6. prometheus oauth2

Prometheus can be reached without any authentication. Because it must not be exposed to the outside world as-is, authentication has to be put in front of it.

Basic auth would also work, but I decided to use OAuth2.

With OAuth2, access to Prometheus has to go through oauth2-proxy.

flow diagram

The nginx proxy forwards traffic to oauth2-proxy. If there is no login session, oauth2-proxy shows its sign-in page. Clicking the sign-in button sends the user to auth0.com; after logging in there the user is redirected back to oauth2-proxy. Now that the login has succeeded, oauth2-proxy forwards the traffic to Prometheus.

nginx์—์„œ๋Š” ssl์„ ์ถ”๊ฐ€ํ•ด๋‘๊ธฐ ๋ฐ”๋ž€๋‹ค.

auth0.com

์•ฑ์„๋งŒ๋“ค๊ณ  callback url์„ ์„ค์ •ํ•œ๋‹ค.

Note down the client secret and client ID.

oauth2_proxy

https://oauth2-proxy.github.io/oauth2-proxy/docs/

dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo

Put the generated value into OAUTH2_PROXY_COOKIE_SECRET in the file below.

docker-compose

https://github.com/teamsmiley/devops-public/blob/main/monitoring/6.prometheus-oauth/docker-compose.yaml

version: '3'

services:
  nginx:
    image: nginx:1.23.3-alpine
    container_name: nginx
    depends_on:
      - prometheus
      # grafana is defined in the linked compose file, not shown here; drop this line
      # if you run only the services listed on this page
      - grafana
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx:/etc/nginx/conf.d
      - /etc/letsencrypt:/etc/letsencrypt
    restart: always

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    container_name: oauth2-proxy
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
      OAUTH2_PROXY_UPSTREAMS: http://prometheus:9090
      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Auth0
      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://yourdomain.us.auth0.com/
      OAUTH2_PROXY_CLIENT_ID: xxxxxxxxxxxx
      OAUTH2_PROXY_CLIENT_SECRET: xxxxxxxxxxxx
      OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_REDIRECT_URL: https://prom.your-domain.com/oauth2/callback
      # value from the dd command above; must decode to 16, 24 or 32 bytes
      OAUTH2_PROXY_COOKIE_SECRET: 'xxxxxxxxxx'
    # not published on the host: nginx reaches it on the compose network as oauth2-proxy:4180
    expose:
      - 4180

  prometheus:
    image: prom/prometheus:v2.40.7
    container_name: prometheus
    # not published on the host: a host port 9090 would expose Prometheus without the login
    expose:
      - 9090
    volumes:
      - ./prometheus/prometheus.yaml:/etc/prometheus/prometheus.yaml
      - ./prometheus/k8s:/etc/prometheus/k8s
      - ./prometheus/alerts:/etc/prometheus/alerts
      - ./prometheus/file-sd:/etc/prometheus/file-sd
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yaml'
    depends_on:
      # alertmanager is defined in the linked compose file, not shown here; drop this line
      # if you run only the services listed on this page
      - alertmanager
    restart: always

volumes:
  prometheus_data:
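As an added example (not from the original page or the linked repository), the script below mirrors the cookie-secret command above and lints a compose definition for the mistakes that would undo this setup: an upstream published directly on the host, a cookie secret of the wrong length, a non-https issuer or redirect URL, and an email-domain filter of '*'. The two compose dicts are constructed here from the page's values, and the function names are this example's own.

```python
import base64, binascii, os

def generate_cookie_secret(nbytes: int = 32) -> str:
    # Same shape as the page's dd | base64 | tr pipeline: URL-safe base64 of random bytes.
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")

def cookie_secret_ok(secret: str) -> bool:
    # The session cookie is AES-encrypted, so the key must decode to 16, 24 or 32 bytes.
    try:
        return len(base64.urlsafe_b64decode(secret)) in (16, 24, 32)
    except (binascii.Error, ValueError):
        return False

def lint_compose(compose: dict) -> list:
    # Findings a reviewer would raise against the compose stack on this page.
    findings = []
    services = compose.get("services", {})
    for name, svc in services.items():
        if name != "nginx" and svc.get("ports"):
            findings.append(f"{name}: host ports {svc['ports']} bypass nginx and oauth2-proxy")
    env = services.get("oauth2-proxy", {}).get("environment", {})
    if not env.get("OAUTH2_PROXY_OIDC_ISSUER_URL", "").startswith("https://"):
        findings.append("OIDC issuer URL must use https")
    redirect = env.get("OAUTH2_PROXY_REDIRECT_URL", "")
    if not redirect.startswith("https://") or not redirect.endswith("/oauth2/callback"):
        findings.append("redirect URL must be https and end with /oauth2/callback")
    if not cookie_secret_ok(env.get("OAUTH2_PROXY_COOKIE_SECRET", "")):
        findings.append("cookie secret must decode to 16, 24 or 32 bytes")
    if env.get("OAUTH2_PROXY_EMAIL_DOMAINS") == "*":
        findings.append("EMAIL_DOMAINS '*' admits any Auth0 account; restrict it to your domain")
    return findings

def proxy_env(secret: str, domains: str) -> dict:
    # Constructed from the page's oauth2-proxy environment (client id/secret placeholders omitted).
    return {"OAUTH2_PROXY_OIDC_ISSUER_URL": "https://yourdomain.us.auth0.com/",
            "OAUTH2_PROXY_REDIRECT_URL": "https://prom.your-domain.com/oauth2/callback",
            "OAUTH2_PROXY_COOKIE_SECRET": secret, "OAUTH2_PROXY_EMAIL_DOMAINS": domains}

# Constructed: the page's compose as originally written, reduced to the fields the checks read.
PAGE_COMPOSE = {"services": {
    "nginx": {"ports": ["80:80", "443:443"]},
    "oauth2-proxy": {"ports": ["4180:4180"], "environment": proxy_env("xxxxxxxxxx", "*")},
    "prometheus": {"ports": ["9090:9090"]}}}

# Constructed: same stack with only nginx published, a real secret and one allowed domain.
HARDENED_COMPOSE = {"services": {
    "nginx": {"ports": ["80:80", "443:443"]},
    "oauth2-proxy": {"environment": proxy_env(generate_cookie_secret(), "your-domain.com")},
    "prometheus": {}}}
```

Run lint_compose on your own compose file (parsed with PyYAML into the same dict shape) before bringing the stack up; an empty list means none of these checks fired.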

nginx config

server {
  server_name prom.your-domain.com;
  listen 443 ssl;
  ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

  location / {
    proxy_pass http://oauth2-proxy:4180;
  }
}

ํ™•์ธ

docker-compose up -d

Once the containers are running, open https://prom.your-domain.com and the sign-in page appears.

signin์„ ๋ˆ„๋ฅด๋ฉด auth0์—์„œ ๋กœ๊ทธ์ธ์„ ํ•˜๊ณ  ๋‹ค์‹œ prometheus๋กœ ๋Œ์•„์˜จ๋‹ค.

The Prometheus UI is now visible.

error

If you see the following screen instead, oauth2-proxy and Prometheus cannot talk to each other.

์„ค์ •์„ ํ™•์ธํ•ด์„œ ์ˆ˜์ •ํ•˜์ž.
