MON-1631: prometheus: remove ui access #1532
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Route | ||
metadata: | ||
name: prometheus-k8s-federate | ||
namespace: openshift-monitoring | ||
spec: | ||
path: /federate | ||
port: | ||
targetPort: web | ||
tls: | ||
insecureEdgeTerminationPolicy: Redirect | ||
termination: Reencrypt | ||
to: | ||
kind: Service | ||
name: prometheus-k8s |
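Review bot: `insecureEdgeTerminationPolicy: Redirect` on this route lets a client that is misconfigured with an `http://` URL keep working unnoticed, while each of its requests, including any `Authorization` header, first crosses the network in cleartext before the redirect is returned. Because `/federate` is presumably consumed by scrapers rather than browsers, consider `insecureEdgeTerminationPolicy: None`, so that such a client fails immediately and gets fixed. A short comment in the manifest would also help, stating that this route deliberately exposes only `/federate` and that authentication is enforced by whatever serves the `web` port (not visible in this section).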
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -115,7 +115,8 @@ var ( | |||||
PrometheusK8sProxySecret = "prometheus-k8s/proxy-secret.yaml" | ||||||
PrometheusRBACProxySecret = "prometheus-k8s/kube-rbac-proxy-secret.yaml" | ||||||
PrometheusUserWorkloadRBACProxySecret = "prometheus-user-workload/kube-rbac-proxy-secret.yaml" | ||||||
PrometheusK8sRoute = "prometheus-k8s/route.yaml" | ||||||
PrometheusK8sAPIRoute = "prometheus-k8s/api-route.yaml" | ||||||
PrometheusK8sFederateRoute = "prometheus-k8s/federate-route.yaml" | ||||||
PrometheusK8sHtpasswd = "prometheus-k8s/htpasswd-secret.yaml" | ||||||
PrometheusK8sServingCertsCABundle = "prometheus-k8s/serving-certs-ca-bundle.yaml" | ||||||
PrometheusK8sKubeletServingCABundle = "prometheus-k8s/kubelet-serving-ca-bundle.yaml" | ||||||
|
@@ -323,14 +324,6 @@ func NewFactory(namespace, namespaceUserWorkload string, c *Config, infrastructu | |||||
} | ||||||
} | ||||||
|
||||||
func (f *Factory) PrometheusExternalURL(host string) *url.URL { | ||||||
return &url.URL{ | ||||||
Scheme: "https", | ||||||
Host: host, | ||||||
Path: "/", | ||||||
} | ||||||
} | ||||||
|
||||||
func (f *Factory) AlertmanagerExternalURL(host string) *url.URL { | ||||||
return &url.URL{ | ||||||
Scheme: "https", | ||||||
|
@@ -1344,8 +1337,19 @@ func (f *Factory) PrometheusK8sThanosSidecarServiceMonitor() (*monv1.ServiceMoni | |||||
return s, nil | ||||||
} | ||||||
|
||||||
func (f *Factory) PrometheusK8sRoute() (*routev1.Route, error) { | ||||||
r, err := f.NewRoute(f.assets.MustNewAssetReader(PrometheusK8sRoute)) | ||||||
func (f *Factory) PrometheusK8sAPIRoute() (*routev1.Route, error) { | ||||||
r, err := f.NewRoute(f.assets.MustNewAssetReader(PrometheusK8sAPIRoute)) | ||||||
if err != nil { | ||||||
return nil, err | ||||||
} | ||||||
|
||||||
r.Namespace = f.namespace | ||||||
|
||||||
return r, nil | ||||||
} | ||||||
|
||||||
func (f *Factory) PrometheusK8sFederateRoute() (*routev1.Route, error) { | ||||||
r, err := f.NewRoute(f.assets.MustNewAssetReader(PrometheusK8sFederateRoute)) | ||||||
if err != nil { | ||||||
return nil, err | ||||||
} | ||||||
|
@@ -1405,7 +1409,7 @@ func (f *Factory) PrometheusK8sTrustedCABundle() (*v1.ConfigMap, error) { | |||||
return cm, nil | ||||||
} | ||||||
|
||||||
func (f *Factory) PrometheusK8s(host string, grpcTLS *v1.Secret, trustedCABundleCM *v1.ConfigMap) (*monv1.Prometheus, error) { | ||||||
func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, trustedCABundleCM *v1.ConfigMap) (*monv1.Prometheus, error) { | ||||||
p, err := f.NewPrometheus(f.assets.MustNewAssetReader(PrometheusK8s)) | ||||||
if err != nil { | ||||||
return nil, err | ||||||
|
@@ -1420,7 +1424,10 @@ func (f *Factory) PrometheusK8s(host string, grpcTLS *v1.Secret, trustedCABundle | |||||
} | ||||||
|
||||||
p.Spec.Image = &f.config.Images.Prometheus | ||||||
p.Spec.ExternalURL = f.PrometheusExternalURL(host).String() | ||||||
|
||||||
if f.consoleConfig != nil { | ||||||
p.Spec.ExternalURL = f.consoleConfig.Status.ConsoleURL + "/monitoring" | ||||||
(nit)
Suggested change
👍 Makes sense yes, any objections against a followup PR? The manifest creation for Alertmanager has the same code and could use the same fix.
not at all
more robust than the simple + 👍
||||||
} | ||||||
|
||||||
if f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.Resources != nil { | ||||||
p.Spec.Resources = *f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.Resources | ||||||
|
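Review bot: The new guard in `PrometheusK8s`, `if f.consoleConfig != nil`, only rules out a nil pointer; if `Status.ConsoleURL` is still empty (presumably possible before the console has reported its URL), `p.Spec.ExternalURL` becomes the bare path `/monitoring`, and the `generatorURL` links attached to alerts would presumably lack a scheme and host. Consider `if f.consoleConfig != nil && f.consoleConfig.Status.ConsoleURL != "" {` so that the value from the asset is kept in that case. The same section adds the exported methods `PrometheusK8sAPIRoute` and `PrometheusK8sFederateRoute` without doc comments; a one-line comment on each, e.g. `// PrometheusK8sFederateRoute returns the Route built from the federate-route.yaml asset.`, would record why two routes replace the old one. The bodies of `PrometheusK8s` and `PrometheusK8sFederateRoute` continue outside their hunks.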
hmm I missed this detail 🤔...
Ideally I would expect that we link back to the OCP console but the generated URL is hardcoded to
<externalURL>/graph?g0.expr=up&g0.tab=1
which wouldn't work for the console. Maybe @kyoto has some ideas?
Not sure I follow...link back from where? Afaiu this is what the Prometheus UI uses internally. With this PR it should only be accessible through the Prometheus Service, so setting this as the external URL should suffice.
Sorry for the missing details :)
When Prometheus sends alerts to Alertmanager, the payload includes a
generatorURL
field that is a back-link to the Prometheus UI (see https://prometheus.io/docs/alerting/latest/clients/). The URL is constructed by concatenating `--web.external-url` and `/graph?g0.expr=<alert expression>&g0.tab=1` (see here and here).
My thinking is that if the generator URL would link to the console route and the console redirects to the "Observe > Metrics" page... The other option would be to discuss upstream if it would be possible to have a full customization of the generator URL (not sure if it makes sense in general).
Ahh alerts, of course. Yeah the console route makes sense. Will add that and ping @kyoto if there are any objections.
Adding a Console redirect sounds like a reasonable workaround to me.
Can we have the generator URL go directly to
<Console URL>/monitoring
in the Console? Then, if I understand correctly, the constructed URL would be<Console URL>/monitoring/graph?g0.expr=<alert expression>&g0.tab=1
, which Console would then redirect to<Console URL>/monitoring/query-browser?query0=<alert expression>
?
Looks good @kyoto, lets try it.
PR for handling the Console redirect: openshift/console#10963