Merge pull request #2580 from marioferh/proxy_url_alertmanager_

MON-4043: Configuring external Alertmangers with proxy_url

Author: openshift-merge-bot[bot]

assets/prometheus-k8s/prometheus.yaml

@@ -154,7 +154,14 @@ spec:
     volumeMounts:
     - mountPath: /etc/tls/grpc
       name: secret-grpc-tls
-  - name: prometheus
+  - env:
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: ""
+    name: prometheus
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/pki/ca-trust/extracted/pem/

assets/prometheus-user-workload/prometheus.yaml

@@ -168,7 +168,14 @@ spec:
     volumeMounts:
     - mountPath: /etc/tls/grpc
       name: secret-grpc-tls
-  - name: prometheus
+  - env:
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: ""
+    name: prometheus
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/pki/ca-trust/extracted/pem/

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/prometheus/common v0.60.0
 	github.com/prometheus/prometheus v0.54.1
 	github.com/stretchr/testify v1.9.0
+	golang.org/x/net v0.30.0
 	golang.org/x/sync v0.8.0
 	golang.org/x/text v0.19.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -130,7 +131,6 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect
-	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/term v0.25.0 // indirect

jsonnet/components/prometheus-user-workload.libsonnet

@@ -563,6 +563,16 @@ function(params)
           // See e.g pkg/manifests/manifests.go where the startup probe is added
           {
             name: 'prometheus',
+            env: [{
+              name: 'HTTP_PROXY',
+              value: '',
+            }, {
+              name: 'HTTPS_PROXY',
+              value: '',
+            }, {
+              name: 'NO_PROXY',
+              value: '',
+            }],
             volumeMounts+: [
               {
                 name: $.trustedCaBundle.metadata.name,

jsonnet/components/prometheus.libsonnet

@@ -562,6 +562,16 @@ function(params)
           },
           {
             name: 'prometheus',
+            env: [{
+              name: 'HTTP_PROXY',
+              value: '',
+            }, {
+              name: 'HTTPS_PROXY',
+              value: '',
+            }, {
+              name: 'NO_PROXY',
+              value: '',
+            }],
             volumeMounts+: [
               {
                 name: $.trustedCaBundle.metadata.name,

pkg/manifests/amcfg.go

@@ -2,7 +2,9 @@ package manifests
 
 import (
 	"fmt"
+	"net/url"
 
+	"golang.org/x/net/http/httpproxy"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -29,13 +31,14 @@ func (a PrometheusAdditionalAlertmanagerConfigs) MarshalYAML() (interface{}, err
 
 // amConfigPrometheus is our internal representation of the Prometheus alerting configuration.
 type amConfigPrometheus struct {
-	Scheme        string                  `yaml:"scheme,omitempty"`
-	PathPrefix    string                  `yaml:"path_prefix,omitempty"`
-	Timeout       *string                 `yaml:"timeout,omitempty"`
-	APIVersion    string                  `yaml:"api_version,omitempty"`
-	Authorization amConfigAuthorization   `yaml:"authorization,omitempty"`
-	TLSConfig     amConfigTLS             `yaml:"tls_config,omitempty"`
-	StaticConfigs []amConfigStaticConfigs `yaml:"static_configs,omitempty"`
+	Scheme               string                  `yaml:"scheme,omitempty"`
+	PathPrefix           string                  `yaml:"path_prefix,omitempty"`
+	Timeout              *string                 `yaml:"timeout,omitempty"`
+	APIVersion           string                  `yaml:"api_version,omitempty"`
+	Authorization        amConfigAuthorization   `yaml:"authorization,omitempty"`
+	TLSConfig            amConfigTLS             `yaml:"tls_config,omitempty"`
+	StaticConfigs        []amConfigStaticConfigs `yaml:"static_configs,omitempty"`
+	ProxyFromEnvironment bool                    `yaml:"proxy_from_environment,omitempty"`
 }
 
