Add kube-rbac-proxy and prom-label-proxy to Alertmanager #701
just nits around resource requests, else lgtm modulo e2e tests 👍
Why do we need this PR? Is this for thanos ruler/querier integration with alertmanager? 🤔
lgtm as well after e2e tests
@simonpasquier I believe it is unrelated but do you mind peeking at the e2e failure?
Looks good!
@@ -145,6 +147,25 @@ rules: | |||
- namespaces | |||
verbs: | |||
- get | |||
- apiGroups: |
Why do we need this?
I'm not sure, it was automatically generated by the script...
I see, I guess CMO needs these permissions as well, explains it.
} | ||
|
||
// The Alertmanager API should be protected by the OAuth proxy. | ||
func TestAlertmanagerOAuthProxy(t *testing.T) { |
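Review bot: the comment above `TestAlertmanagerOAuthProxy` says the Alertmanager API should be protected by the OAuth proxy, so the test needs a negative case as well: a request through the route with no credentials, or with insufficient ones, must be rejected. A successful authenticated query on its own would still pass if the route reached Alertmanager without going through the proxy.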
Can you explain how this is testing the alertmanager oauth proxy? We just do a query against alertmanager.
We're querying Alertmanager via its OpenShift route which should be mapped to the OAuth proxy service. This is copied from
cluster-monitoring-operator/test/e2e/user_workload_monitoring_test.go
Lines 376 to 403 in e597c67
```go
err = framework.Poll(5*time.Second, 5*time.Minute, func() error {
	body, err := f.AlertmanagerClient.AlertmanagerQuery(
		"filter", `alertname="VersionAlert"`,
		"active", "true",
	)
	if err != nil {
		t.Fatal(err)
	}
	res, err := gabs.ParseJSON(body)
	if err != nil {
		return err
	}
	count, err := res.ArrayCount()
	if err != nil {
		return err
	}
	if count == 1 {
		return nil
	}
	return fmt.Errorf("expected 1 fired VersionAlert, got %d", count)
})
if err != nil {
	t.Fatal(err)
}
```
I should probably add an e2e test checking that a request without sufficient permissions is denied.
if err != nil { | ||
t.Fatalf("%v (data: %q)", err, string(b)) | ||
} | ||
silID, ok := parsed.Path("silenceID").Data().(string) |
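Review bot: on the `silID, ok := parsed.Path("silenceID").Data().(string)` line, check `ok` immediately and fail the test with the response body, the same way the `t.Fatalf("%v (data: %q)", err, string(b))` call above does. If the response carries no string `silenceID`, an unchecked assertion leaves `silID` empty and the failure shows up later with a less useful message.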
Let's additionally validate that the namespace label exists/is enforced, no?
Done, the original silence is created with a `namespace="openshift-monitoring"` matcher and the test verifies that it is modified to `namespace="test-kube-rbac-proxy"`.
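The namespace enforcement this thread discusses, sketched as an added example (not code from this PR or from prom-label-proxy): a hypothetical `enforceNamespace` helper rewrites a silence body so that its only `namespace` matcher is an equality match on the tenant namespace. The field names follow the Alertmanager v2 silence payload; the request body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Matcher follows the matcher object of an Alertmanager v2 silence.
type Matcher struct {
	Name    string `json:"name"`
	Value   string `json:"value"`
	IsRegex bool   `json:"isRegex"`
	IsEqual *bool  `json:"isEqual,omitempty"`
}

// enforceNamespace is a hypothetical helper, not prom-label-proxy code: it
// pins the namespace matcher of a silence to tenant, whatever the client sent.
func enforceNamespace(body []byte, tenant string) ([]byte, error) {
	var sil map[string]json.RawMessage // other fields (comment, ...) pass through
	if err := json.Unmarshal(body, &sil); err != nil || sil == nil {
		return nil, fmt.Errorf("invalid silence body: %v", err)
	}
	var matchers []Matcher
	if raw, ok := sil["matchers"]; ok {
		if err := json.Unmarshal(raw, &matchers); err != nil {
			return nil, err
		}
	}
	kept := matchers[:0]
	for _, m := range matchers {
		if m.Name != "namespace" { // drop equality, regex and negated forms alike
			kept = append(kept, m)
		}
	}
	raw, _ := json.Marshal(append(kept, Matcher{Name: "namespace", Value: tenant}))
	sil["matchers"] = raw
	return json.Marshal(sil)
}

func main() {
	// Constructed request body: the client names a namespace it does not own.
	in := `{"matchers":[{"name":"namespace","value":"openshift-monitoring","isRegex":false}],"comment":"e2e"}`
	out, err := enforceNamespace([]byte(in), "test-kube-rbac-proxy")
	fmt.Println(string(out), err)
}
```

Removing every client-supplied `namespace` matcher before appending the enforced one also covers a regex matcher such as `namespace=~".*"`, which an append-only approach would leave in place.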
/retest
/test e2e-aws-operator
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Thanks!
/lgtm
/hold
in case brancz has any more questions.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: lilic, simonpasquier
Thanks Lili! cc @brancz
/hold cancel
This needs e2e tests.