在helm values.yaml中使用kubernetes secret的Promtail基本身份验证
我使用promtail helm图表连接到运行在不同堆栈上的Loki服务器。我有洛基在一个Nginx入口后面,用basic auth保护 我找不到这方面的任何文档,很可能这只是我对赫尔姆的有限理解 我只是尝试使用basic auth连接到Loki实例,同时在helm值中使用Kubernetes秘密而不是明文凭据 这非常有效:在helm values.yaml中使用kubernetes secret的Promtail基本身份验证,kubernetes,logging,prometheus,kubernetes-helm,Kubernetes,Logging,Prometheus,Kubernetes Helm,我使用promtail helm图表连接到运行在不同堆栈上的Loki服务器。我有洛基在一个Nginx入口后面,用basic auth保护 我找不到这方面的任何文档,很可能这只是我对赫尔姆的有限理解 我只是尝试使用basic auth连接到Loki实例,同时在helm值中使用Kubernetes秘密而不是明文凭据 这非常有效: snippets: extraClientConfigs: | basic_auth: username: myusername
snippets:
extraClientConfigs: |
basic_auth:
username: myusername
password: mypassword
我创造了这样一个秘密:
kubectl create secret generic loki-credentials -n monitoring --from-literal=password="mypassword" --from-literal=username="myusername"
现在我想在values.yaml
文件中使用它
到目前为止,我得到的是:
extraEnv:
- name: LOKI_USERNAME
valueFrom:
secretKeyRef:
name: loki-credentials
key: username
- name: LOKI_PASSWORD
valueFrom:
secretKeyRef:
name: loki-credentials
key: password
extraArgs:
- -client.external-labels=stack=development
- -config.expand-env
config:
serverPort: 3101
lokiAddress: myurl
snippets:
extraClientConfigs: |
basic_auth:
username: ${LOKI_USERNAME}
password: ${LOKI_PASSWORD}
我刚收到401的回复
Chart version: 3.1.0
Promtail version: 2.1.0
编辑
这是我的入口yaml:
controller:
replicaCount: 1
config:
force-ssl-redirect: "true"
use-forwarded-headers: "true"
service:
targetPorts:
http: http
https: http
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:123456:certificate/123456"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
enableHttp: false
enableHttps: true
type: LoadBalancer
loadBalancerSourceRanges:
- "0.0.0.0/0"
## Name of the ingress class to route through this controller
ingressClass: nginx-external
…和我的lokivalues.yaml
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx-external"
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: loki-ingress-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
hosts:
- host: loki.mydomain.com
paths:
- "/"
tls: []
config:
auth_enabled: false
ingester:
chunk_idle_period: 3m
chunk_block_size: 262144
chunk_retain_period: 1m
max_transfer_retries: 3
lifecycler:
ring:
kvstore:
store: inmemory
replication_factor: 1
schema_config:
configs:
- from: 2021-03-06
store: boltdb-shipper
object_store: aws
schema: v11
index:
prefix: loki_index_
period: 24h
server:
http_listen_port: 3100
storage_config:
aws:
bucketnames: my-bucket-name
region: us-west-2
s3forcepathstyle: true
boltdb_shipper:
active_index_directory: /data/loki/boltdb-shipper-active
cache_location: /data/loki/boltdb-shipper-cache
shared_store: s3
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: false
retention_period: 0s
compactor:
working_directory: /data/loki/boltdb-shipper-compactor
shared_store: aws
replicas: 1
podAnnotations:
iam.amazonaws.com/role: "arn:aws:iam::123456:role/my-loki-role"
resources:
limits:
cpu: 500m
memory: 2G
requests:
cpu: 250m
memory: 1G
# The values to set in the PodDisruptionBudget spec
# If not set then a PodDisruptionBudget will not be created
podDisruptionBudget:
minAvailable: 1
我的日志来自洛基坐在后面的nginx吊舱:
2021/03/09 04:23:44 [error] 37#37: *925 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
2021/03/09 04:23:44 [error] 37#37: *921 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
xx.xxx.xxx.xx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 326 0.000 [monitoring-loki-3100] [] - - - - 63294b16fe010a8c9ec1d4684f0472f5
xxx.xx.xxx.xxx: - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 204 0 "-" "promtail/2.1.0" 2744 0.003 [monitoring-loki-3100] [] xxx.xx.xxx.xxx:3100 0 0.004 204 029e0a9d1ee6242cad8b9a6d2ee50940
2021/03/09 04:23:44 [error] 37#37: *925 user "myusername": password mismatch, client: xx.xxx.xxx.xx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.mydomain.com"
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 325 0.000 [monitoring-loki-3100] [] - - - - b75a2cfcf6c62b81953dd4fb26f1a844
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:44 +0000] "POST /loki/api/v1/push HTTP/1.1" 204 0 "-" "promtail/2.1.0" 1513 0.014 [monitoring-loki-3100] [] xxx.xx.xxx.xxx:3100 0 0.016 204 0049965a49877cb5d336ac6ec869feb4
2021/03/09 04:23:45 [error] 36#36: *941 user "myusername": password mismatch, client: xxx.xx.xxx.xxx, server: loki.mydomain.com, request: "POST /loki/api/v1/push HTTP/1.1", host: "loki.c3dops.com"
xxx.xx.xxx.xxx - myusername [09/Mar/2021:04:23:45 +0000] "POST /loki/api/v1/push HTTP/1.1" 401 172 "-" "promtail/2.1.0" 326 0.000 [monitoring-loki-3100] [] - - - - e5954bd055db5b3e9bd3227f57651847
给任何刚接触Loki的人一点背景知识,如:Loki没有任何包含的身份验证层。操作员需要在您的服务前运行身份验证反向代理,例如使用基本身份验证或OAuth2代理的NGINX 这基本上意味着您必须在客户端和Loki之间放置一些东西,以强制执行例如基本身份验证。在这种情况下,有一个入口(Nginx)充当具有基本身份验证的反向代理 要解决使用Nginx进行身份验证的问题,需要检查以下几点:
- Nginx入口吊舱的日志,检查身份验证错误
- 添加的Kubernetes秘密包含您期望的内容
- 您已使用所需的
注释配置入口对象
通常,在使用
kubectl
创建Kubernetes机密时,尤其是从命令行创建时,如果密码包含特殊字符,则必须对其进行单引号引用。这样,shell就不会解释特殊字符。更多信息。您是否查看了helm生成的配置图?有正确的值吗?@JensBaitinger-Baitinger-huh,promtail实际上不会生成配置映射。但是,我可以SSH到pod中,env vars就在那里,以及引用那些env vars的预期配置文件Nginx入口日志告诉您什么?你能分享Loki配置和Ingress yaml吗(去掉了任何敏感的东西)?我做了一些测试并创建了这个repo,如果它有用的话,我现在还没有添加任何与promtail
相关的内容,但是如果你不确定的话,Ingress部分可能会有帮助:@hhaslam11谢谢,我会添加一个答案!我想知道如果密码对你有效,你在创建秘密时是否会引用密码?您可以轻松地解码该秘密以查看保存的内容。很高兴你成功了!