-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
documentation for usage in combination with security plugins #60
Comments
We have Prometheus and OpenSearch running in a Kubernetes cluster, and what we do for Prometheus scraping with security enabled, is to:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: opensearch-metrics
namespace: opensearch
spec:
endpoints:
- path: /_prometheus/metrics
port: http
scheme: https
tlsConfig:
# Not possible to verify the certificate, since Prometheus targets IP addresses
# directly instead of using Kubernetes DNS, which aren't included in their certificates
insecureSkipVerify: true
# Used for authentication
ca:
secret:
name: opensearch-prometheus-http-crt
key: ca.crt
cert:
secret:
name: opensearch-prometheus-http-crt
key: tls.crt
keySecret:
name: opensearch-prometheus-http-crt
key: tls.key
selector:
matchLabels:
app.kubernetes.io/name: opensearch The important part here is the Unfortunately, I haven't found a solution around the need for using What do you think of this solution @rursprung and @lukas-vlcek ? |
thanks for your feedback @AndersBennedsgaard! that sounds like an interesting approach!
if you're using the CSI driver from cert-manager to issue certificates then you should be able to include the specific IP of the pod in the certificate (i haven't tried that myself). |
@rursprung I have considered using the CSI driver, but I'm not really comfortable introducing it to production since it does not seem entirely stable yet. But a good suggestion, which we will take in consideration in the future 😃 |
[OpenSearch Prometheus Exporter](https://github.com/Aiven-Open/prometheus-exporter-plugin-for-opensearch) requires auhentication when security pluign is switched on. More info: Aiven-Open/prometheus-exporter-plugin-for-opensearch#60 Thus we're adding this new user.
background
this is the third attempt in the third repo to get an answer to vvanholl/elasticsearch-prometheus-exporter#324 and aparo/opensearch-prometheus-exporter#4 🙂
there are various security plugins available for OpenSearch (OpenSearch Security and SearchGuard with their upcoming release) and OpenSearch Security is included and enabled by default in the normal distribution.
is there any documentation on how to use opensearch-prometheus-exporter in combination with them?
problems
i see two aspects to this:
our workaround (solution?)
this is how we got it to work:
there's a role for prometheus (both to access the prometheus metrics as well as for the prometheus plugin itself to access the internal metrics; mixed here because as you can see in the role mapping below it's anyway using the same mechanism):
this is then mapped for all anonymous users in a role mapping (which IMHO is bad practice as it requires enabling anonymous auth in the first place):
this of course requires
config.dynamic.http.anonymous_auth_enabled: true
to be set in the security config.note: this is currently undocumented in OpenSearch, i've raised the corresponding docs ticket: opensearch-project/documentation-website#627
if the prometheus scrapper doesn't know the CA used for the TLS certificates on the http port then you might also have to disable TLS on OpenSearch (or re-configure the prometheus scrapper).
with this in place it's then possible for prometheus to scrap the metrics.
alternatives
it would also be possible to set up basic authentication on OpenSearch with a dedicated user for prometheus and then let the prometheus scrapper use this user to read the data. however, this also isn't particularly secure (e.g. when using the k8s annotations for prometheus and having to define the username/password there...) and requires having basic auth enabled in the first place (which isn't what we want given that we have no other usage for it and adding a new auth realm for one single use-case opens a whole new can of worms).
required solution
preferred solution
minimal solution
The text was updated successfully, but these errors were encountered: