Nexus ServiceMonitor uses admin as basicAuth user
As seen here the ServiceMonitor uses basicAuth for prometheus metrics scraping. It uses the admin credentials - but these credentials (should) change after the admin logs into nexus the first time and the wizard requires establishing a new password.
I tested the current orchestration, and the prometheus target for nexus does go "down" after the credentials are modified.
Designs
Related merge requests 1
When this merge request is accepted, this issue will be closed automatically.
Activity
Throwing this out there...Twistlock is the only other servicemonitor we use with authentication (to my knowledge). Twistlock is a bit different since we created everything to initialize it, but the way that one works:
- Metrics user/password is created as a secret, this user has a randomized password
- Admin user/password is created as part of init job OR supplied by end user configuration (to handle existing installs)
- Init job calls api to create the metrics user with least privilege
- Service monitor references the secret for auth
We could likely implement some job logic around things similar to this?
- Handle initial password change based on user supplied values or accept user input for password
- Create an additional least privilege metrics user
- Change servicemonitor to reference ^ user account rather than admin
Would have to evaluate what API calls we have to use, but should be doable?
added priority5 teamXForce labels
changed iteration to Big Bang Iterations Nov 29, 2022 - Dec 12, 2022
assigned to @brandt.w.keller
added statusdoing label
mentioned in merge request !75 (merged)
removed iteration Big Bang Iterations Nov 29, 2022 - Dec 12, 2022
changed iteration to Big Bang Iterations Dec 13, 2022 - Dec 26, 2022
added statusreview label and removed statusdoing label
closed with merge request big-bang/bigbang!2341 (merged)