How can we connect to a remote sidecar gRPC port over HTTP basic auth in the querier? Now we get this error message:
too many colons in address
for something like user:password@sidecarAddress:80
(We proxied the sidecar over a Traefik ingress.)
Is it possible? If not, how can we expose the sidecar port over the internet?
IMO the correct way to do this would be to use mTLS so that the sidecar can authenticate the querier. You can specify the gRPC client certificates in the querier using the --grpc-client... flags [0] and specify the CA used to verify the client certificates in the sidecar with the --grpc-server-tls-client-ca flag [1].
If you prefer to terminate TLS in Traefik, you can also set the TLS configuration there, rather than in the sidecar; see [2].
[0] https://github.com/thanos-io/thanos/blob/master/docs/components/query.md#flags
[1] https://github.com/thanos-io/thanos/blob/master/docs/components/sidecar.md#flags
[2] https://docs.traefik.io/https/tls/#client-authentication-mtls
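The following Go program is an added example, not code from this thread or from Thanos. It shows that Go's `net.SplitHostPort` rejects the address from the question with the quoted message, and reproduces the check a TLS server applies against its client CA when it requires and verifies client certificates. The certificates are constructed for the demo, and the helper names (`issue`, `sidecarAccepts`, `storeAddrErr`) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a throwaway demo certificate; a nil caCert yields a self-signed CA.
func issue(cn string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if caCert == nil { // self-signed CA: the template signs itself
		tpl.IsCA, tpl.KeyUsage = true, tpl.KeyUsage|x509.KeyUsageCertSign
		caCert, caKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, caCert, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sidecarAccepts: the presented client certificate must chain to the CA given via --grpc-server-tls-client-ca.
func sidecarAccepts(clientCA, presented *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// storeAddrErr parses a store address as host:port; userinfo (user:password@) is not part of that syntax.
func storeAddrErr(addr string) error {
	_, _, err := net.SplitHostPort(addr)
	return err
}

func main() {
	caCert, caKey := issue("constructed-client-ca", nil, nil)
	querier, _ := issue("querier", caCert, caKey)
	fmt.Println(storeAddrErr("user:password@sidecarAddress:80"), sidecarAccepts(caCert, querier))
}
```

A certificate issued by any CA other than the configured one fails `sidecarAccepts`, which is the property that lets the sidecar authenticate the querier without credentials in the address.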