add limitScrapeBodySize to CMO ConfigMap

Author: raptorsun

Diff for: pkg/manifests/config.go

@@ -29,6 +29,11 @@ import (
 
 const (
 	DefaultRetentionValue = "15d"
+
+	// Limit the body size from scrape queries
+	// Assumptions: one node has maximum 110 pods, each pod exposes 100 metrics, each metric is expressed by at most 100 bytes.
+	// 1.5x the size for a safe margin, it rounds up to 2MB.
+	DefaultScrapeBodySizeLimit = "2MB"
 )
 
 type Config struct {
@@ -105,6 +110,7 @@ type ClusterMonitoringConfiguration struct {
 	K8sPrometheusAdapter     *K8sPrometheusAdapter        `json:"k8sPrometheusAdapter"`
 	ThanosQuerierConfig      *ThanosQuerierConfig         `json:"thanosQuerier"`
 	UserWorkloadEnabled      *bool                        `json:"enableUserWorkload"`
+	LimitScrapeBodySize      *bool                        `json:"limitScrapeBodySize"`
 }
 
 type Images struct {
@@ -168,17 +174,18 @@ type RemoteWriteSpec struct {
 }
 
 type PrometheusK8sConfig struct {
-	LogLevel            string                               `json:"logLevel"`
-	Retention           string                               `json:"retention"`
-	NodeSelector        map[string]string                    `json:"nodeSelector"`
-	Tolerations         []v1.Toleration                      `json:"tolerations"`
-	Resources           *v1.ResourceRequirements             `json:"resources"`
-	ExternalLabels      map[string]string                    `json:"externalLabels"`
-	VolumeClaimTemplate *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
-	RemoteWrite         []RemoteWriteSpec                    `json:"remoteWrite"`
-	TelemetryMatches    []string                             `json:"-"`
-	AlertmanagerConfigs []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
-	QueryLogFile        string                               `json:"queryLogFile"`
+	LogLevel              string                               `json:"logLevel"`
+	Retention             string                               `json:"retention"`
+	NodeSelector          map[string]string                    `json:"nodeSelector"`
+	Tolerations           []v1.Toleration                      `json:"tolerations"`
+	Resources             *v1.ResourceRequirements             `json:"resources"`
+	ExternalLabels        map[string]string                    `json:"externalLabels"`
+	VolumeClaimTemplate   *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
+	RemoteWrite           []RemoteWriteSpec                    `json:"remoteWrite"`
+	TelemetryMatches      []string                             `json:"-"`
+	AlertmanagerConfigs   []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
+	QueryLogFile          string                               `json:"queryLogFile"`
+	EnforcedBodySizeLimit string                               `json:"enforcedBodySizeLimit,omitempty"`
 }
 
 type AdditionalAlertmanagerConfig struct {
@@ -385,6 +392,25 @@ func (c *Config) applyDefaults() {
 	if c.ClusterMonitoringConfiguration.EtcdConfig == nil {
 		c.ClusterMonitoringConfiguration.EtcdConfig = &EtcdConfig{}
 	}
+	if c.ClusterMonitoringConfiguration.LimitScrapeBodySize == nil {
+		disable := false
+		c.ClusterMonitoringConfiguration.LimitScrapeBodySize = &disable
+	} else if *c.ClusterMonitoringConfiguration.LimitScrapeBodySize {
+		c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit = DefaultScrapeBodySizeLimit
+	}
+}
+
+func (c *Config) ActivatePromEnforceBodyLimit() {
+	c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit = DefaultScrapeBodySizeLimit
+	if *c.ClusterMonitoringConfiguration.UserWorkloadEnabled {
+		c.UserWorkloadConfiguration.Prometheus.EnforcedBodySizeLimit = DefaultScrapeBodySizeLimit
+	}
+}
+func (c *Config) DeactivatePromEnforceBodyLimit() {
+	c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit = ""
+	if *c.ClusterMonitoringConfiguration.UserWorkloadEnabled {
+		c.UserWorkloadConfiguration.Prometheus.EnforcedBodySizeLimit = ""
+	}
 }
 
 func (c *Config) SetImages(images map[string]string) {
@@ -498,18 +524,19 @@ type UserWorkloadConfiguration struct {
 }
 
 type PrometheusRestrictedConfig struct {
-	LogLevel            string                               `json:"logLevel"`
-	Retention           string                               `json:"retention"`
-	NodeSelector        map[string]string                    `json:"nodeSelector"`
-	Tolerations         []v1.Toleration                      `json:"tolerations"`
-	Resources           *v1.ResourceRequirements             `json:"resources"`
-	ExternalLabels      map[string]string                    `json:"externalLabels"`
-	VolumeClaimTemplate *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
-	RemoteWrite         []RemoteWriteSpec                    `json:"remoteWrite"`
-	EnforcedSampleLimit *uint64                              `json:"enforcedSampleLimit"`
-	EnforcedTargetLimit *uint64                              `json:"enforcedTargetLimit"`
-	AlertmanagerConfigs []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
-	QueryLogFile        string                               `json:"queryLogFile"`
+	LogLevel              string                               `json:"logLevel"`
+	Retention             string                               `json:"retention"`
+	NodeSelector          map[string]string                    `json:"nodeSelector"`
+	Tolerations           []v1.Toleration                      `json:"tolerations"`
+	Resources             *v1.ResourceRequirements             `json:"resources"`
+	ExternalLabels        map[string]string                    `json:"externalLabels"`
+	VolumeClaimTemplate   *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
+	RemoteWrite           []RemoteWriteSpec                    `json:"remoteWrite"`
+	EnforcedSampleLimit   *uint64                              `json:"enforcedSampleLimit"`
+	EnforcedTargetLimit   *uint64                              `json:"enforcedTargetLimit"`
+	AlertmanagerConfigs   []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
+	QueryLogFile          string                               `json:"queryLogFile"`
+	EnforcedBodySizeLimit string                               `json:"enforcedBodySizeLimit,omitempty"`
 }
 
