Merge pull request #5897 from simonpasquier/add-tenancy-thanos-for-rules

Add Thanos tenancy proxy for rules
openshift · Jul 9, 2020 · 96d02b4 · 96d02b4
2 parents 3f882db + 1fc713d
commit 96d02b4
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 12 deletions.
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -39,10 +39,14 @@ const (
 	// This is only accessible in-cluster. This is used for non-tenant global (alerting) rules requests.
 	openshiftPrometheusHost = "prometheus-k8s.openshift-monitoring.svc:9091"
 
-	// Well-known location of the tenant aware Thanos service for OpenShift. This is only accessible in-cluster.
+	// Well-known location of the tenant aware Thanos service for OpenShift exposing the query and query_range endpoints. This is only accessible in-cluster.
 	// Thanos proxies requests to both cluster monitoring and user workload monitoring prometheus instances.
 	openshiftThanosTenancyHost = "thanos-querier.openshift-monitoring.svc:9092"
 
+	// Well-known location of the tenant aware Thanos service for OpenShift exposing the rules endpoint. This is only accessible in-cluster.
+	// Thanos proxies requests to the cluster monitoring and user workload monitoring prometheus instances as well as Thanos ruler instances.
+	openshiftThanosTenancyForRulesHost = "thanos-querier.openshift-monitoring.svc:9093"
+
 	// Well-known location of the Thanos service for OpenShift. This is only accessible in-cluster.
 	// This is used for non-tenant global query requests
 	// proxying to both cluster monitoring and user workload monitoring prometheus instances.
@@ -334,6 +338,11 @@ func main() {
 				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftThanosTenancyHost, Path: "/api"},
 			}
+			srv.ThanosTenancyProxyForRulesConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint:        &url.URL{Scheme: "https", Host: openshiftThanosTenancyForRulesHost, Path: "/api"},
+			}
 			srv.AlertManagerProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
 				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
@@ -375,6 +384,11 @@ func main() {
 				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
 				Endpoint:        offClusterThanosURL,
 			}
+			srv.ThanosTenancyProxyForRulesConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint:        offClusterThanosURL,
+			}
 			srv.ThanosProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
 				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -103,13 +103,14 @@ type Server struct {
 	LoadTestFactor       int
 	DexClient            api.DexClient
 	// A client with the correct TLS setup for communicating with the API server.
-	K8sClient                *http.Client
-	PrometheusProxyConfig    *proxy.Config
-	ThanosProxyConfig        *proxy.Config
-	ThanosTenancyProxyConfig *proxy.Config
-	AlertManagerProxyConfig  *proxy.Config
-	MeteringProxyConfig      *proxy.Config
-	TerminalProxyTLSConfig   *tls.Config
+	K8sClient                        *http.Client
+	PrometheusProxyConfig            *proxy.Config
+	ThanosProxyConfig                *proxy.Config
+	ThanosTenancyProxyConfig         *proxy.Config
+	ThanosTenancyProxyForRulesConfig *proxy.Config
+	AlertManagerProxyConfig          *proxy.Config
+	MeteringProxyConfig              *proxy.Config
+	TerminalProxyTLSConfig           *tls.Config
 	// A lister for resource listing of a particular kind
 	MonitoringDashboardConfigMapLister ResourceLister
 	KnativeEventSourceCRDLister        ResourceLister
@@ -129,7 +130,7 @@ func (s *Server) authDisabled() bool {
 }
 
 func (s *Server) prometheusProxyEnabled() bool {
-	return s.PrometheusProxyConfig != nil && s.ThanosTenancyProxyConfig != nil
+	return s.PrometheusProxyConfig != nil && s.ThanosTenancyProxyConfig != nil && s.ThanosTenancyProxyForRulesConfig != nil
 }
 
 func (s *Server) alertManagerProxyEnabled() bool {
@@ -271,11 +272,13 @@ func (s *Server) HTTPHandler() http.Handler {
 
 			tenancyQuerySourcePath      = prometheusTenancyProxyEndpoint + "/api/v1/query"
 			tenancyQueryRangeSourcePath = prometheusTenancyProxyEndpoint + "/api/v1/query_range"
+			tenancyRulesSourcePath      = prometheusTenancyProxyEndpoint + "/api/v1/rules"
 			tenancyTargetAPIPath        = prometheusTenancyProxyEndpoint + "/api/"
 
-			prometheusProxy    = proxy.NewProxy(s.PrometheusProxyConfig)
-			thanosProxy        = proxy.NewProxy(s.ThanosProxyConfig)
-			thanosTenancyProxy = proxy.NewProxy(s.ThanosTenancyProxyConfig)
+			prometheusProxy            = proxy.NewProxy(s.PrometheusProxyConfig)
+			thanosProxy                = proxy.NewProxy(s.ThanosProxyConfig)
+			thanosTenancyProxy         = proxy.NewProxy(s.ThanosTenancyProxyConfig)
+			thanosTenancyForRulesProxy = proxy.NewProxy(s.ThanosTenancyProxyForRulesConfig)
 		)
 
 		// global label, query, and query_range requests have to be proxied via thanos
@@ -325,6 +328,14 @@ func (s *Server) HTTPHandler() http.Handler {
 				thanosTenancyProxy.ServeHTTP(w, r)
 			})),
 		)
+		// tenancy rules have to be proxied via thanos
+		handle(tenancyRulesSourcePath, http.StripPrefix(
+			proxy.SingleJoiningSlash(s.BaseURL.Path, tenancyTargetAPIPath),
+			authHandlerWithUser(func(user *auth.User, w http.ResponseWriter, r *http.Request) {
+				r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", user.Token))
+				thanosTenancyForRulesProxy.ServeHTTP(w, r)
+			})),
+		)
 	}
 
 	if s.alertManagerProxyEnabled() {