Removing liveness probe to prevent killing prometheus pod during WAL
replay.
This should be reverted around kubernetes 1.21 release. At that point
startupProbe should be added.
When the Thanos spec doesn't configure object storage, there's no need to
configure the Thanos sidecar for block uploads and mount the
Prometheus data volume.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Move logic for building image URLs into the operator package.
This improves the consistency for building image URLs from the
combination of default settings, operator CLI args, and config in the
custom resources.
* refactor: decouple pod labels from selector labels
prometheus pods cannot be rolled out without downtime when labels are changed
Fixes #3120
* chore: run go fmt
* fix unit tests
This allows nested PersistentVolumeClaim fields to be validated and
maintain metadata information such as labels and annotations.
Signed-off-by: Paul Gier <pgier@redhat.com>
From the godoc:
ParseTolerant allows for certain version specifications that do not
strictly adhere to semver specs to be parsed by the semver library.
It currently trims spaces, removes a "v" prefix, and adds a
0 patch number to versions with only major and minor components specified.
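The normalisation described in that godoc, as an added illustration written for this page and not code from the semver library or from prometheus-operator: a small tolerant parser that trims spaces, strips a leading "v", and defaults a missing patch component to 0, plus a comparison helper, which is what an operator needs when a user writes `version: v2.15` and a feature gate is keyed on 2.15.0. The prerelease/build-metadata handling is deliberately simplified (the suffix is discarded), which the real library does not do.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a plain major.minor.patch triple (illustrative type, not the
// semver library's).
type Version struct{ Major, Minor, Patch uint64 }

// parseTolerant mirrors the behaviour the godoc describes: surrounding
// whitespace is trimmed, a "v" prefix is removed, and a version given as
// "major.minor" gets patch 0. Anything else must be exactly three numeric
// components. A "-prerelease" or "+build" suffix is dropped here for
// brevity; a real parser would keep it for precedence rules.
func parseTolerant(s string) (Version, error) {
	s = strings.TrimSpace(s)
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) == 2 {
		parts = append(parts, "0")
	}
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("invalid version %q: want major.minor[.patch]", s)
	}
	var nums [3]uint64
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 64)
		if err != nil {
			return Version{}, fmt.Errorf("invalid version %q: component %q is not a number", s, p)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, nil
}

// lessThan reports whether a precedes b, comparing components in order.
func lessThan(a, b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	return a.Patch < b.Patch
}

func main() {
	// Constructed inputs of the kind users put in a Prometheus spec.
	for _, in := range []string{" v2.15 ", "2.16.0-rc.0", "v2"} {
		v, err := parseTolerant(in)
		fmt.Printf("%q -> %+v err=%v\n", in, v, err)
	}
}
```

The reason this matters for an operator is consistency: if one package accepts "v2.15" and another only "2.15.0", the same custom resource is interpreted differently depending on which code path reads it.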
This moves the default image versions and urls from multiple
packages into a single location in the operator package.
This has the advantage of easier maintenance and ensuring that
the default Thanos sidecar image doesn't become out of
sync with the default image used for Thanos Ruler.
Currently when passing `--config-reloader-(cpu|memory)` values those are
used only for limits. This PR sets the same values for requests.
I wasn't sure if the options for the requests should have been passed
with separate options but I thought this was a good compromise in the
meantime.
The initial question was brought up in https://github.com/coreos/kube-prometheus/issues/376
When the operator transfers all labels and annotations from the source
prometheus object to the generated statefulset, this also includes kubectl-managed
annotations.
These annotations will cause the generated statefulset to be pruned when
the source prometheus is applied with kubectl apply --prune.
Cleanup of the statefulset is managed by the garbage collection via
owner references of the prometheus object (which can be pruned).
To fix this do not transfer any kubectl.kubernetes.io/ annotations to
the generated statefulset.
Closes gh-2642
Signed-off-by: Julian Taylor <juliantaylor108@gmail.com>
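The filtering the commit above describes, as an added example written for this page rather than the operator's own code: a copy of the annotation map that drops every key under the `kubectl.kubernetes.io/` prefix (notably `last-applied-configuration`) before it is propagated to the generated StatefulSet. The sample annotations are constructed; the function name is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// kubectlAnnotationPrefix covers annotations kubectl itself manages, such as
// kubectl.kubernetes.io/last-applied-configuration. If they are copied onto
// a generated object, `kubectl apply --prune` treats that object as one the
// user applied and may delete it, even though the operator owns it through
// an owner reference.
const kubectlAnnotationPrefix = "kubectl.kubernetes.io/"

// filterPropagatedAnnotations returns a new map containing every entry of
// src except those under the kubectl.kubernetes.io/ prefix. The source map
// is never mutated, so the Prometheus object itself keeps its annotations.
func filterPropagatedAnnotations(src map[string]string) map[string]string {
	out := make(map[string]string, len(src))
	for k, v := range src {
		if strings.HasPrefix(k, kubectlAnnotationPrefix) {
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample: annotations as found on a Prometheus object that
	// was created with `kubectl apply`.
	src := map[string]string{
		"kubectl.kubernetes.io/last-applied-configuration": `{"apiVersion":"monitoring.coreos.com/v1"}`,
		"team": "observability",
	}
	for k, v := range filterPropagatedAnnotations(src) {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Only the kubectl-managed keys are dropped; user annotations such as `team` still reach the StatefulSet, which is the behaviour the commit preserves.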
When using prometheus with listenLocal=true the wget probe in the pod
failed because the created download file prevents further successful
wget runs.
Using /dev/null for the wget output file fixes that.
Fixes #2921
To configure a bearer token users could only specify a file path in the
service monitor, pointing to a bearer token file in the Prometheus
container. This enables hostile users, being able to configure a service
monitor and controlling the scrape target, to retrieve arbitrary files
in the Prometheus container.
In cases where users can not be trusted, this patch adds an option to
disallow the above file path specification and replaces it by a secret
reference. This secret has to be in the same namespace as the service
monitor, shrinking the attack vector.
pkg/prometheus: Add option to deny file system access through service monitors
ArbitraryFSAccessThroughSMsConfig enables users to configure whether
a service monitor selected by the Prometheus instance is allowed to use
arbitrary files on the file system of the Prometheus container. This is
the case when e.g. a service monitor specifies a BearerTokenFile in an
endpoint. A malicious user could create a service monitor
selecting arbitrary secret files in the Prometheus container. Those
secrets would then be sent with a scrape request by Prometheus to a
malicious target. Denying the above would prevent the attack; users can
instead use the BearerTokenSecret field.
test/basic-auth-test-app: Add mTLS endpoint
pkg/prometheus: Enable users to configure tls from secret
pkg/prometheus/operator: Validate TLS configs before retrieving assets
Before retrieving TLS assets from Kubernetes secrets for a given service
monitor, make sure the user did not specify both file and secret
reference, e.g. both `CAFile` and `CASecret`.
test: Rename basic-auth-test-app to instrumented-sample-app
Given that the basic-auth-test-app not only supports basic auth, but
also bearer token as well as tls authentication, this patch renames the
app to a more generic name.
test/e2e/prometheus_test: Test ArbitraryFSAccessThroughSM option for tls
The Prometheus custom resource has the option to disable arbitrary
filesystem access configured through service monitors. This commit adds
an end-to-end test for this option in combination with the TLS
configuration via files or secret references in service monitors.
pkg/prometheus/operator: Move check for arbitrary fs access into func
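The two checks described in the commits above (denying file paths in service monitor endpoints when arbitrary file system access is disabled, and rejecting an endpoint that sets both a file path and a secret reference for the same asset), as one added example written for this page. The types and the function name are illustrative stand-ins, not prometheus-operator's real API; the sample endpoints are constructed.

```go
package main

import (
	"fmt"
)

// SecretKeySelector points at a key in a Secret; the operator resolves it in
// the ServiceMonitor's own namespace, so a tenant can only reference secrets
// they already have access to.
type SecretKeySelector struct{ Name, Key string }

// TLSConfig holds the file-or-secret pairs for CA, client cert and key.
type TLSConfig struct {
	CAFile     string
	CASecret   *SecretKeySelector
	CertFile   string
	CertSecret *SecretKeySelector
	KeyFile    string
	KeySecret  *SecretKeySelector
}

// Endpoint is the subset of a ServiceMonitor endpoint these checks look at.
type Endpoint struct {
	BearerTokenFile   string
	BearerTokenSecret *SecretKeySelector
	TLSConfig         *TLSConfig
}

// asset pairs one credential's file path with its secret reference.
type asset struct {
	name   string
	file   string
	secret *SecretKeySelector
}

// validateEndpoint returns an error if the endpoint
//  1. sets both a file path and a secret reference for the same asset, or
//  2. references a path inside the Prometheus container while
//     denyArbitraryFS (ArbitraryFSAccessThroughSMs.Deny) is true.
// Rule 1 is checked first so the error tells the user which field to drop;
// rule 2 is what stops a tenant from exfiltrating e.g. the service account
// token by pointing a scrape at a target they control.
func validateEndpoint(ep Endpoint, denyArbitraryFS bool) error {
	assets := []asset{{"bearerToken", ep.BearerTokenFile, ep.BearerTokenSecret}}
	if ep.TLSConfig != nil {
		assets = append(assets,
			asset{"tls.ca", ep.TLSConfig.CAFile, ep.TLSConfig.CASecret},
			asset{"tls.cert", ep.TLSConfig.CertFile, ep.TLSConfig.CertSecret},
			asset{"tls.key", ep.TLSConfig.KeyFile, ep.TLSConfig.KeySecret},
		)
	}
	for _, a := range assets {
		if a.file != "" && a.secret != nil {
			return fmt.Errorf("%s: both a file path and a secret reference are set; specify only one", a.name)
		}
		if denyArbitraryFS && a.file != "" {
			return fmt.Errorf("%s: file path %q is not allowed because arbitrary file system access through service monitors is denied; use a secret reference instead", a.name, a.file)
		}
	}
	return nil
}

func main() {
	// Constructed endpoints: one that is safe under deny mode, one that
	// tries to read the pod's service account token.
	safe := Endpoint{BearerTokenSecret: &SecretKeySelector{Name: "scrape-token", Key: "token"}}
	hostile := Endpoint{BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"}
	fmt.Println("safe:", validateEndpoint(safe, true))
	fmt.Println("hostile:", validateEndpoint(hostile, true))
}
```

With denial switched off the file form is still accepted, which keeps existing single-tenant setups working; the setting is what a cluster operator turns on when ServiceMonitor authors are not trusted.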
Currently, for service discovery of Prometheus instances
a separate headless service must be deployed.
This adds the Thanos grpc port to the existing Prometheus statefulset governing service
if a Thanos sidecar is given in the Prometheus custom resource specification.
This way no additional service has to be deployed.
Added ability to express additional Volumes on the PrometheusSpec object, and to have those Volumes propagated out to the generated StatefulSet config.
When using the default podManagementPolicy it is possible to create a
situation where alertmanager pod objects won't be reconciled with a
statefulset, thus preventing am from being deployed.
One such case is when am was deployed and afterwards an admin
applied taints to all nodes causing pod eviction. Next, tolerations were
applied; however, due to the OrderedReady policy one am pod was still left in
the Pending state, preventing reconciliation.
This is needed to provide a workaround for a bug in kubernetes detailed
in https://github.com/kubernetes/kubernetes/issues/60164. It is also one
of the known limitations of StatefulSets mentioned in the docs
https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#limitations