k8spin / prometheus-multi-tenant-proxy Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• fix(deps): update module github.com/aws/aws-sdk-go to v1.51.24

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.1
• fix(deps): update module github.com/prometheus-community/prom-label-proxy to v0.8.1
• chore(deps): update golang docker tag to v1.22.2
• fix(deps): update module github.com/prometheus/prometheus to v0.51.2
• chore(deps): update actions/setup-go action to v5
• chore(deps): update docker/build-push-action action to v5
• chore(deps): update docker/login-action action to v3
• chore(deps): update docker/setup-buildx-action action to v3
• chore(deps): update docker/setup-qemu-action action to v3
• fix(deps): update module github.com/micahparks/keyfunc/v2 to v3
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

This project doesn't provide a way to install it by helm, it worth trying to create a helm chart and host it on github pages.

Hello World!

I want to post this issue/feature-request to see if anyone out there can help us improve this proxy.

As you probably know, this is a reverse proxy that auto injects some query params to a set of URIs. It also checks basic auth in all the endpoints.

We need to avoid the auth checks in the following endpoints:

• GET /-/healthy: https://prometheus.io/docs/prometheus/latest/management_api/#health-check
• GET /-/ready: https://prometheus.io/docs/prometheus/latest/management_api/#readiness-check

With this change, we can add to the Kubernetes deployment some basic health check based on the upstream server response.

Thanks!

@derlin introduced a new configuration parameter (for aws signing) on the latest release. It can be configured either by an environment variable or by flag in the cli.

It would be nice to have the other parameters to be configurable by environment variables.
It must have the same prefix @derlin used for the aws signing feature.

Thanks!

Currenty, the proxy only adds a filter for the namespace label, which is well suited to filter by k8s namespaces. This issue is about adding support for additional/customizable filters on top/instead of namespaces.

We would like to restrict access to metrics at (for example) the application level instead of the namespace.

In this case, the configuration could look like this:

  - username: Different labels
    password: NamespacesWithoutAppName
    labels:
      namespace: default
      app_name: poll-demo-app

Hi,
I use this to deploy on k8s but I think some of args like --reload-interval=5 are removed. I removed this arg but my pod not getting ready. With v1.4.0 everything work as expected.
Please help me
Thank you

As hinted in reverse_test.go, prometheus exposes other endpoints than just the ones for querying: status, alerts, etc. With the current implementation, as long as you have a valid authentication, you should be able to query any of those without issues, which could leak very sensitive information.

I would propose to add a whitelist feature: the ability to restrict access to only specific API endpoints.
The whitelist could be set by default to /series, /query and /query_range, as they are the ones we inject labels to.

The whitelist should however be configurable, as we do with the unprotected endpoints.

What do you think?

Label support was added in #58 with a warning in the README:

(It could lead to a security issue if the proxy is not configured to use namespaces or labels)

I am wondering if it wouldn't be better to actually check either labels or namespaces exist during the authentication ? Except if having users without proxying is a feature we want to support?

If we go with that, I hesitate on where this check should arise. My two propositions:

1. add it to the auth.go::AuthHandler function: if !authorized || (len(namespaces) == 0 && len(labels) == 0
2. add it to each auth type. Using basic auth, we should check during loading that all users have at least a namespace or a label. For JWT, ensure the claim contains one of both.

Currently, the proxy only supports basic auth with a fixed configuration for namespaces; this issue's goal is to add support for JWT-based authentication, including fetching the namespace(s) (and/or other filters, see #51 ) from the token itself.

The use case is to offload the decision of what namespaces a request has access to to a different service and let thus the proxy be fully dynamic and not need any configuration about the content of the Prometheus cluster.

Ideally, support for a quick asymmetric signature algorithm (e.g. EdDSA with Ed25519 and SHA-512) that allows to avoid sharing the private key with the proxy would be provided.

Hi,
How can I have multi namespace for each user in config?