Problem Statement
The current metrics endpoint is nested in the admin/ route, which requires authentication. This means any metrics scraper I use needs to both support authenticating, and I need to logistically get that authentication to it, which is also admin privileged. In Kubernetes specifically this is fairly perilous, and cross-namespace secrets are already difficult.
Proposed Solution
Following many other Helm-deployed applications I've used, have an optional metrics endpoint on another port entirely that's unauthenticated, allowing a set of other avenues for getting those metrics and securing it however we wish for that risk profile.
Alternatives Considered
I considered putting it in the normal API as either a regular user or unauthed endpoint, but then it's sharing the same exposure profile as the rest of the API, and doesn't solve the secret logistics hurdles at all.
I also considered adding a proxy pod instead, but this seemed out of line with common industry approaches and I didn't like the hacky nature of it, plus it's more failure points.
Component
Helm Chart
Additional Context
This is slight double accounting, as the main issue is artifact-keeper/artifact-keeper#570.
I figured it's better to be thorough and provide a paper trail in both repos though when I saw this repo had a similar flow.
Pre-submission Checklist
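The pattern proposed above, as an added illustration that is not part of this issue or of the project's Helm chart: the application exposes its unauthenticated metrics on a second container port, a dedicated Service fronts only that port, and a NetworkPolicy restricts ingress to the metrics port to scrapers in the monitoring namespace while leaving the main API port on its existing exposure profile. The app name, port numbers, labels and the `monitoring` namespace are assumptions chosen for the example.

```yaml
# Added example, not the project's chart. All names and ports are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  labels: {app.kubernetes.io/name: example-app}
spec:
  selector:
    matchLabels: {app.kubernetes.io/name: example-app}
  template:
    metadata:
      labels: {app.kubernetes.io/name: example-app}
    spec:
      containers:
        - name: app
          image: example/app:placeholder   # placeholder image
          ports:
            - name: http
              containerPort: 8080        # authenticated API
            - name: metrics
              containerPort: 9090        # unauthenticated /metrics, separate listener
---
# Service that exposes only the metrics port, so the scrape target
# never points at the API listener.
apiVersion: v1
kind: Service
metadata:
  name: example-app-metrics
  labels: {app.kubernetes.io/name: example-app, app.kubernetes.io/component: metrics}
spec:
  selector: {app.kubernetes.io/name: example-app}
  ports:
    - name: metrics
      port: 9090
      targetPort: metrics
---
# Because an unauthenticated listener has no auth of its own, the network
# is the control: only pods in the monitoring namespace may reach 9090.
# Selecting the pod in a policy denies all other ingress, so the API port
# gets an explicit rule as well (here: from any peer, unchanged from before).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-app-metrics-ingress
spec:
  podSelector:
    matchLabels: {app.kubernetes.io/name: example-app}
  policyTypes: [Ingress]
  ingress:
    - ports:
        - port: 8080
          protocol: TCP
    - from:
        - namespaceSelector:
            # kubernetes.io/metadata.name is set automatically on namespaces
            matchLabels: {kubernetes.io/metadata.name: monitoring}
      ports:
        - port: 9090
          protocol: TCP
```

The scraper in `monitoring` then targets the `example-app-metrics` Service on port 9090 with no credentials; no admin token needs to be copied across namespaces, and the blast radius of the unauthenticated listener is bounded by the NetworkPolicy rather than by application auth. A CNI that enforces NetworkPolicy is a prerequisite; without one the policy object is accepted but has no effect.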