DEV Community: Md Asraful Haque (Sohel)

Prometric-Go Part 2 — Full Hands-On Demo with Grafana, Prometheus & k6 📈

Md Asraful Haque (Sohel) — Tue, 18 Nov 2025 04:19:43 +0000

This article is Part 2 of my Prometric-Go series.

If you haven't read Part 1 yet — the introduction to the library — you can check it out here:

🔗 https://dev.to/asraful_haque/simplifying-prometheus-metrics-in-go-with-prometric-go-22ef

👋 What we’re building in Part 2

In this article we will instrument a real Go API using prometric-go, collect metrics in Prometheus, and visualize everything in Grafana — including a load-test using k6 to generate traffic.

To make this super easy, I created a ready-to-run sample project:

🔗 GitHub Repo: https://github.com/peek8/prometric-go-sample

This repository contains:

Purpose	Tool
Metric instrumentation	`prometric-go`
Metrics storage	Prometheus
Metrics visualization	Grafana
Web API	Go + net/http
Traffic Generation	Grafan k6

k6 hits the API → API exposes metrics via /metrics → Prometheus scrapes → Grafana visualizes.

⚙️ Clone & Run the Sample

$ git clone https://github.com/peek8/prometric-go-sample
$ cd prometric-go-sample
$ make run

This will run the api server at port 7080. You can explore the prometheus metrics exposed by prometric-go library at url:

http://localhost:7080/metrics

See the full metrics list exposed at prometric-go library readme

The K6 Script

I use Grafan k6 to generate traffic against the prometric API. This k6-scripts demonstrates a simple scenario that exercises the CRUD endpoints for Person objects.

What the script does

Creates some 50K Objects (ie Person) in ~20 mins (50000 iterations shared among 50 VUs, maxDuration: 10m).
Tries to get Person by Random Id for 10 mins (20.00 iterations/s for 10m0s, maxVUs: 10).
Tries to get Person list for 10 mins (10.00 iterations/s for 10m0s, maxVUs: 5).
Updates the Person for 10 mins (5.00 iterations/s for 2m0s, maxVUs: 5).
Deletes about 1500 Persons randomly within 10 mins (1500 iterations shared among 2 VUs,maxDuration: 10m0s).

These above iterations are enough to generate some adequate prometheus metrics which can be used to play with prometheus and grafana dashboard.

Run k6

Install Grafan k6 at your local machine and run the k6-scripts from the repo:

$ k6 run ./scripts/k6-scripts.js

And now if you hit the metric endpoint, you will see different metric values keep changing.

Prometheus and Grafana

Run Prometheus

Run prometheus using the prometheus.yml file:

$ docker run \
    -p 9090:9090 \
    -v ./resources/prometheus.yml:/etc/prometheus/prometheus.yml \
    prom/prometheus

N.B: If you are using podman use host.containers.internal as targets at prometheus.yml file, ie:

targets: ["host.containers.internal:7080"]

Run Grafana

Run Grafan using docker:

$ docker run -d -p 3000:3000 grafana/grafana

Then grafana will be available at http://localhost:3000, use admin:admin as to login for the first time.

Import the included dashboard

Create Grafana Data Source

You can create datasource if you don't have any running the shell script: grafana-datasource.sh

Import Grafana Dashboard

Open Grafana → Dashboards
Click Import
Upload grafana-dashboard.json
Select Prometheus datasource → prometric-k6 (or the one you use)

Voila, You’ll now see real-time metrics at the dashboard from the sample app:

💡 What You Learn From This Sample

Category	Benefit
Go backend	Clean way to expose metrics
Prometheus	Scraping & querying the app
Grafana	Dashboarding for API performance
k6	Generating programmable load
Observability	From raw counters → real visual insights

🎁 Bonus: You Can Reuse This as a Template

The repo is intentionally simple, so you can fork it and adapt it for your own services.

Replace Person CRUD API with your own business logic
Keep the prometric-go instrumentation + dashboard
Add additional domain metrics as needed
Extend k6 tests to simulate real traffic

🌟 Final Thoughts

Prometheus + Grafana can feel complex when you start from scratch —
but with prometric-go, you get:

👌 Meaningful metrics by default
📦 Domain-specific metrics with 2–3 lines of code
🚀 Dashboards ready to plug into production

If you try out the sample, I’d love to hear your feedback!

