Secure Your Prometheus: Step‑by‑Step Guide to Enabling Basic Auth Across Deployments

This guide explains why Prometheus lacks built‑in encryption, introduces the Basic Auth feature added in version 2.24, and provides detailed procedures—including password generation with Python, ConfigMap creation, probe adjustments, and Grafana integration—to protect Prometheus UI and API access in container, operator, and bare‑metal deployments.

MaGe Linux Operations

Abstract: In daily use Prometheus lacks encryption, risking leakage of monitoring and sensitive data; protecting access with Basic Auth is required.

Prometheus Basic Auth Usage Background

A default Prometheus deployment ships with no security measures, so the UI and API are open to anyone who can reach the port; protecting access is necessary.

Solution Overview

Since version 2.24, Prometheus provides built-in Basic Auth to protect access; once it is enabled, both the UI and the API require a username and password.

General steps:

Generate user password using a Python bcrypt tool.

Create the corresponding password configuration file and modify the Prometheus startup command (or use nginx‑ingress in operator scenarios).

If Prometheus has probes, adjust probe configuration.

If Grafana is used, update its Prometheus data source with the new credentials.

Prepare User Password with Python

Install the python3-bcrypt package:

apt install python3-bcrypt

Python script to hash a password:

import getpass
import bcrypt

password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

Run the script, input the desired password (e.g., test), and obtain a hash such as $2b$12$kXxrZP74Fmjh6Wih0Ignu.uWSiojl5aKj4UnMvHN9s2h/Lc/ui0.S for later use.

Prometheus Deployment Practices

Prometheus can be deployed in three common ways:

Containerized deployment in a Kubernetes cluster.

Via kube‑prometheus operator.

Direct binary deployment on a virtual machine.

The Basic Auth configuration differs slightly among these scenarios; the following sections cover each.

4.1 Containerized Deployment Adding Basic Auth

Verify the Prometheus version; versions lower than 2.24 do not support Basic Auth.

Create a ConfigMap with webconfig.yml:

basic_auth_users:
  admin: $2b$12$kXxrZP74Fmjh6Wih0Ignu.uWSiojl5aKj4UnMvHN9s2h/Lc/ui0.S

Validate the configuration:

promtool check web-config webconfig.yml

Create the ConfigMap in the monitoring namespace:

kubectl -n monitoring create configmap webconfig --from-file=webconfig.yml

Mount the ConfigMap as a volume in the Prometheus pod and add the flag --web.config.file=/etc/prometheus/basicauth/webconfig.yml to the startup command.

Update the pod specification to include the volume and volumeMount:

volumes:
 - configMap:
     name: webconfig
   name: basic-auth
volumeMounts:
 - mountPath: /etc/prometheus/basicauth
   name: basic-auth

Modify the startup arguments:

- --web.config.file=/etc/prometheus/basicauth/webconfig.yml

If liveness or readiness probes are defined, add an Authorization header carrying the Base64-encoded user:password pair (e.g., admin:test encodes to YWRtaW46dGVzdA==); otherwise the kubelet's probe requests are rejected with 401 and the pod never becomes ready.

httpGet:
  httpHeaders:
  - name: Authorization
    value: Basic YWRtaW46dGVzdA==

Restart the pod; both the UI and API now require authentication.
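The probe step above is the one most often missed, so here is an added example (not code from the original article) that derives the header value and patches it into every httpGet probe of a pod spec already loaded as a Python dict, for instance from `kubectl get deploy ... -o json`. The SAMPLE_POD_SPEC manifest is constructed for the example; the function names are our own.

```python
"""Add a Basic Auth header to every HTTP probe in a Prometheus pod spec.

Added example, not from the original article. It works on a Kubernetes
manifest already loaded as a Python dict (for instance the output of
`kubectl get deploy prometheus -o json`); SAMPLE_POD_SPEC below is constructed.
"""
from __future__ import annotations

import base64
import copy
import json

PROBE_KEYS = ("livenessProbe", "readinessProbe", "startupProbe")


def basic_auth_header(user: str, password: str) -> str:
    """Return the header value the probes need: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(value: str) -> tuple[str, str]:
    """Inverse of basic_auth_header, useful when auditing what a manifest already carries."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def add_probe_auth(pod_spec: dict, header_value: str) -> dict:
    """Return a copy of pod_spec in which every httpGet probe sends header_value.

    An existing Authorization header is replaced rather than duplicated, so the
    function can be re-run after a password rotation without leaving stale values.
    exec and tcpSocket probes are left alone: they do not hit the HTTP API.
    """
    spec = copy.deepcopy(pod_spec)
    for container in spec.get("containers", []):
        for key in PROBE_KEYS:
            http_get = container.get(key, {}).get("httpGet")
            if http_get is None:
                continue
            headers = [h for h in http_get.get("httpHeaders", [])
                       if h.get("name", "").lower() != "authorization"]
            headers.append({"name": "Authorization", "value": header_value})
            http_get["httpHeaders"] = headers
    return spec


# Constructed sample: the Prometheus container with the usual health endpoints.
SAMPLE_POD_SPEC = {
    "containers": [{
        "name": "prometheus",
        "image": "prom/prometheus:v2.24.0",
        "livenessProbe": {"httpGet": {"path": "/-/healthy", "port": 9090}},
        "readinessProbe": {"httpGet": {"path": "/-/ready", "port": 9090}},
    }],
}

if __name__ == "__main__":
    patched = add_probe_auth(SAMPLE_POD_SPEC, basic_auth_header("admin", "test"))
    # Wrapped as a Deployment patch body, e.g.
    # kubectl -n monitoring patch deploy prometheus -p "$(python3 probe_auth.py)"
    print(json.dumps({"spec": {"template": {"spec": patched}}}, indent=2))
```

The output is a strategic-merge patch body; containers merge by name, so only the probes change. Remember that the header holds the password in reversible encoding, so anyone who can read the pod spec can read the credential.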

4.2 Prometheus‑Operator Deployment Adding Basic Auth

The operator does not currently support Basic Auth directly; use an nginx‑ingress to provide authentication.

Create an auth file with htpasswd and generate a secret:

yum -y install httpd
htpasswd -c auth admin
# enter password (e.g., test)
kubectl create secret generic basic-auth --from-file=auth

Create an Ingress with the required annotations:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
    kubernetes.io/ingress.class: nginx
  name: prometheus-k8s
  namespace: monitoring
spec:
  rules:
  - host: prometheus.example.com
    http:
      paths:
      - backend:
          serviceName: prometheus-k8s
          servicePort: 9090
        path: /
        pathType: Prefix

After applying the Ingress, both the Prometheus API and UI require login credentials.
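The manifest above uses networking.k8s.io/v1beta1, which Kubernetes removed in 1.22, so on a current cluster it is rejected before any authentication happens. As an added example (not code from the original article), the following converts that manifest to the v1 schema and refuses to emit it if the two annotations that actually enforce the login are missing. INGRESS_V1BETA1 is the article's manifest transcribed as a dict; the conversion and check functions are our own.

```python
"""Bring the v1beta1 Ingress forward to networking.k8s.io/v1 and check its auth annotations.

Added example, not from the original article. INGRESS_V1BETA1 is the article's
manifest as a dict; upgrade_ingress and missing_auth_annotations are ours.
"""
import copy
import json

INGRESS_V1BETA1 = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "prometheus-k8s",
        "namespace": "monitoring",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-type": "basic",
            "nginx.ingress.kubernetes.io/auth-secret": "basic-auth",
            "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required",
            "kubernetes.io/ingress.class": "nginx",
        },
    },
    "spec": {"rules": [{"host": "prometheus.example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"serviceName": "prometheus-k8s", "servicePort": 9090}},
    ]}}]},
}

# Without both of these the ingress-nginx controller proxies Prometheus with no login at all.
REQUIRED_AUTH_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/auth-type",
    "nginx.ingress.kubernetes.io/auth-secret",
)


def _backend_v1(old: dict) -> dict:
    """v1beta1 serviceName/servicePort -> v1 service.name/service.port.{number|name}."""
    port = old["servicePort"]
    port_spec = {"number": port} if isinstance(port, int) else {"name": port}
    return {"service": {"name": old["serviceName"], "port": port_spec}}


def upgrade_ingress(manifest: dict) -> dict:
    """Return a networking.k8s.io/v1 copy of a v1beta1 Ingress; the input is left untouched."""
    new = copy.deepcopy(manifest)
    if new.get("apiVersion") == "networking.k8s.io/v1":
        return new
    new["apiVersion"] = "networking.k8s.io/v1"
    spec = new.setdefault("spec", {})
    annotations = new.setdefault("metadata", {}).setdefault("annotations", {})
    # The class annotation is deprecated in favour of spec.ingressClassName.
    ingress_class = annotations.pop("kubernetes.io/ingress.class", None)
    if ingress_class and "ingressClassName" not in spec:
        spec["ingressClassName"] = ingress_class
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            # v1 makes pathType mandatory; ImplementationSpecific matches the old default.
            path.setdefault("pathType", "ImplementationSpecific")
            if "serviceName" in path.get("backend", {}):
                path["backend"] = _backend_v1(path["backend"])
    # spec.backend became spec.defaultBackend in v1.
    default = spec.pop("backend", None)
    if default is not None:
        spec["defaultBackend"] = _backend_v1(default) if "serviceName" in default else default
    return new


def missing_auth_annotations(manifest: dict) -> list:
    """Names of the auth annotations that are absent; an empty list means login is enforced."""
    present = manifest.get("metadata", {}).get("annotations", {})
    return [name for name in REQUIRED_AUTH_ANNOTATIONS if name not in present]


if __name__ == "__main__":
    upgraded = upgrade_ingress(INGRESS_V1BETA1)
    missing = missing_auth_annotations(upgraded)
    if missing:
        raise SystemExit(f"refusing to emit an unauthenticated ingress, missing: {missing}")
    print(json.dumps(upgraded, indent=2))  # kubectl apply -f - accepts JSON as well as YAML
```

Keep in mind that this ingress only guards the path through nginx; the prometheus-k8s Service on port 9090 remains reachable without credentials from inside the cluster.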

4.3 Bare‑Metal Deployment Adding Basic Auth

Create the same webconfig.yml as above.

Start Prometheus with the flag:

./prometheus --web.config.file=webconfig.yml --config.file=prometheus.yml

The UI prompts for username and password, and the API requires authentication.

Grafana Integration with Authenticated Prometheus

When Prometheus is protected, Grafana data sources must include Basic Auth credentials.

Log in to Grafana (default admin:admin), edit the Prometheus data source, enable Basic Auth in the data source's Auth settings, and provide the username and password.

After saving, restart the Grafana pod to load the new configuration.

Summary and Recommendations

Basic Auth works for containerized, operator, and binary deployments; ensure Prometheus version is 2.24 or newer.

If liveness or readiness probes are defined, add the appropriate Authorization header; otherwise the pod may fail to start.

Additional Topics

7.1 Disable Grafana Anonymous Login

In the grafana-conf ConfigMap, set auth.anonymous.enabled = false and restart Grafana.

7.2 Add Multiple Users to Prometheus Basic Auth

Append additional user: hashed_password entries to webconfig.yml, then reload the configuration with:

curl -u "admin:test" -XPOST http://ip:9090/-/reload

Multiple users can now authenticate successfully.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
