When the operator was configured to select only a limited number of
namespaces, it would not watch for namespace changes. It means that the
operator may not reconcile when a namespace label is added/removed
(affecting which objects should be selected or not).
This change enables the operator to use a privileged namespace
lister/watcher whenever the service account has the needed permissions.
**IMPORTANT:** it also requires Kubernetes >= 1.22 to be effective but
the operator will degrade to the suboptimal implementation without watch
if this condition isn't met.
Closes #3847
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* api/v1alpha1: Add ScrapeConfig CRD
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* api/v1: Add ScrapeConfig selectors to Prometheus
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* prometheus/server/operator: Add ScrapeConfig selection logic
Co-authored-by: Arthur Silva Sens <arthursens2005@gmail.com>
* prometheus/server/operator: Add static_config generation from ScrapeConfig
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* prometheus/server/operator: Add file_sd_config and http_sd_config generation from ScrapeConfig
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* prometheus/server/operator: Check ScrapeConfig permissions before trying to select them
* prometheus/server/operator: Check that the ScrapeConfig CRD is installed
* fix: Apply suggestions from Joao
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* fix: Apply suggestion from mrueg
Co-authored-by: Manuel Rüger <manuel@rueg.eu>
* fix: Properly generate scrape configurations for PrometheusAgent
Also check that the ScrapeConfig CRD is installed and that the operator has the
right permissions.
* fix: Address Joao's points
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* fix: ScrapeConfig only needs get,list,watch
References:
- https://github.com/prometheus-operator/prometheus-operator/pull/5335#discussion_r1162861091
Co-authored-by: Arthur Silva Sens <arthursens2005@gmail.com>
* fix: Implement ScrapeConfig ResourceEventHandlerFuncs
References:
- https://github.com/prometheus-operator/prometheus-operator/pull/5335#discussion_r1162901259
Co-authored-by: Arthur Silva Sens <arthursens2005@gmail.com>
* fix: Missing permissions for prometheus-operator's serviceaccount
* fix: Address Arthur's feedback
Co-authored-by: Arthur Silva Sens <arthursens2005@gmail.com>
* fix: Address Simon's feedback
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
* feat: Add ScrapeConfig.HonorTimestamps
* feat: Add ScrapeConfig.HonorLabels
* fix: Address feedback from Joao
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
* fix: Address Simon's feedback
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
* chore: Finalize the move to CRDChecker
* fix: Include ScrapeConfig in e2e tests
* docs: spec.ProbeSelector -> spec.probeSelector
* fix: Don't addEventHandler if we don't have a scrape config informer
* fix: Address feedback from Simon and Philip
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
Co-authored-by: Philip Gough <philip.p.gough@gmail.com>
* fix: Wrap error with a better error message
* fix: Linting
---------
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
Co-authored-by: Joao Marcal <joao.marcal12@gmail.com>
Co-authored-by: Arthur Silva Sens <arthursens2005@gmail.com>
Co-authored-by: Manuel Rüger <manuel@rueg.eu>
Co-authored-by: Philip Gough <philip.p.gough@gmail.com>
* Introduce PrometheusAgent CRD
Operator is able to run with PrometheusAgent resources in the cluster, but doesn't do anything with them yet. This is the first step to implement the Prometheus Agent Operator.
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* Re-enable configmap and secret informers
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 1a71db03db6b41cd0cee9d0193b6ea3884bb5bae)
* Implement Resolve for Agent operator
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 49558165b9178b6c1bda833a48f7bfe1468c942a)
* Operator is able to create Agent Statefulset
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 7a3826683c92f917312c866a2bb6401dc54b95f2)
* Agent Operator creates secret from ServiceMonitors
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 11232669befb4de9d0765dfadfe5fae00b575f11)
* Agent Operator creates secret from PodMonitors
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 5ae551734bac2babc056c86443d15729d43d12b0)
* Agent Operator creates secret from Probes
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 9637612fbbe9617335fd6188271ebf2cc74a3693)
* Agent Operator configures remote-write
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit c4bdf230d527e19f8b77ca5f938b9254ed344f7d)
* Agent Operator configures additionalScrapeConfigs
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit d9f28db764641e682bf4fe8963310f791979c387)
* Implement UpdateStatus
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit c546ecaf3e8b73916df44a8f48b279c6988e32f5)
* Add resource handlers
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 5b83359445e20f88ea5fff80302fce62d58058b9)
* make format
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
(cherry picked from commit 6507964ba28f4ebf32ce3203db752444e288c45d)
* Only start agent operator if there is enough permission
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* Remove node endpoint synchronization from agent operator
The server operator already handles it
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* Move PrometheusAgent API from v1 to v1alpha1
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* pkg/prometheus/agent/statefulset.go: Fix image concatenation
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* Avoid name collisions between Prometheus Agents and Servers
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* agent/createOrUpdateConfigurationSecret: Do not handle case where servicemonitor and podmonitor selectors are empty
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* make format
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* make --always-make format generate
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
* Remove unused fields from Operator struct
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* Add deployment mode as new selector label for agent/server ssts
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* WIP: Fix OperatorUpgrade e2e test
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* Panic if type casting PrometheusInterface doesn't return Prometheus/Agent
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
* Detect whether PrometheusAgent CRD is installed or not
If the operator's service account has all permissions on the cluster and
the CRD isn't installed then the PrometheusAgent controller will run
but fail because of the absence of the CRD.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* Create dedicated governing service for Prometheus agent
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
---------
Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
The admission webhook service has to be deployed with TLS enabled because
the Kubernetes API only supports webhook URLs with a "https://" scheme.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* test: re-add e2e test for Prometheus Operator upgrade path
PR #4758 was reverted because it broke CI. CI failed because it
was out of sync with the main branch for a long time and some of
the function signatures changed.
This commit is based on PR #4758 and fixes the CI function signature
error.
Fixes: #4067
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
* test: handle Prometheus observedGeneration status check
Current version is 0.59.1. The Prometheus CRD observedGeneration
will be released at version 0.60.0. This commit sets the framework
version to the next minor version and only checks observedGeneration
status when the operator version >= 0.60.0.
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
* test/framework: cleanup 0.57.0
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
- add operatorVersion, opImage, exampleDir, resourcesDir as framework struct field
- create previousVersionFramework singleton in main_test.go
- set createResourceAdmissionHooks to true for CreateOrUpdatePrometheusOperator in upgradepath_test.go to also experience the upgrade of webhook server
- for deployment and service, retain the Create function (CreateDeployment) and create a new CreateOrUpdate function (CreateOrUpdateDeploymentAndWaitUntilReady), since the method to wait for an upgrade operation to be done is different from the create operation.
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
* *: add v1beta1 for AlertmanagerConfig CRD
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: implement conversion webhook for AlertmanagerConfig
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: add jsonnet support for CRD conversion webhook
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* test: configure conversion webhook for AlertmanagerConfig
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* test/e2e: add test for v1alpha1<->v1beta1 conversion
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* Documentation: update webhook documentation
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* pkg/apis/monitoring/v1beta1: remove Regex field from Matcher type
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: rename muteTimeIntervals field to timeIntervals (v1beta1)
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: restore short name for AlertmanagerConfig
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* pkg/admission: add unit test for conversion webhook
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* pkg/apis/monitoring/v1beta1: replace v1.SecretKeySelector by SecretKeySelector
v1.SecretKeySelector has an `Optional` field which doesn't make sense
in the context of the AlertmanagerConfig CRD. Not depending on an
external type also means that we can enforce that key and name values
are not empty.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: regenerate
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: make AlertmanagerConfig v1beta1 an opt-in choice
Enabling AlertmanagerConfig v1beta1 by default means that
users would have to configure the conversion webhook and it must be
performed in advance or at the same time users upgrade to the latest
operator version. To offer a smoother transition, we offer
AlertmanagerConfig v1beta1 as an opt-in feature: it's neither included
in the bundle.yaml file nor in the example/prometheus-operator-crd/
manifests.
People that want to enable v1beta1 should use the
example/prometheus-operator-crd-full manifests. For jsonnet users, the
Prometheus operator jsonnet library has a new
`enableAlertmanagerConfigV1beta1` configuration option that can be set
to `true`.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: add Telegram support in v1beta1
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* *: synchronize with latest main changes
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* Documentation/user-guides/webhook.md: clarify mutation webhook
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* example: regenerate
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
The end-to-end tests and jsonnet code were using
`quay.io/prometheus-operator/prometheus-admission-webhook` which doesn't
exist.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* alertmanager: Expose validation function for AmConfig CR
* admission: Extend admission controller for AmConf validation
* cmd:operator: Register metrics for am validating webhook
* test:e2e: Setup and test validating webhook for AmConf CR
* test/framework/*.go: Remove context.TODO() from framework
Converts most of the func to framework methods
Fixes #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* /test/e2e/*.go: Remove context.TODO() from e2e tests
Update function calls to reflect method changes
Fixes #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* pkg/alertmanager/amcfg_test.go: Remove context.TODO()
Add context field in testcase
Fixes #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* pkg/k8sutil/k8sutil_test.go: Remove context.TODO()
Add context field in testcase
Fixes #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* test/framework/*.go: Fix lint errors
* pkg: Move context to testing function
* test: Update NewTestCtx method return type
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* test/e2e/*.go : Fix Nit
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* test/framework: Remove extra spaces to fix generate
* test/framework/namespace.go: Change funcs to receivers
* test/e2e: Propagate the func to receiver change
* pkg/prometheus/operator.go: Remove context.TODO()
Related to #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* test/framework/*.go: Remove context.TODO()
Propagate context from framework struct instead of using context.TODO()
Related to #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
* test/e2e/*.go Remove context.TODO()
Propagate context from Framework struct instead of using context.TODO()
Related to #3158
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
This commit bumps the kubernetes version dependencies from v1.17
to v1.18.
The kubernetes client-go library introduced breaking
changes in v1.18 by adding context.Context to many of its function
signatures. The kubernetes-sigs/clientgofix tool was used in this
commit to automatically add the necessary context.TODO() arguments
to all client-go usage in the repo.
Fixes #3146
To configure a bearer token, users could only specify a file path in the
service monitor, pointing to a bearer token file in the Prometheus
container. This enables hostile users, being able to configure a service
monitor and controlling the scrape target, to retrieve arbitrary files
in the Prometheus container.
In cases where users cannot be trusted, this patch adds an option to
disallow the above file path specification and replaces it by a secret
reference. This secret has to be in the same namespace as the service
monitor, shrinking the attack vector.
pkg/prometheus: Add option to deny file system access through service monitors
ArbitraryFSAccessThroughSMsConfig enables users to configure whether
a service monitor selected by the Prometheus instance is allowed to use
arbitrary files on the file system of the Prometheus container. This is
the case when e.g. a service monitor specifies a BearerTokenFile in an
endpoint. A malicious user could create a service monitor
selecting arbitrary secret files in the Prometheus container. Those
secrets would then be sent with a scrape request by Prometheus to a
malicious target. Denying the above would prevent the attack; users can
instead use the BearerTokenSecret field.
test/basic-auth-test-app: Add mTLS endpoint
pkg/prometheus: Enable users to configure tls from secret
pkg/prometheus/operator: Validate TLS configs before retrieving assets
Before retrieving TLS assets from Kubernetes secrets for a given service
monitor, make sure the user did not specify both file and secret
reference, e.g. both `CAFile` and `CASecret`.
test: Rename basic-auth-test-app to instrumented-sample-app
Given that the basic-auth-test-app not only supports basic auth, but
also bearer token as well as tls authentication, this patch renames the
app to a more generic name.
test/e2e/prometheus_test: Test ArbitraryFSAccessThroughSM option for tls
The Prometheus custom resource has the option to disable arbitrary
filesystem access configured through service monitors. This commit adds
an end-to-end test for this option in combination with the TLS
configuration via files or secret references in service monitors.
pkg/prometheus/operator: Move check for arbitrary fs access into func
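As an added illustration of the checks described in the commits above (example code, not the operator's own): a simplified Go validator that rejects file-based credentials when arbitrary file system access is denied and rejects a TLS asset given both as a file path and as a secret reference. The types, field names and sample paths are hypothetical stand-ins for the ServiceMonitor fields the commits name.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the ServiceMonitor endpoint fields
// discussed above; they are not the operator's own API types.
type SecretKeySelector struct {
	Name string // secret name, resolved in the ServiceMonitor's own namespace
	Key  string
}

type TLSConfig struct {
	CAFile, CertFile, KeyFile string            // paths inside the Prometheus container
	CA, Cert, KeySecret       *SecretKeySelector // secret references
}

type Endpoint struct {
	BearerTokenFile   string
	BearerTokenSecret *SecretKeySelector
	TLSConfig         *TLSConfig
}

// ValidateEndpoint applies the two checks the commits describe: when arbitrary
// file system access is denied, every file-based credential is rejected, and a
// TLS asset given both as a file path and as a secret reference is rejected.
func ValidateEndpoint(denyFSAccess bool, ep Endpoint) error {
	if denyFSAccess && ep.BearerTokenFile != "" {
		return errors.New("bearerTokenFile is not allowed when file system access is denied; use bearerTokenSecret")
	}
	tls := ep.TLSConfig
	if tls == nil {
		return nil
	}
	assets := []struct {
		name, file string
		secret     *SecretKeySelector
	}{{"ca", tls.CAFile, tls.CA}, {"cert", tls.CertFile, tls.Cert}, {"key", tls.KeyFile, tls.KeySecret}}
	for _, a := range assets {
		if a.file != "" && a.secret != nil {
			return fmt.Errorf("tlsConfig: %s given as both a file path and a secret reference", a.name)
		}
		if denyFSAccess && a.file != "" {
			return fmt.Errorf("tlsConfig: %s file path is not allowed when file system access is denied", a.name)
		}
	}
	return nil
}

func main() {
	ep := Endpoint{BearerTokenSecret: &SecretKeySelector{Name: "scrape-token", Key: "token"}}
	fmt.Println(ValidateEndpoint(true, ep)) // nil: secret references are always accepted
}
```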
This adds two new command line parameters to prometheus operator:
--prometheus-instance-namespaces: Namespaces where Prometheus custom resources
and corresponding Secrets, Configmaps and StatefulSets are watched/created.
If set this takes precedence over --namespaces or --deny-namespaces
for Prometheus custom resources.
--alertmanager-instance-namespaces: Namespaces where Alertmanager custom resources
and corresponding StatefulSets are watched/created.
If set this takes precedence over --namespaces or --deny-namespaces
for Alertmanager custom resources.
This allows fine grained configuration of reconciliation for prometheus/alertmanager
instances to certain namespaces while allow- or deny-listing other namespaces for less
critical custom resources like ServiceMonitors, PodMonitors, etc.
Currently, it is possible to explicitly watch for namespaces with the --namespaces option.
If unset, all namespaces are being watched.
The reverse is not possible today, namely exclude (deny) namespaces from being watched.
This fixes it by introducing the --deny-namespaces option.
It is mutually exclusive with --namespaces.