⭐ If this helped you…

Support the project by giving a ⭐ to both repos:

🔗 https://github.com/peek8/prometric-go

🔗 https://github.com/peek8/prometric-go-sample

And feel free to reach out if you want help adding alerting rules, histograms tuning, Grafana provisioning, or Kubernetes deployment.

Prometheus + K6 Fusion: Measure API Performance with Real-Time Metrics in Grafana

Md Asraful Haque (Sohel) — Tue, 11 Nov 2025 06:53:04 +0000

🏁 Introduction

When running load tests, we often get numbers like requests per second or average latency — but that doesn’t tell us how our system is actually behaving inside.

So I wanted to bring Prometheus observability and K6 performance testing together — to visualize live latency, error rate, CPU usage, and throughput in real-time while load tests are running.

That’s how Prometheus-K6-Fusion was born — a simple yet powerful open-source stack combining Go, Prometheus, K6, and Grafana.

⚙️ What is Prometheus-K6-Fusion?

prometheus-k6-fusion is a lightweight Go-based API server that provides CRUD operations for sample data objects and exposes Prometheus metrics.
Its a lightweight and easy to start observability + performance testing lab.

It includes:

🟢 A Go-based API instrumented with Prometheus metrics
🔵 K6 load test scripts that generate real traffic
🟠 Prometheus to scrape the metrics
🔴 Grafana dashboard to visualize everything in real-time

In short — it’s a single repo that lets you see how load affects latency, error rate, and resource usage instantly.

Target Audience

Developers learning Prometheus integration in Go.
Teams exploring observability setups with Prometheus and Grafana.
People practicing performance testing with k6.
Interview/demo projects to showcase system design, metrics, and automation skills.

Why It’s Useful

Provides a ready-to-run environment for:
- CRUD REST API (in Go)
- Prometheus metrics exposure
- k6 traffic generation
Ideal for learning, teaching, or demonstrating:
- Metrics instrumentation best practices
- Monitoring pipelines
- Performance & load testing workflows

Components at a glance:

Prometric (Go API) → exposes Prometheus metrics like http_requests_total, latency histograms, and memory usage
K6 → generates load (GET, POST, DELETE) to the API
Prometheus → scrapes the /metrics endpoint every few seconds
Grafana → displays dashboards that correlate load, latency, and system behavior

Prometric

Prometric = Prometheus + Metric
This provides CRUD operations for Person objects. It uses an in-memory database and exposes Prometheus metrics for observability.

Features

RESTful API for managing Person objects (Create, Read, Update, Delete)
In-memory storage (no external database required)
Built-in Prometheus metrics for monitoring
Runs on port :7080 by default

API Endpoints

Method	Endpoint	Description
GET	`/person/list`	List all persons
GET	`/persons/{id}`	Get a specific person
POST	`/person`	Create a new person
PUT	`/person/{id}`	Update an existing person
DELETE	`/person/{id}`	Delete a person
GET	`/metrics`	Prometheus metrics endpoint

K6 Script

I use Grafan k6 to generate traffic against the prometric API. This k6-scripts demonstrates a simple scenario that exercises the CRUD endpoints for Person objects.

The script does the following:

Creates some 50K Objects (ie Person) in ~20 mins (50000 iterations shared among 50 VUs, maxDuration: 10m).
Tries to get Person by Random Id for 10 mins (20.00 iterations/s for 10m0s, maxVUs: 10).
Tries to get Person list for 10 mins (10.00 iterations/s for 10m0s, maxVUs: 5).
Updates the Person for 10 mins (5.00 iterations/s for 2m0s, maxVUs: 5).
Deletes about 1500 Persons randomly within 10 mins (1500 iterations shared among 2 VUs,maxDuration: 10m0s).

These above iterations are enough to generate some adequate prometheus metrics which can be used to play with prometheus and grafana dashboard.

📈 Metrics Exposed

Metric	Type	Description
`http_requests_total`	Counter	Total HTTP requests processed
`http_requests_in_progress`	Gauge	Active requests being handled
`http_request_duration_seconds`	Histogram	Request latency
`person_store_count`	Gauge	Person records in memory
`person_created_total`	Counter	Successful creations
`person_deleted_total`	Counter	Deletions
`person_not_found_total`	Counter	Failed lookups
`person_payload_size_bytes`	Histogram	POST payload size
`app_cpu_usage_percent`	Gauge	CPU usage (%)
`app_memory_usage_megabytes`	Gauge	Memory usage (MB)

These cover both application-level and system-level observability.

