add a Kubernetes External Metrics metrics provider

Co-authored-by: Johan Lore <johan.lore@decathlon.com>
Co-authored-by: Maxime Véroone <maxime.veroone@decathlon.com>
Signed-off-by: Johan Lore <johan.lore@decathlon.com>

Author: jlore-decathlon

artifacts/flagger/crd.yaml

@@ -1344,6 +1344,7 @@ spec:
                         - prometheus
                         - influxdb
                         - datadog
+                        - externalmetrics
                         - stackdriver
                         - cloudwatch
                         - newrelic

charts/flagger/crds/crd.yaml

@@ -1344,6 +1344,7 @@ spec:
                         - prometheus
                         - influxdb
                         - datadog
+                        - externalmetrics
                         - stackdriver
                         - cloudwatch
                         - newrelic

charts/flagger/templates/rbac.yaml

@@ -289,6 +289,14 @@ rules:
       - revisions
     verbs:
       - get
+  - apiGroups:
+      - external.metrics.k8s.io
+    resources:
+      - externalmetrics
+    verbs:
+      - get
+      - watch
+      - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

go.mod

@@ -24,11 +24,12 @@ require (
 	google.golang.org/grpc v1.76.0
 	google.golang.org/protobuf v1.36.10
 	gopkg.in/h2non/gock.v1 v1.1.2
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/client-go v0.34.1
-	k8s.io/code-generator v0.34.1
+	k8s.io/api v0.34.2
+	k8s.io/apimachinery v0.34.2
+	k8s.io/client-go v0.34.2
+	k8s.io/code-generator v0.34.2
 	k8s.io/klog/v2 v2.130.1
+	k8s.io/metrics v0.34.2
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	knative.dev/serving v0.46.6
 )

go.sum

@@ -275,20 +275,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
-k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
-k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
-k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
-k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
-k8s.io/code-generator v0.34.1 h1:WpphT26E+j7tEgIUfFr5WfbJrktCGzB3JoJH9149xYc=
-k8s.io/code-generator v0.34.1/go.mod h1:DeWjekbDnJWRwpw3s0Jat87c+e0TgkxoR4ar608yqvg=
+k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY=
+k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw=
+k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
+k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M=
+k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE=
+k8s.io/code-generator v0.34.2 h1:9bG6jTxmsU3HXE5BNYJTC8AZ1D6hVVfkm8yYSkdkGY0=
+k8s.io/code-generator v0.34.2/go.mod h1:dnDDEd6S/z4uZ+PG1aE58ySCi/lR4+qT3a4DddE4/2I=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
+k8s.io/metrics v0.34.2 h1:zao91FNDVPRGIiHLO2vqqe21zZVPien1goyzn0hsz90=
+k8s.io/metrics v0.34.2/go.mod h1:Ydulln+8uZZctUM8yrUQX4rfq/Ay6UzsuXf24QJ37Vc=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/networking v0.0.0-20250902160145-7dad473f6351 h1:Gv/UqbN0AK+ORoT5e2Kg+3+uMW/y9CCdhpXKxYaVV6k=

kustomize/base/flagger/crd.yaml

@@ -1344,6 +1344,7 @@ spec:
                         - prometheus
                         - influxdb
                         - datadog
+                        - externalmetrics
                         - stackdriver
                         - cloudwatch
                         - newrelic

