feat: Add azuread oauth support to remote write #6037
Conversation
adinhodovic
force-pushed
the
add-azuread-oauth
branch
from
1a5e0d5
to
960100c
Compare
adinhodovic
force-pushed
the
add-azuread-oauth
branch
2 times, most recently
from
3db7fcd
to
48fa1d8
Compare
pkg/prometheus/promcfg.go
Outdated
| if err != nil { | ||
| return yaml.MapItem{}, fmt.Errorf("the provided Azure OAuth clientId is invalid") | ||
| } | ||
| matched := tenantIDre.MatchString(spec.AzureAD.OAuth.TenantID) |
There was a problem hiding this comment.
I'm a bit torn if we should validate this on the operator or not, because if MS change this we have to change the operator too.
But!
If we think it's valuable, I'd prefer to add this annotation // +kubebuilder:validation:Pattern to the struct and let the validation on the CRD side.
WDYT?
There was a problem hiding this comment.
Moved validation to the CRD side. I'd keep it probably since prometheus itself does the same validation? Invalid id -> prometheus startup issues?
I'm fine with either though!
adinhodovic
force-pushed
the
add-azuread-oauth
branch
from
48fa1d8
to
f434330
Compare
There was a problem hiding this comment.
Thanks for the PR! Looking at "API Conventions" in our CONTRIBUTING.md we could make some improvements to the API definition.
Mostly around Optionals vs. Required
pkg/prometheus/promcfg.go
Outdated
| if spec.AzureAD.ManagedIdentity.ClientID == "" && spec.AzureAD.OAuth == nil { | ||
| return yaml.MapItem{}, fmt.Errorf("must provide Azure Managed Identity or Azure OAuth in the Azure AD config") | ||
| } | ||
| if spec.AzureAD.ManagedIdentity.ClientID != "" && spec.AzureAD.OAuth != nil { | ||
| return yaml.MapItem{}, fmt.Errorf("cannot provide both Azure Managed Identity and Azure OAuth in the Azure AD config") | ||
| } |
There was a problem hiding this comment.
I wonder if there isn't a more appropriate place for the validation? The method signature is only generateRemoteWriteConfig and doesn't mention any kind of validation. I also don't see other remote write options being validated here.
Sorry for giving such a vague answer for this one, at the moment I can't remember where exactly we validate remote-write, but I have a feeling we do it elsewhere 😅
There was a problem hiding this comment.
by validation I mean, we don't return errors here because we've already checked it beforehand
There was a problem hiding this comment.
Thanks in general for all the feedback! Specifically this comment -> I've moved it to the ValidateRemoteWriteSpec function and reverted the signature of the generateRemoteWriteConfig to no error returns. Makes sense.
pkg/prometheus/promcfg.go
Outdated
| if !cg.WithMinimumVersion("2.48.0").IsCompatible() { | ||
| return yaml.MapItem{}, fmt.Errorf("Azure OAuth is only supported in Prometheus 2.48.0 and later") | ||
| } | ||
| if spec.AzureAD.OAuth.ClientID == "" { | ||
| return yaml.MapItem{}, fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | ||
| } | ||
| if spec.AzureAD.OAuth.TenantID == "" { | ||
| return yaml.MapItem{}, fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | ||
| } | ||
| _, err := uuid.Parse(spec.AzureAD.OAuth.ClientID) | ||
| if err != nil { | ||
| return yaml.MapItem{}, fmt.Errorf("the provided Azure OAuth clientId is invalid") | ||
| } |
adinhodovic
force-pushed
the
add-azuread-oauth
branch
2 times, most recently
from
e58b401
to
8b5ecb9
Compare
pkg/prometheus/operator.go
Outdated
| @@ -96,8 +97,7 @@ func NewTLSAssetSecret(p monitoringv1.PrometheusInterface, labels map[string]str | |||
| } | |||
| } | |||
|
|
|||
| // ValidateRemoteWriteSpec checks that mutually exclusive configurations are not | |||
| // included in the Prometheus remoteWrite configuration section. | |||
| // ValidateRemoteWriteSpec validates the RemoteWriteSpec. | |||
There was a problem hiding this comment.
| // ValidateRemoteWriteSpec validates the RemoteWriteSpec. | |
| // ValidateRemoteWriteSpec checks that mutually exclusive configurations are not | |
| // included in the Prometheus remoteWrite configuration section, while validating | |
| // RemoteWriteSpec child fields. |
I'm not sure about this one, I think it makes sense to keep the previous comment and extend with the extra functionality... I struggling to find a good comment though 😅
There was a problem hiding this comment.
