Add proxyURL

Signed-off-by: Mario Fernandez <[email protected]>

Author: marioferh

assets/prometheus-k8s/prometheus.yaml

@@ -154,7 +154,14 @@ spec:
     volumeMounts:
     - mountPath: /etc/tls/grpc
       name: secret-grpc-tls
-  - name: prometheus
+  - env:
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: ""
+    name: prometheus
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/pki/ca-trust/extracted/pem/

assets/prometheus-user-workload/prometheus.yaml

@@ -168,7 +168,14 @@ spec:
     volumeMounts:
     - mountPath: /etc/tls/grpc
       name: secret-grpc-tls
-  - name: prometheus
+  - env:
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: ""
+    name: prometheus
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/pki/ca-trust/extracted/pem/

assets/thanos-ruler/thanos-ruler.yaml

@@ -24,6 +24,15 @@ spec:
     key: alertmanagers.yaml
     name: thanos-ruler-alertmanagers-config
   containers:
+  - env:
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: ""
+    name: thanos-ruler
+    terminationMessagePolicy: FallbackToLogsOnError
   - name: thanos-ruler
     securityContext:
       allowPrivilegeEscalation: false

jsonnet/components/prometheus-user-workload.libsonnet

@@ -563,6 +563,16 @@ function(params)
           // See e.g pkg/manifests/manifests.go where the startup probe is added
           {
             name: 'prometheus',
+            env: [{
+              name: 'HTTP_PROXY',
+              value: '',
+            }, {
+              name: 'HTTPS_PROXY',
+              value: '',
+            }, {
+              name: 'NO_PROXY',
+              value: '',
+            }],
             volumeMounts+: [
               {
                 name: $.trustedCaBundle.metadata.name,

jsonnet/components/prometheus.libsonnet

@@ -562,6 +562,16 @@ function(params)
           },
           {
             name: 'prometheus',
+            env: [{
+              name: 'HTTP_PROXY',
+              value: '',
+            }, {
+              name: 'HTTPS_PROXY',
+              value: '',
+            }, {
+              name: 'NO_PROXY',
+              value: '',
+            }],
             volumeMounts+: [
               {
                 name: $.trustedCaBundle.metadata.name,

jsonnet/components/thanos-ruler.libsonnet

@@ -431,6 +431,19 @@ function(params)
         serviceAccountName: tr.config.name,
         priorityClassName: 'openshift-user-critical',
         containers: [
+          {
+            name: 'thanos-ruler',
+            env: [{
+              name: 'HTTP_PROXY',
+              value: '',
+            }, {
+              name: 'HTTPS_PROXY',
+              value: '',
+            }, {
+              name: 'NO_PROXY',
+              value: '',
+            }],
+          },
           {
             // Note: this is performing strategic-merge-patch for thanos-ruler
             // container. the rest of the container configuration is managed by

pkg/manifests/amcfg.go

@@ -29,13 +29,14 @@ func (a PrometheusAdditionalAlertmanagerConfigs) MarshalYAML() (interface{}, err
 
 // amConfigPrometheus is our internal representation of the Prometheus alerting configuration.
 type amConfigPrometheus struct {
-	Scheme        string                  `yaml:"scheme,omitempty"`
-	PathPrefix    string                  `yaml:"path_prefix,omitempty"`
-	Timeout       *string                 `yaml:"timeout,omitempty"`
-	APIVersion    string                  `yaml:"api_version,omitempty"`
-	Authorization amConfigAuthorization   `yaml:"authorization,omitempty"`
-	TLSConfig     amConfigTLS             `yaml:"tls_config,omitempty"`
-	StaticConfigs []amConfigStaticConfigs `yaml:"static_configs,omitempty"`
+	Scheme               string                  `yaml:"scheme,omitempty"`
+	PathPrefix           string                  `yaml:"path_prefix,omitempty"`
+	Timeout              *string                 `yaml:"timeout,omitempty"`
+	APIVersion           string                  `yaml:"api_version,omitempty"`
+	Authorization        amConfigAuthorization   `yaml:"authorization,omitempty"`
+	TLSConfig            amConfigTLS             `yaml:"tls_config,omitempty"`
+	StaticConfigs        []amConfigStaticConfigs `yaml:"static_configs,omitempty"`
+	ProxyFromEnvironment bool                    `yaml:"proxy_from_environment,omitempty"`
 }
 
