-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add azuread oauth support to remote write #6037
feat: Add azuread oauth support to remote write #6037
Conversation
1a5e0d5
to
960100c
Compare
3db7fcd
to
48fa1d8
Compare
pkg/prometheus/promcfg.go
Outdated
if err != nil { | ||
return yaml.MapItem{}, fmt.Errorf("the provided Azure OAuth clientId is invalid") | ||
} | ||
matched := tenantIDre.MatchString(spec.AzureAD.OAuth.TenantID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a bit torn if we should validate this on the operator or not, because if MS change this we have to change the operator too.
But!
If we think it's valuable, I'd prefer to add this annotation // +kubebuilder:validation:Pattern
to the struct and let the validation on the CRD side.
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moved validation to the CRD side. I'd keep it probably since prometheus itself does the same validation? Invalid id -> prometheus startup issues?
I'm fine with either though!
48fa1d8
to
f434330
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR! Looking at "API Conventions" in our CONTRIBUTING.md we could make some improvements to the API definition.
Mostly around Optionals vs. Required
pkg/prometheus/promcfg.go
Outdated
if spec.AzureAD.ManagedIdentity.ClientID == "" && spec.AzureAD.OAuth == nil { | ||
return yaml.MapItem{}, fmt.Errorf("must provide Azure Managed Identity or Azure OAuth in the Azure AD config") | ||
} | ||
if spec.AzureAD.ManagedIdentity.ClientID != "" && spec.AzureAD.OAuth != nil { | ||
return yaml.MapItem{}, fmt.Errorf("cannot provide both Azure Managed Identity and Azure OAuth in the Azure AD config") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if there isn't a more appropriate place for the validation? The method signature is only generateRemoteWriteConfig and doesn't mention any kind of validation. I also don't see other remote write options being validated here.
Sorry for giving such a vague answer for this one, at the moment I can't remember where exactly we validate remote-write, but I have a feeling we do it elsewhere 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by validation I mean, we don't return errors here because we've already checked it beforehand
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks in general for all the feedback! Specifically this comment -> I've moved it to the ValidateRemoteWriteSpec
function and reverted the signature of the generateRemoteWriteConfig
to no error returns. Makes sense.
pkg/prometheus/promcfg.go
Outdated
if !cg.WithMinimumVersion("2.48.0").IsCompatible() { | ||
return yaml.MapItem{}, fmt.Errorf("Azure OAuth is only supported in Prometheus 2.48.0 and later") | ||
} | ||
if spec.AzureAD.OAuth.ClientID == "" { | ||
return yaml.MapItem{}, fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | ||
} | ||
if spec.AzureAD.OAuth.TenantID == "" { | ||
return yaml.MapItem{}, fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | ||
} | ||
_, err := uuid.Parse(spec.AzureAD.OAuth.ClientID) | ||
if err != nil { | ||
return yaml.MapItem{}, fmt.Errorf("the provided Azure OAuth clientId is invalid") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
e58b401
to
8b5ecb9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some very small nits!
pkg/prometheus/operator.go
Outdated
@@ -96,8 +97,7 @@ func NewTLSAssetSecret(p monitoringv1.PrometheusInterface, labels map[string]str | |||
} | |||
} | |||
|
|||
// ValidateRemoteWriteSpec checks that mutually exclusive configurations are not | |||
// included in the Prometheus remoteWrite configuration section. | |||
// ValidateRemoteWriteSpec validates the RemoteWriteSpec. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// ValidateRemoteWriteSpec validates the RemoteWriteSpec. | |
// ValidateRemoteWriteSpec checks that mutually exclusive configurations are not | |
// included in the Prometheus remoteWrite configuration section, while validating | |
// RemoteWriteSpec child fields. |
I'm not sure about this one, I think it makes sense to keep the previous comment and extend with the extra functionality... I struggling to find a good comment though 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That sounds good :)
5d7e70b
to
dd4230f
Compare
332ec32
to
77814de
Compare
Prometheus v2.48.0 is out! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Just a few minor comments otherwise LGTM.
OAuth *AzureOAuth `json:"oauth,omitempty"` | ||
} | ||
|
||
// AzureOAuth is used to store azure oauth config values. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// AzureOAuth is used to store azure oauth config values. | |
// AzureOAuth defines the Azure OAuth settings. |
@@ -1246,8 +1246,28 @@ type AzureAD struct { | |||
// +optional | |||
Cloud *string `json:"cloud,omitempty"` | |||
// ManagedIdentity defines the Azure User-assigned Managed identity. | |||
// Cannot be set at the same time as `oAuth`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Cannot be set at the same time as `oAuth`. | |
// Cannot be set at the same time as `oauth`. |
// AzureOAuth is used to store azure oauth config values. | ||
// +k8s:openapi-gen=true | ||
type AzureOAuth struct { | ||
// ClientID is the clientId of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// ClientID is the clientId of the azure active directory application that is being used to authenticate. | |
// `clientID` is the clientId of the Azure Active Directory application that is being used to authenticate. |
// ClientID is the clientId of the azure active directory application that is being used to authenticate. | ||
// +required | ||
ClientID string `json:"clientId"` | ||
// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. | |
// `clientSecret` specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate. |
// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. | ||
// +required | ||
ClientSecret v1.SecretKeySelector `json:"clientSecret"` | ||
// TenantID is the tenantId of the azure active directory application that is being used to authenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// TenantID is the tenantId of the azure active directory application that is being used to authenticate. | |
// tenantID is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
pkg/prometheus/operator.go
Outdated
if spec.AzureAD.OAuth.ClientID == "" { | ||
return fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | ||
} | ||
if spec.AzureAD.OAuth.TenantID == "" { | ||
return fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
already validated at the CRD level
if spec.AzureAD.OAuth.ClientID == "" { | |
return fmt.Errorf("clientId must be provided in the Azure AD OAuth config") | |
} | |
if spec.AzureAD.OAuth.TenantID == "" { | |
return fmt.Errorf("tenantId must be provided in the Azure AD OAuth config") | |
} |
Signed-off-by: adinhodovic <hodovicadin@gmail.com>
77814de
to
7f22f69
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good! I've spotted one small typo but we can merge it now and you can fix it later.
// `clientSecret` specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate. | ||
// +required | ||
ClientSecret v1.SecretKeySelector `json:"clientSecret"` | ||
// `tenantID` is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// `tenantID` is the tenant ID of the Azure Active Directory application that is being used to authenticate. | |
// `tenantId` is the tenant ID of the Azure Active Directory application that is being used to authenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do!
Description
Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.
Fixes #6032. Adds azure ad oauth support to remote write.
Type of change
What type of changes does your code introduce to the Prometheus operator? Put an
x
in the box that apply.CHANGE
(fix or feature that would cause existing functionality to not work as expected)FEATURE
(non-breaking change which adds functionality)BUGFIX
(non-breaking change which fixes an issue)ENHANCEMENT
(non-breaking change which improves existing functionality)NONE
(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry
Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.