That sounds good :)
adinhodovic
force-pushed
the
add-azuread-oauth
branch
from
5d7e70b
to
dd4230f
Compare
adinhodovic
force-pushed
the
add-azuread-oauth
branch
4 times, most recently
from
332ec32
to
77814de
Compare
|
Prometheus v2.48.0 is out! |
| OAuth *AzureOAuth `json:"oauth,omitempty"` | ||
| } | ||
|
|
||
| // AzureOAuth is used to store azure oauth config values. |
There was a problem hiding this comment.
| // AzureOAuth is used to store azure oauth config values. | |
| // AzureOAuth defines the Azure OAuth settings. |
| @@ -1246,8 +1246,28 @@ type AzureAD struct { | |||
| // +optional | |||
| Cloud *string `json:"cloud,omitempty"` | |||
| // ManagedIdentity defines the Azure User-assigned Managed identity. | |||
| // Cannot be set at the same time as `oAuth`. | |||
There was a problem hiding this comment.
| // Cannot be set at the same time as `oAuth`. | |
| // Cannot be set at the same time as `oauth`. |
| // AzureOAuth is used to store azure oauth config values. | ||
| // +k8s:openapi-gen=true | ||
| type AzureOAuth struct { | ||
| // ClientID is the clientId of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
| // ClientID is the clientId of the azure active directory application that is being used to authenticate. | |
| // `clientID` is the clientId of the Azure Active Directory application that is being used to authenticate. |
| // ClientID is the clientId of the azure active directory application that is being used to authenticate. | ||
| // +required | ||
| ClientID string `json:"clientId"` | ||
| // ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
| // ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. | |
| // `clientSecret` specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate. |
| // ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. | ||
| // +required | ||
| ClientSecret v1.SecretKeySelector `json:"clientSecret"` | ||
| // TenantID is the tenantId of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
| // TenantID is the tenantId of the azure active directory application that is being used to authenticate. | |
| // tenantID is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
pkg/prometheus/operator.go
Outdated
| if spec.AzureAD.OAuth.ClientID == "" { | ||
| return fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | ||
| } | ||
| if spec.AzureAD.OAuth.TenantID == "" { | ||
| return fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | ||
| } |
There was a problem hiding this comment.
already validated at the CRD level
| if spec.AzureAD.OAuth.ClientID == "" { | |
| return fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | |
| } | |
| if spec.AzureAD.OAuth.TenantID == "" { | |
| return fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | |
| } |
Signed-off-by: adinhodovic <hodovicadin@gmail.com>
adinhodovic
force-pushed
the
add-azuread-oauth
branch
from
77814de
to
7f22f69
Compare
| // `clientSecret` specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate. | ||
| // +required | ||
| ClientSecret v1.SecretKeySelector `json:"clientSecret"` | ||
| // `tenantID` is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
There was a problem hiding this comment.
| // `tenantID` is the tenant ID of the Azure Active Directory application that is being used to authenticate. | |
| // `tenantId` is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
Description
Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.
Fixes #6032. Adds azure ad oauth support to remote write.
Type of change
What type of changes does your code introduce to the Prometheus operator? Put an
xin the box that apply.CHANGE(fix or feature that would cause existing functionality to not work as expected)FEATURE(non-breaking change which adds functionality)BUGFIX(non-breaking change which fixes an issue)ENHANCEMENT(non-breaking change which improves existing functionality)NONE(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry
Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.