From ef44bae8ed85751784b2a48a479f8b704e85f7ed Mon Sep 17 00:00:00 2001 From: josunect Date: Tue, 3 Sep 2024 12:21:50 +0100 Subject: [PATCH 1/4] Add auth section for each external services --- .../p8s-jaeger-grafana/grafana.md | 19 ++++++++++++++++ .../p8s-jaeger-grafana/prometheus.md | 18 +++++++++++++++ .../p8s-jaeger-grafana/tracing/jaeger.md | 19 ++++++++++++++++ .../p8s-jaeger-grafana/tracing/tempo.md | 22 ++++++++++++++++++- 4 files changed, 77 insertions(+), 1 deletion(-) diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md index d65b57236..4e7a5c286 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md @@ -57,3 +57,22 @@ spec: The described configuration is done in the Kiali CR when Kiali is installed using the Kiali Operator. If Kiali is installed with the Helm chart then the correct way to configure this is via regular --set flags. {{% /alert %}} +### Grafana authentication configuration + +The Kiali CR provides authentication configuration that will be used also for querying the version check to provide information in the Mesh graph. + +```yaml +spec: + external_services: + grafana: + enabled: true + auth: + ca_file: "" + insecure_skip_verify: false + password: "pwd" + token: "" + type: "basic" + use_kiali_token: false + username: "user" + health_check_url: "" +``` \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md index 0eda98a89..b00e3bace 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md 
@@ -169,4 +169,22 @@ The recommendation for Kiali is to set the shortest retention time that meets yo For more information, see the [Prometheus documentation](https://prometheus.io/docs/prometheus/latest/storage/#operational-aspects). +### Prometheus authentication configuration +The Kiali CR provides authentication configuration that will be used also for querying the version check to provide information in the Mesh graph. + +```yaml +spec: + external_services: + prometheus: + enabled: true + auth: + ca_file: "" + insecure_skip_verify: false + password: "pwd" + token: "" + type: "basic" + use_kiali_token: false + username: "user" + health_check_url: "" +``` \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md index b7934c301..fd4d2b131 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md @@ -52,3 +52,22 @@ If your Jaeger setup differs significantly from the sample add-ons, make sure that Istio is also properly configured to push traces to the right URL. {{% /alert %}} +### Jaeger authentication configuration + +The Kiali CR provides authentication configuration that will be used also for querying the version check to provide information in the Mesh graph. + +```yaml +spec: + external_services: + tracing: + enabled: true + auth: + ca_file: "" + insecure_skip_verify: false + password: "pwd" + token: "" + type: "basic" + use_kiali_token: false + username: "user" + health_check_url: "" +``` \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md index 2dfaeba92..b0018c7d6 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md 
@@ -231,4 +231,24 @@ In `external_services.tracing` | |
http
|
grpc
| |--------|-------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Jaeger | `.in_cluster_url = 'http://jaeger_service_url:16686/jaeger'`
`.use_grpc = false`
| `.in_cluster_url = 'http://jaeger_service_url:16685/jaeger'`
`.use_grpc = true (Not required: by default)`

| -| Tempo |
`in_cluster_url = 'http://query_frontend_url:3200'`
`.use_grpc = false`
`.provider = 'tempo'`

| `.in_cluster_url = 'http://query_frontend_url:3200'`
`.grpc_port: 9095`
`.provider: 'tempo'`
`.use_grpc = true (Not required: by default)`
| \ No newline at end of file +| Tempo |
`in_cluster_url = 'http://query_frontend_url:3200'`
`.use_grpc = false`
`.provider = 'tempo'`

| `.in_cluster_url = 'http://query_frontend_url:3200'`
`.grpc_port: 9095`
`.provider: 'tempo'`
`.use_grpc = true (Not required: by default)`
| + +### Tempo authentication configuration + +The Kiali CR provides authentication configuration that will be used also for querying the version check to provide information in the Mesh graph. + +```yaml +spec: + external_services: + tracing: + enabled: true + auth: + ca_file: "" + insecure_skip_verify: false + password: "pwd" + token: "" + type: "basic" + use_kiali_token: false + username: "user" + health_check_url: "" +``` \ No newline at end of file From 7009aa6572e5b59826d3c5a882de81c458cb9623 Mon Sep 17 00:00:00 2001 From: Josune Cordoba <49480155+josunect@users.noreply.github.com> Date: Tue, 10 Sep 2024 11:18:41 +0100 Subject: [PATCH 2/4] Update content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md Co-authored-by: Nick Fox --- content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md index 4e7a5c286..a8637c684 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md @@ -59,7 +59,7 @@ The described configuration is done in the Kiali CR when Kiali is installed usin ### Grafana authentication configuration -The Kiali CR provides authentication configuration that will be used also for querying the version check to provide information in the Mesh graph. +The Kiali CR provides authentication configuration that will be used to connect to your grafana instance and for detecting your grafana version in the Mesh graph. ```yaml spec: From d9933ca63ec48e6c542e0062fb459fec61870e27 Mon Sep 17 00:00:00 2001 
From: josunect Date: Tue, 10 Sep 2024 12:03:55 +0100 Subject: [PATCH 3/4] Update faq --- .../p8s-jaeger-grafana/grafana.md | 4 +- .../p8s-jaeger-grafana/prometheus.md | 4 +- .../p8s-jaeger-grafana/tracing/jaeger.md | 4 +- .../p8s-jaeger-grafana/tracing/tempo.md | 4 +- content/en/docs/FAQ/authentication.md | 56 +++++++++++++++++++ 5 files changed, 68 insertions(+), 4 deletions(-) diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md index a8637c684..042988a42 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md @@ -75,4 +75,6 @@ spec: use_kiali_token: false username: "user" health_check_url: "" -``` \ No newline at end of file +``` + +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md index b00e3bace..3d179bb66 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md @@ -187,4 +187,6 @@ spec: use_kiali_token: false username: "user" health_check_url: "" -``` \ No newline at end of file +``` + +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md index fd4d2b131..389cb7953 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md 
@@ -70,4 +70,6 @@ spec: use_kiali_token: false username: "user" health_check_url: "" -``` \ No newline at end of file +``` + +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md index b0018c7d6..df6d1a85b 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md @@ -251,4 +251,6 @@ spec: use_kiali_token: false username: "user" health_check_url: "" -``` \ No newline at end of file +``` + +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file diff --git a/content/en/docs/FAQ/authentication.md b/content/en/docs/FAQ/authentication.md index 325b3ea28..13089e85d 100644 --- a/content/en/docs/FAQ/authentication.md +++ b/content/en/docs/FAQ/authentication.md 
@@ -59,3 +59,59 @@ spec: number: 20001 ``` +### How to configure a secret as password for external services + +The external services as [Prometheus]({{< relref "../Configuration/p8s-jaeger-grafana/prometheus" >}}), [Grafana]({{< relref "../Configuration/p8s-jaeger-grafana/grafana" >}}), [Jaeger]({{< relref "../Configuration/p8s-jaeger-grafana/tracing/jaeger" >}}) or [Tempo]({{< relref "../Configuration/p8s-jaeger-grafana/tracing/tempo" >}}), can use a secret in order to specify the password for authentication. + +1. Create a secret with the prometheus password in it. The key must be value.txt: +``` +kubectl -n istio-system create secret generic my-prom-secret --from-literal=value.txt=my-own-password +``` + +2. Create a values file that: + +* Defines a custom secret and mounts it to the place that Kiali Server expects to see it +* Tell Kiali to use that secret for the prometheus password: + +``` + deployment: + custom_secrets: + - name: "my-prom-secret" + mount: "/kiali-override-secrets/prometheus-password" +``` + +The custom folders should be one of the following: + +- grafana-password +- grafana-token +- prometheus-password +- prometheus-token +- tracing-password +- tracing-token +- login-token-signing-key + +``` + external_services: + prometheus: + auth: + password: "secret:my-prom-secret:value.txt" +``` + +3. 
Install with the server helm chart using that values file: + +``` +helm install \ + --namespace istio-system \ + --set deployment.custom_secrets[0].name="my-prom-secret" \ + --set deployment.custom_secrets[0].mount="/kiali-override-secrets/prometheus-password" \ + --set external_services.prometheus.auth.password="secret:my-prom-secret:value.txt" \ + --set auth.strategy="anonymous" \ + --set deployment.logger.log_level="debug" \ + kiali-server \ + kiali/kiali-server +``` + +If this works, there should be a debug log message in the kiali server: +``` +2024-09-10T09:56:24Z DBG Credentials loaded from secret file [/kiali-override-secrets/prometheus-password/value.txt] +``` \ No newline at end of file From 5a0e6e83da58fd35930a4fdbc443cfec315991ec Mon Sep 17 00:00:00 2001 From: josunect Date: Thu, 12 Sep 2024 13:50:36 +0100 Subject: [PATCH 4/4] Update link --- .../p8s-jaeger-grafana/grafana.md | 2 +- .../p8s-jaeger-grafana/prometheus.md | 2 +- .../p8s-jaeger-grafana/tracing/jaeger.md | 2 +- .../p8s-jaeger-grafana/tracing/tempo.md | 2 +- content/en/docs/FAQ/authentication.md | 57 ------------------- 5 files changed, 4 insertions(+), 61 deletions(-) diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md index 042988a42..eabc0f626 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/grafana.md @@ -77,4 +77,4 @@ spec: health_check_url: "" ``` -To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/installation#how-can-i-use-a-secret-to-pass-external-service-credentials-to-the-kiali-server" >}}) \ No newline at end of file 
diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md index 3d179bb66..f313c8189 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/prometheus.md @@ -189,4 +189,4 @@ spec: health_check_url: "" ``` -To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../FAQ/installation#how-can-i-use-a-secret-to-pass-external-service-credentials-to-the-kiali-server" >}}) \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md index 389cb7953..c316d4f29 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/jaeger.md @@ -72,4 +72,4 @@ spec: health_check_url: "" ``` -To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/installation#how-can-i-use-a-secret-to-pass-external-service-credentials-to-the-kiali-server" >}}) \ No newline at end of file diff --git a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md index df6d1a85b..c08da4597 100644 --- a/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md +++ b/content/en/docs/Configuration/p8s-jaeger-grafana/tracing/tempo.md 
@@ -253,4 +253,4 @@ spec: health_check_url: "" ``` -To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/authentication#how-to-configure-a-secret-as-password-for-external-services" >}}) \ No newline at end of file +To configure a secret to be used as a password, see this [FAQ entry]({{< relref "../../../FAQ/installation#how-can-i-use-a-secret-to-pass-external-service-credentials-to-the-kiali-server" >}}) \ No newline at end of file diff --git a/content/en/docs/FAQ/authentication.md b/content/en/docs/FAQ/authentication.md index 13089e85d..cb4ade1e7 100644 --- a/content/en/docs/FAQ/authentication.md +++ b/content/en/docs/FAQ/authentication.md 
@@ -58,60 +58,3 @@ spec: port: number: 20001 ``` - -### How to configure a secret as password for external services - -The external services as [Prometheus]({{< relref "../Configuration/p8s-jaeger-grafana/prometheus" >}}), [Grafana]({{< relref "../Configuration/p8s-jaeger-grafana/grafana" >}}), [Jaeger]({{< relref "../Configuration/p8s-jaeger-grafana/tracing/jaeger" >}}) or [Tempo]({{< relref "../Configuration/p8s-jaeger-grafana/tracing/tempo" >}}), can use a secret in order to specify the password for authentication. - -1. Create a secret with the prometheus password in it. The key must be value.txt: -``` -kubectl -n istio-system create secret generic my-prom-secret --from-literal=value.txt=my-own-password -``` - -2. Create a values file that: - -* Defines a custom secret and mounts it to the place that Kiali Server expects to see it -* Tell Kiali to use that secret for the prometheus password: - -``` - deployment: - custom_secrets: - - name: "my-prom-secret" - mount: "/kiali-override-secrets/prometheus-password" -``` - -The custom folders should be one of the following: - -- grafana-password -- grafana-token -- prometheus-password -- prometheus-token -- tracing-password -- tracing-token -- login-token-signing-key - -``` - external_services: - prometheus: - auth: - password: "secret:my-prom-secret:value.txt" -``` - -3. 
Install with the server helm chart using that values file: - -``` -helm install \ - --namespace istio-system \ - --set deployment.custom_secrets[0].name="my-prom-secret" \ - --set deployment.custom_secrets[0].mount="/kiali-override-secrets/prometheus-password" \ - --set external_services.prometheus.auth.password="secret:my-prom-secret:value.txt" \ - --set auth.strategy="anonymous" \ - --set deployment.logger.log_level="debug" \ - kiali-server \ - kiali/kiali-server -``` - -If this works, there should be a debug log message in the kiali server: -``` -2024-09-10T09:56:24Z DBG Credentials loaded from secret file [/kiali-override-secrets/prometheus-password/value.txt] -``` \ No newline at end of file
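
Review bot: In [PATCH 1/4], grafana.md hunk, the example puts a literal `password: "pwd"` in the Kiali CR and none of the keys under `auth` is explained. From this block a reader cannot tell which keys matter when `type: "basic"` is selected, what `token` and `use_kiali_token` are for, or what is given up by setting `insecure_skip_verify` to true. Suggest one line of description per key, and showing the secret reference form that 3/4 introduces (`password: "secret:my-prom-secret:value.txt"`) instead of a literal, so the copy-paste default does not store a credential in the CR. The same applies to the identical blocks added to prometheus.md, jaeger.md and tempo.md.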
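
Review bot: In [PATCH 1/4], prometheus.md hunk, the new `### Prometheus authentication configuration` heading is followed directly by the paragraph with no blank line, unlike the Grafana, Jaeger and Tempo sections added in the same patch. Add the blank line so the four sections are formatted the same way.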
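
Review bot: In [PATCH 1/4], the jaeger.md and tempo.md hunks add the same `external_services.tracing.auth` block and the same sentence under two different headings, with nothing specific to Jaeger or Tempo in either. Either say in each section what differs for that backend, or keep one tracing authentication section and link to it from the other page, so the two copies cannot drift apart.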
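
Review bot: In [PATCH 2/4], the reworded sentence is applied to grafana.md only, so prometheus.md, jaeger.md and tempo.md keep the original "will be used also for querying the version check" wording from 1/4. Apply the same rewording to the other three files, and capitalise the product name ("your Grafana instance", "your Grafana version") to match the `### Grafana authentication configuration` heading.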
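
Review bot: In [PATCH 3/4], FAQ/authentication.md hunk, the `helm install` command in step 3 passes `--set auth.strategy="anonymous"`, which is unrelated to loading the Prometheus password from a secret, and anyone copying the command gets a Kiali install with the anonymous strategy. Drop that flag, and say that `deployment.logger.log_level="debug"` is there only to surface the "Credentials loaded from secret file" message. Step 3 also says "using that values file" while the command uses only `--set` flags, so either pass the values file from step 2 or reword the step. In step 1, `--from-literal=value.txt=my-own-password` puts the password on the command line; consider showing `--from-file` instead. The "custom folders" list currently sits between the two halves of the values file and would read better after both fragments.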
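
Review bot: In [PATCH 3/4], the one-line additions to grafana.md, prometheus.md, jaeger.md and tempo.md say "To configure a secret to be used as a password", but the folder list in the FAQ entry they link to also covers `grafana-token`, `prometheus-token` and `tracing-token`. Word the sentence so it covers both the password and the token, and end it with a period.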
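
Review bot: In [PATCH 4/4], the FAQ/authentication.md hunk deletes the whole section that 3/4 added, and the four links are repointed to `FAQ/installation#how-can-i-use-a-secret-to-pass-external-service-credentials-to-the-kiali-server`, an anchor that no patch in this series adds or touches. Please confirm that the heading exists in FAQ/installation.md on the target branch, since a wrong `relref` anchor breaks the link on all four pages. Squashing 3/4 and 4/4 would also keep the add-then-remove of the FAQ section out of the history.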