Skip to content

feat(cadvisor): add support for basic auth #758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pdesgarets wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(cadvisor): add support for basic auth #758

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions roles/cadvisor/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ cadvisor_whitelisted_container_labels: []
cadvisor_store_container_labels: true
cadvisor_docker_only: false

cadvisor_basic_auth_users: {}

cadvisor_system_group: "root"
cadvisor_system_user: "{{ cadvisor_system_group }}"

Expand All @@ -27,3 +29,5 @@ cadvisor_binary_install_dir: "/usr/local/bin"
#
cadvisor_housekeeping_interval: 10s
cadvisor_max_housekeeping_interval: 15s

cadvisor_config_dir: "/etc/cadvisor"
10 changes: 10 additions & 0 deletions roles/cadvisor/meta/argument_specs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,13 @@ argument_specs:
description: "do not report raw cgroup metrics, except the root cgroup"
type: "bool"
default: false
cadvisor_basic_auth_users:
description:
- "Dictionary of username / password for HTTP basic authentication"
- >-
Warning : The endpoints `/api/*` and `/metrics` are exposed without authentication. See https://github.com/google/cadvisor/blob/master/docs/web.md#web-ui-authentication and https://github.com/google/cadvisor/issues/3401 for more details.
type: "dict"
default: {}
cadvisor_system_group:
description:
- "I(Advanced)"
Expand All @@ -97,3 +104,6 @@ argument_specs:
cadvisor_max_housekeeping_interval:
description: 'Largest interval to allow between container housekeepings'
default: '10s'
cadvisor_config_dir:
description: "Directory for cAdvisor configuration files"
default: "/etc/cadvisor"
2 changes: 2 additions & 0 deletions roles/cadvisor/molecule/alternative/molecule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,5 @@ provisioner:
env_metadata_whitelist: [ "PATH" ]
store_container_labels: false
cadvisor_housekeeping_interval: 15s
cadvisor_basic_auth_users:
foo: bar
10 changes: 10 additions & 0 deletions roles/cadvisor/molecule/alternative/tests/test_alternative.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,13 @@ def test_protecthome_property(host):
])
def test_socket(host, sockets):
assert host.socket(sockets).is_listening


def test_forbidden_access(host):
output = host.check_output('curl -s -o /dev/null -w "%{http_code}" -L http://127.0.0.1:8000/')
assert '401' in output


def test_granted_access(host):
output = host.check_output('curl -s -o /dev/null -w "%{http_code}" -L http://127.0.0.1:8000/ -u foo:bar')
assert '200' in output
30 changes: 30 additions & 0 deletions roles/cadvisor/tasks/configure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---

- name: Configure
ansible.builtin.include_role:
name: prometheus.prometheus._common
tasks_from: configure.yml
vars:
_common_config_dir: "{{ cadvisor_config_dir if (cadvisor_basic_auth_users | length > 0) else None }}"
_common_system_group: "{{ cadvisor_system_group }}"
_common_system_user: "{{ cadvisor_system_user }}"
tags:
- cadvisor
- configure
- cadvisor_configure

- name: Generate htpasswd file
ansible.builtin.template:
src: "htpasswd.j2"
dest: "{{ cadvisor_config_dir }}/htpasswd"
owner: "{{ cadvisor_system_user }}"
group: "{{ cadvisor_system_group }}"
mode: 0640
become: true
when: cadvisor_basic_auth_users | length > 0
notify:
- Restart cadvisor
tags:
- cadvisor
- configure
- cadvisor_configure
5 changes: 2 additions & 3 deletions roles/cadvisor/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,8 @@
- cadvisor_configure

- name: Configure
ansible.builtin.include_role:
name: prometheus.prometheus._common
tasks_from: configure.yml
ansible.builtin.include_tasks:
file: configure.yml
tags:
- cadvisor_configure

Expand Down
4 changes: 4 additions & 0 deletions roles/cadvisor/templates/cadvisor.service.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ ExecStart={{ cadvisor_binary_install_dir }}/cadvisor \
{% endif -%}
{% if cadvisor_env_metadata_whitelist | length > 0 %}
'--env_metadata_whitelist={{ cadvisor_env_metadata_whitelist | join(',') }}' \
{% endif %}
{% if cadvisor_basic_auth_users | length > 0 %}
'--http_auth_file={{ cadvisor_config_dir }}/htpasswd' \
'--http_auth_realm=cadvisor' \
{% endif %}
'--store_container_labels={{ cadvisor_store_container_labels | lower }}' \
'--listen_ip={{ cadvisor_listen_ip }}' \
Expand Down
4 changes: 4 additions & 0 deletions roles/cadvisor/templates/htpasswd.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
{% for user, password in cadvisor_basic_auth_users.items() %}
{{ user }}:{{ password | string | password_hash('bcrypt', ('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' | shuffle(seed=inventory_hostname) | join)[:22], rounds=9) }}
{% endfor %}
Loading