Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add kube-rbac-proxy and prom-label-proxy to Alertmanager #701

Merged
merged 6 commits into from Mar 30, 2020
Merged

Add kube-rbac-proxy and prom-label-proxy to Alertmanager #701

merged 6 commits into from Mar 30, 2020

Conversation

simonpasquier
Copy link
Contributor

@simonpasquier simonpasquier commented Mar 12, 2020
edited

This needs e2e tests.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 12, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 12, 2020
@pgier pgier mentioned this pull request Mar 12, 2020
Merged
@s-urbaniak
Copy link
Contributor

just nits around resource requests, else lgtm module e2e tests 👍

@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch 2 times, most recently from 7465b88 to b241d5e Compare March 13, 2020 14:21
@lilic
Copy link
Contributor

lilic commented Mar 13, 2020
edited

Why do we need this PR? Is this for thanos ruler/querier integration with alertmanager? 🤔

@s-urbaniak
Copy link
Contributor

@lilic xref https://github.com/openshift/enhancements/blob/master/enhancements/monitoring/user-workload-monitoring.md#alertmanager-silences

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 13, 2020
@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch from b241d5e to a7191e3 Compare March 16, 2020 08:55
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 16, 2020
@brancz
Copy link
Contributor

brancz commented Mar 16, 2020

lgtm as well after e2e tests

@s-urbaniak
Copy link
Contributor

@simonpasquier i believe it is unrelated but do you mind to peek at the e2e failure?

level=error msg="Cluster operator monitoring Degraded is True with UpdatingAlertmanagerFailed: Failed to rollout the stack. Error: running task Updating Alertmanager failed: waiting for Alertmanager object changes failed: waiting for Alertmanager: expected 3 replicas, updated 0 and available 0"
level=fatal msg="failed to initialize the cluster: Cluster operator monitoring is still updating"

@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch 11 times, most recently from 79990c6 to 6850c49 Compare March 25, 2020 13:01
@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch from 6850c49 to e6df898 Compare March 25, 2020 14:37
@simonpasquier simonpasquier changed the title [WIP] Add rbac and label proxy to alertmanager Add rbac and label proxy to alertmanager Mar 25, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 25, 2020
@simonpasquier simonpasquier changed the title Add rbac and label proxy to alertmanager Add kube-rbac-proxy and prom-label-proxy to alertmanager Mar 25, 2020
@simonpasquier simonpasquier changed the title Add kube-rbac-proxy and prom-label-proxy to alertmanager Add kube-rbac-proxy and prom-label-proxy to Alertmanager Mar 25, 2020
@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch from ebfe47c to 001fa60 Compare March 26, 2020 09:36
brancz
brancz reviewed Mar 26, 2020
View reviewed changes
pkg/manifests/manifests.go Outdated Show resolved Hide resolved
lilic
lilic reviewed Mar 26, 2020
View reviewed changes
Copy link
Contributor

@lilic lilic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

manifests/0000_50_cluster_monitoring_operator_02-role.yaml
@@ -145,6 +147,25 @@ rules:
- namespaces
verbs:
- get
- apiGroups:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure, it was automatically generated by the script...

cc @s-urbaniak @paulfantom

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I guess CMO needs this permissions as well, explains it.

pkg/manifests/manifests.go Outdated Show resolved Hide resolved
pkg/tasks/clustermonitoringoperator.go Show resolved Hide resolved
test/e2e/alertmanager_test.go
}

// The Alertmanager API should be protected by the OAuth proxy.
func TestAlertmanagerOAuthProxy(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain how this is testing alertmanger oauth proxy, we just do a query against alertmanager.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're querying Alertmanager via its OpenShift route which should be mapped to the OAuth proxy service. This is copied from

cluster-monitoring-operator/test/e2e/user_workload_monitoring_test.go

Lines 376 to 403 in e597c67

err = framework.Poll(5*time.Second, 5*time.Minute, func() error {
body, err := f.AlertmanagerClient.AlertmanagerQuery(
"filter", `alertname="VersionAlert"`,
"active", "true",
)
if err != nil {
t.Fatal(err)
}
res, err := gabs.ParseJSON(body)
if err != nil {
return err
}
count, err := res.ArrayCount()
if err != nil {
return err
}
if count == 1 {
return nil
}
return fmt.Errorf("expected 1 fired VersionAlert, got %d", count)
})
if err != nil {
t.Fatal(err)
}

I should probably add an e2e test checking that a request without sufficient permissions is denied.

brancz
brancz reviewed Mar 26, 2020
View reviewed changes
test/e2e/alertmanager_test.go
if err != nil {
t.Fatalf("%v (data: %q)", err, string(b))
}
silID, ok := parsed.Path("silenceID").Data().(string)
Copy link
Contributor

@brancz brancz Mar 26, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's additionally validate that the namespace label exists/is enforced no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done, the original silence is created with a namespace="openshift-monitoring" matcher and the test verifies that it is modified to namespace="test-kube-rbac-proxy".

@simonpasquier
Copy link
Contributor Author

/retest

@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch 2 times, most recently from df2bf16 to f4f37b3 Compare March 26, 2020 15:07
@simonpasquier
Copy link
Contributor Author

/test e2e-aws-operator

@simonpasquier simonpasquier force-pushed the add-rbac-and-label-proxy-to-alertmanager branch from f4f37b3 to 655bfcf Compare March 27, 2020 09:38
lilic
lilic reviewed Mar 27, 2020
View reviewed changes
Copy link
Contributor

@lilic lilic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

/lgtm
/hold

in case brancz has anymore questions.

manifests/0000_50_cluster_monitoring_operator_02-role.yaml
@@ -145,6 +147,25 @@ rules:
- namespaces
verbs:
- get
- apiGroups:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I guess CMO needs this permissions as well, explains it.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 27, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lilic, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [lilic,simonpasquier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@simonpasquier
Copy link
Contributor Author

Thanks Lili! cc @brancz

@simonpasquier
Copy link
Contributor Author

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 30, 2020
@openshift-merge-robot openshift-merge-robot merged commit 6791732 into openshift:master Mar 30, 2020
@pgier pgier mentioned this pull request Jun 23, 2020
Closed
1 task
@simonpasquier simonpasquier deleted the add-rbac-and-label-proxy-to-alertmanager branch June 24, 2020 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s-urbaniak s-urbaniak s-urbaniak left review comments

@brancz brancz brancz left review comments

@lilic lilic lilic left review comments

@squat squat Awaiting requested review from squat

Assignees

@lilic lilic

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@simonpasquier @s-urbaniak @lilic @brancz @openshift-ci-robot @openshift-merge-robot