I have metricbeat up and running on kubernetes collecting k8s metrics, as well as node metrics, forwarding to ES, deployed as a deamonset via helm chart.
I want to use some of the other modules (rabbitmq, redis, etc), but the secrets for those are in a different namespace. What is the recommended way of enabling metricbeat to capture those additional metrics?
There would be some alternatives, but they wouldn't be as secure as using secrets.
Take a look to hints-based autodiscover, that allows to setup the configuration, including credentials, in the annotations of the pods, but this would require to copy the secrets to the pod annotations, what can be unsafe.
You could also mount the secrets as environment variables in the metricbeat pod and use them in the autodiscover templates, but this would require to copy the secrets into the namespace where metricbeat is deployed, and any change on these secrets would need to redeploy metricbeat.
Can we do better with per namespace deployments of metric beats?
I would wonder if there is a way to mount the secrets, and then every some unit time restart the metric beat pod (maybe doing a rolling upgrade so there is no loss of coverage, though at least in my case a gap of a few seconds is acceptable).
If there are multiple namespaces then you would need multiple metric beats pods, but you would probably want different kibana boards in any case for that.
What I'm not clear on is how to do the service discovery. I see that the hint autodiscovery can get the secrets, but if I don't want to actually put the secret in the annotation, is there a way to put the secret key and value name in the annotation, and then
have metricbeat get the secret from k8s? I don't think there is a technical problem, but I also don't know that it's supported.
Yes, using a metricbeat per namespace would be another option, this way you could mount the secrets as environment variables in the metricbeat pod. If you do it, remember to set the namespace setting to the proper namespace in the kubernetes settings of each metricbeat.
Yeah, at the moment it would be needed to copy the secrets to the annotations, what is not very nice. The open issue is to avoid the need of doing that.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.