Quick Start

Run Locally

Clone the repo and run the app

$ git clone https://github.com/peek8/prometheus-k6-fusion.git
$ cd prometheus-k6-fusion
$ go run main.go

The API server will start on http://localhost:7080. You can use tools like curl or Postman to interact with the endpoints for testing. Access Prometheus metrics at: http://localhost:7080/metrics.
Install Grafan k6 at your local machine and run the k6-scripts from the repo:

$ k6 run ./scripts/k6-scripts.js

And now if you hit the metric endpoint, you will see different metric values keep changing.

Use Docker

Run the api server first:

$ docker run \
--rm -p 7080:7080 \
ghcr.io/peek8/prometric:latest

With this, The API server will start on http://localhost:7080.

Run the k6 script with grafana/k6 image:

$ docker run -i --rm \
  -e BASE_URL=http://host.docker.internal:7080 \
  grafana/k6:latest  run  - < ./scripts/k6-scripts.js

if you are using podman, use BASE_URL=http://host.containers.internal:7080.

Prometheus and Grafana

Run Prometheus

Run prometheus using the prometheus.yml file:

$ docker run \
    -p 9090:9090 \
    -v ./prometheus.yml:/etc/prometheus/prometheus.yml \
    prom/prometheus

N.B: If you are using podman use host.containers.internal as targets at prometheus.yml file, ie:

targets: ["host.docker.internal:7080"]

Run Grafana

Run Grafan using docker:

$ docker run -d -p 3000:3000 grafana/grafana

Then grafana will be available at http://localhost:3000, use admin:admin as to login for the first time.

Grafana Dashboard

You can create a nice grafana dashboard using these metrics using the ready-to-import Grafana JSON dashboard.

At this json the Datasource name is prometric-k6, if you have already a datasource use that in the json file Or you can create it using running the grafana-datasource.sh where the credentials used is admin/admin, Change it to your own user name/password.

Simplifying Prometheus Metrics in Go with prometric-go (Part-1)

Md Asraful Haque (Sohel) — Sun, 09 Nov 2025 04:32:44 +0000

Effortless observability for your Go applications — without the boilerplate.

This article is Part 1 of my Prometric-Go series.

Please have a look at Part 2 after reading this to see a full example of how this library can be used and create a Grafana Dashboard :

🔗 https://dev.to/asraful_haque/prometric-go-part-2-full-hands-on-demo-with-grafana-prometheus-k6-216k

🧠 The Problem

As Go developers, we all want observability — to know how our APIs perform, how many requests we handle, and how our systems behave in production.

Prometheus is fantastic for that — but setting up metrics in Go can quickly turn verbose:

counter := prometheus.NewCounterVec(
    prometheus.CounterOpts{Name: "http_requests_total", Help: "Total HTTP requests"},
    []string{"path", "method", "status"},
)
prometheus.MustRegister(counter)

And soon your code fills with boilerplate.

That’s why I built prometric-go — a lightweight, idiomatic helper library that makes exposing Prometheus metrics in Go as simple as possible.

💡 What is prometric-go?

prometric-go is a minimal Go library that wraps Prometheus client_golang and provides ready-to-use metrics for:

🌐 HTTP request tracking (latency, size, in-flight)
⚙️ CRUD operation metrics (total, duration, object count)
❤️ Application health metrics
🧱 Helpers for creating and registering custom metrics easily

It’s designed to be plug-and-play for HTTP servers and microservices.

🏗️ Installation

go get github.com/peek8/prometric-go/prometrics

Then import it in your Go app:

import "github.com/peek8/prometric-go/prometrics"

⚙️ Getting Started

Start by exposing a /metrics endpoint on your existing HTTP server:

package main
import (
    "net/http"
    "github.com/prometheus/client_golang/prometheus/promhttp"
)
func main() {
    mux := http.NewServeMux()
    mux.Handle("/metrics", promhttp.Handler())

    http.ListenAndServe(":7080", mux)
}

You now have a fully working Prometheus endpoint at http://localhost:7080/metrics.

