Promtail basic auth using kubernetes secret in helm values.yaml

I'm using the promtail helm chart to connect to a Loki server running on a different stack. I have Loki behind an Nginx ingress protected with basic auth.

I can't find any documentation on this, which is very likely just my admittedly limited understanding of helm.

I'm simply trying to connect to the Loki instance using basic auth, while using a Kubernetes secret in the helm values instead of plaintext credentials.

This works perfectly:

  snippets:
    extraClientConfigs: |
      basic_auth:
        username: myusername
        password: mypassword

I created a secret like this:

kubectl create secret generic loki-credentials -n monitoring --from-literal=password="mypassword" --from-literal=username="myusername"

Now I want to use it in the values.yaml file.

This is what I have so far:

extraEnv:
  - name: LOKI_USERNAME
    valueFrom:
      secretKeyRef:
        name: loki-credentials
        key: username
  - name: LOKI_PASSWORD
    valueFrom:
      secretKeyRef:
        name: loki-credentials
        key: password

extraArgs:
  - -client.external-labels=stack=development
  - -config.expand-env

config:
  serverPort: 3101
  lokiAddress: myurl
  snippets:
    extraClientConfigs: |
      basic_auth:
        username: ${LOKI_USERNAME}
        password: ${LOKI_PASSWORD}

I just get a 401 response.

Chart version: 3.1.0
Promtail version: 2.1.0

Edit

Here is my ingress yaml:

controller:
  replicaCount: 1

  config:
    force-ssl-redirect: "true"
    use-forwarded-headers: "true"

  service:
    targetPorts:
      http: http
      https: http
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:123456:certificate/123456"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

    enableHttp: false
    enableHttps: true
    type: LoadBalancer
    loadBalancerSourceRanges:
      - "0.0.0.0/0"

  ## Name of the ingress class to route through this controller
  ingressClass: nginx-external

...and my Loki values.yaml

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx-external"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: loki-ingress-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
  hosts:
    - host: loki.mydomain.com
      paths:
        - "/"
  tls: []

config:
  auth_enabled: false
  ingester:
    chunk_idle_period: 3m
    chunk_block_size: 262144
    chunk_retain_period: 1m
    max_transfer_retries: 3
    lifecycler:
      ring:
        kvstore:
          store: inmemory
        replication_factor: 1
  
  schema_config:
    configs:
    - from: 2021-03-06
      store: boltdb-shipper
      object_store: aws
      schema: v11
      index:
        prefix: loki_index_
        period: 24h
        
  server:
    http_listen_port: 3100

  storage_config:
    aws:
      bucketnames: my-bucket-name
      region: us-west-2
      s3forcepathstyle: true

    boltdb_shipper:
      active_index_directory: /data/loki/boltdb-shipper-active
      cache_location: /data/loki/boltdb-shipper-cache
      shared_store: s3

  chunk_store_config:
    max_look_back_period: 0s
  
  table_manager:
    retention_deletes_enabled: false
    retention_period: 0s

  compactor:
    working_directory: /data/loki/boltdb-shipper-compactor
    shared_store: aws

replicas: 1

podAnnotations:
  iam.amazonaws.com/role: "arn:aws:iam::123456:role/my-loki-role"

resources:
  limits:
    cpu: 500m
    memory: 2G
  requests:
    cpu: 250m
    memory: 1G

# The values to set in the PodDisruptionBudget spec
# If not set then a PodDisruptionBudget will not be created
podDisruptionBudget:
  minAvailable: 1

Logs from the nginx pod that my Loki sits behind:

2021/03/09 04:23:44 [error] 37#37: *925 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
2021/03/09 04:23:44 [error] 37#37: *921 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
xx.xxx.xxx.xx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 326 0.000 [monitoring-loki-3100] [] - - - - 63294b16fe010a8c9ec1d4684f0472f5
xxx.xx.xxx.xxx: - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 204 0 "-" "promtail/2.1.0" 2744 0.003 [monitoring-loki-3100] [] xxx.xx.xxx.xxx:3100 0 0.004 204 029e0a9d1ee6242cad8b9a6d2ee50940
2021/03/09 04:23:44 [error] 37#37: *925 user "myusername": password mismatch, client: xx.xxx.xxx.xx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 325 0.000 [monitoring-loki-3100] [] - - - - b75a2cfcf6c62b81953dd4fb26f1a844
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 204 0 "-" "promtail/2.1.0" 1513 0.014 [monitoring-loki-3100] [] xxx.xx.xxx.xxx:3100 0 0.016 204 0049965a49877cb5d336ac6ec869feb4
2021/03/09 04:23:45 [error] 36#36: *941 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:45 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 326 0.000 [monitoring-loki-3100] [] - - - - e5954bd055db5b3e9bd3227f57651847

As stated in the documentation, some background for Loki newcomers: Loki does not come with any authentication layer. Operators are expected to run an authenticating reverse proxy in front of your services, such as NGINX using basic auth or an OAuth2 proxy.

This basically means you have to put something between the client and Loki that enforces, for example, basic auth. In this case there is an Ingress (Nginx) acting as a reverse proxy with basic auth.

To troubleshoot authentication with Nginx, there are a number of things to check:

  • The logs of the Nginx Ingress Pod, checking for authentication errors.
  • The added Kubernetes Secret contains what you expect.
  • You have configured the required annotations for the Ingress object.

When it comes to using Nginx as an Ingress and adding basic auth, this resource from the official documentation is really helpful.

Usually when creating Kubernetes secrets, especially from the command line with kubectl, you have to wrap the password in single quotes if it contains special characters, so that the special characters are not interpreted by your shell. More info here.
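The two checks from the answer that explain a "password mismatch" in the nginx log (does the Secret hold what you think it holds, and did the shell mangle the password at creation time) can be verified offline. The script below is an added example, not code from the question, the answer, or the promtail/Loki projects. The password `p@ss$word!` is a constructed value; `encode_secret_field` stands in for what `kubectl create secret --from-literal` stores, and `decode_secret_field` is what you would run on the output of `kubectl get secret loki-credentials -n monitoring -o jsonpath='{.data.password}'` to see the stored value.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrates how shell quoting
# changes the password that ends up in a Kubernetes Secret, and how to verify
# the stored value against what Promtail is expected to send.

# Constructed password containing characters the shell treats specially.
INTENDED_PASSWORD='p@ss$word!'

# What reaches kubectl when the password is DOUBLE-quoted: "$word" is
# expanded (to the empty string in a fresh shell), so part of the password
# silently disappears and nginx reports "password mismatch".
double_quoted() {
  word=''   # mimic a shell where $word is unset
  printf '%s' "p@ss$word!"
}

# What reaches kubectl when the password is SINGLE-quoted: no expansion,
# the literal characters are stored. This is the form the answer recommends:
#   kubectl create secret generic loki-credentials -n monitoring \
#     --from-literal=password='p@ss$word!' --from-literal=username='myusername'
single_quoted() {
  printf '%s' 'p@ss$word!'
}

# Secret .data fields are base64 (stand-in for what kubectl stores).
encode_secret_field() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one .data field, e.g. the output of:
#   kubectl get secret loki-credentials -n monitoring -o jsonpath='{.data.password}'
decode_secret_field() {
  printf '%s' "$1" | base64 -d
}

# Compare a stored (base64) field with the value you intended to store.
# Prints "match" or "mismatch" so it can be used in a pipeline or a check.
secret_matches() {
  stored="$(decode_secret_field "$1")"
  if [ "$stored" = "$2" ]; then
    printf 'match'
  else
    printf 'mismatch'
  fi
}

# Stand-alone run: show both outcomes side by side.
mangled="$(encode_secret_field "$(double_quoted)")"
correct="$(encode_secret_field "$(single_quoted)")"
printf 'double-quoted secret vs intended: %s (stored "%s")\n' \
  "$(secret_matches "$mangled" "$INTENDED_PASSWORD")" "$(decode_secret_field "$mangled")"
printf 'single-quoted secret vs intended: %s (stored "%s")\n' \
  "$(secret_matches "$correct" "$INTENDED_PASSWORD")" "$(decode_secret_field "$correct")"
```

If the decoded field differs from the password in the htpasswd entry behind `nginx.ingress.kubernetes.io/auth-secret`, Promtail is sending exactly what the Secret contains and the mismatch is in how the Secret was created, not in the `${LOKI_PASSWORD}` expansion.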