--- /dev/null
+#!/usr/bin/env python3
+# Copyright 2021 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# For those usages not covered by the Apache License, Version 2.0 please
+# contact: legal@canonical.com
+#
+# To get in touch with the maintainers, please contact:
+# osm-charmers@lists.launchpad.net
+##
+
+# pylint: disable=E0213
+
+import base64
+from ipaddress import ip_network
+import logging
+from typing import NoReturn, Optional
+from urllib.parse import urlparse
+
+import bcrypt
+from oci_image import OCIImageResource
+from ops.framework import EventBase
+from ops.main import main
+from opslib.osm.charm import CharmedOsmBase
+from opslib.osm.interfaces.prometheus import PrometheusServer
+from opslib.osm.pod import (
+ ContainerV3Builder,
+ FilesV3Builder,
+ IngressResourceV3Builder,
+ PodSpecV3Builder,
+)
+from opslib.osm.validator import (
+ ModelValidator,
+ validator,
+)
+import requests
+
+
+logger = logging.getLogger(__name__)
+
+PORT = 9090
+
+
+class ConfigModel(ModelValidator):
+ web_subpath: str
+ default_target: str
+ max_file_size: int
+ site_url: Optional[str]
+ cluster_issuer: Optional[str]
+ ingress_class: Optional[str]
+ ingress_whitelist_source_range: Optional[str]
+ tls_secret_name: Optional[str]
+ enable_web_admin_api: bool
+ image_pull_policy: str
+ security_context: bool
+ web_config_username: str
+ web_config_password: str
+
+ @validator("web_subpath")
+ def validate_web_subpath(cls, v):
+ if len(v) < 1:
+ raise ValueError("web-subpath must be a non-empty string")
+ return v
+
+ @validator("max_file_size")
+ def validate_max_file_size(cls, v):
+ if v < 0:
+ raise ValueError("value must be equal or greater than 0")
+ return v
+
+ @validator("site_url")
+ def validate_site_url(cls, v):
+ if v:
+ parsed = urlparse(v)
+ if not parsed.scheme.startswith("http"):
+ raise ValueError("value must start with http")
+ return v
+
+ @validator("ingress_whitelist_source_range")
+ def validate_ingress_whitelist_source_range(cls, v):
+ if v:
+ ip_network(v)
+ return v
+
+ @validator("image_pull_policy")
+ def validate_image_pull_policy(cls, v):
+ values = {
+ "always": "Always",
+ "ifnotpresent": "IfNotPresent",
+ "never": "Never",
+ }
+ v = v.lower()
+ if v not in values.keys():
+ raise ValueError("value must be always, ifnotpresent or never")
+ return values[v]
+
+
+class PrometheusCharm(CharmedOsmBase):
+
+ """Prometheus Charm."""
+
+ def __init__(self, *args) -> NoReturn:
+ """Prometheus Charm constructor."""
+ super().__init__(*args, oci_image="image")
+
+ # Registering provided relation events
+ self.prometheus = PrometheusServer(self, "prometheus")
+ self.framework.observe(
+ self.on.prometheus_relation_joined, # pylint: disable=E1101
+ self._publish_prometheus_info,
+ )
+
+ # Registering actions
+ self.framework.observe(
+ self.on.backup_action, # pylint: disable=E1101
+ self._on_backup_action,
+ )
+
+ def _publish_prometheus_info(self, event: EventBase) -> NoReturn:
+ config = ConfigModel(**dict(self.config))
+ self.prometheus.publish_info(
+ self.app.name,
+ PORT,
+ user=config.web_config_username,
+ password=config.web_config_password,
+ )
+
+ def _on_backup_action(self, event: EventBase) -> NoReturn:
+ url = f"http://{self.model.app.name}:{PORT}/api/v1/admin/tsdb/snapshot"
+ result = requests.post(url)
+
+ if result.status_code == 200:
+ event.set_results({"backup-name": result.json()["name"]})
+ else:
+ event.fail(f"status-code: {result.status_code}")
+
+ def _build_config_file(self, config: ConfigModel):
+ files_builder = FilesV3Builder()
+ files_builder.add_file(
+ "prometheus.yml",
+ (
+ "global:\n"
+ " scrape_interval: 15s\n"
+ " evaluation_interval: 15s\n"
+ "alerting:\n"
+ " alertmanagers:\n"
+ " - static_configs:\n"
+ " - targets:\n"
+ "rule_files:\n"
+ "scrape_configs:\n"
+ " - job_name: 'prometheus'\n"
+ " static_configs:\n"
+ f" - targets: [{config.default_target}]\n"
+ ),
+ )
+ return files_builder.build()
+
+ def _build_webconfig_file(self):
+ files_builder = FilesV3Builder()
+ files_builder.add_file("web.yml", "web-config-file", secret=True)
+ return files_builder.build()
+
+ def build_pod_spec(self, image_info):
+ # Validate config
+ config = ConfigModel(**dict(self.config))
+ # Create Builder for the PodSpec
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
+
+ # Build Backup Container
+ backup_image = OCIImageResource(self, "backup-image")
+ backup_image_info = backup_image.fetch()
+ backup_container_builder = ContainerV3Builder("prom-backup", backup_image_info)
+ backup_container = backup_container_builder.build()
+
+ # Add backup container to pod spec
+ pod_spec_builder.add_container(backup_container)
+
+ # Add pod secrets
+ prometheus_secret_name = f"{self.app.name}-secret"
+ pod_spec_builder.add_secret(
+ prometheus_secret_name,
+ {
+ "web-config-file": (
+ "basic_auth_users:\n"
+ f" {config.web_config_username}: {self._hash_password(config.web_config_password)}\n"
+ )
+ },
+ )
+
+ # Build Container
+ container_builder = ContainerV3Builder(
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
+ )
+ container_builder.add_port(name=self.app.name, port=PORT)
+ token = self._base64_encode(
+ f"{config.web_config_username}:{config.web_config_password}"
+ )
+ container_builder.add_http_readiness_probe(
+ "/-/ready",
+ PORT,
+ initial_delay_seconds=10,
+ timeout_seconds=30,
+ http_headers=[("Authorization", f"Basic {token}")],
+ )
+ container_builder.add_http_liveness_probe(
+ "/-/healthy",
+ PORT,
+ initial_delay_seconds=30,
+ period_seconds=30,
+ http_headers=[("Authorization", f"Basic {token}")],
+ )
+ command = [
+ "/bin/prometheus",
+ "--config.file=/etc/prometheus/prometheus.yml",
+ "--web.config.file=/etc/prometheus/web-config/web.yml",
+ "--storage.tsdb.path=/prometheus",
+ "--web.console.libraries=/usr/share/prometheus/console_libraries",
+ "--web.console.templates=/usr/share/prometheus/consoles",
+ f"--web.route-prefix={config.web_subpath}",
+ f"--web.external-url=http://localhost:{PORT}{config.web_subpath}",
+ ]
+ if config.enable_web_admin_api:
+ command.append("--web.enable-admin-api")
+ container_builder.add_command(command)
+ container_builder.add_volume_config(
+ "config", "/etc/prometheus", self._build_config_file(config)
+ )
+ container_builder.add_volume_config(
+ "web-config",
+ "/etc/prometheus/web-config",
+ self._build_webconfig_file(),
+ secret_name=prometheus_secret_name,
+ )
+ container = container_builder.build()
+ # Add container to pod spec
+ pod_spec_builder.add_container(container)
+ # Add ingress resources to pod spec if site url exists
+ if config.site_url:
+ parsed = urlparse(config.site_url)
+ annotations = {
+ "nginx.ingress.kubernetes.io/proxy-body-size": "{}".format(
+ str(config.max_file_size) + "m"
+ if config.max_file_size > 0
+ else config.max_file_size
+ )
+ }
+ if config.ingress_class:
+ annotations["kubernetes.io/ingress.class"] = config.ingress_class
+ ingress_resource_builder = IngressResourceV3Builder(
+ f"{self.app.name}-ingress", annotations
+ )
+
+ if config.ingress_whitelist_source_range:
+ annotations[
+ "nginx.ingress.kubernetes.io/whitelist-source-range"
+ ] = config.ingress_whitelist_source_range
+
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
+ if parsed.scheme == "https":
+ ingress_resource_builder.add_tls(
+ [parsed.hostname], config.tls_secret_name
+ )
+ else:
+ annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false"
+
+ ingress_resource_builder.add_rule(parsed.hostname, self.app.name, PORT)
+ ingress_resource = ingress_resource_builder.build()
+ pod_spec_builder.add_ingress_resource(ingress_resource)
+ return pod_spec_builder.build()
+
+ def _hash_password(self, password):
+ hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
+ return hashed_password.decode()
+
+ def _base64_encode(self, phrase: str) -> str:
+ return base64.b64encode(phrase.encode("utf-8")).decode("utf-8")
+
+
+if __name__ == "__main__":
+ main(PrometheusCharm)