Add auth proxy for cache, change cache container port
aditya-konarde committed Sep 9, 2019
1 parent 5128891 commit f5b57a2
Showing 4 changed files with 89 additions and 7 deletions.
2 changes: 1 addition & 1 deletion components/thanos-querier-cache.libsonnet
Expand Up @@ -17,7 +17,7 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
target: 'query-frontend',
http_prefix: null,
server: {
http_listen_port: 9091,
http_listen_port: 9090,
},
frontend: {
split_queries_by_day: true,
Expand Up @@ -16,7 +16,7 @@ data:
"split_queries_by_day": true
"http_prefix": null
"server":
"http_listen_port": 9091
"http_listen_port": 9090
"target": "query-frontend"
kind: ConfigMap
metadata:
41 changes: 40 additions & 1 deletion environments/openshift/kube-thanos.libsonnet
Expand Up @@ -272,6 +272,13 @@ local list = import 'telemeter/lib/list.libsonnet';
roleBinding+: setSubjectNamespace(super.roleBinding) + roleBinding.mixin.metadata.withNamespace(namespace),
},
querierCache+: {
// The proxy secret is there to encrypt session created by the oauth proxy.
proxySecret:
secret.new('querier-proxy', {
session_secret: std.base64($.thanos.variables.proxyConfig.sessionSecret),
}) +
secret.mixin.metadata.withNamespace(namespace) +
secret.mixin.metadata.withLabels({ 'app.kubernetes.io/name': 'thanos-querier' }),
configmap+:
configmap.mixin.metadata.withNamespace(namespace),
service+:
Expand All @@ -294,12 +301,44 @@ local list = import 'telemeter/lib/list.libsonnet';
},
},
},
] + [
container.new('proxy', $.thanos.variables.proxyImage) +
container.withArgs([
'-provider=openshift',
'-https-address=:%d' % $.thanos.querier.service.spec.ports[2].port,
'-http-address=',
'-email-domain=*',
'-upstream=http://localhost:%d' % $.thanos.querier.service.spec.ports[1].port,
'-openshift-service-account=prometheus-telemeter',
'-openshift-sar={"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}',
'-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}',
'-tls-cert=/etc/tls/private/tls.crt',
'-tls-key=/etc/tls/private/tls.key',
'-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token',
'-cookie-secret-file=/etc/proxy/secrets/session_secret',
'-openshift-ca=/etc/pki/tls/cert.pem',
'-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
'-skip-auth-regex=^/metrics',
]) +
container.withPorts([
{ name: 'https', containerPort: $.thanos.querier.service.spec.ports[2].port },
]) +
container.withVolumeMounts(
[
volumeMount.new('secret-querier-cache-tls', '/etc/tls/private'),
volumeMount.new('secret-querier-cache-proxy', '/etc/proxy/secrets'),
]
),
],
},
},
},
} +
deployment.mixin.metadata.withNamespace(namespace),
deployment.mixin.metadata.withNamespace(namespace) +
deployment.mixin.spec.template.spec.withVolumes([
volume.fromSecret('secret-querier-cache-tls', 'querier-cache-tls'),
volume.fromSecret('secret-querier-cache-proxy', 'querier-cache-proxy'),
]),
},
},
} + {
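Review bot: The deployment's new volume `volume.fromSecret('secret-querier-cache-proxy', 'querier-cache-proxy')` references a secret named `querier-cache-proxy`, while the `proxySecret` added in the same file is created as `secret.new('querier-proxy', …)`, so unless a `querier-cache-proxy` secret is produced elsewhere the volume will never mount, and `querier-proxy` may collide with a same-named secret used by the querier's own proxy; the rendered `observatorium-template.yaml` shows the same pair (`name: querier-proxy` vs `secretName: querier-cache-proxy`). The proxy's listen and upstream ports are taken from `$.thanos.querier.service.spec.ports[2]` and `[1]` rather than from the cache's own `http_listen_port` in `components/thanos-querier-cache.libsonnet`, so the two values can silently diverge after a later port change; deriving `-upstream` from the cache config would tie them together. Both secret mounts render with `readOnly: false` in the manifest; the TLS key and session secret should be mounted read-only (`volumeMount.withReadOnly(true)`, if this ksonnet version exposes it). Nothing on this page creates `querier-cache-tls`, presumably a serving-cert annotation on the service does, but the `service+:` mixin is collapsed out of the hunk so that cannot be confirmed here. The enclosing `querierCache+` object and the deployment definition both start before the hunk's first line.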
51 changes: 47 additions & 4 deletions environments/openshift/manifests/observatorium-template.yaml
Expand Up @@ -97,7 +97,7 @@ objects:
"split_queries_by_day": true
"http_prefix": null
"server":
"http_listen_port": 9091
"http_listen_port": 9090
"target": "query-frontend"
kind: ConfigMap
metadata:
Expand Down Expand Up @@ -147,10 +147,53 @@ objects:
- mountPath: /etc/cache-config/
name: querier-cache-config
readOnly: false
- args:
- -provider=openshift
- -https-address=:9091
- -http-address=
- -email-domain=*
- -upstream=http://localhost:9090
- -openshift-service-account=prometheus-telemeter
- '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}",
"namespace": "${NAMESPACE}"}'
- '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get",
"name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}'
- -tls-cert=/etc/tls/private/tls.crt
- -tls-key=/etc/tls/private/tls.key
- -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-ca=/etc/pki/tls/cert.pem
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- -skip-auth-regex=^/metrics
image: ${PROXY_IMAGE}:${PROXY_IMAGE_TAG}
name: proxy
ports:
- containerPort: 9091
name: https
volumeMounts:
- mountPath: /etc/tls/private
name: secret-querier-cache-tls
readOnly: false
- mountPath: /etc/proxy/secrets
name: secret-querier-cache-proxy
readOnly: false
volumes:
- configMap:
name: observatorium-cache-conf
name: querier-cache-config
- name: secret-querier-cache-tls
secret:
secretName: querier-cache-tls
- name: secret-querier-cache-proxy
secret:
secretName: querier-cache-proxy
- apiVersion: v1
data:
session_secret: ""
kind: Secret
metadata:
labels:
app.kubernetes.io/name: thanos-querier
name: querier-proxy
namespace: ${NAMESPACE}
type: Opaque
- apiVersion: v1
kind: Service
metadata:
