create stub CR for KRP authorize access to Thanos Querier

openshift · Nov 8, 2023 · ec9abfe · ec9abfe
1 parent 7b8cc2c
commit ec9abfe
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 31 deletions.
diff --git a/assets/cluster-monitoring-operator/cluster-role-view.yaml b/assets/cluster-monitoring-operator/cluster-role-view.yaml
@@ -12,3 +12,11 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheuses/query
+  verbs:
+  - get
+  - create
+  - update
diff --git a/assets/thanos-querier/deployment.yaml b/assets/thanos-querier/deployment.yaml
@@ -87,14 +87,14 @@ spec:
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - --ignore-paths=/-/healthy,/-/ready
+        - --allow-paths=/api/v1/query,/api/v1/query_range,/api/v1/format_query,/api/v1/series,/api/v1/labels,/api/v1/label/*/values,/api/v1/query_exemplars,/api/v1/targets,/api/v1/rules,/api/v1/alerts,/api/v1/targets/metadata,/api/v1/metadata,/api/v1/alertmanagers,/api/v1/status/*
         - -v=10
         image: quay.io/brancz/kube-rbac-proxy:v0.15.0
         livenessProbe:
           failureThreshold: 4
           httpGet:
             path: /-/healthy
-            port: 9091
+            port: 9090
             scheme: HTTPS
           initialDelaySeconds: 30
           periodSeconds: 30
@@ -106,7 +106,7 @@ spec:
           failureThreshold: 20
           httpGet:
             path: /-/ready
-            port: 9091
+            port: 9090
             scheme: HTTPS
           initialDelaySeconds: 5
           periodSeconds: 5

diff --git a/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml b/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml
@@ -11,15 +11,15 @@ stringData:
   config.yaml: |-
     "authorization":
       "resourceAttributes":
-        "apiGroup": ""
-        "resource": "namespaces"
+        "apiGroup": "monitoring.coreos.com"
+        "resource": "prometheuses"
+        "subresource": "query"
         "verbs":
         - "get"
+        - "create"
+        - "update"
       "static":
       - "resourceRequest": true
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
-      - "resourceRequest": true
-        "user":
-          "name": "system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler"
 type: Opaque
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -330,11 +330,18 @@ function(params) {
     metadata: {
       name: 'cluster-monitoring-view',
     },
-    rules: [{
-      apiGroups: [''],
-      resources: ['namespaces'],
-      verbs: ['get'],
-    }],
+    rules: [
+      {
+        apiGroups: [''],
+        resources: ['namespaces'],
+        verbs: ['get'],
+      },
+      {
+        apiGroups: ['monitoring.coreos.com'],
+        resources: ['prometheuses/query'],
+        verbs: ['get', 'create', 'update'],
+      },
+    ],
   },
 
   // This role enables read/write access to the platform Alertmanager API through OAuth proxy.

diff --git a/jsonnet/components/thanos-querier.libsonnet b/jsonnet/components/thanos-querier.libsonnet
@@ -156,12 +156,12 @@ function(params)
       stringData: {
         'config.yaml': std.manifestYamlDoc({
           authorization: {
-            resourceAttributes:
-              {
-                apiGroup: '',
-                resource: 'namespaces',
-                verbs: ['get'],
-              },
+            resourceAttributes: {
+              apiGroup: 'monitoring.coreos.com',
+              resource: 'prometheuses',
+              subresource: 'query',
+              verbs: ['get', 'create', 'update'],
+            },
             static: [
               {
                 // allow prometheus-k8s to get/post queries from/to thanos querier
@@ -170,13 +170,6 @@ function(params)
                 },
                 resourceRequest: true,
               },
-              {
-                // allow thanos ruler to get/post queries from/to thanos querier
-                user: {
-                  name: 'system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler',
-                },
-                resourceRequest: true,
-              },
             ],
           },
         }),
@@ -428,9 +421,22 @@ function(params)
                   '--tls-cert-file=/etc/tls/private/tls.crt',
                   '--tls-private-key-file=/etc/tls/private/tls.key',
                   '--tls-cipher-suites=' + cfg.tlsCipherSuites,
-                  '--ignore-paths=' + std.join(',', [
-                    '/-/healthy',
-                    '/-/ready',
+                  /* all Prometheus API endpoints except /api/v1/admin */
+                  '--allow-paths=' + std.join(',', [
+                    '/api/v1/query',
+                    '/api/v1/query_range',
+                    '/api/v1/format_query',
+                    '/api/v1/series',
+                    '/api/v1/labels',
+                    '/api/v1/label/*/values',
+                    '/api/v1/query_exemplars',
+                    '/api/v1/targets',
+                    '/api/v1/rules',
+                    '/api/v1/alerts',
+                    '/api/v1/targets/metadata',
+                    '/api/v1/metadata',
+                    '/api/v1/alertmanagers',
+                    '/api/v1/status/*',
                   ]),
                   '-v=10',
                 ],
@@ -454,7 +460,7 @@ function(params)
                 livenessProbe: {
                   httpGet: {
                     path: '/-/healthy',
-                    port: 9091,
+                    port: 9090,
                     scheme: 'HTTPS',
                   },
                   initialDelaySeconds: 30,
@@ -464,7 +470,7 @@ function(params)
                 readinessProbe: {
                   httpGet: {
                     path: '/-/ready',
-                    port: 9091,
+                    port: 9090,
                     scheme: 'HTTPS',
                   },
                   initialDelaySeconds: 5,
@@ -658,4 +664,5 @@ function(params)
 
       },
     },
+
   }
diff --git a/manifests/0000_50_cluster-monitoring-operator_02-role.yaml b/manifests/0000_50_cluster-monitoring-operator_02-role.yaml
@@ -199,6 +199,14 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheuses/query
+  verbs:
+  - get
+  - create
+  - update
 - apiGroups:
   - ""
   resourceNames: