projects / osm / devops.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add web ui authentication
[osm/devops.git] / installers / charm / prometheus / src / charm.py
1 #!/usr/bin/env python3
2 # Copyright 2021 Canonical Ltd.
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License"); you may
5 # not use this file except in compliance with the License. You may obtain
6 # a copy of the License at
7 #
8 # http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 # License for the specific language governing permissions and limitations
14 # under the License.
15 #
16 # For those usages not covered by the Apache License, Version 2.0 please
17 # contact: legal@canonical.com
18 #
19 # To get in touch with the maintainers, please contact:
20 # osm-charmers@lists.launchpad.net
21 ##
22
23 # pylint: disable=E0213
24
25 import base64
26 from ipaddress import ip_network
27 import logging
28 from typing import NoReturn, Optional
29 from urllib.parse import urlparse
30
31 import bcrypt
32 from oci_image import OCIImageResource
33 from ops.framework import EventBase
34 from ops.main import main
35 from opslib.osm.charm import CharmedOsmBase
36 from opslib.osm.interfaces.prometheus import PrometheusServer
37 from opslib.osm.pod import (
38 ContainerV3Builder,
39 FilesV3Builder,
40 IngressResourceV3Builder,
41 PodSpecV3Builder,
42 )
43 from opslib.osm.validator import (
44 ModelValidator,
45 validator,
46 )
47 import requests
48
49
50 logger = logging.getLogger(__name__)
51
52 PORT = 9090
53
54
55 class ConfigModel(ModelValidator):
56 web_subpath: str
57 default_target: str
58 max_file_size: int
59 site_url: Optional[str]
60 cluster_issuer: Optional[str]
61 ingress_class: Optional[str]
62 ingress_whitelist_source_range: Optional[str]
63 tls_secret_name: Optional[str]
64 enable_web_admin_api: bool
65 image_pull_policy: str
66 security_context: bool
67 web_config_username: str
68 web_config_password: str
69
70 @validator("web_subpath")
71 def validate_web_subpath(cls, v):
72 if len(v) < 1:
73 raise ValueError("web-subpath must be a non-empty string")
74 return v
75
76 @validator("max_file_size")
77 def validate_max_file_size(cls, v):
78 if v < 0:
79 raise ValueError("value must be equal or greater than 0")
80 return v
81
82 @validator("site_url")
83 def validate_site_url(cls, v):
84 if v:
85 parsed = urlparse(v)
86 if not parsed.scheme.startswith("http"):
87 raise ValueError("value must start with http")
88 return v
89
90 @validator("ingress_whitelist_source_range")
91 def validate_ingress_whitelist_source_range(cls, v):
92 if v:
93 ip_network(v)
94 return v
95
96 @validator("image_pull_policy")
97 def validate_image_pull_policy(cls, v):
98 values = {
99 "always": "Always",
100 "ifnotpresent": "IfNotPresent",
101 "never": "Never",
102 }
103 v = v.lower()
104 if v not in values.keys():
105 raise ValueError("value must be always, ifnotpresent or never")
106 return values[v]
107
108
109 class PrometheusCharm(CharmedOsmBase):
110
111 """Prometheus Charm."""
112
113 def __init__(self, *args) -> NoReturn:
114 """Prometheus Charm constructor."""
115 super().__init__(*args, oci_image="image")
116
117 # Registering provided relation events
118 self.prometheus = PrometheusServer(self, "prometheus")
119 self.framework.observe(
120 self.on.prometheus_relation_joined, # pylint: disable=E1101
121 self._publish_prometheus_info,
122 )
123
124 # Registering actions
125 self.framework.observe(
126 self.on.backup_action, # pylint: disable=E1101
127 self._on_backup_action,
128 )
129
130 def _publish_prometheus_info(self, event: EventBase) -> NoReturn:
131 self.prometheus.publish_info(self.app.name, PORT)
132
133 def _on_backup_action(self, event: EventBase) -> NoReturn:
134 url = f"http://{self.model.app.name}:{PORT}/api/v1/admin/tsdb/snapshot"
135 result = requests.post(url)
136
137 if result.status_code == 200:
138 event.set_results({"backup-name": result.json()["name"]})
139 else:
140 event.fail(f"status-code: {result.status_code}")
141
142 def _build_config_file(self, config: ConfigModel):
143 files_builder = FilesV3Builder()
144 files_builder.add_file(
145 "prometheus.yml",
146 (
147 "global:\n"
148 " scrape_interval: 15s\n"
149 " evaluation_interval: 15s\n"
150 "alerting:\n"
151 " alertmanagers:\n"
152 " - static_configs:\n"
153 " - targets:\n"
154 "rule_files:\n"
155 "scrape_configs:\n"
156 " - job_name: 'prometheus'\n"
157 " static_configs:\n"
158 f" - targets: [{config.default_target}]\n"