 type amConfigAuthorization struct {
@@ -64,10 +67,11 @@ type prometheusAdditionalAlertmanagerConfig AdditionalAlertmanagerConfig
 // compatible with the Prometheus configuration.
 func (a prometheusAdditionalAlertmanagerConfig) MarshalYAML() (interface{}, error) {
 	cfg := amConfigPrometheus{
-		Scheme:     a.Scheme,
-		PathPrefix: a.PathPrefix,
-		Timeout:    a.Timeout,
-		APIVersion: a.APIVersion,
+		Scheme:               a.Scheme,
+		PathPrefix:           a.PathPrefix,
+		Timeout:              a.Timeout,
+		APIVersion:           a.APIVersion,
+		ProxyFromEnvironment: true,
 		TLSConfig: amConfigTLS{
 			CA:                 "",
 			Cert:               "",
@@ -126,14 +130,15 @@ type thanosAlertmanagerConfiguration struct {
 	APIVersion    string       `yaml:"api_version,omitempty"`
 	HTTPConfig    amHTTPConfig `yaml:"http_config,omitempty"`
 	StaticConfigs []string     `yaml:"static_configs,omitempty"`
+	ProxyURL      string       `yaml:"proxy_url,omitempty"`
 }
 
 type amHTTPConfig struct {
 	BearerTokenFile string      `yaml:"bearer_token_file,omitempty"`
 	TLSConfig       amConfigTLS `yaml:"tls_config,omitempty"`
 }
 
-func ConvertToThanosAlertmanagerConfiguration(ta []AdditionalAlertmanagerConfig) ([]thanosAlertmanagerConfiguration, error) {
+func (f *Factory) ConvertToThanosAlertmanagerConfiguration(ta []AdditionalAlertmanagerConfig) ([]thanosAlertmanagerConfiguration, error) {
 	result := make([]thanosAlertmanagerConfiguration, len(ta))
 
 	for i, a := range ta {
@@ -180,6 +185,36 @@ func ConvertToThanosAlertmanagerConfiguration(ta []AdditionalAlertmanagerConfig)
 
 		cfg.StaticConfigs = a.StaticConfigs
 
+		httpConfig := httpproxy.Config{
+			HTTPProxy:  f.proxy.HTTPProxy(),
+			HTTPSProxy: f.proxy.HTTPSProxy(),
+			NoProxy:    f.proxy.NoProxy(),
+		}
+
+		proxyFunc := httpConfig.ProxyFunc()
+
+		for _, host := range cfg.StaticConfigs {
+			if host == "" {
+				continue
+			}
+
+			u := &url.URL{
+				Scheme: cfg.Scheme,
+				Host:   host,
+			}
+
+			proxyURL, err := proxyFunc(u)
+			if err != nil {
+				return nil, err
+			}
+
+			// Assumes that all hosts share the same proxy policy
+			if proxyURL != nil {
+				cfg.ProxyURL = proxyURL.String()
+				break
+			}
+		}
+
 		result[i] = cfg
 	}
 

pkg/manifests/manifests.go

@@ -1177,7 +1177,7 @@ func (f *Factory) ThanosRulerAlertmanagerConfigSecret() (*v1.Secret, error) {
 		alertingConfiguration.Alertmanagers = []thanosAlertmanagerConfiguration{}
 	}
 
-	additionalConfigs, err := ConvertToThanosAlertmanagerConfiguration(f.config.GetThanosRulerAlertmanagerConfigs())
+	additionalConfigs, err := f.ConvertToThanosAlertmanagerConfiguration(f.config.GetThanosRulerAlertmanagerConfigs())
 	if err != nil {
 		return nil, err
 	}
@@ -1460,6 +1460,9 @@ func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, telemetrySecret *v1.Secret)
 
 	for i, container := range p.Spec.Containers {
 		switch container.Name {
+		case "prometheus":
+			// Inject the proxy env vars into the Prometheus container for configuring external Alertmanagers
+			f.injectProxyVariables(&p.Spec.Containers[i])
 		case "kube-rbac-proxy", "kube-rbac-proxy-web", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)
@@ -1794,7 +1797,8 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus,
 				PeriodSeconds:    15,
 				FailureThreshold: 240,
 			}
-
+			// Inject the proxy env vars into the Prometheus container for configuring external Alertmanagers
+			f.injectProxyVariables(&p.Spec.Containers[i])
 		case "kube-rbac-proxy-metrics", "kube-rbac-proxy-federate", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)