Adding oauth-proxy sidecar to prometheus and grafana

deploy/roles/prometheus-clusterrole.yaml

@@ -3,6 +3,18 @@ kind: ClusterRole
 metadata:
   name: prometheus-application-monitoring
 rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups: [""]
   resources:
   - nodes

pkg/controller/applicationmonitoring/applicationmonitoring_controller.go

@@ -142,7 +142,7 @@ func (r *ReconcileApplicationMonitoring) Reconcile(request reconcile.Request) (r
 func (r *ReconcileApplicationMonitoring) InstallPrometheusOperator(cr *applicationmonitoringv1alpha1.ApplicationMonitoring) (reconcile.Result, error) {
 	log.Info("Phase: Install PrometheusOperator")
 
-	for _, resourceName := range []string{PrometheusOperatorServiceAccountName, PrometheusOperatorName} {
+	for _, resourceName := range []string{PrometheusOperatorServiceAccountName, PrometheusOperatorName, PrometheusProxySecretsName} {
 		if _, err := r.CreateResource(cr, resourceName); err != nil {
 			log.Info(fmt.Sprintf("Error in InstallPrometheusOperator, resourceName=%s : err=%s", resourceName, err))
 			// Requeue so it can be attempted again
@@ -168,7 +168,7 @@ func (r *ReconcileApplicationMonitoring) CreatePrometheusCRs(cr *applicationmoni
 		return reconcile.Result{Requeue: true}, err
 	}
 
-	for _, resourceName := range []string{PrometheusServiceAccountName, PrometheusServiceName, PrometheusRouteName, PrometheusCrName} {
+	for _, resourceName := range []string{PrometheusServiceAccountName, PrometheusServiceName, PrometheusCrName} {
 		if _, err := r.CreateResource(cr, resourceName); err != nil {
 			log.Info(fmt.Sprintf("Error in CreatePrometheusCRs, resourceName=%s : err=%s", resourceName, err))
 			// Requeue so it can be attempted again

pkg/controller/applicationmonitoring/templateHelper.go

@@ -2,6 +2,8 @@ package applicationmonitoring
 
 import (
 	"bytes"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -21,6 +23,7 @@ const (
 	PrometheusOperatorServiceAccountName = "prometheus-operator-service-account"
 	PrometheusCrName                     = "prometheus"
 	PrometheusRouteName                  = "prometheus-route"
+	PrometheusProxySecretsName           = "prometheus-proxy-secret"
 	PrometheusServiceAccountName         = "prometheus-service-account"
 	PrometheusServiceName                = "prometheus-service"
 	AlertManagerServiceAccountName       = "alertmanager-service-account"
@@ -45,6 +48,7 @@ type Parameters struct {
 	PrometheusCrName               string
 	PrometheusRouteName            string
 	PrometheusServiceName          string
+	PrometheusSessionSecret        string
 	AlertManagerServiceAccountName string
 	AlertManagerCrName             string
 	AlertManagerServiceName        string
@@ -76,6 +80,7 @@ func newTemplateHelper(cr *applicationmonitoring.ApplicationMonitoring, extraPar
 		PrometheusCrName:               PrometheusCrName,
 		PrometheusRouteName:            PrometheusRouteName,
 		PrometheusServiceName:          PrometheusServiceName,
+		PrometheusSessionSecret:        PopulatePrometheusProxySecret(),
 		AlertManagerServiceAccountName: AlertManagerServiceAccountName,
 		AlertManagerCrName:             AlertManagerCrName,
 		AlertManagerServiceName:        AlertManagerServiceName,
@@ -102,6 +107,15 @@ func newTemplateHelper(cr *applicationmonitoring.ApplicationMonitoring, extraPar
 	}
 }
 
