Take over prometheus agent remote write config from PMO.

go.mod

@@ -1,6 +1,6 @@
 module github.com/giantswarm/observability-operator
 
-go 1.21
+go 1.22.0
 
 require (
 	github.com/go-logr/logr v1.4.1
@@ -11,7 +11,7 @@ require (
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.72.0
 	github.com/prometheus/client_golang v1.19.0
 	github.com/prometheus/common v0.51.1
-	github.com/sirupsen/logrus v1.9.0
+	github.com/sirupsen/logrus v1.9.3
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.29.3
 	k8s.io/apimachinery v0.29.3

helm/observability-operator/templates/deployment.yaml

@@ -24,7 +24,9 @@ spec:
         image: "{{ .Values.image.registry }}/{{ .Values.image.name }}:{{ default .Chart.Version .Values.image.tag }}"
         args:
         - --leader-elect
+        - --management-cluster-base-domain={{ $.Values.managementCluster.baseDomain }}
         - --management-cluster-customer={{ $.Values.managementCluster.customer }}
+        - --management-cluster-insecure-ca={{ $.Values.managementCluster.insecureCA }}
         - --management-cluster-name={{ $.Values.managementCluster.name }}
         - --management-cluster-pipeline={{ $.Values.managementCluster.pipeline }}
         - --management-cluster-region={{ $.Values.managementCluster.region }}

helm/observability-operator/templates/rbac.yaml

@@ -5,6 +5,13 @@ metadata:
     {{- include "labels.common" . | nindent 4 }}
   name: {{ include "resource.default.name" . }}
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:

helm/observability-operator/values.schema.json

@@ -32,9 +32,15 @@
         "managementCluster": {
             "type": "object",
             "properties": {
+                "baseDomain": {
+                    "type": "string"
+                },
                 "customer": {
                     "type": "string"
                 },
+                "insecureCA": {
+                    "type": "boolean"
+                },
                 "name": {
                     "type": "string"
                 },
@@ -54,6 +60,9 @@
                 },
                 "opsgenieApiKey": {
                     "type": "string"
+                },
+                "prometheusVersion": {
+                    "type": "string"
                 }
             }
         },

helm/observability-operator/values.yaml

@@ -8,7 +8,9 @@ image:
   tag: ""
 
 managementCluster:
+  baseDomain: domain
   customer: customer
+  insecureCA: false
   name: name
   pipeline: pipeline
   region: region

internal/controller/cluster_monitoring_controller.go

@@ -117,7 +117,7 @@ func (r *ClusterMonitoringReconciler) reconcile(ctx context.Context, cluster *cl
 	}
 
 	// Create or update PrometheusAgent remote write configuration.
-	err := r.PrometheusAgentService.ReconcilePrometheusAgentRemoteWriteConfig(ctx, cluster)
+	err := r.PrometheusAgentService.ReconcileRemoteWriteConfig(ctx, cluster)
 	if err != nil {
 		logger.Error(err, "failed to create or update prometheus agent remote write config")
 		return ctrl.Result{Requeue: true}, errors.WithStack(err)
@@ -138,7 +138,7 @@ func (r *ClusterMonitoringReconciler) reconcileDelete(ctx context.Context, clust
 			}
 		}
 
-		err := r.PrometheusAgentService.DeletePrometheusAgentRemoteWriteConfig(ctx, cluster)
+		err := r.PrometheusAgentService.DeleteRemoteWriteConfig(ctx, cluster)
 		if err != nil {
 			logger.Error(err, "failed to delete prometheus agent remote write config")
 			return ctrl.Result{Requeue: true}, errors.WithStack(err)

main.go

@@ -40,6 +40,7 @@ import (
 	"github.com/giantswarm/observability-operator/internal/controller"
 	"github.com/giantswarm/observability-operator/pkg/common"
 	"github.com/giantswarm/observability-operator/pkg/common/organization"
+	"github.com/giantswarm/observability-operator/pkg/common/password"
 	"github.com/giantswarm/observability-operator/pkg/monitoring/heartbeat"
 	"github.com/giantswarm/observability-operator/pkg/monitoring/prometheusagent"
 	//+kubebuilder:scaffold:imports
@@ -49,17 +50,19 @@ var (
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
 