 func (u *UserWorkloadConfiguration) applyDefaults() {

Diff for: pkg/manifests/manifests.go

@@ -1582,6 +1582,10 @@ func (f *Factory) PrometheusK8s(host string, grpcTLS *v1.Secret, trustedCABundle
 		p.Spec.Secrets = append(p.Spec.Secrets, getAdditionalAlertmanagerSecrets(f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.AlertmanagerConfigs)...)
 	}
 
+	if f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit != "" {
+		p.Spec.EnforcedBodySizeLimit = f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit
+	}
+
 	return p, nil
 }
 
@@ -1673,6 +1677,10 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus,
 		p.Spec.EnforcedTargetLimit = f.config.UserWorkloadConfiguration.Prometheus.EnforcedTargetLimit
 	}
 
+	if f.config.UserWorkloadConfiguration.Prometheus.EnforcedBodySizeLimit != "" {
+		p.Spec.EnforcedBodySizeLimit = f.config.UserWorkloadConfiguration.Prometheus.EnforcedBodySizeLimit
+	}
+
 	if f.config.Images.Thanos != "" {
 		p.Spec.Thanos.Image = &f.config.Images.Thanos
 	}

Diff for: pkg/manifests/manifests_test.go

@@ -1068,8 +1068,13 @@ ingress:
 		t.Fatal("Prometheus image is not configured correctly")
 	}
 
+	if p.Spec.EnforcedBodySizeLimit != "" {
+		t.Fatal("EnforcedBodySizeLimit is not set to empty by default")
+	}
+
 	kubeRbacProxyTLSCipherSuitesArg := ""
 	kubeRbacProxyMinTLSVersionArg := ""
+
 	for _, container := range p.Spec.Containers {
 		switch container.Name {
 		case "prometheus-proxy":
@@ -1175,6 +1180,31 @@ ingress:
 	}
 }
 
+func TestPrometheusK8sConfigurationBodySizeLimit(t *testing.T) {
+	c, err := NewConfigFromString(`
+limitScrapeBodySize: true
+  `)
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	f := NewFactory("openshift-monitoring", "openshift-user-workload-monitoring", c, defaultInfrastructureReader(), &fakeProxyReader{}, NewAssets(assetsPath), &APIServerConfig{})
+	p, err := f.PrometheusK8s(
+		"prometheus-k8s.openshift-monitoring.svc",
+		&v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+		&v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if p.Spec.EnforcedBodySizeLimit != DefaultScrapeBodySizeLimit {
+		t.Fatalf("EnforcedBodySizeLimit is not configured correctly, expected %v, but got %v", DefaultScrapeBodySizeLimit, p.Spec.EnforcedBodySizeLimit)
+	}
+
+}
+
 func TestPrometheusK8sAdditionalAlertManagerConfigsSecret(t *testing.T) {
 	testCases := []struct {
 		name           string
@@ -1229,7 +1259,7 @@ func TestPrometheusK8sAdditionalAlertManagerConfigsSecret(t *testing.T) {
 			config: `prometheusK8s:
   additionalAlertmanagerConfigs:
   - apiVersion: v2
-    scheme: https    
+    scheme: https
     bearerToken:
       name: alertmanager1-bearer-token
       key: token
@@ -1252,7 +1282,7 @@ func TestPrometheusK8sAdditionalAlertManagerConfigsSecret(t *testing.T) {
 			config: `prometheusK8s:
   additionalAlertmanagerConfigs:
   - apiVersion: v2
-    scheme: https    
+    scheme: https
     tlsConfig:
       ca:
         name: alertmanager-tls
@@ -1286,7 +1316,7 @@ func TestPrometheusK8sAdditionalAlertManagerConfigsSecret(t *testing.T) {
 			config: `prometheusK8s:
   additionalAlertmanagerConfigs:
   - apiVersion: v2
-    scheme: https    
+    scheme: https
     tlsConfig:
       ca:
         name: alertmanager-ca-tls

Diff for: pkg/operator/operator.go

@@ -785,6 +785,12 @@ func (o *Operator) Config(ctx context.Context, key string) (*manifests.Config, e
 	}
 	o.userWorkloadEnabled = *c.ClusterMonitoringConfiguration.UserWorkloadEnabled
 
+	if *c.ClusterMonitoringConfiguration.LimitScrapeBodySize {
+		c.ActivatePromEnforceBodyLimit()
+	} else {
+		c.DeactivatePromEnforceBodyLimit()
+	}
+
 	// Only fetch the token and cluster ID if they have not been specified in the config.
 	if c.ClusterMonitoringConfiguration.TelemeterClientConfig.ClusterID == "" || c.ClusterMonitoringConfiguration.TelemeterClientConfig.Token == "" {
 		err := c.LoadClusterID(func() (*configv1.ClusterVersion, error) {