 type amConfigAuthorization struct {
@@ -64,10 +65,11 @@ type prometheusAdditionalAlertmanagerConfig AdditionalAlertmanagerConfig
 // compatible with the Prometheus configuration.
 func (a prometheusAdditionalAlertmanagerConfig) MarshalYAML() (interface{}, error) {
 	cfg := amConfigPrometheus{
-		Scheme:     a.Scheme,
-		PathPrefix: a.PathPrefix,
-		Timeout:    a.Timeout,
-		APIVersion: a.APIVersion,
+		Scheme:               a.Scheme,
+		PathPrefix:           a.PathPrefix,
+		Timeout:              a.Timeout,
+		APIVersion:           a.APIVersion,
+		ProxyFromEnvironment: true,
 		TLSConfig: amConfigTLS{
 			CA:                 "",
 			Cert:               "",
@@ -126,6 +128,7 @@ type thanosAlertmanagerConfiguration struct {
 	APIVersion    string       `yaml:"api_version,omitempty"`
 	HTTPConfig    amHTTPConfig `yaml:"http_config,omitempty"`
 	StaticConfigs []string     `yaml:"static_configs,omitempty"`
+	ProxyURL      string       `yaml:"proxy_url,omitempty"`
 }
 
 type amHTTPConfig struct {
@@ -183,6 +186,8 @@ func ConvertToThanosAlertmanagerConfiguration(ta []AdditionalAlertmanagerConfig)
 		result[i] = cfg
 	}
 
+	// todo mariofer proxyURL
+
 	return result, nil
 }
 

pkg/manifests/manifests.go

@@ -1460,6 +1460,8 @@ func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, telemetrySecret *v1.Secret)
 
 	for i, container := range p.Spec.Containers {
 		switch container.Name {
+		case "prometheus":
+			f.injectProxyVariables(&p.Spec.Containers[i])
 		case "kube-rbac-proxy", "kube-rbac-proxy-web", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)
@@ -1795,6 +1797,7 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus,
 				FailureThreshold: 240,
 			}
 
+			f.injectProxyVariables(&p.Spec.Containers[i])
 		case "kube-rbac-proxy-metrics", "kube-rbac-proxy-federate", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)
@@ -3222,6 +3225,8 @@ func (f *Factory) ThanosRulerCustomResource(
 
 	for i, container := range t.Spec.Containers {
 		switch container.Name {
+		case "thanos-ruler":
+			f.injectProxyVariables(&t.Spec.Containers[i])
 		case "kube-rbac-proxy-metrics", "kube-rbac-proxy-web":
 			t.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			t.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)

pkg/manifests/manifests_test.go

@@ -2162,6 +2162,23 @@ func TestPrometheusK8sAdditionalAlertManagerConfigsSecret(t *testing.T) {
 `,
 			mountedSecrets: []string{"alertmanager-bearer-token", "alertmanager-ca-tls", "alertmanager-cert-tls", "alertmanager-key-tls"},
 		},
+		{
+			name: "proxy from environment",
+			config: `prometheusK8s:
+  additionalAlertmanagerConfigs:
+  - staticConfigs:
+    - alertmanager1-remote.com
+    - alertmanager1-remotex.com
+    proxyFromEnvironment: true
+`,
+			expected: `- static_configs:
+  - targets:
+    - alertmanager1-remote.com
+    - alertmanager1-remotex.com
+  proxy_from_environment: true
+`,
+			mountedSecrets: []string{},
+		},
 	}
 
 	for _, tt := range testCases {
@@ -4919,6 +4936,144 @@ func TestAlertmanagerProxy(t *testing.T) {
 	}
 }
 
