Merge pull request #6754 from zalando-incubator/prometheus/oauth-grant

AlexanderYastrebov · web-flow · commit 06328d1099fb · 2024-01-10T10:25:42.000+01:00
prometheus: enable OAuth Grant flow for configured users
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -404,6 +404,9 @@ prometheus_remote_min_backoff: "3s"
 # Maximum retry delay.
 prometheus_remote_max_backoff: "10s"
 
+# Comma-separated list of user ids allowed to access Prometheus UI
+prometheus_ui_users: ""
+
 # dashboard metrics scraper resource limits
 dashboard_metrics_scraper_cpu_min: "50m"
 dashboard_metrics_scraper_mem_min: "200Mi"
diff --git a/cluster/manifests/prometheus/ingress.yaml b/cluster/manifests/prometheus/ingress.yaml
@@ -1,3 +1,4 @@
+# TODO: Remove
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -11,12 +12,49 @@ metadata:
     component: prometheus
 spec:
   rules:
-  - host: system-prometheus.{{ .Values.hosted_zone }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: prometheus
-            port:
-              number: 80
-        pathType: ImplementationSpecific
+    - host: system-prometheus.{{ .Values.hosted_zone }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: prometheus
+                port:
+                  number: 80
+            pathType: ImplementationSpecific
+---
+apiVersion: zalando.org/v1
+kind: RouteGroup
+metadata:
+  name: prometheus
+  namespace: kube-system
+  labels:
+    application: kubernetes
+    component: prometheus
+spec:
+  hosts:
+    - system-prometheus.{{ .Values.hosted_zone }}
+  backends:
+    - name: prometheus
+      type: service
+      serviceName: prometheus
+      servicePort: 80
+  defaultBackends:
+    - backendName: prometheus
+  routes:
+    - pathSubtree: /
+      predicates:
+        - HeaderRegexp("Authorization", "Bearer .+")
+      filters:
+        - oauthTokeninfoAnyKV("realm", "/employees", "realm", "/services")
+
+    # {{ if .Cluster.ConfigItems.prometheus_ui_users }}
+    #   {{ $uidKVs := "" }}
+    #   {{ range $uid := split .Cluster.ConfigItems.prometheus_ui_users "," }}
+    #     {{ if $uidKVs }}{{ $uidKVs = printf `%s, ` $uidKVs }}{{ end }}
+    #     {{ $uidKVs = printf `%s"uid", "%s"` $uidKVs $uid }}
+    #   {{ end }}
+    - pathSubtree: /
+      filters:
+        - oauthGrant()
+        - oauthTokeninfoAnyKV({{ $uidKVs }})
+    # {{ end }}
