Accepts metrics.prometheus endpoint. (#888)

Author: Rodrigo Valin

.action_templates/jobs/tests.yaml

@@ -23,6 +23,8 @@ tests:
           distro: ubi
         - test-name: feature_compatibility_version_upgrade
           distro: ubi
+        - test-name: prometheus
+          distro: ubi
         - test-name: replica_set_tls
           distro: ubi
         - test-name: replica_set_tls_pem_file

.github/workflows/e2e-fork.yml

@@ -105,6 +105,8 @@ jobs:
           distro: ubi
         - test-name: feature_compatibility_version_upgrade
           distro: ubi
+        - test-name: prometheus
+          distro: ubi
         - test-name: replica_set_tls
           distro: ubi
         - test-name: replica_set_tls_pem_file

.github/workflows/e2e.yml

@@ -111,6 +111,8 @@ jobs:
           distro: ubi
         - test-name: feature_compatibility_version_upgrade
           distro: ubi
+        - test-name: prometheus
+          distro: ubi
         - test-name: replica_set_tls
           distro: ubi
         - test-name: replica_set_tls_pem_file

api/v1/mongodbcommunity_types.go

@@ -106,6 +106,10 @@ type MongoDBCommunitySpec struct {
 	// AutomationConfigOverride is merged on top of the operator created automation config. Processes are merged
 	// by name. Currently Only the process.disabled field is supported.
 	AutomationConfigOverride *AutomationConfigOverride `json:"automationConfig,omitempty"`
+
+	// Prometheus configurations.
+	// +optional
+	Prometheus *Prometheus `json:"prometheus,omitempty"`
 }
 
 // ReplicaSetHorizonConfiguration holds the split horizon DNS settings for
@@ -128,6 +132,30 @@ type CustomRole struct {
 	AuthenticationRestrictions []AuthenticationRestriction `json:"authenticationRestrictions,omitempty"`
 }
 
+type Prometheus struct {
+	// Port where metrics endpoint will bind to. Defaults to 9216.
+	// +optional
+	Port int `json:"port,omitempty"`
+
+	// HTTP Basic Auth Username for metrics endpoint.
+	Username string `json:"username"`
+
+	// Name of a Secret containing a HTTP Basic Auth Password.
+	PasswordSecretRef SecretKeyReference `json:"passwordSecretRef"`
+
+	// Indicates path to the metrics endpoint.
+	// +kubebuilder:validation:Pattern=^\/[a-z0-9]+$
+	MetricsPath string `json:"metricsPath,omitempty"`
+}
+
+func (p Prometheus) GetPasswordKey() string {
+	if p.PasswordSecretRef.Key != "" {
+		return p.PasswordSecretRef.Key
+	}
+
+	return "password"
+}
+
 // ConvertToAutomationConfigCustomRole converts between a custom role defined by the crd and a custom role
 // that can be used in the automation config.
 func (c CustomRole) ConvertToAutomationConfigCustomRole() automationconfig.CustomRole {

config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml

@@ -88,6 +88,38 @@ spec:
               members:
                 description: Members is the number of members in the replica set
                 type: integer
+              prometheus:
+                description: Prometheus configurations.
+                properties:
+                  metricsPath:
+                    description: Indicates path to the metrics endpoint.
+                    pattern: ^\/[a-z0-9]+$
+                    type: string
+                  passwordSecretRef:
+                    description: Name of a Secret containing a HTTP Basic Auth Password.
+                    properties:
+                      key:
+                        description: Key is the key in the secret storing this password.
+                          Defaults to "password"
+                        type: string
+                      name:
+                        description: Name is the name of the secret storing this user's
+                          password
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  port:
+                    description: Port where metrics endpoint will bind to. Defaults
+                      to 9216.
+                    type: integer
+                  username:
+                    description: HTTP Basic Auth Username for metrics endpoint.
+                    type: string
+                required:
+                - passwordSecretRef
+                - username
+                type: object
               replicaSetHorizons:
                 description: ReplicaSetHorizons Add this parameter and values if you
                   need your database to be accessed outside of Kubernetes. This setting

