Generate endpoints for X-Scope-OrgID injection (multi-tenancy) (#180)

* adding optional auth-org generation code

Signed-off-by: Jeff Kolb <[email protected]>

* Added documentation

Signed-off-by: Jeff Kolb <[email protected]>

* Bumping version number

Signed-off-by: Jeff Kolb <[email protected]>

* Un-Bumping version number

Signed-off-by: Jeff Kolb <[email protected]>

* Adding changelog description

Signed-off-by: Jeff Kolb <[email protected]>

* added alertmanager-config example, added value attributes (#181)

Signed-off-by: Raphael Grömmer <[email protected]>
Signed-off-by: Jeff Kolb <[email protected]>

* Passing DCO test one hopes

Signed-off-by: Jeff Kolb <[email protected]>

* update docs also in the tmpl file (#186)

Signed-off-by: ShuzZzle <[email protected]>
Signed-off-by: Jeff Kolb <[email protected]>

* add autoscaler for ingesters (#182)

Signed-off-by: Tom Hayward <[email protected]>
Signed-off-by: Jeff Kolb <[email protected]>

* define namespace in templates (#184)

Signed-off-by: Tom Hayward <[email protected]>
Signed-off-by: Jeff Kolb <[email protected]>

* fix: documentation to match helm-docs spec

Signed-off-by: ShuzZzle <[email protected]>

* fix: auth_orgs under wrong section and use %d for http listen port

Signed-off-by: ShuzZzle <[email protected]>

Co-authored-by: Raphael Grömmer <[email protected]>
Co-authored-by: Niclas Schad <[email protected]>
Co-authored-by: Tom Hayward <[email protected]>

Author: 4 people

CHANGELOG.md

@@ -6,6 +6,7 @@
 * [FEATURE] Add autoscaler for ingesters #182
 * [ENHANCEMENT] Define namespace in templates #184
 * [ENHANCEMENT] Use FQDN for memcached addresses #175
+* [ENHANCEMENT] Optionally generate endpoints for `X-Scope-OrgID` injection (multi-tenancy) #180
 
 ## 0.6.0 / 2021-06-28
 

README.md

@@ -580,6 +580,7 @@ Kubernetes: `^1.19.0-0`
 | memcached.resources | object | `{}` |  |
 | nginx.affinity | object | `{}` |  |
 | nginx.annotations | object | `{}` |  |
+| nginx.config.auth_orgs | list | `[]` | (optional) List of [auth tenants](https://cortexmetrics.io/docs/guides/auth/) to set in the nginx config |
 | nginx.config.client_max_body_size | string | `"1M"` |  |
 | nginx.config.dnsResolver | string | `"kube-dns.kube-system.svc.cluster.local"` |  |
 | nginx.config.setHeaders | object | `{}` |  |

templates/nginx/nginx-config.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.nginx.enabled }}
+{{- $rootDomain := printf "%s.svc.%s:%d" .Release.Namespace .Values.clusterDomain (.Values.config.server.http_listen_port | int) }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -15,8 +16,7 @@ data:
 
     events {
       worker_connections  4096;  ## Default: 1024
-    }
-
+    } 
 
     http {
       default_type application/octet-stream;
@@ -46,64 +46,71 @@ data:
 
         # Distributor Config
         location = /ring {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ $rootDomain }}$request_uri;
         }
 
         location = /all_user_stats {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ $rootDomain }}$request_uri;
         }
 
         location = /api/prom/push {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ $rootDomain }}$request_uri;
         }
 
         ## New Remote write API. Ref: https://cortexmetrics.io/docs/api/#remote-write
         location = /api/v1/push {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ $rootDomain }}$request_uri;
         }
 
-
         # Alertmanager Config
         location ~ /api/prom/alertmanager/.* {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ $rootDomain }}$request_uri;
         }
 
         location ~ /api/v1/alerts {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ $rootDomain }}$request_uri;
         }
 
         location ~ /multitenant_alertmanager/status {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ $rootDomain }}$request_uri;
         }
 
         # Ruler Config
         location ~ /api/v1/rules {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ $rootDomain }}$request_uri;
         }
 
         location ~ /ruler/ring {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ $rootDomain }}$request_uri;
         }
 
         # Config Config
         location ~ /api/prom/configs/.* {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-configs.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-configs.{{ $rootDomain }}$request_uri;
         }
 
         # Query Config
         location ~ /api/prom/.* {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ $rootDomain }}$request_uri;
         }
 
         ## New Query frontend APIs as per https://cortexmetrics.io/docs/api/#querier--query-frontend
         location ~ ^{{.Values.config.api.prometheus_http_prefix}}/api/v1/(read|metadata|labels|series|query_range|query) {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ $rootDomain }}$request_uri;
         }
 
         location ~ {{.Values.config.api.prometheus_http_prefix}}/api/v1/label/.* {
-          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.server.http_listen_port }}$request_uri;
+          proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ $rootDomain }}$request_uri;
         }
-
+        {{- if and (.Values.config.auth_enabled) (.Values.nginx.config.auth_orgs) }}
+        # Auth orgs
+        {{- range $org := compact .Values.nginx.config.auth_orgs | uniq }}
+        location = /api/v1/push/{{ $org }} {
+          proxy_set_header      X-Scope-OrgID {{ $org }};
+          proxy_pass      http://{{ template "cortex.fullname" $ }}-distributor.{{ $rootDomain }}$request_uri;
+        }
+        {{- end }}
+        {{- end }}
       }
     }
 {{- end }}

values.yaml

@@ -1115,7 +1115,8 @@ nginx:
     ## ref: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
     client_max_body_size: 1M
     setHeaders: {}
-      # X-Scope-OrgID: 0
+    # -- (optional) List of [auth tenants](https://cortexmetrics.io/docs/guides/auth/) to set in the nginx config
+    auth_orgs: []
   image:
     repository: nginx
     tag: 1.21