
Prometheus and basic auth

mgateau
Nimbostratus

Dear all

I have set up telemetry streaming so that a remote Prometheus server can scrape metrics.

I used this advice to use a guest account for "basic auth" done on Prometheus:

https://devcentral.f5.com/s/articles/icontrol-rest-fine-grained-role-based-access-control-30773

Here is the Prometheus scrape_configs entry:

- job_name: bigip
  honor_timestamps: true
  scrape_interval: 10s
  scrape_timeout: 10s
  metrics_path: /mgmt/shared/telemetry/pullconsumer/My_Prometheus
  scheme: https
  basic_auth:
    username: prometheus
    password: <secret>
  tls_config:
    ca_file: /etc/ssl/certs/ca.crt
    cert_file: /etc/ssl/certs/prometheus.crt
    key_file: /etc/ssl/certs/prometheus.key
    insecure_skip_verify: false
  static_configs:
  - targets:
    - lb5

My problem is excessive warning messages in the logs:

Dec 13 16:33:37 lb5 warning httpd[13888]: [warn] [client XXXX] AUTHCACHE Error processing cookie 7BA470C4F1E2F722E1685046756D1F1A70621E38 - Cookie user mismatch

The problem is clearly identified (K11140735), but changing the pam idle timeout is not a solution, as Prometheus scrapes every 10s, which is too low for a usual webui idle timeout.

I was wondering if there is a fix or another way to do it?

Using an F5 token is not a solution, as Prometheus does not seem to support it in its scrape_config section (https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config).

Thanks for your help ;-))

0 REPLIES 0
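
An added example, not part of the original post: a small log triage script that parses httpd warnings in the format quoted above and separates clients whose "Cookie user mismatch" events arrive at the scrape cadence (10s here) from clients that do not, so scraper noise does not hide other mismatch events. The function names, the tolerance and minimum-event thresholds, the year (syslog lines carry none) and the sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the httpd AUTHCACHE warning format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) warning httpd\[\d+\]: "
    r"\[warn\] \[client (?P<client>[^\]]+)\] AUTHCACHE Error processing cookie "
    r"(?P<cookie>[0-9A-F]+) - (?P<reason>.+)$"
)

def parse(lines, year=2021):
    """Yield (timestamp, client, cookie, reason); the year is an assumption."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["cookie"], m["reason"]

def classify(lines, scrape_interval=10, tolerance=2, min_events=3):
    """Return (periodic, other): event counts per client, split by cadence."""
    by_client = defaultdict(list)
    for ts, client, _cookie, reason in parse(lines):
        if reason == "Cookie user mismatch":
            by_client[client].append(ts)
    periodic, other = {}, {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Scraper-like: enough events, every gap close to the scrape interval.
        steady = len(stamps) >= min_events and all(
            abs(g - scrape_interval) <= tolerance for g in gaps)
        (periodic if steady else other)[client] = len(stamps)
    return periodic, other

# Constructed sample lines in the post's format (documentation IP addresses,
# made-up cookie ids); not taken from a real system.
_FMT = ("Dec 13 {t} lb5 warning httpd[13888]: [warn] [client {c}] "
        "AUTHCACHE Error processing cookie {k} - Cookie user mismatch")
SAMPLE = [_FMT.format(t=t, c="192.0.2.10", k="A" * 40)
          for t in ("16:33:37", "16:33:47", "16:33:57", "16:34:07")]
SAMPLE += [_FMT.format(t=t, c="198.51.100.7", k="B" * 40)
           for t in ("16:35:02", "16:41:40")]
SAMPLE.append("Dec 13 16:36:00 lb5 notice httpd[13888]: unrelated line")

if __name__ == "__main__":
    periodic, other = classify(SAMPLE)
    print("scrape-cadence clients:", periodic)
    print("other clients:", other)
```
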