I have 5 GKE private clusters. On all clusters I have the prom-stack chart deployed (prometheus-community/kube-prometheus-stack version 52.0.1). On the DevOps cluster I also have Thanos (bitnami/thanos version 12.13.13). For Thanos query to be able to access all Thanos sidecars on the other clusters, I am using an external LB.
```yaml
thanosServiceExternal:
  enabled: true
  loadBalancerIP: <IP>
```
That way my query is able to scrape them all.
My question is, how can I make the communication between the query and the sidecars more secure? Let's say with basic auth (I don't know about HTTPS, because I think the query is using the gRPC protocol).
My query store conf:
```yaml
query:
  dnsDiscovery:
    sidecarsService: prom-stack-devops-kube-pro-thanos-discovery
    sidecarsNamespace: monitoring
  stores:
    - "dns+<CLUSTER A IP>:10901"
    - "dns+<CLUSTER B IP>:10901"
    - "dns+<CLUSTER C IP>:10901"
    - "dns+<CLUSTER D IP>:10901"
```
I searched for a basic auth conf for the query to use, and couldn't find any. Same goes for the sidecar. I can see a basic auth conf for Thanos itself (if, let's say, I want to use Thanos as a Grafana data source).