🔍 Track HTTP Request Metrics Automatically

You can easily wrap your handlers with Prometheus middleware:

handler := prometrics.InstrumentHttpHandler("/person",http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    w.Write([]byte("Hello, Prometheus!"))
}))

http.Handle("/", handler)
http.ListenAndServe(":7080", nil)

The library automatically tracks:

http_requests_total: Total HTTP requests processed
http_request_duration_seconds: Request duration histogram
http_requests_in_flight: Current requests being handled
http_request_size_bytes: Request payload size
http_response_size_bytes: Response size

Example output:

http_requests_total{path="/",method="GET",code="200"} 42
http_request_duration_seconds_bucket{le="0.1",path="/",method="GET",code="200"} 12
http_requests_in_flight{path="/"} 1

📦 Tracking CRUD Operations

The library also provides metrics for tracking your CRUD operations:

// Example: create user in DB here
tracker := prometrics.TrackCRUD("user", "create")
defer tracker(time.Now())

This automatically records:

crud_operations_total: Total CRUD operations by object & operation
object_operation_duration_seconds: Histogram of CRUD operation durations
object_count: Current number of objects

⚡ Setting Object Counts

You can manually control the current count of entities in your system:

prometrics.SetObjectCount("user", 100)
prometrics.IncObjectCount("user")
prometrics.DecObjectCount("user")

All labeled and tracked automatically.

🧠 System Metrics (Optional)

You can also enable lightweight system metric collection in a background goroutine:

// collect health metrics in 10s interval
ctx, cancel := context.WithCancel(context.Background(), 10)
go prometrics.CollectSystemMetricsLoop(ctx)

This will report CPU and memory usage to Prometheus — useful for understanding resource trends.

Its also possible to collect these health metrics using Middleware:

mux := http.NewServeMux()

// Use HealthMiddleware at /metrics endpoint
mux.Handle("/metrics", prometrics.HealthMiddleware(promhttp.Handler()))

Using GIN Framework

If you are using Gin Web framework for your api, you can use the gin middlewares from prometrics.

r := gin.Default()
// For http metrics
r.Use(prometrics.GinMiddleware())
// For health metrics
r.Use(prometrics.GinHealthMiddleware())

r.GET("/ping", func(c *gin.Context) {
  c.JSON(200, gin.H{"msg": "pong"})
})

r.GET("/person", func(c *gin.Context) {
  defer prometrics.TrackCRUD("person", "Get")(time.Now())

  c.JSON(200, gin.H{"name": "asraf"})
})

📊 Visualizing in Grafana

Once your app exposes /metrics, you can scrape it using Prometheus:

scrape_configs:
  - job_name: 'prometric-go-demo'
    static_configs:
      - targets: ['localhost:7080']

Then build dashboards in Grafana with panels like:

Request duration heatmaps
Total requests per endpoint
In-flight request gauge

⚙️ Behind the Scenes

When I started building small Go microservices, I kept rewriting the same few lines of Prometheus setup code — NewCounterVec, MustRegister, boilerplate handlers, and middleware wrappers.

I wanted:

quick start
clean, ready-to-use metrics,
label conventions that were consistent,
and no mental overhead every time I started a new project.

That’s where prometric-go was born.

Some internal design goals that shaped it:

Quick Start with Metrics: Which metrics are useful to expose for a microservice/http-api and how to expose those. I wanted to start up with something without thinking too much.
Self-registration: all metrics are registered automatically using promauto.
Safe concurrency: metric operations are goroutine-safe by design.
GoDoc first: all exported symbols are documented so the package looks clean on pkg.go.dev.
Composable structure: submodules like http.go, crudmetrics.go, and apphealth.go keep responsibilities separate.

The idea wasn’t to replace Prometheus — just to make it nicer and faster to use for everyday Go developers.

🚀 Roadmap

Planned future enhancements include:

Add more metrics and customization to choose/filter metrics.
Integration with OpenTelemetry
Customizable metric namespace/prefix
Built-in Chi(and probably others) middleware
Out-of-the-box Grafana dashboards

Conclusion

prometric-go makes Prometheus metrics in Go simple, standardized, and developer-friendly.

Whether you’re building an HTTP API, a CLI, or a microservice, it helps you focus on business logic — not boilerplate metrics wiring.

Give it a try 👇

📦 github.com/peek8/prometric-go
If want to explore with some sample, please have a look at the part-2 blog: https://dev.to/asraful_haque/prometric-go-part-2-full-hands-on-demo-with-grafana-prometheus-k6-216k

And checkout the corresponding github repo:
https://github.com/peek8/prometric-go-sample

📚 Documentation
Full API reference available at:
pkg.go.dev/github.com/peek8/prometric-go/prometrics

Make ArgoCD authenticated using AWS Cognito

Md Asraful Haque (Sohel) — Sun, 01 Sep 2024 13:08:09 +0000

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. If you install the argocd using the official guide and expose it using ALB and Route53, it will be open to anyone knowing the url.

(If you want to know how to expose some EKS application using ALB and Route53 - see the blog post of exposing tekton-dashboard)

The Goal of this blog is to show how we can make the argoCD protected from public access using AWS Cognito and also control the access eg read/write access.

Pre-Requisite

EKS Cluster (or any other k8s cluster)
Kubectl is configured at your local machine
ArgoCD is installed at the cluster

Step by Step

Setup AWS Cognito

Follow the steps from this blog post on how to setup AWS Cognito for argoCD application.

Get CLIENT_ID, CLIENT_SECRET and oidc-issuer-url from aws cognito to be used in later steps.

Create Users at AWS Cognito

Go to the user pool and create two groups eg named argocd-admin and argocd-reader. Add the corresponding users to these groups ie add some admin users to argocd-admin group and add some read-only user at argocd-reader. The read-only users can't create application at argoCD console.

Update argoCD config

Now we have to edit argocd-cm and argocd-rbac-cm configMap.
You will get the samples at this github repo.
So steps would be:

Clone the git repository
go to aws-cognito-config dir
Get the clientID, clientSecret and issuer url from previous cognito-setup step and fill the oidc.config at argocm.yaml file
The last field url (at configMap) should be the domain url with which you will access the argocd console eg. https://argocd.myekscluster.com.
Now apply the configurations by :

$ kubectl apply -n argocd -k .

To take effect immediately, you can restart the argocd server pod ie. get the pods

$kubectl get pods -n argocd | grep argocd-server

Then delete the pods eg if your argocd-server pod is argocd-server-6d879b555c-srbv5

$ kubectl delete pod -n argocd argocd-server-6d879b555c-srbv5

That's it, Now if you hit the argocd url eg. https://argocd.myekscluster.com, you will see the button login with Cognito and if you enter the correct user and password you can login !!! 🎉.

References:
https://medium.com/@devopsrockers/argocd-sso-config-with-aws-cognito-c51cade75cef
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html

Setup AWS Cognito as OIDC for adding access control for Application

Md Asraful Haque (Sohel) — Wed, 28 Aug 2024 03:31:53 +0000

Goal

We will setup aws cognito by creating user pool and identity provider. This setup can be used for authenticating other app which support oidc endpoint.

Setup AWS Cognito

Create User Pool

Go to AWS Cognito Console and click on create user pool

Configure sign-in experience

Select the user name and email sign-in options selected.

Configure security requirements

Keep everything as default except set No MFA option to keep things simple

Configure sign-up experience

For this section keep it to the default options

Configure message delivery

For message deliver select select email with cognito.

Integrate your app

Give some user-pool name eg myapp-users and app client name is myapp. Make sure that the app client is public and check the option Generate a client secret. Keep everything else as their default options.

Create User Pool

Create Identity Pools by going to AWS cognito then identity-pool console

Configure identity pool trust

Check Authenticated Access and Amazon Cognito User Pool.

Configure permissions

Create a new role eg named myapp-identity-role:

Connect identity providers

Select your user pools eg myapp-users and the client (eg myapp) you created in earlier steps. Set everything else default

Configure properties

Put some name eg. myapp-idp, keep everthing else on their default values.

Review and create

Review and Create your identity Pool

Create user at your user pools

Go to your user pools eg myapp-users, and then click on users then create user.
Put your user name and email and set a password:

Get Values for using AWS Cognito as OIDC

CLIENT_ID and CLIENT_SECRET

You will get client-id and secret from your AWS User Pools ie

Go to Cognito User Pools and select your user pool(eg. tekton-user)
Click on App Integration tab
Go to the App client list section
Click on your client
At App client information page you will find the Client ID and Client Secret.

OIDC Issuer URL

The oidc url for your AWS Cognito User Pools, It would be like : https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID.

For example if your region is eu-west-1 and your user-pool id is eu-west-1-1234, then it will be: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user-pool id at your AWS Cognito user-pools overview page.

