Configure authentication for Prometheus and Alermanager

Configure authentication for Prometheus and Alermanager

Note

This feature is available starting from the MCP 2019.2.7 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

You can configure basic authentication to access Prometheus and Alertmanager web UI through the proxy nodes that are available if external access to cloud resources is enabled in your OpenStack deployment.

This section describes how to configure authentication for Prometheus and Alertmanager by defining new passwords instead of the default ones on the existing MCP deployments updated to 2019.2.7. For new clusters starting from the MCP 2019.2.7 maintenance update, you define custom credentials for Prometheus and Alertmanager during the cluster creation.

To configure authentication for Prometheus and Alertmanager:

  1. Log in to the Salt Master node.

  2. Obtain user names and passwords:

    1. For Alertmanager:

      salt -C 'I@horizon:server' pillar.get _param:nginx_proxy_prometheus_alertmanager_password
      salt -C 'I@horizon:server' pillar.get _param:nginx_proxy_prometheus_alertmanager_user
      
    2. For Prometheus:

      salt -C 'I@horizon:server' pillar.get _param:nginx_proxy_prometheus_server_user
      salt -C 'I@horizon:server' pillar.get _param:nginx_proxy_prometheus_server_password
      
  3. Change the default credentials for Prometheus and Alertmanager:

    1. Open the classes/cluster/<cluster_name>/stacklight/proxy.yml file for editing.

    2. Specify new passwords using the following parameters:

      parameters:
        _param:
           nginx_proxy_prometheus_alertmanager_password: <password>
           nginx_proxy_prometheus_server_password: <password>
      
    3. Optional. Specify new user names using the following parameters:

      parameters:
        _param:
           nginx_proxy_prometheus_alertmanager_user: <user_name>
           nginx_proxy_prometheus_server_user: <user_name>
      
  4. On all proxy nodes, synchronize Salt modules and apply the nginx state. For example:

    salt 'prxNode01*' saltutil.sync_all
    salt 'prxNode01*' state.sls nginx
    
  5. Verify authentication through the proxy nodes. For example:

    salt 'prxNode01*' pillar.get _param:cluster_vip_address
    salt 'prxNode01*' pillar.get nginx:server:site:nginx_proxy_prometheus_server:proxy:port
    salt 'prxNode01*' pillar.get nginx:server:site:nginx_proxy_prometheus_alertmanager:proxy:port
    curl https://<cluster_vip_address>:<prometheus_server_port>
    curl -u <username>:<password> https://<cluster_vip_address>:<prometheus_server_port>