mirrors/prometheus-operator
mirrors/prometheus-operator
1
0
Fork 0
mirror of https://github.com/prometheus-operator/prometheus-operator.git synced 2025-04-16 09:16:38 +00:00
Code Activity

chore: add RBAC for endpointslices to Prometheus SA

Browse source 
This change also adds e2e tests for the new EndpointSlice discovery
role.

Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This commit is contained in:
Simon Pasquier 2024-07-25 10:16:30 +02:00
parent 813bc2b6b9
commit 309b7d06ad
No known key found for this signature in database
GPG key ID: 0190A66C0A10FC4F
5 changed files with 66 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
Documentation/rbac.md
View file

@ -169,6 +169,11 @@ rules:
resources: resources:
- configmaps - configmaps
verbs: ["get"] verbs: ["get"]
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs: ["get", "list", "watch"]
- apiGroups: - apiGroups:
- networking.k8s.io - networking.k8s.io
resources: resources:

5
Documentation/user-guides/getting-started.md
View file

@ -166,6 +166,11 @@ rules:
resources: resources:
- configmaps - configmaps
verbs: ["get"] verbs: ["get"]
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs: ["get", "list", "watch"]
- apiGroups: - apiGroups:
- networking.k8s.io - networking.k8s.io
resources: resources:

5
example/rbac/prometheus/prometheus-cluster-role.yaml
View file

@ -15,6 +15,11 @@ rules:
resources: resources:
- configmaps - configmaps
verbs: ["get"] verbs: ["get"]
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs: ["get", "list", "watch"]
- apiGroups: - apiGroups:
- networking.k8s.io - networking.k8s.io
resources: resources:

25
pkg/prometheus/promcfg.go
View file

@ -70,9 +70,11 @@ type ConfigGenerator struct {
} }
// NewConfigGenerator creates a ConfigGenerator for the provided Prometheus resource. // NewConfigGenerator creates a ConfigGenerator for the provided Prometheus resource.
func NewConfigGenerator(logger log.Logger, func NewConfigGenerator(
logger log.Logger,
p monitoringv1.PrometheusInterface, p monitoringv1.PrometheusInterface,
endpointSliceSupported bool) (*ConfigGenerator, error) { endpointSliceSupported bool,
) (*ConfigGenerator, error) {
if logger == nil { if logger == nil {
logger = log.NewNopLogger() logger = log.NewNopLogger()
} }
@ -96,28 +98,11 @@ func NewConfigGenerator(logger log.Logger,
return nil, fmt.Errorf("failed to parse scrape classes: %w", err) return nil, fmt.Errorf("failed to parse scrape classes: %w", err)
} }
endpointSliceConfigured := false // Always assume false to preserve original prometheus-operator behaviour.
// Check if the user has explicitly set the service discovery role to use.
switch serviceDiscoveryRole := ptr.Deref(cpf.ServiceDiscoveryRole, monitoringv1.EndpointsRole); serviceDiscoveryRole {
case monitoringv1.EndpointSliceRole:
level.Info(logger).Log("msg", "using endpointslice as service discovery role")
endpointSliceConfigured = true
case monitoringv1.EndpointsRole:
level.Info(logger).Log("msg", "using endpoints as service discovery role")
endpointSliceConfigured = false
default:
level.Warn(logger).Log("msg",
"unknown service discovery role %q, defaulting to endpoints. Configure serviceDiscoveryRole to 'EndpointSlice' to use endpointslice as service discovery role.",
serviceDiscoveryRole)
endpointSliceConfigured = false
}
return &ConfigGenerator{ return &ConfigGenerator{
logger: logger, logger: logger,
version: version, version: version,
prom: p, prom: p,
useEndpointSlice: endpointSliceConfigured && endpointSliceSupported, useEndpointSlice: endpointSliceSupported && ptr.Deref(cpf.ServiceDiscoveryRole, monitoringv1.EndpointsRole) == monitoringv1.EndpointSliceRole,
scrapeClasses: scrapeClasses, scrapeClasses: scrapeClasses,
defaultScrapeClassName: defaultScrapeClassName, defaultScrapeClassName: defaultScrapeClassName,
}, nil }, nil