-	metricsAddr               string
-	enableLeaderElection      bool
-	probeAddr                 string
-	secureMetrics             bool
-	enableHTTP2               bool
-	managementClusterCustomer string
-	managementClusterName     string
-	managementClusterPipeline string
-	managementClusterRegion   string
-	monitoringEnabled         bool
-	prometheusVersion         string
+	metricsAddr                 string
+	enableLeaderElection        bool
+	probeAddr                   string
+	secureMetrics               bool
+	enableHTTP2                 bool
+	managementClusterBaseDomain string
+	managementClusterCustomer   string
+	managementClusterInsecureCA bool
+	managementClusterName       string
+	managementClusterPipeline   string
+	managementClusterRegion     string
+	monitoringEnabled           bool
+	prometheusVersion           string
 )
 
 const (
@@ -85,8 +88,12 @@ func main() {
 		"If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.StringVar(&managementClusterBaseDomain, "management-cluster-base-domain", "",
+		"The base domain of the management cluster.")
 	flag.StringVar(&managementClusterCustomer, "management-cluster-customer", "",
 		"The customer of the management cluster.")
+	flag.BoolVar(&managementClusterInsecureCA, "management-cluster-insecure-ca", false,
+		"Flag to indicate if the management cluster has an insecure CA that should be trusted")
 	flag.StringVar(&managementClusterName, "management-cluster-name", "",
 		"The name of the management cluster.")
 	flag.StringVar(&managementClusterPipeline, "management-cluster-pipeline", "",
@@ -157,10 +164,12 @@ func main() {
 	record.InitFromRecorder(mgr.GetEventRecorderFor("observability-operator"))
 
 	var managementCluster common.ManagementCluster = common.ManagementCluster{
-		Customer: managementClusterCustomer,
-		Name:     managementClusterName,
-		Pipeline: managementClusterPipeline,
-		Region:   managementClusterRegion,
+		BaseDomain: managementClusterBaseDomain,
+		Customer:   managementClusterCustomer,
+		InsecureCA: managementClusterInsecureCA,
+		Name:       managementClusterName,
+		Pipeline:   managementClusterPipeline,
+		Region:     managementClusterRegion,
 	}
 
 	var opsgenieApiKey = os.Getenv(OpsgenieApiKey)
@@ -181,11 +190,12 @@ func main() {
 	prometheusAgentService := prometheusagent.PrometheusAgentService{
 		Client:                 mgr.GetClient(),
 		OrganizationRepository: organizationRepository,
+		PasswordManager:        password.SimpleManager{},
 		ManagementCluster:      managementCluster,
 		PrometheusVersion:      prometheusVersion,
 	}
 
-	if err = (&controller.ClusterMonitoringReconciler{ 
+	if err = (&controller.ClusterMonitoringReconciler{
 		Client:                 mgr.GetClient(),
 		ManagementCluster:      managementCluster,
 		HeartbeatRepository:    heartbeatRepository,

pkg/common/password/manager.go

@@ -0,0 +1,21 @@
+package password
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+)
+
+type Manager interface {
+	GeneratePassword(length int) (string, error)
+}
+
+type SimpleManager struct {
+}
+
+func (m SimpleManager) GeneratePassword(length int) (string, error) {
+	bytes := make([]byte, length)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(bytes), nil
+}

pkg/common/types.go

@@ -33,8 +33,12 @@ const (
 )
 
 type ManagementCluster struct {
+	// BaseDomain is the base domain of the management cluster.
+	BaseDomain string
 	// Customer is the customer name of the management cluster.
 	Customer string
+	// InsecureCA is a flag to indicate if the management cluster has an insecure CA that should be truster
+	InsecureCA bool
 	// Name is the name of the management cluster.
 	Name string
 	// Pipeline is the pipeline name of the management cluster.

pkg/monitoring/mimir/querier/querier.go

@@ -51,7 +51,8 @@ func QueryTSDBHeadSeries(ctx context.Context, clusterName string) (float64, erro
 	api := v1.NewAPI(c)
 
 	queryContext, cancel := context.WithTimeout(ctx, 2*time.Minute)
-	val, _, err := api.Query(queryContext, fmt.Sprintf("max_over_time(count({cluster_id=\"%s\"})[6h])", clusterName), time.Now())
+	query := fmt.Sprintf("max_over_time(prometheus_tsdb_head_series{cluster_id=\"%s\"}[6h])", clusterName)
+	val, _, err := api.Query(queryContext, query, time.Now())
 	cancel()
 	if err != nil {
 		return 0, err

pkg/monitoring/prometheusagent/config.go

@@ -0,0 +1,119 @@
+package prometheusagent
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+
+	"github.com/giantswarm/observability-operator/pkg/common"
+	"github.com/giantswarm/observability-operator/pkg/monitoring"
+	"github.com/giantswarm/observability-operator/pkg/monitoring/mimir/querier"
+	"github.com/giantswarm/observability-operator/pkg/monitoring/prometheusagent/shards"
+)
+
+func (pas PrometheusAgentService) buildRemoteWriteConfig(ctx context.Context,
+	cluster *clusterv1.Cluster, logger logr.Logger, currentShards int) (*corev1.ConfigMap, error) {
+
+	organization, err := pas.OrganizationRepository.Read(ctx, cluster)
+	if err != nil {
+		logger.Error(err, "failed to get cluster organization")
+		return nil, errors.WithStack(err)
+	}
+
+	provider, err := common.GetClusterProvider(cluster)
+	if err != nil {
+		logger.Error(err, "failed to get cluster provider")
+		return nil, errors.WithStack(err)
+	}
+
+	clusterType := "workload_cluster"
+	if val, ok := cluster.Labels["cluster.x-k8s.io/cluster-name"]; ok && val == pas.ManagementCluster.Name {
+		clusterType = "management_cluster"
+	}
+
+	externalLabels := map[string]string{
+		"cluster_id":       cluster.Name,
+		"cluster_type":     clusterType,
+		"customer":         pas.ManagementCluster.Customer,
+		"installation":     pas.ManagementCluster.Name,
+		"organization":     organization,
+		"pipeline":         pas.ManagementCluster.Pipeline,
+		"provider":         provider,
+		"region":           pas.ManagementCluster.Region,
+		"service_priority": getServicePriority(cluster),
+	}
+
+	shards, err := getShardsCountForCluster(ctx, cluster, currentShards)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	config, err := yaml.Marshal(RemoteWriteConfig{
+		PrometheusAgentConfig: PrometheusAgentConfig{
+			ExternalLabels: externalLabels,
+			Image: PrometheusAgentImage{
+				Tag: pas.PrometheusVersion,
+			},
+			Shards:  shards,
+			Version: pas.PrometheusVersion,
+		},
+	})
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getPrometheusAgentRemoteWriteConfigName(cluster),
+			Namespace: cluster.Namespace,
+			Finalizers: []string{
+				monitoring.MonitoringFinalizer,
+			},
+		},
+		Data: map[string]string{
+			"values": string(config),
+		},
+	}, nil
+}
+
+func getPrometheusAgentRemoteWriteConfigName(cluster *clusterv1.Cluster) string {
+	return fmt.Sprintf("%s-remote-write-config", cluster.Name)
+}
+
+func getServicePriority(cluster *clusterv1.Cluster) string {
+	if servicePriority, ok := cluster.GetLabels()[servicePriorityLabel]; ok && servicePriority != "" {
+		return servicePriority
+	}
+	return defaultServicePriority
+}
+
+// We want to compute the number of shards based on the number of nodes.
+func getShardsCountForCluster(ctx context.Context, cluster *clusterv1.Cluster, currentShardCount int) (int, error) {
+	headSeries, err := querier.QueryTSDBHeadSeries(ctx, cluster.Name)
+	if err != nil {
+		// Verify that Prometheus is accessible. If not, return the default number of shards.
+		var dnsError *net.DNSError
+		if errors.As(err, &dnsError) {
+			return shards.ComputeShards(currentShardCount, defaultShards), nil
+		}
+		return 0, errors.WithStack(err)
+	}
+	return shards.ComputeShards(currentShardCount, headSeries), nil
+}
+
+func readCurrentShardsFromConfig(configMap corev1.ConfigMap) (int, error) {
+	remoteWriteConfig := RemoteWriteConfig{}
+	err := yaml.Unmarshal([]byte(configMap.Data["values"]), &remoteWriteConfig)
+	if err != nil {
+		return 0, errors.WithStack(err)
+	}
+
+	return remoteWriteConfig.PrometheusAgentConfig.Shards, nil
+}