-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated Components topic for OIDC authentication #547
base: master
Are you sure you want to change the base?
Updated Components topic for OIDC authentication #547
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
|
||
![access-plutono](./images/access-plutono.png) | ||
|
||
Programmatic access is still possible via the non-OIDC ingress using the credentials from the `<clustername>.monitoring` secret. It contains the HTTP basic auth credentials in base64-encoded form, as well as the Plutono ingress URL. The Prometheus URL can be derived from the Plutono URL by replacing the `gu` prefix with `p`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
programmatic access
although possible is not a publicly supported scenario. We still shall explain that user name password access is possible. The latter values are indeed stored in <clustername>.monitoring
secret and the url as present as an annotation on the same secret. But again please do not market this as programmatic
access. Today we don't support that scenario.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nickytd do we have an issue or even a timeline for programmatic access? If we don't offer an alternative solution to users who need machine-to-machine access to e.g. Prometheus, we're forcing them to go with the deprecated option. I don't expect them to be happy with that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not aware of such plans. That is why we keep the current state preserving the use case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case I disagree with marking it as deprecated. It's a feature we're expected to provide, and without a replacement it should not be considered deprecated IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will agree with you If you point me to the scenario description of programatic access
service offering. Otherwise I am against this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will agree with you If you point me to the scenario description of programatic access service offering.
Was there a GEP discussing the move from basic auth to OIDC and dropping the support for federating metrics? I'm not entirely sure, where/if this kind of documentation exists at all for the observability area 🤔 @nickytd maybe you can help me out? Thanks!
Anyways, from the perspective of a Gardener consumer/user, basic auth access as an implementation of programmatic access
is essential to federate metrics. If we are indeed deprecating it, a proper replacement needs to be in place before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To add to Hendrik's point: The ability to federate control plane metrics using the basic auth credentials has been an option available to users since before the OIDC ingresses were introduced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. Perhaps there is some historical service offering to which I am not aware. In this case, it is better, the service (scenario) owner of the programatic access
to define the correct wording, reflecting the desired service offering.
As for the OIDC
it is an addition to the current auth & auth schemes and not a replacement.
website/documentation/getting-started/observability/components.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Jordan Jordanov <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
website/documentation/getting-started/observability/components.md
Outdated
Show resolved
Hide resolved
Change due to discussion on `programmatic access`
@nickytd @rickardsjp I have omitted the mention of "programmatic access" in the topic. Is there a need for further updates, or can the PR be merged as is? |
What this PR does / why we need it:
This PR updates screenshot and text in the
Logging into Plutono
section of the Components topic with details on logging in with OIDC authentication. It also adds information on programmatic access.Which issue(s) this PR fixes:
Fixes #545
Special notes for your reviewer:
Release note: