feat(service-monitor): support bearer token authentication on metrics endpoint (#719)

### Benefits Can protect metrics endpoint with `Bearer` token authentication provided by gitea. see PR #637 for previous discussion. ### Possible drawbacks No possible drawbacks ### Applicable issues - fixes #635 ### Additional information ``` gitea: metrics: enabled: true token: "somepassword" serviceMonitor: enabled: true ``` Using above configuration is sufficient to secure /metrics endpoint with bearer token and corresponding ServiceMonitor. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] ~~Breaking changes are documented in the `README.md`~~ Not applicable - [x] Templating unittests are added Signed-off-by: Hitesh Nayak <hiteshnayak305@gmail.com> Reviewed-on: gitea/helm-chart#719 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: Hitesh Nayak <hiteshnayak305@gmail.com> Co-committed-by: Hitesh Nayak <hiteshnayak305@gmail.com>
2024-11-30 13:59:29 +00:00
parent 3bacaaad84
commit 389a8460e4
10 changed files with 253 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@
 - [OAuth2 Settings](#oauth2-settings) 
 - [Configure commit signing](#configure-commit-signing) 
 - [Metrics and profiling](#metrics-and-profiling) 
+ - [Secure Metrics Endpoint](#secure-metrics-endpoint) 
 - [Pod annotations](#pod-annotations) 
 - [Themes](#themes) 
 - [Renovate](#renovate) 
@@ -747,6 +748,21 @@ gitea:
 ENABLE_PPROF: true 
 ``` 
 
+### Secure Metrics Endpoint 
+ 
+Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. 
+ 
+**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. 
+ 
+```yaml 
+gitea: 
+ metrics: 
+ token: "secure-token" 
+ enabled: true 
+ serviceMonitor: 
+ enabled: true 
+``` 
+ 
 ## Pod annotations 
 
 Annotations can be added to the Gitea pod. 
@@ -1053,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | 
 | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | 
 | `gitea.metrics.enabled` | Enable Gitea metrics | `false` | 
+| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | 
 | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | 
 | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | 
 | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | 
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -311,6 +311,9 @@ https
 {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} 
 {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} 
 {{- end -}} 
+ {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} 
+ {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} 
+ {{- end -}} 
 {{- /* redis queue */ -}} 
 {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} 
 {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} 
@@ -465,3 +468,7 @@ https
 {{- end -}} 
 {{- toYaml $probe -}} 
 {{- end -}} 
+ 
+{{- define "gitea.metrics-secret-name" -}} 
+{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} 
+{{- end -}} 
--- a/templates/gitea/metrics-secret.yaml
+++ b/templates/gitea/metrics-secret.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}} 
+apiVersion: v1 
+kind: Secret 
+metadata: 
+ name: {{ include "gitea.metrics-secret-name" . }} 
+ namespace: {{ .Values.namespace | default .Release.Namespace }} 
+ labels: 
+ {{- include "gitea.labels" . | nindent 4 }} 
+type: Opaque 
+data: 
+ token: {{ .Values.gitea.metrics.token | b64enc }} 
+{{- end }} 
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@@ -32,4 +32,12 @@ spec:
 tlsConfig: 
 {{- . | toYaml | nindent 6 }} 
 {{- end }} 
+ {{- if .Values.gitea.metrics.token }} 
+ authorization: 
+ type: Bearer 
+ credentials: 
+ name: {{ include "gitea.metrics-secret-name" . }} 
+ key: token 
+ optional: false 
+ {{- end }} 
 {{- end -}} 
--- a/unittests/config/metrics-section_metrics-token.yaml
+++ b/unittests/config/metrics-section_metrics-token.yaml
@@ -0,0 +1,58 @@
+suite: config template | metrics section (metrics token) 
+release: 
+ name: gitea-unittests 
+ namespace: testing 
+tests: 
+ - it: metrics token is set 
+ template: templates/gitea/config.yaml 
+ set: 
+ gitea: 
+ metrics: 
+ enabled: true 
+ token: "somepassword" 
+ asserts: 
+ - documentIndex: 0 
+ equal: 
+ path: stringData.metrics 
+ value: |- 
+ ENABLED=true 
+ TOKEN=somepassword 
+ - it: metrics token is empty 
+ template: templates/gitea/config.yaml 
+ set: 
+ gitea: 
+ metrics: 
+ enabled: true 
+ token: "" 
+ asserts: 
+ - documentIndex: 0 
+ equal: 
+ path: stringData.metrics 
+ value: |- 
+ ENABLED=true 
+ - it: metrics token is nil 
+ template: templates/gitea/config.yaml 
+ set: 
+ gitea: 
+ metrics: 
+ enabled: true 
+ token: 
+ asserts: 
+ - documentIndex: 0 
+ equal: 
+ path: stringData.metrics 
+ value: |- 
+ ENABLED=true 
+ - it: does not configures a token if metrics are disabled 
+ template: templates/gitea/config.yaml 
+ set: 
+ gitea: 
+ metrics: 
+ enabled: false 
+ token: "somepassword" 
+ asserts: 
+ - documentIndex: 0 
+ equal: 
+ path: stringData.metrics 
+ value: |- 
+ ENABLED=false 
--- a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml
+++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml
@@ -0,0 +1,23 @@
+suite: Metrics secret template (monitoring disabled) 
+release: 
+ name: gitea-unittests 
+ namespace: testing 
+templates: 
+ - templates/gitea/metrics-secret.yaml 
+tests: 
+ - it: renders nothing if monitoring disabled and gitea.metrics.token empty 
+ set: 
+ gitea.metrics.enabled: false 
+ gitea.metrics.serviceMonitor.enabled: false 
+ gitea.metrics.token: "" 
+ asserts: 
+ - hasDocuments: 
+ count: 0 
+ - it: renders nothing if monitoring disabled and gitea.metrics.token not empty 
+ set: 
+ gitea.metrics.enabled: false 
+ gitea.metrics.serviceMonitor.enabled: false 
+ gitea.metrics.token: "test-token" 
+ asserts: 
+ - hasDocuments: 
+ count: 0 
--- a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml
+++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml
@@ -0,0 +1,33 @@
+suite: Metrics secret template (monitoring enabled) 
+release: 
+ name: gitea-unittests 
+ namespace: testing 
+templates: 
+ - templates/gitea/metrics-secret.yaml 
+tests: 
+ - it: renders nothing if monitoring enabled and gitea.metrics.token empty 
+ set: 
+ gitea.metrics.enabled: true 
+ gitea.metrics.serviceMonitor.enabled: true 
+ gitea.metrics.token: "" 
+ asserts: 
+ - hasDocuments: 
+ count: 0 
+ - it: renders Secret if monitoring enabled and gitea.metrics.token not empty 
+ set: 
+ gitea.metrics.enabled: true 
+ gitea.metrics.serviceMonitor.enabled: true 
+ gitea.metrics.token: "test-token" 
+ asserts: 
+ - hasDocuments: 
+ count: 1 
+ - documentIndex: 0 
+ containsDocument: 
+ kind: Secret 
+ apiVersion: v1 
+ name: gitea-unittests-metrics-secret 
+ - isNotNullOrEmpty: 
+ path: metadata.labels 
+ - equal: 
+ path: data.token 
+ value: "dGVzdC10b2tlbg==" 
--- a/unittests/servicemonitor/servicemonitor-disabled.yaml
+++ b/unittests/servicemonitor/servicemonitor-disabled.yaml
@@ -0,0 +1,23 @@
+suite: ServiceMonitor template (monitoring disabled) 
+release: 
+ name: gitea-unittests 
+ namespace: testing 
+templates: 
+ - templates/gitea/servicemonitor.yaml 
+tests: 
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty 
+ set: 
+ gitea.metrics.enabled: false 
+ gitea.metrics.token: "" 
+ gitea.metrics.serviceMonitor.enabled: false 
+ asserts: 
+ - hasDocuments: 
+ count: 0 
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty 
+ set: 
+ gitea.metrics.enabled: false 
+ gitea.metrics.token: "test-token" 
+ gitea.metrics.serviceMonitor.enabled: false 
+ asserts: 
+ - hasDocuments: 
+ count: 0 
--- a/unittests/servicemonitor/servicemonitor-enabled.yaml
+++ b/unittests/servicemonitor/servicemonitor-enabled.yaml
@@ -0,0 +1,70 @@
+suite: ServiceMonitor template (monitoring enabled) 
+release: 
+ name: gitea-unittests 
+ namespace: testing 
+templates: 
+ - templates/gitea/servicemonitor.yaml 
+tests: 
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token nil 
+ set: 
+ gitea.metrics.enabled: true 
+ gitea.metrics.token: 
+ gitea.metrics.serviceMonitor.enabled: true 
+ asserts: 
+ - hasDocuments: 
+ count: 1 
+ - documentIndex: 0 
+ containsDocument: 
+ kind: ServiceMonitor 
+ apiVersion: monitoring.coreos.com/v1 
+ name: gitea-unittests 
+ - isNotNullOrEmpty: 
+ path: metadata.labels 
+ - equal: 
+ path: spec.endpoints 
+ value: 
+ - port: http 
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token empty 
+ set: 
+ gitea.metrics.enabled: true 
+ gitea.metrics.token: "" 
+ gitea.metrics.serviceMonitor.enabled: true 
+ asserts: 
+ - hasDocuments: 
+ count: 1 
+ - documentIndex: 0 
+ containsDocument: 
+ kind: ServiceMonitor 
+ apiVersion: monitoring.coreos.com/v1 
+ name: gitea-unittests 
+ - isNotNullOrEmpty: 
+ path: metadata.labels 
+ - equal: 
+ path: spec.endpoints 
+ value: 
+ - port: http 
+ - it: renders secure ServiceMonitor if gitea.metrics.token not empty 
+ set: 
+ gitea.metrics.enabled: true 
+ gitea.metrics.token: "test-token" 
+ gitea.metrics.serviceMonitor.enabled: true 
+ asserts: 
+ - hasDocuments: 
+ count: 1 
+ - documentIndex: 0 
+ containsDocument: 
+ kind: ServiceMonitor 
+ apiVersion: monitoring.coreos.com/v1 
+ name: gitea-unittests 
+ - isNotNullOrEmpty: 
+ path: metadata.labels 
+ - equal: 
+ path: spec.endpoints 
+ value: 
+ - port: http 
+ authorization: 
+ type: Bearer 
+ credentials: 
+ name: gitea-unittests-metrics-secret 
+ key: token 
+ optional: false 
--- a/values.yaml
+++ b/values.yaml
@@ -461,6 +461,7 @@ gitea:
 passwordMode: keepUpdated 
 
 ## @param gitea.metrics.enabled Enable Gitea metrics 
+ ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. 
 ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. 
 ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. 
 ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. 
@@ -469,6 +470,7 @@ gitea:
 ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. 
 metrics: 
 enabled: false 
+ token: 
 serviceMonitor: 
 enabled: false 
 # additionalLabels: