mirror of
https://github.com/prometheus/prometheus.git
synced 2024-12-26 22:19:40 -08:00
0af7250c52
This change sets the scheme to https when a rule specified by Ingress matches a wildcard DNS entry in the ingress TLS hosts Signed-off-by: Philip Gough <philip.p.gough@gmail.com>
252 lines
6.7 KiB
Go
252 lines
6.7 KiB
Go
// Copyright 2016 The Prometheus Authors
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package kubernetes
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/go-kit/log"
|
|
"github.com/go-kit/log/level"
|
|
"github.com/pkg/errors"
|
|
"github.com/prometheus/common/model"
|
|
v1 "k8s.io/api/networking/v1"
|
|
"k8s.io/api/networking/v1beta1"
|
|
"k8s.io/client-go/tools/cache"
|
|
"k8s.io/client-go/util/workqueue"
|
|
|
|
"github.com/prometheus/prometheus/discovery/targetgroup"
|
|
"github.com/prometheus/prometheus/util/strutil"
|
|
)
|
|
|
|
var (
|
|
ingressAddCount = eventCount.WithLabelValues("ingress", "add")
|
|
ingressUpdateCount = eventCount.WithLabelValues("ingress", "update")
|
|
ingressDeleteCount = eventCount.WithLabelValues("ingress", "delete")
|
|
)
|
|
|
|
// Ingress implements discovery of Kubernetes ingress.
|
|
type Ingress struct {
|
|
logger log.Logger
|
|
informer cache.SharedInformer
|
|
store cache.Store
|
|
queue *workqueue.Type
|
|
}
|
|
|
|
// NewIngress returns a new ingress discovery.
|
|
func NewIngress(l log.Logger, inf cache.SharedInformer) *Ingress {
|
|
s := &Ingress{logger: l, informer: inf, store: inf.GetStore(), queue: workqueue.NewNamed("ingress")}
|
|
s.informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
AddFunc: func(o interface{}) {
|
|
ingressAddCount.Inc()
|
|
s.enqueue(o)
|
|
},
|
|
DeleteFunc: func(o interface{}) {
|
|
ingressDeleteCount.Inc()
|
|
s.enqueue(o)
|
|
},
|
|
UpdateFunc: func(_, o interface{}) {
|
|
ingressUpdateCount.Inc()
|
|
s.enqueue(o)
|
|
},
|
|
})
|
|
return s
|
|
}
|
|
|
|
func (i *Ingress) enqueue(obj interface{}) {
|
|
key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(obj)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
i.queue.Add(key)
|
|
}
|
|
|
|
// Run implements the Discoverer interface.
|
|
func (i *Ingress) Run(ctx context.Context, ch chan<- []*targetgroup.Group) {
|
|
defer i.queue.ShutDown()
|
|
|
|
if !cache.WaitForCacheSync(ctx.Done(), i.informer.HasSynced) {
|
|
if ctx.Err() != context.Canceled {
|
|
level.Error(i.logger).Log("msg", "ingress informer unable to sync cache")
|
|
}
|
|
return
|
|
}
|
|
|
|
go func() {
|
|
for i.process(ctx, ch) {
|
|
}
|
|
}()
|
|
|
|
// Block until the target provider is explicitly canceled.
|
|
<-ctx.Done()
|
|
}
|
|
|
|
func (i *Ingress) process(ctx context.Context, ch chan<- []*targetgroup.Group) bool {
|
|
keyObj, quit := i.queue.Get()
|
|
if quit {
|
|
return false
|
|
}
|
|
defer i.queue.Done(keyObj)
|
|
key := keyObj.(string)
|
|
|
|
namespace, name, err := cache.SplitMetaNamespaceKey(key)
|
|
if err != nil {
|
|
return true
|
|
}
|
|
|
|
o, exists, err := i.store.GetByKey(key)
|
|
if err != nil {
|
|
return true
|
|
}
|
|
if !exists {
|
|
send(ctx, ch, &targetgroup.Group{Source: ingressSourceFromNamespaceAndName(namespace, name)})
|
|
return true
|
|
}
|
|
|
|
var ia ingressAdaptor
|
|
switch ingress := o.(type) {
|
|
case *v1.Ingress:
|
|
ia = newIngressAdaptorFromV1(ingress)
|
|
case *v1beta1.Ingress:
|
|
ia = newIngressAdaptorFromV1beta1(ingress)
|
|
default:
|
|
level.Error(i.logger).Log("msg", "converting to Ingress object failed", "err",
|
|
errors.Errorf("received unexpected object: %v", o))
|
|
return true
|
|
}
|
|
send(ctx, ch, i.buildIngress(ia))
|
|
return true
|
|
}
|
|
|
|
func ingressSource(s ingressAdaptor) string {
|
|
return ingressSourceFromNamespaceAndName(s.namespace(), s.name())
|
|
}
|
|
|
|
func ingressSourceFromNamespaceAndName(namespace, name string) string {
|
|
return "ingress/" + namespace + "/" + name
|
|
}
|
|
|
|
const (
|
|
ingressNameLabel = metaLabelPrefix + "ingress_name"
|
|
ingressLabelPrefix = metaLabelPrefix + "ingress_label_"
|
|
ingressLabelPresentPrefix = metaLabelPrefix + "ingress_labelpresent_"
|
|
ingressAnnotationPrefix = metaLabelPrefix + "ingress_annotation_"
|
|
ingressAnnotationPresentPrefix = metaLabelPrefix + "ingress_annotationpresent_"
|
|
ingressSchemeLabel = metaLabelPrefix + "ingress_scheme"
|
|
ingressHostLabel = metaLabelPrefix + "ingress_host"
|
|
ingressPathLabel = metaLabelPrefix + "ingress_path"
|
|
ingressClassNameLabel = metaLabelPrefix + "ingress_class_name"
|
|
)
|
|
|
|
func ingressLabels(ingress ingressAdaptor) model.LabelSet {
|
|
// Each label and annotation will create two key-value pairs in the map.
|
|
ls := make(model.LabelSet, 2*(len(ingress.labels())+len(ingress.annotations()))+2)
|
|
ls[ingressNameLabel] = lv(ingress.name())
|
|
ls[namespaceLabel] = lv(ingress.namespace())
|
|
if cls := ingress.ingressClassName(); cls != nil {
|
|
ls[ingressClassNameLabel] = lv(*cls)
|
|
}
|
|
|
|
for k, v := range ingress.labels() {
|
|
ln := strutil.SanitizeLabelName(k)
|
|
ls[model.LabelName(ingressLabelPrefix+ln)] = lv(v)
|
|
ls[model.LabelName(ingressLabelPresentPrefix+ln)] = presentValue
|
|
}
|
|
|
|
for k, v := range ingress.annotations() {
|
|
ln := strutil.SanitizeLabelName(k)
|
|
ls[model.LabelName(ingressAnnotationPrefix+ln)] = lv(v)
|
|
ls[model.LabelName(ingressAnnotationPresentPrefix+ln)] = presentValue
|
|
}
|
|
return ls
|
|
}
|
|
|
|
func pathsFromIngressPaths(ingressPaths []string) []string {
|
|
if ingressPaths == nil {
|
|
return []string{"/"}
|
|
}
|
|
paths := make([]string, len(ingressPaths))
|
|
for n, p := range ingressPaths {
|
|
path := p
|
|
if p == "" {
|
|
path = "/"
|
|
}
|
|
paths[n] = path
|
|
}
|
|
return paths
|
|
}
|
|
|
|
func (i *Ingress) buildIngress(ingress ingressAdaptor) *targetgroup.Group {
|
|
tg := &targetgroup.Group{
|
|
Source: ingressSource(ingress),
|
|
}
|
|
tg.Labels = ingressLabels(ingress)
|
|
|
|
for _, rule := range ingress.rules() {
|
|
scheme := "http"
|
|
paths := pathsFromIngressPaths(rule.paths())
|
|
|
|
out:
|
|
for _, pattern := range ingress.tlsHosts() {
|
|
if matchesHostnamePattern(pattern, rule.host()) {
|
|
scheme = "https"
|
|
break out
|
|
}
|
|
}
|
|
|
|
for _, path := range paths {
|
|
tg.Targets = append(tg.Targets, model.LabelSet{
|
|
model.AddressLabel: lv(rule.host()),
|
|
ingressSchemeLabel: lv(scheme),
|
|
ingressHostLabel: lv(rule.host()),
|
|
ingressPathLabel: lv(path),
|
|
})
|
|
}
|
|
}
|
|
|
|
return tg
|
|
}
|
|
|
|
// matchesHostnamePattern returns true if the host matches a wildcard DNS
|
|
// pattern or pattern and host are equal
|
|
func matchesHostnamePattern(pattern, host string) bool {
|
|
// check for exact match
|
|
if pattern == host {
|
|
return true
|
|
}
|
|
|
|
patternParts := strings.Split(pattern, ".")
|
|
hostParts := strings.Split(host, ".")
|
|
|
|
// if they are not equal, we cna check if we need to match
|
|
// on a wildcard or else give up
|
|
if len(patternParts) == 0 || patternParts[0] != "*" {
|
|
return false
|
|
}
|
|
|
|
// to get a valid wildcard match the parts will need to be the same length
|
|
if len(patternParts) != len(hostParts) {
|
|
return false
|
|
}
|
|
|
|
for i := 1; i < len(patternParts); i++ {
|
|
if patternParts[i] != hostParts[i] {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|