pkg/metrics/providers/externalmetrics.go

@@ -0,0 +1,156 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package providers
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"net"
+	"net/http"
+	"net/url"
+	"time"
+
+	flaggerv1 "github.com/fluxcd/flagger/pkg/apis/flagger/v1beta1"
+	"k8s.io/metrics/pkg/apis/external_metrics"
+)
+
+const (
+	metricServiceEndpointPath = "/apis/external.metrics.k8s.io/v1beta1"
+	namespacesPath            = "/namespaces/"
+
+	authorizationHeaderKey  = "Authorization"
+	applicationBearerToken = "token"
+)
+
+// ExternalMetricsProvider executes datadog queries
+type ExternalMetricsProvider struct {
+	metricServiceEndpoint string
+	bearerToken           string // Find out if we can get authoritative answer that this is the standard
+
+	timeout   time.Duration
+	client   *http.Client
+}
+
+// NewExternalMetricsProvider takes a canary spec, a provider spec, and
+// returns a client ready to execute queries against the Service
+func NewExternalMetricsProvider(metricInterval string,
+	provider flaggerv1.MetricTemplateProvider,
+	credentials map[string][]byte) (*ExternalMetricsProvider, error) {
+
+	if provider.Address == "" {
+		return nil, fmt.Errorf("the Url of the external metric service must be provided")
+	}
+
+	externalMetrics := ExternalMetricsProvider{
+		metricServiceEndpoint: fmt.Sprintf("%s%s", provider.Address, metricServiceEndpointPath),
+		timeout:               5 * time.Second,
+		client:	               http.DefaultClient,
+	}
+
+	if provider.InsecureSkipVerify {
+		t := http.DefaultTransport.(*http.Transport).Clone()
+		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		externalMetrics.client = &http.Client{Transport: t}
+	}
+
+	if b, ok := credentials[applicationBearerToken]; ok {
+		externalMetrics.bearerToken = string(b)
+	} else {
+		// Read service account token from volume mount
+		token, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+		if err != nil {
+			return nil, fmt.Errorf("error reading service account token: %w", err)
+		}
+		if len(token) == 0 {
+			return nil, fmt.Errorf("pod's service account token is empty")
+		}
+		externalMetrics.bearerToken = string(token)
+	}
+
+	return &externalMetrics, nil
+}
+
+// RunQuery retrieves the ExternalMetricValue from the ExternalMetricsProvider.metricServiceUrl
+// and returns the first result as a float64
+func (p *ExternalMetricsProvider) RunQuery(query string) (float64, error) {
+
+	metricsQueryUrl := fmt.Sprintf("%s%s%s", p.metricServiceEndpoint, namespacesPath, query)
+	//TODO add labelSelector as queryString (in the docs of this provider as it's embedded in the query string)
+
+	req, err := http.NewRequest("GET", metricsQueryUrl, nil)
+	if err != nil {
+		return 0, fmt.Errorf("error http.NewRequest: %w", err)
+	}
+	if p.bearerToken != "" {
+		req.Header.Add(authorizationHeaderKey, fmt.Sprintf("Bearer %s", p.bearerToken))
+	}
+
+	ctx, cancel := context.WithTimeout(req.Context(), p.timeout)
+	defer cancel()
+	r, err := p.client.Do(req.WithContext(ctx))
+	if err != nil {
+		return 0, fmt.Errorf("request failed: %w", err)
+	}
+
+	defer r.Body.Close()
+	b, err := io.ReadAll(r.Body)
+	if err != nil {
+		return 0, fmt.Errorf("error reading body: %w", err)
+	}
+
+	if r.StatusCode != http.StatusOK {
+		return 0, fmt.Errorf("error response: %s: %w", string(b), err)
+	}
+
+	var res external_metrics.ExternalMetricValueList
+	if err := json.Unmarshal(b, &res); err != nil {
+		return 0, fmt.Errorf("error unmarshaling result: %w, '%s'", err, string(b))
+	}
+
+	if len(res.Items) < 1 {
+		return 0, fmt.Errorf("invalid response: %s: %w", string(b), ErrNoValuesFound)
+	}
+
+	vs := res.Items[0].Value.AsApproximateFloat64()
+
+	return vs, nil
+}
+
+// IsOnline will only check the TCP endpoint reachability,
+// given that external metric servers don't have a common health check endpoint defined
+func (p *ExternalMetricsProvider) IsOnline() (bool, error) {
+	var d net.Dialer
+
+	ctx, cancel := context.WithTimeout(context.Background(), p.timeout)
+	defer cancel()
+
+	metricServiceUrl, err := url.Parse(p.metricServiceEndpoint)
+	if err != nil {
+		return false, fmt.Errorf("error parsing metric service url: %w", err)
+	}
+
+	conn, err := d.DialContext(ctx, "tcp", metricServiceUrl.Host)
+	defer conn.Close()
+	if err != nil {
+		return false, fmt.Errorf("connection failed: %w", err)
+	}
+	return true, err
+}