add prometheus auth via environment variables

Signed-off-by: devpulse94-ui <[email protected]>

Author: devpulse94-ui

vertical-pod-autoscaler/docs/faq.md

@@ -152,6 +152,55 @@ Here you should see the flags that you set for the VPA recommender and you shoul
 
 This means that the VPA recommender is now using Prometheus as the history provider.
 
+
+For authentication to Prometheus, you can provide credentials in following ways:
+
+1) Set the flags `--username=<user>` and `--password=<password>` in the `VPA recommender deployment`. The `args` for the container should look something like this:
+
+```yaml
+spec:
+  containers:
+  - args:
+    - --v=4
+    - --storage=prometheus
+    - --prometheus-address=http://prometheus.default.svc.cluster.local:9090
+    - --username=example-user
+    - --password=example-password
+```
+
+2) Set the environment variables `PROMETHEUS_USERNAME` and `PROMETHEUS_PASSWORD` in the `VPA recommender deployment`.
+
+```yaml
+spec:
+  containers:
+  - args:
+    - --storage=prometheus
+    - --prometheus-address=http://prometheus.default.svc.cluster.local:9090
+  env:
+  - name: PROMETHEUS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: prometheus-auth
+        key: example-user
+  - name: PROMETHEUS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: prometheus-auth
+        key: example-password
+```
+
+3) Set the flag `prometheus-bearer-token=<token>`, to use bearer token auth.
+
+```yaml
+spec:
+  containers:
+  - args:
+    - --v=4
+    - --storage=prometheus
+    - --prometheus-address=http://prometheus.default.svc.cluster.local:9090
+    - --prometheus-bearer-token=<example-token>
+```
+
 ### I get recommendations for my single pod replicaset but they are not applied
 
 By default, the [`--min-replicas`](https://github.com/kubernetes/autoscaler/tree/master/pkg/updater/main.go#L44) flag on the updater is set to 2. To change this, you can supply the arg in the [deploys/updater-deployment.yaml](https://github.com/kubernetes/autoscaler/tree/master/deploy/updater-deployment.yaml) file:

vertical-pod-autoscaler/docs/flags.md

@@ -97,7 +97,7 @@ This document is auto-generated from the flag definitions in the VPA recommender
 | `one-output` | severity |  | If true, only write logs to their native level (vs also writing to each lower severity level; no effect when -logtostderr=true) |
 | `oom-bump-up-ratio` | float |  1.2 | The memory bump up ratio when OOM occurred, default is 1.2.  |
 | `oom-min-bump-up-bytes` | float |  1.048576e+08 | The minimal increase of memory when OOM occurred in bytes, default is 100 * 1024 * 1024  |
-| `password` | string |  | The password used in the prometheus server basic auth |
+| `password` | string |  | The password used in the prometheus server basic auth. Can also be set via the PROMETHEUS_PASSWORD environment variable |
 | `pod-label-prefix` | string |  "pod_label_" | Which prefix to look for pod labels in metrics  |
 | `pod-name-label` | string |  "kubernetes_pod_name" | Label name to look for pod names  |
 | `pod-namespace-label` | string |  "kubernetes_namespace" | Label name to look for pod namespaces  |
@@ -127,7 +127,7 @@ This document is auto-generated from the flag definitions in the VPA recommender
 | `target-memory-percentile` | float |  0.9 | Memory usage percentile that will be used as a base for memory target recommendation. Doesn't affect memory lower bound nor memory upper bound.  |
 | `update-worker-count` | int |  10 | Number of concurrent workers to update VPA recommendations and checkpoints. When increasing this setting, make sure the client-side rate limits ('kube-api-qps' and 'kube-api-burst') are either increased or turned off as well. Determines the minimum number of VPA checkpoints written per recommender loop.  |
 | `use-external-metrics` |  |  | ALPHA.  Use an external metrics provider instead of metrics_server. |
-| `username` | string |  | The username used in the prometheus server basic auth |
+| `username` | string |  | The username used in the prometheus server basic auth. Can also be set via the PROMETHEUS_USERNAME environment variable |
 | `v,` |  | : 4 | , --v Level                                                set the log level verbosity  (default 4) |
 | `vmodule` | moduleSpec |  | comma-separated list of pattern=N settings for file-filtered logging |
 | `vpa-object-namespace` | string |  | Specifies the namespace to search for VPA objects. Leave empty to include all namespaces. If provided, the garbage collector will only clean this namespace. |

vertical-pod-autoscaler/pkg/recommender/input/history/history_provider.go

@@ -21,6 +21,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"os"
 	"sort"
 	"strings"
 	"time"
@@ -151,6 +152,17 @@ func NewPrometheusHistoryProvider(config PrometheusHistoryProviderConfig) (Histo
 			Password: config.Authentication.Password,
 			Base:     prometheusTransport,
 		}
+	} else {
+		// check if env vars for credentials are set
+		prometheusUsername := os.Getenv("PROMETHEUS_USERNAME")
+		prometheusPassword := os.Getenv("PROMETHEUS_PASSWORD")
+		if prometheusUsername != "" && prometheusPassword != "" {
+			prometheusTransport = &PrometheusBasicAuthTransport{
+				Username: prometheusUsername,
+				Password: prometheusPassword,
+				Base:     prometheusTransport,
+			}
+		}
 	}
 
 	roundTripper := metrics_recommender.NewPrometheusRoundTripperCounter(

vertical-pod-autoscaler/pkg/recommender/input/history/history_provider_test.go

@@ -398,4 +398,18 @@ func TestPrometheusAuth(t *testing.T) {
 		assert.NotContains(t, capturedRequest.Header.Get("Authorization"), "Basic")
 		assert.Equal(t, capturedRequest.Header.Get("Authorization"), "Bearer token")
 	})
+
+	t.Run("Basic auth with username/password configured as env", func(t *testing.T) {
+		// clear auth config so only environment variables are used in this test
+		cfg.Authentication = PrometheusCredentials{}
+		t.Setenv("PROMETHEUS_USERNAME", "prom_user")
+		t.Setenv("PROMETHEUS_PASSWORD", "prom_password")
+
+		prov, _ := NewPrometheusHistoryProvider(cfg)
+		_, err := prov.GetClusterHistory()
+
+		assert.Nil(t, err)
+		assert.Equal(t, capturedRequest.Header.Get("Authorization"), "Basic cHJvbV91c2VyOnByb21fcGFzc3dvcmQ=") // "prom_user:prom_password"
+
+	})
 }

vertical-pod-autoscaler/pkg/recommender/main.go

@@ -84,8 +84,8 @@ var (
 	ctrNamespaceLabel         = flag.String("container-namespace-label", "namespace", `Label name to look for container namespaces`)
 	ctrPodNameLabel           = flag.String("container-pod-name-label", "pod_name", `Label name to look for container pod names`)
 	ctrNameLabel              = flag.String("container-name-label", "name", `Label name to look for container names`)
-	username                  = flag.String("username", "", "The username used in the prometheus server basic auth")
-	password                  = flag.String("password", "", "The password used in the prometheus server basic auth")
+	username                  = flag.String("username", "", "The username used in the prometheus server basic auth. Can also be set via the PROMETHEUS_USERNAME environment variable")
+	password                  = flag.String("password", "", "The password used in the prometheus server basic auth. Can also be set via the PROMETHEUS_PASSWORD environment variable")
 	prometheusBearerToken     = flag.String("prometheus-bearer-token", "", "The bearer token used in the Prometheus server bearer token auth")
 	prometheusBearerTokenFile = flag.String("prometheus-bearer-token-file", "", "Path to the bearer token file used for authentication by the Prometheus server")
 )