Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mimir-continuous-test tool: Add basic authentication support #2717

Merged

Conversation

wilfriedroset
Copy link
Collaborator

@wilfriedroset wilfriedroset commented Aug 14, 2022

What this PR does

Added basic authentication support to mimir-continuous-testing for when Mimir is behind a gateway authenticating the calls.

Which issue(s) this PR fixes or relates to

Fixes #2105

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

@wilfriedroset wilfriedroset force-pushed the continuous-test-authentication branch from 7f3d597 to 86974f3 Compare August 14, 2022 20:11
Copy link
Contributor

@56quarters 56quarters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one change. Thanks!

pkg/continuoustest/client.go Outdated Show resolved Hide resolved
… support

Signed-off-by: Wilfried Roset <wilfriedroset@users.noreply.github.com>
@wilfriedroset wilfriedroset force-pushed the continuous-test-authentication branch from 86974f3 to 642ec76 Compare August 15, 2022 19:17
@wilfriedroset
Copy link
Collaborator Author

I've also added the support for bearer token to fully address #2105

@56quarters 56quarters merged commit 4a12de2 into grafana:main Aug 16, 2022
@56quarters
Copy link
Contributor

Thanks!

@jcquiles
Copy link

@wilfriedroset I have a question! How does reverse proxy work when authenticating with a bearer token, does this mean mimir doesn't do the auth but the proxy does instead? I've seen the configs in the docs, but havent been able to find an explanation on how it actually works. Thank you!

@wilfriedroset
Copy link
Collaborator Author

Mimir does not handle authentication by itself. This part is delegated to an eventual proxy placed before Mimir.
Mimir trust the http header X-Scope-OrgID, as such the proxy is responsible for authenticating the user as it sees fit and then forward the request to mimir with the correct value.

It can be as simple as a basic auth in nginx something like:

location /api/v1/push {
  auth_basic           "prometheus remote write";
  auth_basic_user_file /etc/nginx/htpasswd.write;
  proxy_pass            https://distributor$request_uri;
  proxy_set_header      X-Scope-OrgID $x_scope_orgid;
}

Where x_scope_orgid is define as a map in nginx configuration

map $remote_user $x_scope_orgid {
    foo bar;
}

@jcquiles
Copy link

Thanks @wilfriedroset for the explanation! How about when it comes to externalLabels does it preserve all labels or only certain ones such as cluster & namespace? Afaik, it only accepts specific labels.

@wilfriedroset
Copy link
Collaborator Author

The proxy (at least for nginx) does not do anything about the external labels. They are used by mimir during the deduplication process. You can find out more in the documentation: https://grafana.com/docs/mimir/latest/operators-guide/configure/configuring-high-availability-deduplication/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[mimir-continuous-test]: Support authentication
3 participants