Question posted in
The official documentation can be found here.

Redis – Disable security on Prometheus health endpoints, /-/healthy and /-/ready endpoints also secured when basic Auth enabled

I am using Prometheus version 2.28, I enabled basic Authentication on Prometheus server and seems that after enabling that, /-/healthy and /-/ready endpoints are also secured. I am using these endpoints in Kubernates for liveness and rediness probe. I have option to pass in Authorization header as a part of yaml as follows. But, is their any other way we can securely pass the username and password as its only base64 encoded. Or is it possible to disable security on Prometheus health endpoints.

livenessProbe:
      httpGet:
        path: /-/healthy
        port: 9090
        httpHeaders:
        - name: Authorization
          value: Basic dXNlcjpwYXNz
Tags:

3

Answers


  1. 0

    Unfortunately no. What you have is probably the only solution that works, as of today.

    Back in 2015 there was a GitHub issue (#16910) to implement authentication support for HTTP liveness probes, but it was ultimately scrapped.

    Login or Signup to reply.
  2. 0

    The Promethus server just returns 200 OK for /healthy and /ready endpoint without doing any further check so I think you can use tcpSocket probe which does not require credentials instead of httpGet.

    Login or Signup to reply.
  3. 0

    One can use the Authorization Bearer token in livenessProbe probe, while using the basic Authentication on Prometheus server. Below is the snippet for example:

    livenessProbe:
  httpGet:
    path: /-/healthy
    port: 9090
    httpHeaders:
    - name: Authorization
      value: Basic ejikUHJvOlpahbgrk1Bhc3MkMjekMg==

    Important thing to know is that one have to pick the Basic <Token Value> from browser’s Request Headers in the network tab of devtools. Please don’t encode from cli or terminal, <Token Value> might not work.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search