diff --git a/README.md b/README.md
index f02df2fbe..630f789e6 100644
--- a/README.md
+++ b/README.md
@@ -56,3 +56,23 @@ To start generating the document run:
 ```
 make gen-doc
 ```
+
+## Accessing Prometheus metrics provided by Insights Operator
+
+It is possible to read Prometheus metrics provided by Insights Operator. For example if the IO runs locally, the following command migth be used:
+
+``
+curl --cert k8s.crt --key k8s.key -k https://localhost:8443/metrics
+``
+
+### Certificate and key needed to access Prometheus metrics
+
+Certificate and key are required to access Prometheus metrics (instead 404 Forbidden is returned). It is possible to generate these two files from Kubernetes config file. Certificate is stored in `users/admin/client-cerfificate-data` and key in `users/admin/client-key-data`. Please note that these values are encoded by using Base64 encoding, so it is needed to decode them, for example by `base64 -d`.
+
+There's a tool named `gen_cert_key.py` that can be used to automatically generate both files. It is stored in `tools` subdirectory.
+
+#### Usage:
+
+```
+gen_cert_file.py kubeconfig.yaml
+```
diff --git a/tools/gen_cert_key.py b/tools/gen_cert_key.py
new file mode 100755
index 000000000..702ac846d
--- /dev/null
+++ b/tools/gen_cert_key.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+"""Script to generate certificate and user key from provided Kubernetes configuration file.
+
+Generated files k8s.crt and k8s.key might be used to access Insights Operator
+REST API endpoints and Prometheus metrics as well.
+"""
+
+# Copyright © 2020 Red Hat
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import yaml
+import base64
+import sys
+
+
+def get_data_for_user(payload, user_name):
+ """
+ Try to retrieve data for given user.
+
+ KeyError will be raised in case of improper payload format.
+ """
+ users = payload["users"]
+ for user_data in users:
+ if "name" in user_data and user_data["name"] == user_name:
+ return user_data
+
+
+def get_value_assigned_to_user(user_data, key):
+ """
+ Try to retrieve (attribute) value assigned to an user.
+
+ In practise it will be certificate or key. KeyError will be raised in case
+ of improper payload format or when the attribute for given key does not
+ exist.
+ """
+ d = user_data["user"]
+ return d[key]
+
+
+def decode(b64):
+ """
+ Decode given attribute encoded by using Base64 encoding.
+
+ The result is returned as regular Python string. Note that TypeError might
+ be thrown when the input data are not encoded properly.
+ """
+ barray = base64.b64decode(b64)
+ return barray.decode('ascii')
+
+
+def generate_cert_and_key_files(input_file):
+ """Generate file with certificate and user key from k8s configuration file."""
+ with open(input_file) as f:
+ payload = yaml.load(f)
+ if payload is not None:
+ user_data = get_data_for_user(payload, "admin")
+ encoded_certificate = get_value_assigned_to_user(user_data, "client-certificate-data")
+ encoded_key = get_value_assigned_to_user(user_data, "client-key-data")
+ decoded_certificate = decode(encoded_certificate)
+ decoded_key = decode(encoded_key)
+ with open("k8s.crt", "w") as cert:
+ cert.write(decoded_certificate)
+ with open("k8s.key", "w") as cert:
+ cert.write(decoded_key)
+
+
+def main():
+ """Entry point to this script."""
+ if len(sys.argv) <= 1:
+ print("Usage: gen_cert_file.py kubeconfig.yaml")
+ sys.exit(1)
+ generate_cert_and_key_files(sys.argv[1])
+
+
+# Common Python's black magic
+if __name__ == "__main__":
+ main()
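Review bot: `yaml.load(f)` in `generate_cert_and_key_files` is called without a `Loader`, which on older PyYAML releases lets a crafted kubeconfig construct arbitrary Python objects and on PyYAML 6 and later raises a `TypeError`; `yaml.safe_load(f)` is sufficient for a kubeconfig. In the same function `k8s.key` is created with a plain `open(..., "w")`, so the admin client key ends up with whatever the umask allows (commonly readable by other local users); it should be created with mode `0o600`, which needs `import os` next to the existing imports. Separately, `get_data_for_user` returns `None` when no user named `admin` exists, so the following lookup fails with a `TypeError` rather than a clear message, and the usage string in `main` says `gen_cert_file.py` while the file added here is `gen_cert_key.py`.

```python
    with open(input_file) as f:
        payload = yaml.safe_load(f)
    # … unchanged: admin lookup, Base64 decoding, writing k8s.crt …
        # The mode is applied only when the file is created; an existing
        # k8s.key keeps its current permissions.
        key_fd = os.open("k8s.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(key_fd, "w") as key_file:
            key_file.write(decoded_key)
```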