159 ),
160 )
161 return files_builder.build()
162
163 def _build_webconfig_file(self):
164 files_builder = FilesV3Builder()
165 files_builder.add_file("web.yml", "web-config-file", secret=True)
166 return files_builder.build()
167
168 def build_pod_spec(self, image_info):
169 # Validate config
170 config = ConfigModel(**dict(self.config))
171 # Create Builder for the PodSpec
172 pod_spec_builder = PodSpecV3Builder(
173 enable_security_context=config.security_context
174 )
175
176 # Build Backup Container
177 backup_image = OCIImageResource(self, "backup-image")
178 backup_image_info = backup_image.fetch()
179 backup_container_builder = ContainerV3Builder("prom-backup", backup_image_info)
180 backup_container = backup_container_builder.build()
181
182 # Add backup container to pod spec
183 pod_spec_builder.add_container(backup_container)
184
185 # Add pod secrets
186 prometheus_secret_name = f"{self.app.name}-secret"
187 pod_spec_builder.add_secret(
188 prometheus_secret_name,
189 {
190 "web-config-file": (
191 "basic_auth_users:\n"
192 f" {config.web_config_username}: {self._hash_password(config.web_config_password)}\n"
193 )
194 },
195 )
196
197 # Build Container
198 container_builder = ContainerV3Builder(
199 self.app.name,
200 image_info,
201 config.image_pull_policy,
202 run_as_non_root=config.security_context,
203 )
204 container_builder.add_port(name=self.app.name, port=PORT)
205 token = self._base64_encode(
206 f"{config.web_config_username}:{config.web_config_password}"
207 )
208 container_builder.add_http_readiness_probe(
209 "/-/ready",
210 PORT,
211 initial_delay_seconds=10,
212 timeout_seconds=30,
213 http_headers=[("Authorization", f"Basic {token}")],
214 )
215 container_builder.add_http_liveness_probe(
216 "/-/healthy",
217 PORT,
218 initial_delay_seconds=30,
219 period_seconds=30,
220 http_headers=[("Authorization", f"Basic {token}")],
221 )
222 command = [
223 "/bin/prometheus",
224 "--config.file=/etc/prometheus/prometheus.yml",
225 "--web.config.file=/etc/prometheus/web-config/web.yml",
226 "--storage.tsdb.path=/prometheus",
227 "--web.console.libraries=/usr/share/prometheus/console_libraries",
228 "--web.console.templates=/usr/share/prometheus/consoles",
229 f"--web.route-prefix={config.web_subpath}",
230 f"--web.external-url=http://localhost:{PORT}{config.web_subpath}",
231 ]
232 if config.enable_web_admin_api:
233 command.append("--web.enable-admin-api")
234 container_builder.add_command(command)
235 container_builder.add_volume_config(
236 "config", "/etc/prometheus", self._build_config_file(config)
237 )
238 container_builder.add_volume_config(
239 "web-config",
240 "/etc/prometheus/web-config",
241 self._build_webconfig_file(),
242 secret_name=prometheus_secret_name,
243 )
244 container = container_builder.build()
245 # Add container to pod spec
246 pod_spec_builder.add_container(container)
247 # Add ingress resources to pod spec if site url exists
248 if config.site_url:
249 parsed = urlparse(config.site_url)
250 annotations = {
251 "nginx.ingress.kubernetes.io/proxy-body-size": "{}".format(
252 str(config.max_file_size) + "m"
253 if config.max_file_size > 0
254 else config.max_file_size
255 )
256 }
257 if config.ingress_class:
258 annotations["kubernetes.io/ingress.class"] = config.ingress_class
259 ingress_resource_builder = IngressResourceV3Builder(
260 f"{self.app.name}-ingress", annotations
261 )
262
263 if config.ingress_whitelist_source_range:
264 annotations[
265 "nginx.ingress.kubernetes.io/whitelist-source-range"
266 ] = config.ingress_whitelist_source_range
267
268 if config.cluster_issuer:
269 annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
270
271 if parsed.scheme == "https":
272 ingress_resource_builder.add_tls(
273 [parsed.hostname], config.tls_secret_name
274 )
275 else:
276 annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false"
277
278 ingress_resource_builder.add_rule(parsed.hostname, self.app.name, PORT)
279 ingress_resource = ingress_resource_builder.build()
280 pod_spec_builder.add_ingress_resource(ingress_resource)
281 return pod_spec_builder.build()
282
283 def _hash_password(self, password):
284 hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
285 return hashed_password.decode()
286
287 def _base64_encode(self, phrase: str) -> str:
288 return base64.b64encode(phrase.encode("utf-8")).decode("utf-8")
289
290
291 if __name__ == "__main__":
292 main(PrometheusCharm)