I am newbie to K8s and still testing things. I have got prometheus running outside my cluster. I am using admin creds to hit kube api server to get metrics in to my prometheus which at the moment is working fine.
I want to create another user only to scrape metrics. While searching, i could not find any documentation on creating a user with user id and password.
Also, we are managing our repo in gitlab with pipeline. Is it possible to create user using yaml config instead of kubectl as given in the documentation.
Thanks
Eswar
According to Prometheus docs:
Prometheus does not directly support basic authentication (aka "basic auth") for connections to the Prometheus expression browser and HTTP API. If you'd like to enforce basic auth for those connections, we recommend using Prometheus in conjunction with a reverse proxy and applying authentication at the proxy layer.
In the link above there is a step-by-step guide in how to set up a nginx reverse proxy in front of Prometheus.
Related
I am using LDAP as User federation for my Keycloak instance. Is there a supported way to monitor LDAP events like syncErrors/successfulImports, userUpdates and etc? Preferably
through Prometheus metrics endpoint. Im aware of "aerogear/keycloak-metrics-spi" extension, but looks like it doesnt expose any metrics related to user federation.
If I understand Keycloak monitoring innerworks correctly, Keycloak should be issuing user federation related "events". When I inspect available events at documentation there seems to be only 4 events that resemblence what Im looking for (see image attached). But even these events are not enough for me.
I’m currently experimenting on Metaflow. I followed the documentation and was able to deploy an aws setup with the given cloud formation template.
My question is why is that I’m always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service url via the browser. To get the api-key you can go to the aws console
Api Gateway -> Api Keys -> show api key
Alternatively you can use the metaflow client in the sagemaker notebook which should be automatically setup for you via the template.
Also worth mentioning that there are two sets of endpoints: The one provided by the api gateway (which you seem to be hitting) and the one provided by the service itself. The api gateway forwards the requests the the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.
How to configure Basic Authentication Configuration In kubernetes Dashbaord .I have done below steps
--authentication-mode=basic added in kubernetes dashboard deployment yaml.
Done API server to be configured (inside /etc/kubernetes/manifests/kube-apiserver.yaml" with authorization mode ABAC and --basic-auth-file given to a file and that file contain like "userpass,username,uid"
But still unable to get the result . Whatever I wrote (even random letter) in the username and password field it able to login into the dashboard and no resources access after that.
one way to achieve is by fronting the dashboard service with a traefik ingress controller. set basic auth in traefik deployment file. create ingress rule for dashboard service
you can also use nginx ingress controller.
below link would be helpful
https://github.com/kubernetes-retired/contrib/tree/master/ingress/controllers/nginx/examples/auth
I have created keycloak docker image and deployed in kubernates in my on premise server and setup localhost: as redirect URLs and when I am accessing it from other systems, it should be the IP address of that system, instead of localhost. Could you please help me to get dynamic IP setup in my keycloak from Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.
I know it's possible to access the static views of the api, but I can't find out the basic auth details that I need to login via the browser. Where can I find these? I'm on GCE and created a cluster.
Run kubectl config view. It'll dump out the auth information used to access your cluster, including the basic auth username and password.