Merge pull request #5941 from simonpasquier/pr/5881

pkg/server: get rules/alerts from thanos
openshift · Jul 22, 2020 · ee4d282 · ee4d282
2 parents a38673e + 0bd839d
commit ee4d282
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 28 deletions.
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -35,10 +35,6 @@ const (
 	k8sInClusterCA          = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	k8sInClusterBearerToken = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 
-	// Well-known location of the cluster monitoring (not user workload monitoring) Prometheus service for OpenShift.
-	// This is only accessible in-cluster. This is used for non-tenant global (alerting) rules requests.
-	openshiftPrometheusHost = "prometheus-k8s.openshift-monitoring.svc:9091"
-
 	// Well-known location of the tenant aware Thanos service for OpenShift exposing the query and query_range endpoints. This is only accessible in-cluster.
 	// Thanos proxies requests to both cluster monitoring and user workload monitoring prometheus instances.
 	openshiftThanosTenancyHost = "thanos-querier.openshift-monitoring.svc:9092"
@@ -84,7 +80,6 @@ func main() {
 	fK8sMode := fs.String("k8s-mode", "in-cluster", "in-cluster | off-cluster")
 	fK8sModeOffClusterEndpoint := fs.String("k8s-mode-off-cluster-endpoint", "", "URL of the Kubernetes API server.")
 	fK8sModeOffClusterSkipVerifyTLS := fs.Bool("k8s-mode-off-cluster-skip-verify-tls", false, "DEV ONLY. When true, skip verification of certs presented by k8s API server.")
-	fK8sModeOffClusterPrometheus := fs.String("k8s-mode-off-cluster-prometheus", "", "DEV ONLY. URL of the cluster's Prometheus server.")
 	fK8sModeOffClusterThanos := fs.String("k8s-mode-off-cluster-thanos", "", "DEV ONLY. URL of the cluster's Thanos server.")
 	fK8sModeOffClusterAlertmanager := fs.String("k8s-mode-off-cluster-alertmanager", "", "DEV ONLY. URL of the cluster's AlertManager server.")
 	fK8sModeOffClusterMetering := fs.String("k8s-mode-off-cluster-metering", "", "DEV ONLY. URL of the cluster's metering server.")
@@ -323,11 +318,6 @@ func main() {
 				RootCAs:      serviceProxyRootCAs,
 				CipherSuites: crypto.DefaultCiphers(),
 			}
-			srv.PrometheusProxyConfig = &proxy.Config{
-				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
-				Endpoint:        &url.URL{Scheme: "https", Host: openshiftPrometheusHost, Path: "/api"},
-			}
 			srv.ThanosProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
 				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
@@ -368,15 +358,7 @@ func main() {
 			Endpoint:        k8sEndpoint,
 		}
 
-		if *fK8sModeOffClusterPrometheus != "" {
-			offClusterPrometheusURL := bridge.ValidateFlagIsURL("k8s-mode-off-cluster-prometheus", *fK8sModeOffClusterPrometheus)
-			offClusterPrometheusURL.Path = "/api"
-			srv.PrometheusProxyConfig = &proxy.Config{
-				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
-				Endpoint:        offClusterPrometheusURL,
-			}
-
+		if *fK8sModeOffClusterThanos != "" {
 			offClusterThanosURL := bridge.ValidateFlagIsURL("k8s-mode-off-cluster-thanos", *fK8sModeOffClusterThanos)
 			offClusterThanosURL.Path = "/api"
 			srv.ThanosTenancyProxyConfig = &proxy.Config{

diff --git a/contrib/oc-environment.sh b/contrib/oc-environment.sh
@@ -28,9 +28,6 @@ export BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS
 BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS=$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.thanosPublicURL}')
 export BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS
 
-BRIDGE_K8S_MODE_OFF_CLUSTER_PROMETHEUS=$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.prometheusPublicURL}')
-export BRIDGE_K8S_MODE_OFF_CLUSTER_PROMETHEUS
-
 BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER=$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.alertmanagerPublicURL}')
 export BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER
 

diff --git a/examples/run-bridge.sh b/examples/run-bridge.sh
@@ -15,6 +15,5 @@ set -exuo pipefail
     --user-auth-oidc-client-id=console-oauth-client \
     --user-auth-oidc-client-secret-file=examples/console-client-secret \
     --user-auth-oidc-ca-file=examples/ca.crt \
-    --k8s-mode-off-cluster-prometheus="$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.prometheusPublicURL}')"  \
     --k8s-mode-off-cluster-alertmanager="$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.alertmanagerPublicURL}')" \
     --k8s-mode-off-cluster-thanos="$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.thanosPublicURL}')"
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -104,7 +104,6 @@ type Server struct {
 	DexClient            api.DexClient
 	// A client with the correct TLS setup for communicating with the API server.
 	K8sClient                        *http.Client
-	PrometheusProxyConfig            *proxy.Config
 	ThanosProxyConfig                *proxy.Config
 	ThanosTenancyProxyConfig         *proxy.Config
 	ThanosTenancyProxyForRulesConfig *proxy.Config
@@ -130,7 +129,7 @@ func (s *Server) authDisabled() bool {
 }
 
 func (s *Server) prometheusProxyEnabled() bool {
-	return s.PrometheusProxyConfig != nil && s.ThanosTenancyProxyConfig != nil && s.ThanosTenancyProxyForRulesConfig != nil
+	return s.ThanosTenancyProxyConfig != nil && s.ThanosTenancyProxyForRulesConfig != nil
 }
 
 func (s *Server) alertManagerProxyEnabled() bool {
@@ -275,7 +274,6 @@ func (s *Server) HTTPHandler() http.Handler {
 			tenancyRulesSourcePath      = prometheusTenancyProxyEndpoint + "/api/v1/rules"
 			tenancyTargetAPIPath        = prometheusTenancyProxyEndpoint + "/api/"
 
-			prometheusProxy            = proxy.NewProxy(s.PrometheusProxyConfig)
 			thanosProxy                = proxy.NewProxy(s.ThanosProxyConfig)
 			thanosTenancyProxy         = proxy.NewProxy(s.ThanosTenancyProxyConfig)
 			thanosTenancyForRulesProxy = proxy.NewProxy(s.ThanosTenancyProxyForRulesConfig)
@@ -304,12 +302,13 @@ func (s *Server) HTTPHandler() http.Handler {
 			})),
 		)
 
-		// alerting (rules) have to be proxied via cluster monitoring prometheus
+		// alerting (rules) are being proxied via thanos querier
+		// such that both in-cluster and user workload alerts appear in console.
 		handle(rulesSourcePath, http.StripPrefix(
 			proxy.SingleJoiningSlash(s.BaseURL.Path, targetAPIPath),
 			authHandlerWithUser(func(user *auth.User, w http.ResponseWriter, r *http.Request) {
 				r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", user.Token))
-				prometheusProxy.ServeHTTP(w, r)
+				thanosProxy.ServeHTTP(w, r)
 			})),
 		)