+func TestPrometheusProxy(t *testing.T) {
+	for _, tc := range []struct {
+		proxyReader ProxyReader
+		assertFn    func(*testing.T, *v1.Container)
+	}{
+		{
+			proxyReader: &fakeProxyReader{},
+			assertFn: func(t *testing.T, c *v1.Container) {
+				t.Helper()
+
+				require.Len(t, c.Env, 3)
+				require.Equal(t, c.Env[0].Value, "")
+				require.Equal(t, c.Env[1].Value, "")
+				require.Equal(t, c.Env[2].Value, "")
+			},
+		},
+		{
+			proxyReader: &fakeProxyReader{
+				httpProxy:  "http://example.com:8080/",
+				httpsProxy: "https://example.com:8080/",
+				noProxy:    "local.example.com",
+			},
+			assertFn: func(t *testing.T, c *v1.Container) {
+				t.Helper()
+
+				require.Len(t, c.Env, 3)
+				require.Equal(t, c.Env[0].Name, "HTTP_PROXY")
+				require.Equal(t, c.Env[0].Value, "http://example.com:8080/")
+				require.Equal(t, c.Env[1].Name, "HTTPS_PROXY")
+				require.Equal(t, c.Env[1].Value, "https://example.com:8080/")
+				require.Equal(t, c.Env[2].Name, "NO_PROXY")
+				require.Equal(t, c.Env[2].Value, "local.example.com")
+			},
+		},
+	} {
+		t.Run("", func(t *testing.T) {
+			findContainer := func(am *monv1.Prometheus) *v1.Container {
+				for _, c := range am.Spec.Containers {
+					if c.Name == "prometheus" {
+						return &c
+					}
+				}
+
+				return nil
+			}
+
+			f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", NewDefaultConfig(), defaultInfrastructureReader(), tc.proxyReader, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{})
+
+			t.Run("main", func(t *testing.T) {
+				p, err := f.PrometheusK8s(
+					&v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+					nil,
+				)
+				require.NoError(t, err)
+
+				amc := findContainer(p)
+				require.NotNil(t, amc)
+				tc.assertFn(t, amc)
+			})
+
+			t.Run("user", func(t *testing.T) {
+				p, err := f.PrometheusUserWorkload(
+					&v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+				)
+				require.NoError(t, err)
+
+				pc := findContainer(p)
+				require.NotNil(t, pc)
+				tc.assertFn(t, pc)
+			})
+		})
+	}
+}
+
+func TestThanosRulerProxy(t *testing.T) {
+	for _, tc := range []struct {
+		proxyReader ProxyReader
+		assertFn    func(*testing.T, *v1.Container)
+	}{
+		{
+			proxyReader: &fakeProxyReader{},
+			assertFn: func(t *testing.T, c *v1.Container) {
+				t.Helper()
+
+				require.Len(t, c.Env, 3)
+				require.Equal(t, c.Env[0].Value, "")
+				require.Equal(t, c.Env[1].Value, "")
+				require.Equal(t, c.Env[2].Value, "")
+			},
+		},
+		{
+			proxyReader: &fakeProxyReader{
+				httpProxy:  "http://example.com:8080/",
+				httpsProxy: "https://example.com:8080/",
+				noProxy:    "local.example.com",
+			},
+			assertFn: func(t *testing.T, c *v1.Container) {
+				t.Helper()
+
+				require.Len(t, c.Env, 3)
+				require.Equal(t, c.Env[0].Name, "HTTP_PROXY")
+				require.Equal(t, c.Env[0].Value, "http://example.com:8080/")
+				require.Equal(t, c.Env[1].Name, "HTTPS_PROXY")
+				require.Equal(t, c.Env[1].Value, "https://example.com:8080/")
+				require.Equal(t, c.Env[2].Name, "NO_PROXY")
+				require.Equal(t, c.Env[2].Value, "local.example.com")
+			},
+		},
+	} {
+		t.Run("", func(t *testing.T) {
+			findContainer := func(am *monv1.ThanosRuler) *v1.Container {
+				for _, c := range am.Spec.Containers {
+					if c.Name == "thanos-ruler" {
+						return &c
+					}
+				}
+
+				return nil
+			}
+
+			f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", NewDefaultConfig(), defaultInfrastructureReader(), tc.proxyReader, NewAssets(assetsPath), &APIServerConfig{}, &configv1.Console{})
+
+			t.Run("main", func(t *testing.T) {
+				tr, err := f.ThanosRulerCustomResource(
+					&v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+					nil,
+				)
+				require.NoError(t, err)
+
+				trc := findContainer(tr)
+				require.NotNil(t, trc)
+				tc.assertFn(t, trc)
+			})
+
+		})
+	}
+}
+
 func TestDescriptionWithoutPlaceholder(t *testing.T) {
 	tests := []struct {
 		name     string