75
test/e2e/prometheus_test.go
View file

@ -2110,41 +2110,58 @@ func testPromWhenDeleteCRDCleanUpViaOwnerRef(t *testing.T) {
} }
func testPromDiscovery(t *testing.T) { func testPromDiscovery(t *testing.T) {
t.Parallel() for _, tc := range []struct {
testCtx := framework.NewTestCtx(t) role *monitoringv1.ServiceDiscoveryRole
defer testCtx.Cleanup(t) }{
ns := framework.CreateNamespace(context.Background(), t, testCtx) {
framework.SetupPrometheusRBAC(context.Background(), t, testCtx, ns) role: nil,
},
{
role: ptr.To(monitoringv1.EndpointsRole),
},
{
role: ptr.To(monitoringv1.EndpointSliceRole),
},
} {
t.Run(fmt.Sprintf("role=%s", ptr.Deref(tc.role, "<nil>")), func(t *testing.T) {
t.Parallel()
testCtx := framework.NewTestCtx(t)
defer testCtx.Cleanup(t)
ns := framework.CreateNamespace(context.Background(), t, testCtx)
framework.SetupPrometheusRBAC(context.Background(), t, testCtx, ns)
prometheusName := "test" prometheusName := "test"
group := "servicediscovery-test" group := "servicediscovery-test"
svc := framework.MakePrometheusService(prometheusName, group, v1.ServiceTypeClusterIP) svc := framework.MakePrometheusService(prometheusName, group, v1.ServiceTypeClusterIP)
s := framework.MakeBasicServiceMonitor(group) s := framework.MakeBasicServiceMonitor(group)
if _, err := framework.MonClientV1.ServiceMonitors(ns).Create(context.Background(), s, metav1.CreateOptions{}); err != nil { if _, err := framework.MonClientV1.ServiceMonitors(ns).Create(context.Background(), s, metav1.CreateOptions{}); err != nil {
t.Fatal("Creating ServiceMonitor failed: ", err) t.Fatal("Creating ServiceMonitor failed: ", err)
} }
p := framework.MakeBasicPrometheus(ns, prometheusName, group, 1) p := framework.MakeBasicPrometheus(ns, prometheusName, group, 1)
_, err := framework.CreatePrometheusAndWaitUntilReady(context.Background(), ns, p) p.Spec.ServiceDiscoveryRole = tc.role
if err != nil { _, err := framework.CreatePrometheusAndWaitUntilReady(context.Background(), ns, p)
t.Fatal(err) if err != nil {
} t.Fatal(err)
}
if finalizerFn, err := framework.CreateOrUpdateServiceAndWaitUntilReady(context.Background(), ns, svc); err != nil { if finalizerFn, err := framework.CreateOrUpdateServiceAndWaitUntilReady(context.Background(), ns, svc); err != nil {
t.Fatal(fmt.Errorf("creating prometheus service failed: %w", err)) t.Fatal(fmt.Errorf("creating prometheus service failed: %w", err))
} else { } else {
testCtx.AddFinalizerFn(finalizerFn) testCtx.AddFinalizerFn(finalizerFn)
} }
_, err = framework.KubeClient.CoreV1().Secrets(ns).Get(context.Background(), fmt.Sprintf("prometheus-%s", prometheusName), metav1.GetOptions{}) _, err = framework.KubeClient.CoreV1().Secrets(ns).Get(context.Background(), fmt.Sprintf("prometheus-%s", prometheusName), metav1.GetOptions{})
if err != nil { if err != nil {
t.Fatal("Generated Secret could not be retrieved: ", err) t.Fatal("Generated Secret could not be retrieved: ", err)
} }
err = framework.WaitForDiscoveryWorking(context.Background(), ns, svc.Name, prometheusName) err = framework.WaitForDiscoveryWorking(context.Background(), ns, svc.Name, prometheusName)
if err != nil { if err != nil {
t.Fatal(fmt.Errorf("validating Prometheus target discovery failed: %w", err)) t.Fatal(fmt.Errorf("validating Prometheus target discovery failed: %w", err))
}
})
} }
} }