MINOR: prometheus access outside pod

Author: ivanmatmati

pkg/annotations/cfgSnippet.go

@@ -188,7 +188,7 @@ func (a *CfgSnippet) Process(k store.K8s, annotations ...map[string]string) erro
 				processConfigSnippet(a.backend, origin, data)
 			}
 		} else {
-			if a.service != nil && anns[0] != "" {
+			if a.service != nil && a.service.Name != "" && !a.service.Faked && anns[0] != "" {
 				origin := a.service.Namespace + "/" + a.service.Name
 				comment := COMMMENT_SERVICE_PREFIX + a.backend + "/" + origin + COMMENT_ENDING
 				data := strings.Split(strings.Trim(anns[0], "\n"), "\n")

pkg/controller/builder.go

@@ -29,6 +29,7 @@ import (
 
 	"github.com/haproxytech/kubernetes-ingress/pkg/annotations"
 	gateway "github.com/haproxytech/kubernetes-ingress/pkg/gateways"
+	"github.com/haproxytech/kubernetes-ingress/pkg/handler"
 	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy"
 	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/api"
 	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/env"
@@ -198,7 +199,7 @@ func addControllerMetricData(builder *Builder, chShutdown chan struct{}) {
 		runningServices += " pprof"
 	}
 	if builder.osArgs.PrometheusEnabled {
-		rtr.GET("/metrics", fasthttpadaptor.NewFastHTTPHandler(promhttp.Handler()))
+		rtr.GET(handler.PROMETHEUS_URL_PATH, fasthttpadaptor.NewFastHTTPHandler(promhttp.Handler()))
 		runningServices += ", prometheus"
 	}
 	rtr.GET("/healtz", requestHandler)

pkg/controller/handler.go

@@ -56,7 +56,12 @@ func (c *HAProxyController) initHandlers() {
 
 	defer func() { c.updateHandlers = append(c.updateHandlers, handler.Refresh{}) }()
 
-	c.beforeUpdateHandlers = []UpdateHandler{}
+	c.beforeUpdateHandlers = []UpdateHandler{
+		handler.PrometheusEndpoint{
+			EventChan: c.eventChan,
+			PodNs:     c.podNamespace,
+		},
+	}
 	// Need to be before Refresh. If after, maps are refreshed without pprof content
 	if c.osArgs.PprofEnabled {
 		c.beforeUpdateHandlers = append(c.beforeUpdateHandlers, handler.Pprof{})