Next Read

See my next blog post on authenticating tekton-dashboard as an example how we can use aws cognito as OIDC provider.

Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html

Make Tekton Dashboard user authenticated at EKS using AWS Cognito

Md Asraful Haque (Sohel) — Thu, 22 Aug 2024 07:19:39 +0000

Goal

The goal of this post is to add authentication to Tekton Dashboard installed at AWS EKS
If you are only interested to install the Dashboard and keep it publicly accessible, have a look at my previous blog post on Expose EKS tekton pipeline dashboard with ssl enabled.

Photo by Iraj Ishtiak on Unsplash

Pre-Requisite

EKS Cluster
Kubectl is configured at your local machine
Tekton pipeline is installed

Strategy

As per the Tekton Dashboard documentation:

The Dashboard does not provide its own authentication or authorization, however it will pass on any authentication headers provided to it by a proxy deployed in front of the Dashboard.

For authentication, there are several options like oauth2-proxy, Keycloak, OpenUnison, Traefik, Istio’s EnvoyFilter. For this tutorial we will use oauth2-proxy.

Workflows

-- There will be a oauth2-proxy service deployed
-- This service will be exposed via the loadbalancer and the loadbalancer will be mapped against the your domain eg tekton-dashboard.myeks.com
-- The upstream of the oauth-proxy service is the tekton-dashboard service.
-- We will use AWS Cognito as the OIDC provider for oauth2-proxy service ie user will be authenticated via AWS Cognito.
-- With the above setup, when the end user will request for the tekton-dashboard (with eg tekton-dashboard.myeks.com) it will first hit the oauth2 proxy service.
-- The oauth2-proxy service will forward the request to AWS Cognito to check if the user is authenticated.
-- If authenticated, the user is logged in and can see the tekton-dashboard.

Step By Step

Install Tekton Dashboard

-- Install the Tekton Dashboard using the official documentation
-- Add a Service to access the Tekton Dashboard eg. tekton-dashboard.yaml:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
    app.kubernetes.io/version: v0.49.0
    dashboard.tekton.dev/release: v0.49.0
    version: v0.49.0
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  ports:
    - name: http
      port: 9097
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Note that this service doesn't have a type so, its of type ClusterIP that means only accessible internally inside the cluster ie this service can be accessed using http://tekton-dashboard:9097.

Setup AWS Cognito

Follow the steps from this blog post on how to setup AWS Cognito for this app

Now We are done with setting up AWS Cognito. Lets move to Oauth2 Proxy.
Get CLIENT_ID, CLIENT_SECRET and oidc-issuer-url from aws cognito to be used in later steps.

Installing and Configuring Oauth2-Proxy

What we have to do now deploy the oauth2 proxy as k8s Deployement, expose that proxy app to the world by creating a service and map the domain name for the service.

Create Tekton Dashboard secret

$ kubectl create secret generic tekton-dashboard-auth \
-n tekton-pipelines \
--from-literal=username=CLIENT_ID \
--from-literal=password=CLIENT_SECRET

You will get the CLIENT_ID and CLIENT_SECRET from your AWS User Pools (see the steps at AWS Cognito post

Add the oauth2-proxy Deployment

Before creating the deployment for oauth2-proxy, check the following values:

upstream: This is the url of the tekton-dashboard service. In our case it will be http://tekton-dashboard:9097.
redirect-url: The url where the oauth-proxy will be redirected. it will be you tekton-dashboard callback url eg. https://tkn-dashboard.myeks/oauth2/callback
oidc-issuer-url: The oidc url for your AWS Cognito User Pools, It would be like : https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID. For example if your region is eu-west-1 and your user-pool id is eu-west-1-1234, then it will be: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user-pool id at your AWS Cognito user-pools overview page.
cookie-secret: Generate some random string for cookie secret. you can use openssl for that:

$ openssl rand -base64 32 | head -c 32 | base64

To make things easier, I have put the deployment and service file at this eks-tekton github repository. Clone it and add the values of above params at the Deployment manifest.
(Don't apply it yet, we have to change the service as well)

Exposing the oauth2-proxy service with LoadBalancer

Create Certificate

Create Certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.

