prometheus: remove ui access

Type: feature removal Problem: We expose the full prometheus http api to authorized users through a route, i.e. its externally available. We want to remove access to the UI for a reduced support footprint, while maintaining access to `/api` and `/federate`. Solution: Alter the existing Route object to be limited to `/api` and create a new Route object to expose `/federate`. Another solution considered was to alter the oauth-proxy config. This is discarded due to oauth-proxy feature not alligning as needed and any change there also impacting the Service obhect that exposes the deployment cluster-internal. Issue: https://issues.redhat.com/browse/MON-1631 Signed-off-by: Jan Fajerski <[email protected]>
openshift · Jan 13, 2022 · 86d9e72 · 86d9e72
1 parent b07ad32
commit 86d9e72
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 2 deletions.
diff --git a/assets/prometheus-k8s/route.yaml → assets/prometheus-k8s/api-route.yaml b/assets/prometheus-k8s/route.yaml → assets/prometheus-k8s/api-route.yaml
@@ -4,6 +4,7 @@ metadata:
   name: prometheus-k8s
   namespace: openshift-monitoring
 spec:
+  path: /api
   port:
     targetPort: web
   tls:

diff --git a/assets/prometheus-k8s/federate-route.yaml b/assets/prometheus-k8s/federate-route.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Route
+metadata:
+  name: prometheus-k8s-federate
+  namespace: openshift-monitoring
+spec:
+  path: /federate
+  port:
+    targetPort: web
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: Reencrypt
+  to:
+    kind: Service
+    name: prometheus-k8s
diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
@@ -22,8 +22,8 @@ function(params)
       data: {},
     },
 
-    // OpenShift route to access the Prometheus UI.
-    route: {
+    // OpenShift route to access the Prometheus api.
+    apiRoute: {
       apiVersion: 'v1',
       kind: 'Route',
       metadata: {
@@ -35,6 +35,31 @@ function(params)
           kind: 'Service',
           name: 'prometheus-k8s',
         },
+        path: '/api',
+        port: {
+          targetPort: 'web',
+        },
+        tls: {
+          termination: 'Reencrypt',
+          insecureEdgeTerminationPolicy: 'Redirect',
+        },
+      },
+    },
+
+    // OpenShift route to access the Prometheus federate endpoint.
+    federateRoute: {
+      apiVersion: 'v1',
+      kind: 'Route',
+      metadata: {
+        name: 'prometheus-k8s-federate',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        to: {
+          kind: 'Service',
+          name: 'prometheus-k8s',
+        },
+        path: '/federate',
         port: {
           targetPort: 'web',
         },