Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-2160

Support additional auth section in remote_write

XMLWordPrintable

    • Support more authentication methods for remote write
    • False
    • False
    • NEW
    • To Do
    • OBSDA-39 - Support Sigv4 authentication for remote write in OCP monitoring
    • Impediment
    • OBSDA-39Support Sigv4 authentication for remote write in OCP monitoring
    • NEW
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      The cluster monitoring operator should allow OpenShift customers to configure remote write with all authentication methods supported by upstream Prometheus.

      We will extend CMO's configuration API to support the following authentications with remote write:

      • Sigv4
      • Authorization
      • OAuth2

      Why is this important?

      Customers want to send metrics to AWS Managed Prometheus that require sigv4 authentication (see https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-secure-metric-ingestion.html#AMP-secure-auth).

      Scenarios

      1. As a cluster admin, I want to forward platform/user metrics to remote write systems requiring Sigv4 authentication.
      2. As a cluster admin, I want to forward platform/user metrics to remote write systems requiring OAuth2 authentication.
      3. As a cluster admin, I want to forward platform/user metrics to remote write systems requiring custom Authorization header for authentication (e.g. API key).

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • It is possible for a cluster admin to configure any authentication method that is supported by Prometheus upstream for remote write (both platform and user-defined metrics):
        • Sigv4
        • Authorization
        • OAuth2

      Dependencies (internal and external)

      • In theory none because everything is already supported by the Prometheus operator upstream. We may discover bugs in the upstream implementation though that may require upstream involvement.

      Previous Work

      • After CMO started exposing the RemoteWrite specification in MON-1069, additional authentication options where added to prometheus and prometheus-operator but CMO didn't catch up on these.

      Open Questions

      • None

              jmarcal@redhat.com Joao Marcal
              jfajersk@redhat.com Jan Fajerski
              Hongyan Li Hongyan Li
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: