Merge pull request #700 from simonpasquier/cleanup-thanos-ruler

Cleanup thanos ruler

assets/thanos-ruler/service-monitor.yaml

@@ -2,17 +2,18 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
-    k8s-app: alertmanager
+    k8s-app: thanos-ruler
   name: thanos-ruler
   namespace: openshift-user-workload-monitoring
 spec:
   endpoints:
   - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
     interval: 30s
     port: web
+    scheme: https
     tlsConfig:
       caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
       serverName: server-name-replaced-at-runtime
   selector:
     matchLabels:
-      thanosRuler: user-workload
+      app.kubernetes.io/name: user-workload

assets/thanos-ruler/service.yaml

@@ -5,13 +5,16 @@ metadata:
     service.alpha.openshift.io/serving-cert-secret-name: thanos-ruler-tls
   labels:
     app.kubernetes.io/name: user-workload
-  name: thanos-ruler-user-workload
+  name: thanos-ruler
   namespace: openshift-user-workload-monitoring
 spec:
   ports:
   - name: web
     port: 9091
     targetPort: web
+  - name: grpc
+    port: 10901
+    targetPort: grpc
   selector:
     app: thanos-ruler
     thanos-ruler: user-workload

assets/thanos-ruler/thanos-ruler.yaml

@@ -81,6 +81,3 @@ spec:
   - name: secret-thanos-ruler-oauth-htpasswd
     secret:
       secretName: thanos-ruler-oauth-htpasswd
-  - name: secret-thanos-ruler-kube-rbac-proxy
-    secret:
-      secretName: thanos-ruler-kube-rbac-proxy

jsonnet/thanos-ruler.jsonnet

@@ -38,10 +38,9 @@ local authorizationRole =
       'thanos-ruler': thanosRulerName,
     },
     ports: {
+      web: 9091,
       grpc: 10901,
-      http: 10902,
     },
-
   },
 
   thanos+:: {
@@ -115,35 +114,6 @@ local authorizationRole =
         secret.mixin.metadata.withNamespace(thanosRulerConfig.namespace) +
         secret.mixin.metadata.withLabels({ 'k8s-app': 'thanos-ruler' }),
 
-      // holds the kube-rbac-proxy configuration as a secret.
-      // It configures to template the request in flight
-      // to extract a "namespace" query parameter
-      // and perform a SubjectAccessReview
-      // asserting if the request bearer token in flight has permissions
-      // to access the pod.metrics.k8s.io API.
-      // The asserted verb (PUT, GET, POST, etc.) is implied from the http request verb in flight.
-      kubeRbacProxySecret:
-        local config = {
-          'config.yaml': std.base64(std.manifestYamlDoc({
-            authorization: {
-              rewrites: {
-                byQueryParameter: {
-                  name: 'namespace',
-                },
-              },
-              resourceAttributes: {
-                apiVersion: 'metrics.k8s.io/v1beta1',
-                resource: 'pods',
-                namespace: '{{ .Value }}',
-              },
-            },
-          })),
-        };
-
-        secret.new('thanos-ruler-kube-rbac-proxy', config) +
-        secret.mixin.metadata.withNamespace(thanosRulerConfig.namespace) +
-        secret.mixin.metadata.withLabels({ 'k8s-app': 'thanos' }),
-
       serviceAccount:
         local serviceAccount = k.core.v1.serviceAccount;
 
@@ -160,11 +130,11 @@ local authorizationRole =
 
       service:
         service.new(
-          'thanos-ruler-' + thanosRulerConfig.name,
+          'thanos-ruler',
           thanosRulerConfig.selectorLabels,
           [
+            ports.newNamed('web', thanosRulerConfig.ports.web, 'web'),
             ports.newNamed('grpc', thanosRulerConfig.ports.grpc, 'grpc'),
-            ports.newNamed('http', thanosRulerConfig.ports.http, 'http'),
           ],
         ) +
         // The following annotation will instruct the serving certs controller
@@ -179,10 +149,7 @@ local authorizationRole =
         // cluster-monitoring-operator, that when reconciling this service the
         // cluster IP needs to be retained.
         service.mixin.spec.withType('ClusterIP') +
-        service.mixin.spec.withSessionAffinity('ClientIP') +
-        service.mixin.spec.withPorts([
-          ports.newNamed('web', 9091, 'web'),
-        ]),
+        service.mixin.spec.withSessionAffinity('ClientIP'),
 
       serviceMonitor: {
         apiVersion: 'monitoring.coreos.com/v1',
@@ -191,19 +158,18 @@ local authorizationRole =
           name: 'thanos-ruler',
           namespace: thanosRulerConfig.namespace,
           labels: {
-            'k8s-app': 'alertmanager',
+            'k8s-app': 'thanos-ruler',
           },
         },
         spec: {
           selector: {
-            matchLabels: {
-              thanosRuler: thanosRulerConfig.name,
-            },
+            matchLabels: thanosRulerConfig.labels,
           },
           endpoints: [
             {
               port: 'web',
               interval: '30s',
+              scheme: 'https',
               tlsConfig: {
                 caFile: '/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'server-name-replaced-at-runtime',
@@ -247,7 +213,6 @@ local authorizationRole =
             volume.fromSecret('secret-thanos-ruler-tls', 'thanos-ruler-tls'),
             volume.fromSecret('secret-thanos-ruler-oauth-cookie', 'thanos-ruler-oauth-cookie'),
             volume.fromSecret('secret-thanos-ruler-oauth-htpasswd', 'thanos-ruler-oauth-htpasswd'),
-            volume.fromSecret('secret-thanos-ruler-kube-rbac-proxy', 'thanos-ruler-kube-rbac-proxy'),
           ],
           serviceAccountName: 'thanos-ruler',
           containers: [
@@ -278,7 +243,7 @@ local authorizationRole =
               image: $._config.imageRepos.openshiftOauthProxy + ':' + $._config.versions.openshiftOauthProxy,
               ports: [
                 {
-                  containerPort: 9091,
+                  containerPort: thanosRulerConfig.ports.web,
                   name: 'web',
                 },
               ],

pkg/manifests/manifests.go

@@ -2808,17 +2808,6 @@ func (f *Factory) ThanosRulerOauthCookieSecret() (*v1.Secret, error) {
 	return s, nil
 }
 
-func (f *Factory) ThanosRulerRBACProxySecret() (*v1.Secret, error) {
-	s, err := f.NewSecret(MustAssetReader(ThanosRulerRBACProxySecret))
-	if err != nil {
-		return nil, err
-	}
-
-	s.Namespace = f.namespaceUserWorkload
-
-	return s, nil
-}
-
 func (f *Factory) ThanosRulerCustomResource(trustedCA *v1.ConfigMap, grpcTLS *v1.Secret) (*monv1.ThanosRuler, error) {
 	t, err := f.NewThanosRuler(MustAssetReader(ThanosRulerCustomResource))
 	if err != nil {
@@ -3149,9 +3138,14 @@ func (f *Factory) HashTrustedCA(caBundleCM *v1.ConfigMap, prefix string) *v1.Con
 	h.Write([]byte(caBundle))
 	hash := strconv.FormatUint(h.Sum64(), 32)
 
+	ns := f.namespace
+	if caBundleCM.ObjectMeta.Namespace != "" {
+		ns = caBundleCM.ObjectMeta.Namespace
+	}
+
 	return &v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "openshift-monitoring",
+			Namespace: ns,
 			Name:      fmt.Sprintf("%s-trusted-ca-bundle-%s", prefix, hash),
 			Labels: map[string]string{
 				"monitoring.openshift.io/name": prefix,

pkg/tasks/thanos_ruler_user_workload.go

@@ -129,16 +129,6 @@ func (t *ThanosRulerUserWorkloadTask) create() error {
 		return errors.Wrap(err, "creating Thanos Ruler htpasswd Secret failed")
 	}
 
-	rs, err := t.factory.ThanosRulerRBACProxySecret()
-	if err != nil {
-		return errors.Wrap(err, "initializing Thanos Ruler RBAC proxy Secret failed")
-	}
-
-	err = t.client.CreateIfNotExistSecret(rs)
-	if err != nil {
-		return errors.Wrap(err, "creating Thanos Ruler RBAC proxy Secret failed")
-	}
-
 	{
 		// Create trusted CA bundle ConfigMap.
 		trustedCA, err := t.factory.ThanosRulerTrustedCABundle()