+// Populate the PrometheusServiceName values
+func PopulatePrometheusProxySecret() string {
+	p, err := GeneratePassword(43)
+	if err != nil {
+		log.Info("Error creating PopulatePrometheusProxySecret")
+	}
+	return p
+}
+
 // load a templates from a given resource name. The templates must be located
 // under ./templates and the filename must be <resource-name>.yaml
 func (h *TemplateHelper) loadTemplate(name string) ([]byte, error) {
@@ -124,3 +138,14 @@ func (h *TemplateHelper) loadTemplate(name string) ([]byte, error) {
 
 	return buffer.Bytes(), nil
 }
+
+// GeneratePassword returns a base64 encoded securely random bytes.
+func GeneratePassword(n int) (string, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(b), err
+}

templates/prometheus-proxy-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  session_secret: >-
+    {{.PrometheusSessionSecret}}
+kind: Secret
+metadata:
+  labels:
+    k8s-app: prometheus-k8s
+  name: prometheus-k8s-proxy
+  namespace: {{.Namespace }}
+type: Opaque

templates/prometheus-route.yaml

@@ -7,7 +7,7 @@ spec:
   port:
     targetPort: web
   tls:
-    termination: edge
+    termination: Reencrypt
   to:
     kind: Service
     name: {{ .PrometheusServiceName }}

templates/prometheus-service-account.yaml

@@ -2,4 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: prometheus-application-monitoring
-  namespace: {{ .Namespace }}
+  namespace: {{ .Namespace }}
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"{{ .PrometheusRouteName }}"}}'

templates/prometheus-service.yaml

@@ -3,15 +3,17 @@ kind: Service
 metadata:
   name: {{ .PrometheusServiceName }}
   namespace: {{ .Namespace }}
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: prometheus-k8s-tls
   labels:
     application-monitoring: "true"
 spec:
   type: ClusterIP
   ports:
     - name: web
-      port: 9090
+      port: 9091
       protocol: TCP
-      targetPort: web
+      targetPort: oproxy
   selector:
     app: prometheus
   sessionAffinity: None

templates/prometheus.yaml

@@ -6,6 +6,34 @@ metadata:
   labels:
     prometheus: {{ .ApplicationMonitoringName }}
 spec:
+  containers:
+    - args:
+        - '-provider=openshift'
+        - '-https-address=:9091'
+        - '-http-address='
+        - '-email-domain=*'
+        - '-upstream=http://localhost:9090'
+        - '-openshift-service-account=prometheus-application-monitoring'
+        - '-openshift-sar={"resource": "namespaces", "verb": "get"}'
+        - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb":"get"}}'
+        - '-tls-cert=/etc/tls/private/tls.crt'
+        - '-tls-key=/etc/tls/private/tls.key'
+        - '-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token'
+        - '-cookie-secret-file=/etc/proxy/secrets/session_secret'
+        - '-openshift-ca=/etc/pki/tls/cert.pem'
+        - '-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+        - '-skip-auth-regex=^/metrics'
+      image: 'registry.redhat.io/openshift3/oauth-proxy:v3.11.43'
+      name: prometheus-proxy
+      ports:
+        - containerPort: 9091
+          name: oproxy
+      resources: {}
+      volumeMounts:
+        - mountPath: /etc/tls/private
+          name: secret-prometheus-k8s-tls
+        - mountPath: /etc/proxy/secrets
+          name: secret-prometheus-k8s-proxy
   externalUrl: https://{{ index .ExtraParams "prometheusHost" }}
   alerting:
     alertmanagers:
@@ -15,6 +43,9 @@ spec:
   resources:
     requests:
       memory: 400Mi
+  secrets:
+    - prometheus-k8s-tls
+    - prometheus-k8s-proxy
   serviceAccountName: prometheus-application-monitoring
   serviceMonitorNamespaceSelector:
     matchLabels:
@@ -27,4 +58,4 @@ spec:
       monitoring-key: {{ .MonitoringKey }}
   ruleNamespaceSelector:
     matchLabels:
-      monitoring-key: {{ .MonitoringKey }}
+      monitoring-key: {{ .MonitoringKey }}