Prometheus with Vault Integration about nri-prometheus HOT 5 CLOSED

Hey @brianbao,

Thanks for your ticket!
Right now we don't offer that functionality, but I do agree that it's a useful feature to add.

I will discuss your feature request with the team and we'll get back to you.

from nri-prometheus.

Hey @jorikvdwerf,

I did some digging and it looks like this was already basically implemented. The config.yaml file can specify a bearer_token_file, which will read the file and append the Authorization: Bearer {TOKEN} header to the request, which the Vault Prometheus endpoint accepts.

In my digging it looks like there are actually a lot of parameters that went undocumented, such as metrics_api_url or insecure_skip_verify on the targets config just to give two examples. It would be great if we could get these documented.

from nri-prometheus.

Hey @brianbao! Replying to your finding and feedback:

• We intentionally don't want to document insecure_skip_verify as it completely defeats the purpose of mutual TLS.

• The metrics api url shouldn't need to be changed. Our code is smart enough to guess the region based on your license key. See here: https://github.com/newrelic/nri-prometheus/blob/a022884ea187367015dbe90edd48707d3dbddb0f/cmd/nri-prometheus/config_test.go. Is it somehow not working well for you?

• The bearer_token_file configuration was created to allow the metric fetching process to work on RBAC-protected Kubernetes clusters without changing a lot of the code. "Accidentally" it also works for your use case. This one I believe we can maybe transform into a feature, allowing you to configure bearer tokens per scraped URL maybe. WDYT?

from nri-prometheus.

Thanks for your response @douglascamata. Everything you wrote makes sense.

Regarding the bearer_token_file, our only requirement is that there is some way to dynamically read a location for a token instead of having it hard-coded as a passed parameter, since these tokens can expire and will need to be refreshed. The code is already implemented to read the token file before every scrape request, so having the scraper configure a file per scraped URL as you described would be nice to have.

As it stands we are also perfectly fine using the bearer_token_file as is, so the feature may not be fully necessary.

from nri-prometheus.

Hey @brianbao! Replying to your finding and feedback:

• We intentionally don't want to document insecure_skip_verify as it completely defeats the purpose of mutual TLS.
• The metrics api url shouldn't need to be changed. Our code is smart enough to guess the region based on your license key. See here: https://github.com/newrelic/nri-prometheus/blob/a022884ea187367015dbe90edd48707d3dbddb0f/cmd/nri-prometheus/config_test.go. Is it somehow not working well for you?
• The bearer_token_file configuration was created to allow the metric fetching process to work on RBAC-protected Kubernetes clusters without changing a lot of the code. "Accidentally" it also works for your use case. This one I believe we can maybe transform into a feature, allowing you to configure bearer tokens per scraped URL maybe. WDYT?

Hello NR team, it will be great to have the possibility to configure bearer tokens per scraped URL. Can we reopen that issue or transform it into a feature request? Thanks

from nri-prometheus.