Azure managed Prometheus
This guide walks you through integrating your Azure managed Prometheus with Robusta. You will need to configure two integrations: both a push integration and a pull integration.
Configure Push Integration
A push integration sends Azure Managed Prometheus alerts to Robusta. To configure it:
1. Log in to the Robusta UI and navigate to the
2. In the Azure Webhook section click Generate URL and save the generated URL.
3. Log in to the Microsoft Azure Portal, go to
4. Create a new action group, or edit an existing one.
5. Under the Actions tab (not the Notifications tab) add a Webhook and copy the URL from step 2 into the URI input. Make sure to select Enable the common alert schema.
Why do I see a banner in the UI that "Alerts won't show up"?
This notification is displayed until the first alert is sent to Robusta.
Configure Pull Integration
A pull integration lets Robusta pull metrics from Azure Managed Prometheus.
This can be configured in either of two ways:
Option #1: Create an Azure Active Directory authentication app
Pros:
- Quick setup. You only need to create an app, get the credentials and add them to the manifests.
- Other pods can't use the Service Principal without having the secret.
Cons:
- Requires a service principal (Azure AD permission).
- The client secret must be present in the Kubernetes manifests.
- The client secret expires, so you need to manage its rotation.
Option #2: Use kubelet Managed Identity
Pros:
- Quick setup. Get the Managed Identity Client ID and add it to the manifests.
- No need to manage secrets. Removing the password element decreases the risk of the credentials being compromised.
Cons:
- Managed Identity is bound to the entire VMSS, which means that other pods can use it if they have the client ID.
Retrieve the Azure Prometheus query endpoint
Whichever method you choose, you will need an Azure Prometheus query endpoint:
1. Go to Azure Monitor workspaces and choose your monitored workspace.
2. In the overview of your monitored workspace, find the Query endpoint and copy it.
3. In your generated_values.yaml file add the query endpoint URL under globalConfig with port 443:
    globalConfig: # this line should already exist
      prometheus_url: "<https://your-workspace.region.prometheus.monitor.azure.com>:443"
Option #1: Create an Azure authentication app
Create an Azure authentication app and get credentials for Robusta to access Prometheus data:
1. Follow the Azure guide to register an app with Azure Active Directory.
2. In your generated_values.yaml file add environment variables from the previous step.
    runner:
      additional_env_vars:
      - name: PROMETHEUS_SSL_ENABLED
        value: "true"
      - name: AZURE_CLIENT_ID
        value: "<your-client-id>"
      - name: AZURE_TENANT_ID
        value: "<your-tenant-id>"
      - name: AZURE_CLIENT_SECRET
        value: "<your-client-secret>"
3. Complete the step "Allow your app access to your workspace", so your app can query data from your Azure Monitor workspace.
Option #2: Use Kubelet's Managed Identity
Instead of creating an Azure authentication app, you can use kubelet's Managed Identity to access Prometheus. (As a variation on this, you can also create a new User Assigned Managed Identity and bind it to the underlying VMSS.)
1. Get the AKS kubelet's Managed Identity Client ID:
    az aks show -g <resource-group> -n <cluster-name> --query identityProfile.kubeletidentity.clientId -o tsv
2. In your generated_values.yaml file add the following environment variables from the previous step.
    runner:
      additional_env_vars:
      - name: PROMETHEUS_SSL_ENABLED
        value: "true"
      - name: AZURE_USE_MANAGED_ID
        value: "true"
      - name: AZURE_CLIENT_ID
        value: "<your-client-id>"
      - name: AZURE_TENANT_ID
        value: "<your-tenant-id>"
3. Give access to your Managed Identity on your workspace:
   - Open the Access Control (IAM) page for your Azure Monitor workspace in the Azure portal.
   - Select Add role assignment.
   - Select Monitoring Data Reader and select Next.
   - For Assign access to, select Managed identity.
   - Select + Select members.
   - Select the Managed Identity you got from step 1.
   - Select Review + assign to save the configuration.
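A pre-deployment check for the pull-integration settings in generated_values.yaml, covering the query endpoint and both authentication options. It is an added example and not part of Robusta. It reads only the simple name/value layout shown in this guide; the function name, the sample values and the rule that a valueFrom reference is acceptable are assumptions of this example.

```python
import re

# Constructed sample in the Option #1 layout from this guide (all values are made up).
SAMPLE_VALUES = '''\
globalConfig:
  prometheus_url: "https://example-workspace.eastus.prometheus.monitor.azure.com:443"
runner:
  additional_env_vars:
  - name: PROMETHEUS_SSL_ENABLED
    value: "true"
  - name: AZURE_CLIENT_ID
    value: "00000000-0000-0000-0000-000000000000"
  - name: AZURE_TENANT_ID
    value: "11111111-1111-1111-1111-111111111111"
  - name: AZURE_CLIENT_SECRET
    value: "constructed-secret"
'''

# Matches one "- name: X" entry followed by either "value:" or "valueFrom:".
ENV_ENTRY = re.compile(r'-\s*name:\s*(\S+)\s*\n\s*(value|valueFrom):[ \t]*(.*)')
URL = re.compile(r'prometheus_url:\s*"?([^"\s]+)"?')

def lint_values(text):
    """Return a list of findings for the Azure pull-integration settings."""
    findings = []
    env = {n: (kind, raw.strip().strip('"')) for n, kind, raw in ENV_ENTRY.findall(text)}
    url = URL.search(text)
    if not url or not re.fullmatch(r'https://[^/:]+:443/?', url.group(1)):
        findings.append("prometheus_url must be an https:// URL with port 443")
    if env.get("PROMETHEUS_SSL_ENABLED") != ("value", "true"):
        findings.append('PROMETHEUS_SSL_ENABLED must be "true"')
    for required in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID"):
        if required not in env:
            findings.append(f"{required} is missing")
    managed = env.get("AZURE_USE_MANAGED_ID") == ("value", "true")
    secret = env.get("AZURE_CLIENT_SECRET")
    if managed and secret:
        findings.append("AZURE_CLIENT_SECRET is set although AZURE_USE_MANAGED_ID is true")
    elif not managed and not secret:
        findings.append("no credential: set AZURE_CLIENT_SECRET or AZURE_USE_MANAGED_ID")
    if secret and secret[0] == "value":
        # Assumption of this example: a valueFrom reference is fine, a literal is flagged.
        findings.append("AZURE_CLIENT_SECRET is a plaintext literal in the values file")
    return findings

if __name__ == "__main__":
    for finding in lint_values(SAMPLE_VALUES):
        print(finding)
```

The plaintext-secret finding on the sample reflects the Option #1 drawback listed above: the client secret sits in the manifests and has to be rotated.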