config/samples/mongodb.com_v1_mongodbcommunity_prometheus.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: example-prometheus
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "5.0.6"
+
+  # You can expose metrics for Prometheus polling using the
+  # `prometheus` entry.
+  prometheus:
+    # Metrics endpoint HTTP Basic Auth username
+    username: <username>
+
+    # Metrics endpoint HTTP Basic Auth password
+    passwordSecretRef:
+      name: metrics-endpoint-password
+
+    # Optional, defaults to `/metrics`
+    # metricsPath: /metrics
+
+    # Optional defaults to 9216
+    # port: 9216
+
+  security:
+    authentication:
+      modes: ["SCRAM"]
+
+  users:
+    - name: my-user
+      db: admin
+      passwordSecretRef:
+        name: my-user-password
+      roles:
+        - name: clusterAdmin
+          db: admin
+        - name: userAdminAnyDatabase
+          db: admin
+      scramCredentialsSecretName: my-scram
+
+# the user credentials will be generated from this secret
+# once the credentials are generated, this secret is no longer required
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-user-password
+type: Opaque
+stringData:
+  password: <your-user-password>
+
+# Secret holding the prometheus metrics endpoint HTTP Password.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: metrics-endpoint-password
+type: Opaque
+stringData:
+  password: <your-metrics-endpoint-password>

controllers/replica_set_controller.go

@@ -15,6 +15,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/container"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/secret"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/monitoring"
 
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/functions"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/merge"
@@ -578,12 +580,30 @@ func (r ReplicaSetReconciler) buildAutomationConfig(mdb mdbv1.MongoDBCommunity)
 		return automationconfig.AutomationConfig{}, errors.Errorf("could not configure scram authentication: %s", err)
 	}
 
+	prometheusModification := automationconfig.NOOP()
+	if mdb.Spec.Prometheus != nil {
+		secretNamespacedName := types.NamespacedName{Name: mdb.Spec.Prometheus.PasswordSecretRef.Name, Namespace: mdb.Namespace}
+		r.secretWatcher.Watch(secretNamespacedName, mdb.NamespacedName())
+
+		password, err := secret.ReadKey(r.client, mdb.Spec.Prometheus.GetPasswordKey(), secretNamespacedName)
+		if err != nil {
+			if apiErrors.IsNotFound(err) {
+				r.log.Infof("Could not read Secret %s. Prometheus will not be configured during this reconciliation, %s", mdb.Spec.Prometheus.PasswordSecretRef.Name, err)
+			} else {
+				return automationconfig.AutomationConfig{}, errors.Errorf("could not configure Prometheus modification: %s", err)
+			}
+		} else {
+			prometheusModification = monitoring.PrometheusModification(mdb, password)
+		}
+	}
+
 	automationConfig, err := buildAutomationConfig(
 		mdb,
 		auth,
 		currentAC,
 		tlsModification,
 		customRolesModification,
+		prometheusModification,
 	)
 	if err != nil {
 		return automationconfig.AutomationConfig{}, errors.Errorf("could not create an automation config: %s", err)

go.mod

@@ -23,6 +23,7 @@ require (
 )
 
 require (
+	cloud.google.com/go v0.54.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

go.sum

@@ -8,6 +8,7 @@ cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0 h1:3ithwDMr7/3vpAMXiH+ZQnYbuIsh+OPhUPMFC9enmn0=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
@@ -661,6 +662,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/automationconfig/automation_config.go

@@ -20,6 +20,7 @@ type AutomationConfig struct {
 	Processes   []Process    `json:"processes"`
 	ReplicaSets []ReplicaSet `json:"replicaSets"`
 	Auth        Auth         `json:"auth"`
+	Prometheus  *Prometheus  `json:"prometheus,omitempty"`
 
 	// TLSConfig and SSLConfig exist to allow configuration of older agents which accept the "ssl" field rather or "tls"
 	// only one of these should be set.
@@ -185,6 +186,31 @@ type Auth struct {
 	AutoPwd string `json:"autoPwd,omitempty"`
 }
 
+type Prometheus struct {
+	Enabled          bool   `json:"enabled"`
+	Username         string `json:"username"`
+	Password         string `json:"password"`
+	Scheme           string `json:"scheme"`
+	TLSPemPath       string `json:"tlsPemPath"`
+	TLSPemPassword   string `json:"tlsPemPassword"`
+	Mode             string `json:"mode"`
+	ListenAddress    string `json:"listenAddress"`
+	MetricsPath      string `json:"metricsPath"`
+	ServiceDiscovery string `json:"serviceDiscovery"`
+}
+
+func NewDefaultPrometheus(username string) Prometheus {
+	return Prometheus{
+		Enabled:          true,
+		Username:         username,
+		Scheme:           "http",
+		Mode:             "opsManager",
+		ListenAddress:    "0.0.0.0:9216",
+		MetricsPath:      "/metrics",
+		ServiceDiscovery: "file",
+	}
+}
+
 type CustomRole struct {
 	Role                       string                      `json:"role"`
 	DB                         string                      `json:"db"`