feat(all): add basic auth settings to server, worker, and prom exporter

[parkedwards]

relates to PrefectHQ/prefect#16408

implements the env var needed support PrefectHQ/prometheus-prefect-exporter#60

in https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings, there are two env vars:

• PREFECT_SERVER_API_AUTH_STRING -> for server processes (eg. prefect-server)
• PREFECT_API_AUTH_STRING -> for client processes (eg. prefect-worker, prometheus-exporter)

Testing

(1) Create a shared secret:

➜ k create secret generic server-auth --from-literal=auth-string=from-k8s

(2) Deploy the server chart

Server values:

server:
  basicAuth:
    enabled: true
    existingSecret: server-auth

verify the auth string is correctly mounted on the server container

➜ keti prefect-server-5c5c977768-7ld25 -- env | grep PREFECT_SERVER_API_AUTH_STRING
PREFECT_SERVER_API_AUTH_STRING=from-k8s

(3) Deploy the worker chart, no basic auth

worker:
  basicAuth:
    enabled: false
  apiConfig: server
  serverApiConfig:
    apiUrl: http://prefect-server:4200/api
  config:
    workPool: my-pool

Verify that the worker is failing auth

➜ kl prefect-worker-55b49458b6-9lj96

  File "/usr/local/lib/python3.11/site-packages/prefect/client/base.py", line 355, in send
    response.raise_for_status()
  File "/usr/local/lib/python3.11/site-packages/prefect/client/base.py", line 163, in raise_for_status
    raise PrefectHTTPStatusError.from_httpx_error(exc) from exc.__cause__
prefect.exceptions.PrefectHTTPStatusError: Client error '401 Unauthorized' for url 'http://prefect-server:4200/api/work_pools/my-pool'
Response: {'exception_message': 'Unauthorized'}
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
An exception occurred.

Enable basicAuth, mount the same secret

worker:
  basicAuth:
    enabled: true
    existingSecret: server-auth

➜ kl prefect-worker-c9488cc6c-7nsjn
Worker 'KubernetesWorker f52b5522-fd96-44d7-8352-57dd45ecc3b3' started!

(4) Deploy the exporter chart, no basic auth

basicAuth:
  enabled: false
prefectApiUrl: http://prefect-server:4200/api

➜ kl prefect-exporter-prometheus-prefect-exporter-7d99857d6f-b9chz
2025-01-24 22:25:14,798 - prometheus-prefect-exporter - [INFO] Prefect health check: 200 - OK
2025-01-24 22:25:14,799 - prometheus-prefect-exporter - [INFO] Inizializing metrics...
2025-01-24 22:25:14,803 - prometheus-prefect-exporter - [ERROR] 401 Client Error: Unauthorized for url: http://prefect-server:4200/api/deployments/filter
2025-01-24 22:25:14,807 - prometheus-prefect-exporter - [ERROR] 401 Client Error: Unauthorized for url: http://prefect-server:4200/api/deployments/filter

Enable basic auth with shared secret, and profit

basicAuth:
  enabled: true
  existingSecret: server-auth
prefectApiUrl: http://prefect-server:4200/api

➜ kl prefect-exporter-prometheus-prefect-exporter-f9d6d8b65-kh66b
2025-01-24 22:28:48,593 - prometheus-prefect-exporter - [INFO] Added Basic Authorization header for PREFECT_API_AUTH_STRING
2025-01-24 22:28:48,603 - prometheus-prefect-exporter - [INFO] Prefect health check: 200 - OK
2025-01-24 22:28:48,603 - prometheus-prefect-exporter - [INFO] Pagination is enabled
2025-01-24 22:28:48,603 - prometheus-prefect-exporter - [INFO] Pagination limit is 200
2025-01-24 22:28:48,603 - prometheus-prefect-exporter - [INFO] Initializing metrics...
2025-01-24 22:28:48,734 - prometheus-prefect-exporter - [INFO] Exporter listening on 0.0.0.0:8000