Add certificate arn at the service

We need to add the following annotations at the service which needs the certificate arn, ie

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

Replace the certificate arn, at your cloned github repository for the tekton-dashboard-auth service

Create the deployment and service

If you are at the root of the cloned github repo and modified as per above steps, now you can apply it

$ kubectl apply -n tekton-pipelines -k tekton-dashboard-oidc

This will create the deployment and corresponding services, and there will be a loadbalancer created which points to the oauth2-proxy service.

Map the domain with Loadbalancer

Now, Find your LoadBalancer from the service:

$ kc get svc tekton-dashboard-auth -n tekton-pipelines

You will get the LoadBalancer URl at the External-IP field.

With the URL, Locate that LoadBalancer at AWS Console and check at the Listener there is 443 port. For the SSL certificate check the certificate you defined at the Service has been attached at the loadbalancer.
From AWS Route53, Associate your domain name (eg. tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing it for the first time, you can follow the AWS Routing traffic to an ELB load balancer documentation

That's it now you can browse the tekton dashboard using your domain eg. https://tekton-dashboard.myeks.com and it ask you login with AWS Cognito.
If you put the correct username and password, you will be on the Tekton Dashboard homepage 🎉.

NB. The picture attached at this post not related to content, its just attached to soothe your eyes :)

References:
https://medium.com/octo-technology-morocco/secure-authentication-to-tekton-dashboard-using-oidc-36de9b3f8a7d
https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html

Expose EKS tekton pipeline dashboard with ssl enabled

Md Asraful Haque (Sohel) — Wed, 21 Aug 2024 06:36:30 +0000

In this tutorial we will try to expose tekton-pipeline dashboard using application load balancer with ssl enabled at AWS EKS cluster.

Photo by ATM Arafath Ali on Unsplash

Pre-Requisite

EKS Cluster
Kubectl is configured at your local machine
Tekton pipeline is installed

Context

Tekton Dashboard is a Web-based UI for Tekton Pipelines and Tekton Triggers resources. Its quite easy to install following the official Install guidelines using kubectl. In your self-managed kubernetes cluster, you can easily expose it with ingress controller, But at EKS you have to install some ingress controller which is AWS Load Balancer Controller which seems to be a bit hassle to me if you want to achieve something quickly. Rather than I would use Service to achieve this.

Install Tekton Dashboard

Install the Tekton Dashboard using the official documentation

Expose Tekton Dashboard with Service (without https)

Create a LoadBalancer Type Service (ie tekton-dashboard-svc.yaml) with the following manifests:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard    
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 9097
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Create this service using kubectl:

$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc.yaml

This will create a LoadBalancer at aws, with the load balancer url you can access the dashboard or you can also map this loadBalancer with your domain name eg tekton-dashboard.myeks.com using Route53 service.

Expose Tekton Dashboard with Service and https enabled

Exposing the Tekton Dashboard with LoadBalancer Service was quite easy. Now we want to enable https. To do that we have to do the following steps:

Step 1: Create Certificate

Create Certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.

Step 2 : Create Service with the certificate

Add the following annotations with the certificate arn:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

So the service will be like following (ie. tekton-dashboard-svc-ssl.yaml):

apiVersion: v1
kind: Service
metadata:
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: tekton-dashboard
  name: tekton-dashboard-ssl
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 9097
    - name: https
      port: 443
      protocol: TCP
      targetPort: 9097
   selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Create this service using kubectl:

$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc-ssl.yaml

If you had created the service using tekton-dashboard-svc.yaml, you can delete that service.
Wait for some time, the load balancer will be created and now you can use now https.

Step 3 : Use the domain name

Now, Find your LoadBalancer from the service:

$ kc get svc tekton-dashboard-ssl -n tekton-pipelines

You will get the LoadBalancer URl at the External-IP field.

-- With the URL, Locate that LoadBalancer at AWS Console and check at the Listener there is 443 port. For the SSL certificate check the certificate you defined at the Service has been attached at the loadbalancer.
-- From AWS Route53, Associate your domain name (eg. tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing it for the first time, you can follow the AWS Routing traffic to an ELB load balancer documentation

That's it now you can browse the tekton dashboard using https://tekton-dashboard.myeks.com 🎉

If you want to Make your Tekton Dashboard user authenticated, Look at my next post to authenticate Tekton Dashboard using AWS Cognito.

NB. The picture attached at this post not related to content, its just attached to soothe your eyes :)

References:
https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https