From f5b57a217b06f1de13c5f2a972de7648cb29e7f8 Mon Sep 17 00:00:00 2001
From: Aditya Konarde
Date: Mon, 9 Sep 2019 15:52:54 +0200
Subject: [PATCH] Add auth proxy for cache, change cache container port

---
 components/thanos-querier-cache.libsonnet | 2 +-
 .../thanos-querier-cache-configmap.yaml | 2 +-
 environments/openshift/kube-thanos.libsonnet | 41 ++++++++++++++-
 .../manifests/observatorium-template.yaml | 51 +++++++++++++++++--
 4 files changed, 89 insertions(+), 7 deletions(-)

diff --git a/components/thanos-querier-cache.libsonnet b/components/thanos-querier-cache.libsonnet
index a7c52c5f5..55e834409 100644
--- a/components/thanos-querier-cache.libsonnet
+++ b/components/thanos-querier-cache.libsonnet
@@ -17,7 +17,7 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 target: 'query-frontend',
 http_prefix: null,
 server: {
- http_listen_port: 9091,
+ http_listen_port: 9090,
 },
 frontend: {
 split_queries_by_day: true,
diff --git a/environments/kubernetes/manifests/thanos-querier-cache-configmap.yaml b/environments/kubernetes/manifests/thanos-querier-cache-configmap.yaml
index be71f3602..f53ec5451 100644
--- a/environments/kubernetes/manifests/thanos-querier-cache-configmap.yaml
+++ b/environments/kubernetes/manifests/thanos-querier-cache-configmap.yaml
@@ -16,7 +16,7 @@ data:
 "split_queries_by_day": true
 "http_prefix": null
 "server":
- "http_listen_port": 9091
+ "http_listen_port": 9090
 "target": "query-frontend"
 kind: ConfigMap
 metadata:
diff --git a/environments/openshift/kube-thanos.libsonnet b/environments/openshift/kube-thanos.libsonnet
index 11b523d0b..16f329ec0 100644
--- a/environments/openshift/kube-thanos.libsonnet
+++ b/environments/openshift/kube-thanos.libsonnet
@@ -272,6 +272,13 @@ local list = import 'telemeter/lib/list.libsonnet';
 roleBinding+: setSubjectNamespace(super.roleBinding) +
 roleBinding.mixin.metadata.withNamespace(namespace),
 },
 querierCache+: {
+ // The proxy secret is there to encrypt session created by the oauth proxy.
+ proxySecret:
+ secret.new('querier-proxy', {
+ session_secret: std.base64($.thanos.variables.proxyConfig.sessionSecret),
+ }) +
+ secret.mixin.metadata.withNamespace(namespace) +
+ secret.mixin.metadata.withLabels({ 'app.kubernetes.io/name': 'thanos-querier' }),
 configmap+: configmap.mixin.metadata.withNamespace(namespace),
 service+:
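Review bot: The Secret created here is named `querier-proxy`, but the volume added in the next hunk (@@ -294) is `volume.fromSecret('secret-querier-cache-proxy', 'querier-cache-proxy')`, and the rendered observatorium-template.yaml shows the same pair (`name: querier-proxy` vs `secretName: querier-cache-proxy`); unless a `querier-cache-proxy` Secret is created elsewhere, the cache pod will not start because its secret volume cannot be resolved. Either rename the Secret, `secret.new('querier-cache-proxy', {`, or point the volume at `'querier-proxy'`, whichever name the rest of the environment expects. The value is `std.base64($.thanos.variables.proxyConfig.sessionSecret)`, and the rendered template carries `session_secret: ""`, so if that variable is not populated at render time the oauth-proxy is handed an empty cookie secret; a comment stating where the value is expected to come from, or a non-empty template parameter, would make that explicit. The label `app.kubernetes.io/name: thanos-querier` appears to be the querier's label rather than the cache's, which may be intentional but is worth confirming. The enclosing `querierCache+:` object continues past the hunk.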
@@ -294,12 +301,44 @@ local list = import 'telemeter/lib/list.libsonnet';
 },
 },
 },
+ ] + [
+ container.new('proxy', $.thanos.variables.proxyImage) +
+ container.withArgs([
+ '-provider=openshift',
+ '-https-address=:%d' % $.thanos.querier.service.spec.ports[2].port,
+ '-http-address=',
+ '-email-domain=*',
+ '-upstream=http://localhost:%d' % $.thanos.querier.service.spec.ports[1].port,
+ '-openshift-service-account=prometheus-telemeter',
+ '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}',
+ '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}',
+ '-tls-cert=/etc/tls/private/tls.crt',
+ '-tls-key=/etc/tls/private/tls.key',
+ '-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token',
+ '-cookie-secret-file=/etc/proxy/secrets/session_secret',
+ '-openshift-ca=/etc/pki/tls/cert.pem',
+ '-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
+ '-skip-auth-regex=^/metrics',
+ ]) +
+ container.withPorts([
+ { name: 'https', containerPort: $.thanos.querier.service.spec.ports[2].port },
+ ]) +
+ container.withVolumeMounts(
+ [
+ volumeMount.new('secret-querier-cache-tls', '/etc/tls/private'),
+ volumeMount.new('secret-querier-cache-proxy', '/etc/proxy/secrets'),
+ ]
+ ),
 ],
 },
 },
 },
 } +
- deployment.mixin.metadata.withNamespace(namespace),
+ deployment.mixin.metadata.withNamespace(namespace) +
+ deployment.mixin.spec.template.spec.withVolumes([
+ volume.fromSecret('secret-querier-cache-tls', 'querier-cache-tls'),
+ volume.fromSecret('secret-querier-cache-proxy', 'querier-cache-proxy'),
+ ]),
 },
 },
 } + {
diff --git a/environments/openshift/manifests/observatorium-template.yaml b/environments/openshift/manifests/observatorium-template.yaml
index 61e22dac3..a741d6b33 100644
--- a/environments/openshift/manifests/observatorium-template.yaml
+++ b/environments/openshift/manifests/observatorium-template.yaml
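Review bot: `deployment.mixin.spec.template.spec.withVolumes([...])` replaces the pod's volume list instead of extending it, which is visible in the rendered observatorium-template.yaml hunk: the `querier-cache-config` configMap volume is deleted while the cache container's mount at `/etc/cache-config/` stays, so the pod will fail to start because of an unresolved volumeMount. Use the additive form, `deployment.mixin.spec.template.spec.withVolumesMixin([`, so the existing configMap volume survives alongside the two secret volumes. The two secret mounts render with `readOnly: false`; a TLS key and a session secret have no reason to be writable from the container, so passing the read-only flag to `volumeMount.new` (if the ksonnet constructor's third argument is `readOnly`) is a cheap hardening. Both the listen port and the upstream are read from `$.thanos.querier.service.spec.ports`, the querier's Service rather than the cache's own; if that coupling is intended, a one-line comment saying so would prevent the next port change from silently breaking the proxy. The enclosing deployment definition starts before the hunk.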
@@ -97,7 +97,7 @@ objects:
 "split_queries_by_day": true
 "http_prefix": null
 "server":
- "http_listen_port": 9091
+ "http_listen_port": 9090
 "target": "query-frontend"
 kind: ConfigMap
 metadata:
@@ -147,10 +147,53 @@ objects:
 - mountPath: /etc/cache-config/
 name: querier-cache-config
 readOnly: false
+ - args:
+ - -provider=openshift
+ - -https-address=:9091
+ - -http-address=
+ - -email-domain=*
+ - -upstream=http://localhost:9090
+ - -openshift-service-account=prometheus-telemeter
+ - '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}",
+ "namespace": "${NAMESPACE}"}'
+ - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get",
+ "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}'
+ - -tls-cert=/etc/tls/private/tls.crt
+ - -tls-key=/etc/tls/private/tls.key
+ - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+ - -cookie-secret-file=/etc/proxy/secrets/session_secret
+ - -openshift-ca=/etc/pki/tls/cert.pem
+ - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ - -skip-auth-regex=^/metrics
+ image: ${PROXY_IMAGE}:${PROXY_IMAGE_TAG}
+ name: proxy
+ ports:
+ - containerPort: 9091
+ name: https
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: secret-querier-cache-tls
+ readOnly: false
+ - mountPath: /etc/proxy/secrets
+ name: secret-querier-cache-proxy
+ readOnly: false
 volumes:
- - configMap:
- name: observatorium-cache-conf
- name: querier-cache-config
+ - name: secret-querier-cache-tls
+ secret:
+ secretName: querier-cache-tls
+ - name: secret-querier-cache-proxy
+ secret:
+ secretName: querier-cache-proxy
+- apiVersion: v1
+ data:
+ session_secret: ""
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/name: thanos-querier
+ name: querier-proxy
+ namespace: ${NAMESPACE}
+ type: Opaque
 - apiVersion: v1
 kind: Service
 metadata: