MON-3134: allow to query alerts from thanos-querier tenancy port

slashpai · slashpai · commit a04d85064db7 · 2023-12-07T16:51:28.000+05:30
Allows to query alerts from application
namespaces as an application user.

Add e2e test to verify alerts tenancy

Signed-off-by: Jayapriya Pai &lt;janantha@redhat.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - [#2022](https://github.com/openshift/cluster-monitoring-operator/pull/2022) Add support to switch to metrics server from prometheus-adapter when the `MetricsServer` feature gate is enabled.
 - [#2161](https://github.com/openshift/cluster-monitoring-operator/pull/2161) Add `PrometheusRestrictedConfig.RemoteWrite[].SendExemplars`.
+- [#2184](https://github.com/openshift/cluster-monitoring-operator/issues/2184) Allow to query alerts of application namespaces as an application user from command line.
 
 ## 4.14
 
diff --git a/assets/thanos-querier/deployment.yaml b/assets/thanos-querier/deployment.yaml
@@ -201,7 +201,7 @@ spec:
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - --allow-paths=/api/v1/rules
+        - --allow-paths=/api/v1/rules,/api/v1/alerts
         image: quay.io/brancz/kube-rbac-proxy:v0.15.0
         name: kube-rbac-proxy-rules
         ports:
diff --git a/jsonnet/components/thanos-querier.libsonnet b/jsonnet/components/thanos-querier.libsonnet
@@ -555,7 +555,10 @@ function(params)
                   '--tls-cert-file=/etc/tls/private/tls.crt',
                   '--tls-private-key-file=/etc/tls/private/tls.key',
                   '--tls-cipher-suites=' + cfg.tlsCipherSuites,
-                  '--allow-paths=/api/v1/rules',
+                  '--allow-paths=' + std.join(',', [
+                    '/api/v1/rules',
+                    '/api/v1/alerts',
+                  ]),
                 ],
                 terminationMessagePolicy: 'FallbackToLogsOnError',
                 volumeMounts: [
diff --git a/test/e2e/user_workload_monitoring_test.go b/test/e2e/user_workload_monitoring_test.go
@@ -129,8 +129,8 @@ func TestUserWorkloadMonitoringAlerting(t *testing.T) {
 			f:    assertUserWorkloadRules,
 		},
 		{
-			name: "assert tenancy model is enforced for rules",
-			f:    assertTenancyForRules,
+			name: "assert tenancy model is enforced for rules and alerts",
+			f:    assertTenancyForRulesAndAlerts,
 		},
 		{
 			name: "assert prometheus is not deployed in user namespace",
@@ -664,44 +664,46 @@ func assertTenancyForMetrics(t *testing.T) {
 		})
 	}
 
-	// Check that the account doesn't have to access the rules endpoint.
-	err = framework.Poll(5*time.Second, time.Minute, func() error {
-		// The tenancy port (9092) is only exposed in-cluster so we need to use
-		// port forwarding to access kube-rbac-proxy.
-		host, cleanUp, err := f.ForwardPort(t, f.Ns, "thanos-querier", 9092)
-		if err != nil {
-			t.Fatal(err)
-		}
-		defer cleanUp()
+	// Check that the account doesn't have to access the rules and alerts endpoint.
+	for _, path := range []string{"/api/v1/rules", "/api/v1/alerts"} {
+		err = framework.Poll(5*time.Second, time.Minute, func() error {
+			// The tenancy port (9092) is only exposed in-cluster so we need to use
+			// port forwarding to access kube-rbac-proxy.
+			host, cleanUp, err := f.ForwardPort(t, f.Ns, "thanos-querier", 9092)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer cleanUp()
 
-		client := framework.NewPrometheusClient(
-			host,
-			token,
-			&framework.QueryParameterInjector{
-				Name:  "namespace",
-				Value: userWorkloadTestNs,
-			},
-		)
+			client := framework.NewPrometheusClient(
+				host,
+				token,
+				&framework.QueryParameterInjector{
+					Name:  "namespace",
+					Value: userWorkloadTestNs,
+				},
+			)
 
-		resp, err := client.Do("GET", "/api/v1/rules", nil)
-		if err != nil {
-			return err
-		}
-		defer resp.Body.Close()
+			resp, err := client.Do("GET", path, nil)
+			if err != nil {
+				return err
+			}
+			defer resp.Body.Close()
 
-		b, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return err
-		}
+			b, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return err
+			}
 
-		if resp.StatusCode/100 == 2 {
-			return fmt.Errorf("expected request to be rejected, but got status code %d (%s)", resp.StatusCode, framework.ClampMax(b))
-		}
+			if resp.StatusCode/100 == 2 {
+				return fmt.Errorf("expected request to be rejected, but got status code %d (%s)", resp.StatusCode, framework.ClampMax(b))
+			}
 
-		return nil
-	})
-	if err != nil {
-		t.Fatalf("the account has access to the rules endpoint of Thanos querier: %v", err)
+			return nil
+		})
+		if err != nil {
+			t.Fatalf("the account has access to the %q endpoint of Thanos querier: %v", path, err)
+		}
 	}
 
 	for _, tc := range []struct {
@@ -821,8 +823,8 @@ func assertTenancyForMetrics(t *testing.T) {
 	}
 }
 
-// assertTenancyForRules ensures that a tenant can access rules from her namespace (and only from this one).
-func assertTenancyForRules(t *testing.T) {
+// assertTenancyForRulesAndAlerts ensures that a tenant can access rules and alerts from her namespace (and only from this one).
+func assertTenancyForRulesAndAlerts(t *testing.T) {
 	const testAccount = "test-rules"
 
 	_, err := f.CreateServiceAccount(userWorkloadTestNs, testAccount)
@@ -951,6 +953,27 @@ func assertTenancyForRules(t *testing.T) {
 		t.Fatalf("failed to query rules from Thanos querier: %v", err)
 	}
 
+	err = framework.Poll(5*time.Second, time.Minute, func() error {
+		resp, err := client.Do("GET", "/api/v1/alerts", nil)
+		if err != nil {
+			return err
+		}
+		defer resp.Body.Close()
+
+		b, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return err
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return fmt.Errorf("unexpected status code response, want %d, got %d (%s)", http.StatusOK, resp.StatusCode, framework.ClampMax(b))
+		}
+		return nil
+		})
+	if err != nil {
+		t.Fatalf("failed to query alerts from Thanos querier: %v", err)
+	}
+
 	// Check that the account doesn't have to access the query endpoints.
 	for _, path := range []string{"/api/v1/range?query=up", "/api/v1/query_range?query=up&start=0&end=0&step=1s"} {
 		err = framework.Poll(5*time.Second, time.Minute, func() error {
