](#pod-annotations)
|
||||||
- [Themes](#themes)
|
- [Themes](#themes)
|
||||||
- [Renovate](#renovate)
|
- [Renovate](#renovate)
|
||||||
@ -746,6 +747,21 @@ gitea:
|
|||||||
ENABLE_PPROF: true
|
ENABLE_PPROF: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Secure Metrics Endpoint
|
||||||
|
|
||||||
|
Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
|
||||||
|
|
||||||
|
**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
gitea:
|
||||||
|
metrics:
|
||||||
|
token: "secure-token"
|
||||||
|
enabled: true
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
## Pod annotations
|
## Pod annotations
|
||||||
|
|
||||||
Annotations can be added to the Gitea pod.
|
Annotations can be added to the Gitea pod.
|
||||||
@ -1017,6 +1033,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
|||||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||||
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
||||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||||
|
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
|
||||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
|
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
|
||||||
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
|
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
|
||||||
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
||||||
|
@ -278,6 +278,9 @@ https
|
|||||||
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
|
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
|
||||||
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
|
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
{{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
|
||||||
|
{{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
|
||||||
|
{{- end -}}
|
||||||
{{- /* redis queue */ -}}
|
{{- /* redis queue */ -}}
|
||||||
{{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
|
{{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
|
||||||
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
|
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
|
||||||
@ -426,3 +429,7 @@ https
|
|||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- toYaml $probe -}}
|
{{- toYaml $probe -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "gitea.metrics-secret-name" -}}
|
||||||
|
{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
|
||||||
|
{{- end -}}
|
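Review bot: `default` in the new `gitea.metrics-secret-name` helper is called with a single argument, so it never supplies a fallback value and only obscures what the helper returns; `{{- printf "%s-metrics-secret" (include "gitea.fullname" .) -}}` says the same thing directly and trims surrounding whitespace the way the neighbouring helpers do. Because the name is consumed by both the new metrics-secret.yaml and the ServiceMonitor `credentials` reference, a short comment above the define, e.g. `{{- /* Name of the Secret holding the metrics bearer token; shared by metrics-secret.yaml and servicemonitor.yaml */ -}}`, would make that coupling visible to the next editor.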
12
templates/gitea/metrics-secret.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "gitea.metrics-secret-name" . }}
|
||||||
|
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{- include "gitea.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
token: {{ .Values.gitea.metrics.token | b64enc }}
|
||||||
|
{{- end }}
|
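Review bot: `token: {{ .Values.gitea.metrics.token | b64enc }}` hands the raw value to `b64enc`, which takes a string; a token written unquoted in a values file (for example an all-digit value) arrives as a number and the render fails with a type error instead of a clear message. `token: {{ .Values.gitea.metrics.token | toString | b64enc }}` keeps the Secret tolerant of that. The three-way guard on the first line also deserves a header comment, e.g. `{{- /* Bearer token for the ServiceMonitor scrape; only needed when the ServiceMonitor is enabled, since the Gitea config already carries TOKEN */ -}}`, so readers do not assume the Secret is the only place the token lives.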
@ -32,4 +32,12 @@ spec:
|
|||||||
tlsConfig:
|
tlsConfig:
|
||||||
{{- . | toYaml | nindent 6 }}
|
{{- . | toYaml | nindent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.gitea.metrics.token }}
|
||||||
|
authorization:
|
||||||
|
type: Bearer
|
||||||
|
credentials:
|
||||||
|
name: {{ include "gitea.metrics-secret-name" . }}
|
||||||
|
key: token
|
||||||
|
optional: false
|
||||||
|
{{- end }}
|
||||||
{{- end -}}
|
{{- end -}}
|
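Review bot: The new guard `{{- if .Values.gitea.metrics.token }}` consults only the convenience value, while the config helper (hunk `@ -278,6 +278,9`) defers to a user-supplied `gitea.config.metrics.TOKEN` through `hasKey`; a deployment that sets the token via `gitea.config.metrics.TOKEN` alone therefore gets a protected endpoint but a ServiceMonitor without `authorization` and no metrics Secret, so scrapes are rejected at runtime rather than failing at template time. Either document that `gitea.metrics.token` is the only supported way to enable the bearer token, or derive the guard from the effective value, e.g. `{{- $token := .Values.gitea.metrics.token | default (index .Values.gitea.config.metrics "TOKEN") }}`, and apply the same expression in metrics-secret.yaml so both stay in step. The `authorization` stanza is also only honoured by Prometheus operator CRDs that know the field; older CRDs may prune it silently, which is worth a line in the README. The enclosing `with`/`if` blocks of this template start outside the hunk.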
58
unittests/config/metrics-section_metrics-token.yaml
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
suite: config template | metrics section (metrics token)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
tests:
|
||||||
|
- it: metrics token is set
|
||||||
|
template: templates/gitea/config.yaml
|
||||||
|
set:
|
||||||
|
gitea:
|
||||||
|
metrics:
|
||||||
|
enabled: true
|
||||||
|
token: "somepassword"
|
||||||
|
asserts:
|
||||||
|
- documentIndex: 0
|
||||||
|
equal:
|
||||||
|
path: stringData.metrics
|
||||||
|
value: |-
|
||||||
|
ENABLED=true
|
||||||
|
TOKEN=somepassword
|
||||||
|
- it: metrics token is empty
|
||||||
|
template: templates/gitea/config.yaml
|
||||||
|
set:
|
||||||
|
gitea:
|
||||||
|
metrics:
|
||||||
|
enabled: true
|
||||||
|
token: ""
|
||||||
|
asserts:
|
||||||
|
- documentIndex: 0
|
||||||
|
equal:
|
||||||
|
path: stringData.metrics
|
||||||
|
value: |-
|
||||||
|
ENABLED=true
|
||||||
|
- it: metrics token is nil
|
||||||
|
template: templates/gitea/config.yaml
|
||||||
|
set:
|
||||||
|
gitea:
|
||||||
|
metrics:
|
||||||
|
enabled: true
|
||||||
|
token:
|
||||||
|
asserts:
|
||||||
|
- documentIndex: 0
|
||||||
|
equal:
|
||||||
|
path: stringData.metrics
|
||||||
|
value: |-
|
||||||
|
ENABLED=true
|
||||||
|
- it: does not configures a token if metrics are disabled
|
||||||
|
template: templates/gitea/config.yaml
|
||||||
|
set:
|
||||||
|
gitea:
|
||||||
|
metrics:
|
||||||
|
enabled: false
|
||||||
|
token: "somepassword"
|
||||||
|
asserts:
|
||||||
|
- documentIndex: 0
|
||||||
|
equal:
|
||||||
|
path: stringData.metrics
|
||||||
|
value: |-
|
||||||
|
ENABLED=false
|
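Review bot: None of the four cases exercises the `hasKey` branch the helper adds, i.e. a user-supplied `gitea.config.metrics.TOKEN` that must win over `gitea.metrics.token`; a fifth case pinning that precedence keeps the guard from regressing. The `it` string `does not configures a token if metrics are disabled` should read `does not configure a token if metrics are disabled`.

```yaml
  - it: keeps a user-supplied config TOKEN over gitea.metrics.token
    template: templates/gitea/config.yaml
    set:
      gitea:
        metrics:
          enabled: true
          token: "somepassword"
        config:
          metrics:
            TOKEN: "configured-token"
    asserts:
      - documentIndex: 0
        matchRegex:
          path: stringData.metrics
          pattern: "TOKEN=configured-token"
```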
@ -0,0 +1,23 @@
|
|||||||
|
suite: Metrics secret template (monitoring disabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/metrics-secret.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders nothing if monitoring disabled and gitea.metrics.token empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: false
|
||||||
|
gitea.metrics.serviceMonitor.enabled: false
|
||||||
|
gitea.metrics.token: ""
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
- it: renders nothing if monitoring disabled and gitea.metrics.token not empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: false
|
||||||
|
gitea.metrics.serviceMonitor.enabled: false
|
||||||
|
gitea.metrics.token: "test-token"
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
@ -0,0 +1,33 @@
|
|||||||
|
suite: Metrics secret template (monitoring enabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/metrics-secret.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders nothing if monitoring enabled and gitea.metrics.token empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: true
|
||||||
|
gitea.metrics.serviceMonitor.enabled: true
|
||||||
|
gitea.metrics.token: ""
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
- it: renders Secret if monitoring enabled and gitea.metrics.token not empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: true
|
||||||
|
gitea.metrics.serviceMonitor.enabled: true
|
||||||
|
gitea.metrics.token: "test-token"
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- documentIndex: 0
|
||||||
|
containsDocument:
|
||||||
|
kind: Secret
|
||||||
|
apiVersion: v1
|
||||||
|
name: gitea-unittests-metrics-secret
|
||||||
|
- isNotNullOrEmpty:
|
||||||
|
path: metadata.labels
|
||||||
|
- equal:
|
||||||
|
path: data.token
|
||||||
|
value: "dGVzdC10b2tlbg=="
|
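Review bot: The suite covers the token-empty and token-set cases with the ServiceMonitor enabled, but not the third term of the template's guard: metrics enabled, token set, `gitea.metrics.serviceMonitor.enabled: false` must render no Secret. Add a case with `gitea.metrics.enabled: true`, `gitea.metrics.token: "test-token"` and `gitea.metrics.serviceMonitor.enabled: false` asserting `hasDocuments: count: 0`, so the Secret is never created for a consumer that does not exist.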
23
unittests/servicemonitor/servicemonitor-disabled.yaml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
suite: ServiceMonitor template (monitoring disabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/servicemonitor.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: false
|
||||||
|
gitea.metrics.token: ""
|
||||||
|
gitea.metrics.serviceMonitor.enabled: false
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: false
|
||||||
|
gitea.metrics.token: "test-token"
|
||||||
|
gitea.metrics.serviceMonitor.enabled: false
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
70
unittests/servicemonitor/servicemonitor-enabled.yaml
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
suite: ServiceMonitor template (monitoring enabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/servicemonitor.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders unsecure ServiceMonitor if gitea.metrics.token nil
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: true
|
||||||
|
gitea.metrics.token:
|
||||||
|
gitea.metrics.serviceMonitor.enabled: true
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- documentIndex: 0
|
||||||
|
containsDocument:
|
||||||
|
kind: ServiceMonitor
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
name: gitea-unittests
|
||||||
|
- isNotNullOrEmpty:
|
||||||
|
path: metadata.labels
|
||||||
|
- equal:
|
||||||
|
path: spec.endpoints
|
||||||
|
value:
|
||||||
|
- port: http
|
||||||
|
- it: renders unsecure ServiceMonitor if gitea.metrics.token empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: true
|
||||||
|
gitea.metrics.token: ""
|
||||||
|
gitea.metrics.serviceMonitor.enabled: true
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- documentIndex: 0
|
||||||
|
containsDocument:
|
||||||
|
kind: ServiceMonitor
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
name: gitea-unittests
|
||||||
|
- isNotNullOrEmpty:
|
||||||
|
path: metadata.labels
|
||||||
|
- equal:
|
||||||
|
path: spec.endpoints
|
||||||
|
value:
|
||||||
|
- port: http
|
||||||
|
- it: renders secure ServiceMonitor if gitea.metrics.token not empty
|
||||||
|
set:
|
||||||
|
gitea.metrics.enabled: true
|
||||||
|
gitea.metrics.token: "test-token"
|
||||||
|
gitea.metrics.serviceMonitor.enabled: true
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- documentIndex: 0
|
||||||
|
containsDocument:
|
||||||
|
kind: ServiceMonitor
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
name: gitea-unittests
|
||||||
|
- isNotNullOrEmpty:
|
||||||
|
path: metadata.labels
|
||||||
|
- equal:
|
||||||
|
path: spec.endpoints
|
||||||
|
value:
|
||||||
|
- port: http
|
||||||
|
authorization:
|
||||||
|
type: Bearer
|
||||||
|
credentials:
|
||||||
|
name: gitea-unittests-metrics-secret
|
||||||
|
key: token
|
||||||
|
optional: false
|
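Review bot: The `it` descriptions `renders unsecure ServiceMonitor if gitea.metrics.token nil` and `... if gitea.metrics.token empty` use "unsecure"; `renders ServiceMonitor without authorization if gitea.metrics.token nil` (and likewise for the empty case) is both standard wording and a precise statement of what the assertion on `spec.endpoints` checks.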
@ -365,6 +365,7 @@ gitea:
|
|||||||
passwordMode: keepUpdated
|
passwordMode: keepUpdated
|
||||||
|
|
||||||
## @param gitea.metrics.enabled Enable Gitea metrics
|
## @param gitea.metrics.enabled Enable Gitea metrics
|
||||||
|
## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
|
||||||
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
|
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
|
||||||
## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
|
## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
|
||||||
## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
|
## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
|
||||||
@ -373,6 +374,7 @@ gitea:
|
|||||||
## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
|
## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
|
||||||
metrics:
|
metrics:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
token:
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
# additionalLabels:
|
# additionalLabels:
|
||||||
|
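Review bot: The `## @param gitea.metrics.token` description is missing a verb and does not say that the value must be a string or that it is copied into a Secret; `## @param gitea.metrics.token Bearer token required to access the metrics endpoint. If not specified or empty the metrics endpoint is public. Must be a quoted string; when gitea.metrics.serviceMonitor.enabled is true it is also stored in a Secret for the Prometheus scrape.` reads cleanly and matches the README row this commit adds. The same wording fix applies to the README table row in the `@ -1017,6 +1033,7` hunk.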