Describe the bug
Running the skupper network-observer with the openshift auth proxy, it is difficult to configure external metrics collection.
```yaml
# values.yaml
auth:
  strategy: openshift
tls:
  skupperIssued: false
  openshiftIssued: true
route:
  enabled: true
```
The network-observer pod exposes just port 443, which is protected by the oauth proxy, complicating collection. Internally to the pod, the observer exposes an HTTP API on port 8080 and binds to localhost only (not externally accessible).

How To Reproduce
Steps to reproduce the behavior:
Expected behavior
There should be a clear way to mitigate this.
The most obvious workaround is to change the deployment such that the network-observer container binds to 0.0.0.0:8080 (instead of the default 127.0.0.1:8080) to allow connections from outside of the pod.
```yaml
# values-workaround.yaml
extraArgs:
  - -listen=:8080
auth:
  strategy: openshift
tls:
  skupperIssued: false
  openshiftIssued: true
route:
  enabled: true
```

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: network-observer
spec:
  podMetricsEndpoints:
    - port: api
  selector:
    matchLabels:
      app.kubernetes.io/name: network-observer
```

Alternate approaches may be:
- changing the default api listen address from `127.0.0.1:8080` to `:8080`
- editing the proxy configuration to add `-skip-auth-regex=/metrics` to bypass auth for the metrics endpoint.
- solving for using oauth2 auth to authenticate the external prometheus instance with the auth proxy.
- adding a separate listen address in the network-observer application for metrics only (i.e. api binds to localhost, metrics binds 0.0.0.0), and expose that as a service by default.
Environment details
- Skupper Operator 2.1
- Platform: Openshift
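
An added example, not part of the original issue or the Skupper project's own manifests: with the `-listen=:8080` workaround, the observer API on port 8080 is no longer behind the oauth proxy, so a NetworkPolicy can limit that port to the namespace running Prometheus while leaving the proxied port 443 reachable. The policy name and the `monitoring` namespace are assumptions; the pod label and port numbers are the ones given in the issue.

```yaml
# Added example: restrict the workaround's 0.0.0.0:8080 listener to Prometheus only.
# Assumption: Prometheus runs in a namespace named "monitoring"; adjust to match.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-observer-metrics   # hypothetical name
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: network-observer   # label used by the PodMonitor in the issue
  policyTypes:
    - Ingress
  ingress:
    # Port 443 is fronted by the oauth proxy, so it stays open to all sources
    # (the route must still be able to reach it).
    - ports:
        - protocol: TCP
          port: 443
    # Port 8080 is the observer API without the proxy in front of it;
    # allow it only from the namespace that hosts Prometheus.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed namespace
      ports:
        - protocol: TCP
          port: 8080
```

Once a NetworkPolicy selects the pod, any ingress not listed is dropped, so every port the deployment needs must appear in the rule set.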