pkg/handler/prometheus.go

@@ -0,0 +1,130 @@
+package handler
+
+import (
+	"strings"
+
+	"github.com/haproxytech/kubernetes-ingress/pkg/annotations"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/instance"
+	"github.com/haproxytech/kubernetes-ingress/pkg/k8s"
+	"github.com/haproxytech/kubernetes-ingress/pkg/store"
+)
+
+type PrometheusEndpoint struct {
+	EventChan chan k8s.SyncDataEvent
+	PodNs     string
+}
+
+//nolint:golint, stylecheck
+const (
+	PROMETHEUS_BACKEND_NAME = "haproxy-controller_prometheus_http"
+	PROMETHEUS_URL_PATH     = "/metrics"
+)
+
+func (handler PrometheusEndpoint) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annotations) (err error) {
+	if handler.PodNs == "" {
+		return
+	}
+
+	status := store.EMPTY
+	var secret *store.Secret
+	_, errBackend := h.BackendGet(PROMETHEUS_BACKEND_NAME)
+	backendExists := errBackend == nil
+
+	annSecret := annotations.String("prometheus-endpoint-auth-secret", k.ConfigMaps.Main.Annotations)
+	var secretExists, secretChanged, userListChanged bool
+	userListExists, _ := h.UserListExistsByGroup("haproxy-controller-prometheus")
+
+	// Does the secret exist in store ? ...
+	if annSecret != "" {
+		secretFQN := strings.Split(annSecret, "/")
+		if len(secretFQN) == 2 {
+			ns := k.Namespaces[secretFQN[0]]
+			if ns != nil {
+				secret = ns.Secret[secretFQN[1]]
+				secretExists = secret != nil && secret.Status != store.DELETED
+				secretChanged = secret.Status == store.MODIFIED
+			}
+		}
+		userListChanged = secretChanged || !userListExists
+	} else {
+		userListChanged = userListExists
+	}
+
+	if !backendExists {
+		status = store.ADDED
+	}
+
+	if !userListChanged && status == store.EMPTY && (!secretExists || (secretExists && secret.Status == store.EMPTY)) {
+		return
+	}
+
+	prometheusSvcName := "prometheus"
+	svc := &store.Service{
+		Namespace:   handler.PodNs,
+		Name:        prometheusSvcName,
+		Status:      status,
+		Annotations: k.ConfigMaps.Main.Annotations,
+		Ports: []store.ServicePort{
+			{
+				Name:     "http",
+				Protocol: "http",
+				Port:     8765,
+				Status:   status,
+			},
+		},
+		Faked: true,
+	}
+	endpoints := &store.Endpoints{
+		Namespace: handler.PodNs,
+		Service:   prometheusSvcName,
+		SliceName: prometheusSvcName,
+		Status:    status,
+		Ports: map[string]*store.PortEndpoints{
+			"http": {
+				Port:      int64(h.Env.ControllerPort),
+				Addresses: map[string]struct{}{"127.0.0.1": {}},
+			},
+		},
+	}
+
+	if status != store.EMPTY {
+		k.EventService(k.GetNamespace(svc.Namespace), svc)
+		k.EventEndpoints(k.GetNamespace(endpoints.Namespace), endpoints, func(*store.RuntimeBackend, bool) error { return nil })
+	}
+
+	ing := &store.Ingress{
+		Status: status,
+		Faked:  true,
+		IngressCore: store.IngressCore{
+			Namespace: handler.PodNs,
+			Name:      "prometheus",
+			Rules: map[string]*store.IngressRule{"": {
+				Paths: map[string]*store.IngressPath{
+					PROMETHEUS_URL_PATH: {
+						SvcNamespace:  svc.Namespace,
+						SvcName:       svc.Name,
+						Path:          PROMETHEUS_URL_PATH,
+						SvcPortString: "http",
+						PathTypeMatch: store.PATH_TYPE_IMPLEMENTATION_SPECIFIC,
+					},
+				},
+			}},
+		},
+	}
+
+	if secretExists {
+		ing.Annotations = map[string]string{
+			"auth-type":   "basic-auth",
+			"auth-secret": annSecret,
+		}
+	}
+
+	if userListChanged || status != store.EMPTY || secretExists && secret.Status != store.EMPTY {
+		k.EventIngress(k.GetNamespace(ing.Namespace), ing)
+	}
+
+	instance.ReloadIf(status != store.EMPTY, "creation/modification of prometheus endpoint")
+
+	return nil
+}

pkg/ingress/ingress.go

@@ -49,6 +49,10 @@ func New(k store.K8s, resource *store.Ingress, class string, emptyClass bool, a
 // ingress.class annotation should have precedence over the IngressClass mechanism implemented
 // in "networking.k8s.io".
 func (i Ingress) Supported(k8s store.K8s, a annotations.Annotations) (supported bool) {
+	if i.resource != nil && i.resource.Faked {
+		return true
+	}
+
 	var igClassAnn, igClassSpec string
 	igClassAnn = a.String("ingress.class", i.resource.Annotations)
 	if igClassResource := k8s.IngressClasses[i.resource.Class]; igClassResource != nil {

pkg/store/types.go

@@ -71,6 +71,7 @@ type Service struct {
 	Status      Status
 	Ports       []ServicePort
 	Addresses   []string // Used only for publish-service
+	Faked       bool
 }
 
 // RuntimeBackend holds the runtime state of an HAProxy backend
@@ -139,6 +140,7 @@ type Ingress struct {
 	Addresses    []string
 	Ignored      bool // true if resource ignored because of non matching Controller Class
 	ClassUpdated bool
+	Faked        bool
 }
 
 // IngressTLS describes the transport layer security associated with an Ingress.