Hub admins may want direct access to their Prometheus from outside the cluster, e.g. as a datasource for their own AWS CloudWatch dashboards.
We can provision an extra set of credentials for the ingress-nginx basic auth and securely distribute these to the community.
Steps

1. Update the relevant enc-support.secret.values.yaml file under the config/clusters/<cluster-name>/ folder with another username/password entry:

       prometheusIngressAuthSecret:
         users:
           - username: <output of pwgen -s 64 1>
             password: <output of pwgen -s 64 1>
           - username: <output of pwgen -s 64 1>
             password: <output of pwgen -s 64 1>

2. Securely send the user credentials to the community:

   - Instruct the community to send you a public key with age by running

         age-keygen -o key.txt

     and link the corresponding user-facing docs.

   - After they have sent you a public key, place the username and password in a credentials.txt file and encrypt it with

         age -r <public-key> -o credentials.txt.age credentials.txt

   - You can respond and attach the credentials.txt.age file with the following message template:
Hello {{ name }}
We have provisioned credentials for you to access your Prometheus endpoint from https://prometheus.<cluster_name>.2i2c.cloud.
Attached is an encrypted file containing the username/password pair. Please run
age --decrypt -i key.txt -o credentials.txt credentials.txt.age
to retrieve the contents.
Personally Identifiable Information (PII) is at risk if the credentials are compromised. Please do not share these credentials through any insecure channels, and notify us immediately if you need to renew them.
Thanks!
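
A wrapper for the encryption step in step 2, added here as an example (not part of the 2i2c repository): it checks that what the community sent has the shape of an age public key, not the secret half of key.txt, before running the same age command. The function names are hypothetical, and deleting the plaintext credentials.txt after a successful encryption is an addition to the documented steps.

```shell
#!/bin/sh
# Added example, not 2i2c's own tooling; function names are hypothetical.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Succeed only if $1 has the shape of a default age-keygen public key:
# "age1" followed by 58 Bech32 characters. age still verifies the checksum;
# this pre-check catches truncated pastes and secret keys sent by mistake.
is_age_public_key() {
    body=${1#age1}
    [ "$body" != "$1" ] || return 1        # prefix "age1" is required
    [ "${#body}" -eq 58 ] || return 1
    case $body in
        *[!02-9ac-hj-np-z]*) return 1 ;;   # lowercase Bech32 data: no 1, b, i, o
    esac
    return 0
}

# encrypt_credentials <public-key> [plaintext-file]
# Returns 2 for an unusable key, 3 for a missing plaintext file,
# otherwise the exit status of age.
encrypt_credentials() {
    key=$1
    src=${2:-credentials.txt}
    case $key in
        *AGE-SECRET-KEY-*)
            echo "refusing: a SECRET key was sent; ask for a newly generated key pair" >&2
            return 2 ;;
    esac
    if ! is_age_public_key "$key"; then
        echo "refusing: not an age public key: $key" >&2
        return 2
    fi
    [ -f "$src" ] || { echo "missing plaintext file: $src" >&2; return 3; }
    chmod 600 "$src"                       # keep the plaintext owner-only
    # Same age command as in step 2; delete the plaintext only on success.
    age -r "$key" -o "$src.age" "$src" && rm -f "$src"
}

# Run only when called with arguments, e.g.: sh encrypt-creds.sh <public-key>
if [ "$#" -ge 1 ]; then
    encrypt_credentials "$@"
fi
```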