Allow changes in remote write api endpoint secret (#1209)

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Allow changes in the remote write api endpoint secret.
+
 ## [4.26.0] - 2023-03-20
 
 ### Changed

go.mod

@@ -22,7 +22,6 @@ require (
 	github.com/spf13/viper v1.15.0
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
 	golang.org/x/net v0.7.0
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/api v0.25.4
 	k8s.io/apiextensions-apiserver v0.25.4
 	k8s.io/apimachinery v0.25.4
@@ -107,6 +106,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/resty.v1 v1.12.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/component-base v0.25.4 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect

service/controller/resource/monitoring/remotewriteapiendpointconfigsecret/create.go

@@ -0,0 +1,103 @@
+package remotewriteapiendpointconfigsecret
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/giantswarm/microerror"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/giantswarm/prometheus-meta-operator/v2/service/key"
+)
+
+func (r *Resource) EnsureCreated(ctx context.Context, obj interface{}) error {
+	r.logger.Debugf(ctx, "ensuring prometheus remote write api endpoint secret")
+	{
+
+		cluster, err := key.ToCluster(obj)
+		if err != nil {
+			return microerror.Mask(err)
+		}
+
+		name, namespace := key.RemoteWriteAPIEndpointConfigSecretNameAndNamespace(cluster, r.Installation, r.Provider)
+
+		// Get the current secret if it exists.
+		current, err := r.k8sClient.K8sClient().CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+		if apierrors.IsNotFound(err) {
+			err = r.createSecret(ctx, cluster, name, namespace)
+			if err != nil {
+				return microerror.Mask(err)
+			}
+		} else if err != nil {
+			return microerror.Mask(err)
+		}
+
+		if current != nil {
+			// We thought that having an immutable secret would be a good thing as the remote write password cannot be changed (causing remote write errors)
+			// However, this causes a lot of issues if we want to update the other configurations like the queue config.
+			// Hence if the secret is immutable, we force delete it to create a non-immutable one
+			if current.Immutable != nil && *current.Immutable {
+				err = r.deleteSecret(ctx, current)
+				if err != nil {
+					return microerror.Mask(err)
+				}
+				err = r.createSecret(ctx, cluster, name, namespace)
+				if err != nil {
+					return microerror.Mask(err)
+				}
+			}
+
+			// As it takes a long time to apply the new password to the agent due to a built-in delay in the app-platform,
+			// we keep the already generated remote write password.
+			password, err := readRemoteWritePasswordFromSecret(*current)
+			if err != nil {
+				return microerror.Mask(err)
+			}
+
+			desired, err := r.desiredSecret(cluster, name, namespace, password)
+			if err != nil {
+				return microerror.Mask(err)
+			}
+			if !reflect.DeepEqual(current.Data, desired.Data) {
+				updateMeta(current, desired)
+				_, err := r.k8sClient.K8sClient().CoreV1().Secrets(namespace).Update(ctx, desired, metav1.UpdateOptions{})
+				if err != nil {
+					return microerror.Mask(err)
+				}
+			}
+		}
+	}
+
+	r.logger.Debugf(ctx, "ensured prometheus remote write api endpoint secret")
+
+	return nil
+}
+
+func readRemoteWritePasswordFromSecret(secret corev1.Secret) (string, error) {
+	secretValues := GlobalRemoteWriteValues{}
+	err := yaml.Unmarshal(secret.Data["values"], &secretValues)
+	if err != nil {
+		return "", microerror.Mask(err)
+	}
+
+	return secretValues.Global.RemoteWrite[0].Password, nil
+}
+
+func updateMeta(c, d metav1.Object) {
+	d.SetGenerateName(c.GetGenerateName())
+	d.SetUID(c.GetUID())
+	d.SetResourceVersion(c.GetResourceVersion())
+	d.SetGeneration(c.GetGeneration())
+	d.SetSelfLink(c.GetSelfLink())
+	d.SetCreationTimestamp(c.GetCreationTimestamp())
+	d.SetDeletionTimestamp(c.GetDeletionTimestamp())
+	d.SetDeletionGracePeriodSeconds(c.GetDeletionGracePeriodSeconds())
+	d.SetLabels(c.GetLabels())
+	d.SetAnnotations(c.GetAnnotations())
+	d.SetFinalizers(c.GetFinalizers())
+	d.SetOwnerReferences(c.GetOwnerReferences())
+	d.SetManagedFields(c.GetManagedFields())
+}

service/controller/resource/monitoring/remotewriteapiendpointconfigsecret/delete.go

@@ -0,0 +1,37 @@
+package remotewriteapiendpointconfigsecret
+
+import (
+	"context"
+
+	"github.com/giantswarm/microerror"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/giantswarm/prometheus-meta-operator/v2/service/key"
+)
+
+func (r *Resource) EnsureDeleted(ctx context.Context, obj interface{}) error {
+	r.logger.Debugf(ctx, "deleting prometheus remote write api endpoint secret")
+	{
+		cluster, err := key.ToCluster(obj)
+		if err != nil {
+			return microerror.Mask(err)
+		}
+
+		name, namespace := key.RemoteWriteAPIEndpointConfigSecretNameAndNamespace(cluster, r.Installation, r.Provider)
+
+		current, err := r.k8sClient.K8sClient().CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+
+		if err != nil {
+			return microerror.Mask(err)
+		}
+
+		err = r.deleteSecret(ctx, current)
+		if err != nil {
+			return microerror.Mask(err)
+		}
+
+	}
+	r.logger.Debugf(ctx, "deleted prometheus remote write api endpoint secret")
+
+	return nil
+}