#!/usr/bin/env python3
# Copyright 2021 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# For those usages not covered by the Apache License, Version 2.0 please
# contact: legal@canonical.com
#
# To get in touch with the maintainers, please contact:
# osm-charmers@lists.launchpad.net
##
# pylint: disable=E0213
import base64
from ipaddress import ip_network
import logging
from typing import NoReturn, Optional
from urllib.parse import urlparse
import bcrypt
from oci_image import OCIImageResource
from ops.framework import EventBase
from ops.main import main
from opslib.osm.charm import CharmedOsmBase
from opslib.osm.interfaces.prometheus import PrometheusServer
from opslib.osm.pod import (
ContainerV3Builder,
FilesV3Builder,
IngressResourceV3Builder,
PodSpecV3Builder,
)
from opslib.osm.validator import (
ModelValidator,
validator,
)
import requests
logger = logging.getLogger(__name__)
PORT = 9090
class ConfigModel(ModelValidator):
web_subpath: str
default_target: str
max_file_size: int
site_url: Optional[str]
cluster_issuer: Optional[str]
ingress_class: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
enable_web_admin_api: bool
image_pull_policy: str
security_context: bool
web_config_username: str
web_config_password: str
@validator("web_subpath")
def validate_web_subpath(cls, v):
if len(v) < 1:
raise ValueError("web-subpath must be a non-empty string")
return v
@validator("max_file_size")
def validate_max_file_size(cls, v):
if v < 0:
raise ValueError("value must be equal or greater than 0")
return v
@validator("site_url")
def validate_site_url(cls, v):
if v:
parsed = urlparse(v)
if not parsed.scheme.startswith("http"):
raise ValueError("value must start with http")
return v
@validator("ingress_whitelist_source_range")
def validate_ingress_whitelist_source_range(cls, v):
if v:
ip_network(v)
return v
@validator("image_pull_policy")
def validate_image_pull_policy(cls, v):
values = {
"always": "Always",
"ifnotpresent": "IfNotPresent",
"never": "Never",
}
v = v.lower()
if v not in values.keys():
raise ValueError("value must be always, ifnotpresent or never")
return values[v]
class PrometheusCharm(CharmedOsmBase):
"""Prometheus Charm."""
def __init__(self, *args) -> NoReturn:
"""Prometheus Charm constructor."""
super().__init__(*args, oci_image="image")
# Registering provided relation events
self.prometheus = PrometheusServer(self, "prometheus")
self.framework.observe(
self.on.prometheus_relation_joined, # pylint: disable=E1101
self._publish_prometheus_info,
)
# Registering actions
self.framework.observe(
self.on.backup_action, # pylint: disable=E1101
self._on_backup_action,
)
def _publish_prometheus_info(self, event: EventBase) -> NoReturn:
config = ConfigModel(**dict(self.config))
self.prometheus.publish_info(
self.app.name,
PORT,
user=config.web_config_username,
password=config.web_config_password,
)
def _on_backup_action(self, event: EventBase) -> NoReturn:
url = f"http://{self.model.app.name}:{PORT}/api/v1/admin/tsdb/snapshot"
result = requests.post(url)
if result.status_code == 200:
event.set_results({"backup-name": result.json()["name"]})
else:
event.fail(f"status-code: {result.status_code}")
def _build_config_file(self, config: ConfigModel):
files_builder = FilesV3Builder()
files_builder.add_file(
"prometheus.yml",
(
"global:\n"
" scrape_interval: 15s\n"
" evaluation_interval: 15s\n"
"alerting:\n"
" alertmanagers:\n"
" - static_configs:\n"
" - targets:\n"
"rule_files:\n"
"scrape_configs:\n"
" - job_name: 'prometheus'\n"
" static_configs:\n"
f" - targets: [{config.default_target}]\n"
),
)
return files_builder.build()
def _build_webconfig_file(self):
files_builder = FilesV3Builder()
files_builder.add_file("web.yml", "web-config-file", secret=True)
return files_builder.build()
def build_pod_spec(self, image_info):
# Validate config
config = ConfigModel(**dict(self.config))
# Create Builder for the PodSpec
pod_spec_builder = PodSpecV3Builder(
enable_security_context=config.security_context
)
# Build Backup Container
backup_image = OCIImageResource(self, "backup-image")
backup_image_info = backup_image.fetch()
backup_container_builder = ContainerV3Builder("prom-backup", backup_image_info)
backup_container = backup_container_builder.build()
# Add backup container to pod spec
pod_spec_builder.add_container(backup_container)
# Add pod secrets
prometheus_secret_name = f"{self.app.name}-secret"
pod_spec_builder.add_secret(
prometheus_secret_name,
{
"web-config-file": (
"basic_auth_users:\n"
f" {config.web_config_username}: {self._hash_password(config.web_config_password)}\n"
)
},
)
# Build Container
container_builder = ContainerV3Builder(
self.app.name,
image_info,
config.image_pull_policy,
run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
token = self._base64_encode(
f"{config.web_config_username}:{config.web_config_password}"
)
container_builder.add_http_readiness_probe(
"/-/ready",
PORT,
initial_delay_seconds=10,
timeout_seconds=30,
http_headers=[("Authorization", f"Basic {token}")],
)
container_builder.add_http_liveness_probe(
"/-/healthy",
PORT,
initial_delay_seconds=30,
period_seconds=30,
http_headers=[("Authorization", f"Basic {token}")],
)
command = [
"/bin/prometheus",
"--config.file=/etc/prometheus/prometheus.yml",
"--web.config.file=/etc/prometheus/web-config/web.yml",
"--storage.tsdb.path=/prometheus",
"--web.console.libraries=/usr/share/prometheus/console_libraries",
"--web.console.templates=/usr/share/prometheus/consoles",
f"--web.route-prefix={config.web_subpath}",
f"--web.external-url=http://localhost:{PORT}{config.web_subpath}",
]
if config.enable_web_admin_api:
command.append("--web.enable-admin-api")
container_builder.add_command(command)
container_builder.add_volume_config(
"config", "/etc/prometheus", self._build_config_file(config)
)
container_builder.add_volume_config(
"web-config",
"/etc/prometheus/web-config",
self._build_webconfig_file(),
secret_name=prometheus_secret_name,
)
container = container_builder.build()
# Add container to pod spec
pod_spec_builder.add_container(container)
# Add ingress resources to pod spec if site url exists
if config.site_url:
parsed = urlparse(config.site_url)
annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size": "{}".format(
str(config.max_file_size) + "m"
if config.max_file_size > 0
else config.max_file_size
)
}
if config.ingress_class:
annotations["kubernetes.io/ingress.class"] = config.ingress_class
ingress_resource_builder = IngressResourceV3Builder(
f"{self.app.name}-ingress", annotations
)
if config.ingress_whitelist_source_range:
annotations[
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
if config.cluster_issuer:
annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
)
else:
annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false"
ingress_resource_builder.add_rule(parsed.hostname, self.app.name, PORT)
ingress_resource = ingress_resource_builder.build()
pod_spec_builder.add_ingress_resource(ingress_resource)
return pod_spec_builder.build()
def _hash_password(self, password):
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
return hashed_password.decode()
def _base64_encode(self, phrase: str) -> str:
return base64.b64encode(phrase.encode("utf-8")).decode("utf-8")
if __name__ == "__main__":
main(PrometheusCharm)