upstream pr tweaks

Signed-off-by: Tyler Horvath <[email protected]>

Author: ts-mini

templates/ingress-distributor.yaml

@@ -0,0 +1,43 @@
+{{- $root := . -}}
+{{- if .Values.distributor.ingresses.enabled -}}
+{{- $svcPort := .Values.distributor.service.port -}}
+{{- range .Values.distributor.ingresses.scopeIDs }}
+{{- $rootScope := . -}}
+{{- if semverCompare ">=1.14-0" $root.Capabilities.KubeVersion.GitVersion -}}
+---
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ template "cortex.fullname" $root }}-{{ .scopeName }}
+  labels:
+    app: {{ template "cortex.name" $root }}
+    chart: {{ template "cortex.chart" $root }}
+    release: {{ $root.Release.Name }}
+    heritage: {{ $root.Release.Service }}
+  {{- with .annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Org-ScopeID {{ $rootScope.scopeID }};
+  {{- end }}
+spec:
+{{- if .tls }}
+  tls:
+    - hosts:
+        - {{ .tls.host | quote }}
+      secretName: {{ .tls.secretName }}
+{{- end }}
+  rules:
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          - path: /api/prom/push
+            backend:
+              serviceName: {{ template "cortex.fullname" $root }}
+              servicePort: {{ $svcPort }}
+---
+{{- end }}
+{{- end }}

templates/nginx-config.yaml

@@ -20,23 +20,31 @@ data:
       worker_connections  4096;  ## Default: 1024
     }
 
+
     http {
       default_type application/octet-stream;
       log_format   main '$remote_addr - $remote_user [$time_local]  $status '
         '"$request" $body_bytes_sent "$http_referer" '
-        '"$http_user_agent" "$http_x_forwarded_for"';
+        '"$http_user_agent" "$http_x_forwarded_for" $http_x_scope_orgid';
       access_log   /dev/stderr  main;
       sendfile     on;
       tcp_nopush   on;
       resolver {{ default "kube-dns.kube-system.svc.cluster.local" .Values.nginx.config.dnsResolver }};
-
+{{- if .Values.config.auth_enabled }}
+      map $http_x_org_scopeid $scopeid {
+            default   $http_x_org_scopeid;
+            ""        "{{ .Values.auth.defaultScope }}";
+      }
+{{- end }}
       server { # simple reverse-proxy
         listen {{ .Values.nginx.http_listen_port }};
-        #proxy_set_header X-Scope-OrgID 0;
+{{- if .Values.config.auth_enabled }}
+        proxy_set_header X-Scope-OrgID $scopeid;
+{{- end }}
         proxy_connect_timeout 300s;
         proxy_send_timeout 300s;
         proxy_read_timeout 300s;
-        
+
         location = /healthz {
           return 200 'alive';
         }
@@ -48,13 +56,46 @@ data:
         location = /ring {
           proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
         }
+
         location = /all_user_stats {
           proxy_pass      http://{{ template "cortex.fullname" . }}-distributor.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
         }
 
         location ~ /api/prom/.* {
           proxy_pass      http://{{ template "cortex.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
         }
+
+        # Alertmanager Config
+        location ~ /api/v1/alerts {
+          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
+        }
+
+        location ~ /multitenant_alertmanager/status {
+          proxy_pass      http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
+        }
+
+{{- $root := . }}
+{{- range .Values.alertmanager.ui.scopeIDs }}
+{{ $rootScope := . }}
+        location = /alerts/{{ $rootScope.scopeName }} {
+          proxy_set_header X-Scope-OrgID {{ $rootScope.scopeID }};
+          proxy_pass      http://{{ template "cortex.fullname" $root }}-alertmanager.{{ $root.Release.Namespace }}.svc.cluster.local/api/prom/alertmanager/;
+        }
+
+        location ~ /alerts/{{ $rootScope.scopeName }}/(.*) {
+          proxy_set_header X-Scope-OrgID {{ $rootScope.scopeID }};
+          proxy_pass      http://{{ template "cortex.fullname" $root }}-alertmanager.{{ $root.Release.Namespace }}.svc.cluster.local/api/prom/alertmanager/$1;
+        }
+{{- end }}
+
+        # Ruler Config
+        location ~ /api/v1/rules {
+          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
+        }
+
+        location ~ /ruler/ring {
+          proxy_pass      http://{{ template "cortex.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.cluster.local$request_uri;
+        }
       }
     }
-{{- end}}
+{{- end }}

templates/ruler-dep.yaml

@@ -60,7 +60,8 @@ spec:
             - "-target=ruler"
             - "-config.file=/etc/cortex/cortex.yaml"
             - "-ruler.configs.url=http://{{ template "cortex.fullname" . }}-configs.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.config.server.http_listen_port }}"
-            - "-ruler.alertmanager-url=http://{{ template "cortex.fullname" . }}-alertmanager.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.config.server.http_listen_port }}/api/prom/alertmanager/"
+            - "-ruler.alertmanager-discovery=true"
+            - "-ruler.alertmanager-url=http://_http-metrics._tcp.{{ template "cortex.name" . }}-alertmanager-headless/api/prom/alertmanager/"
             {{- if .Values.memcached.enabled }}
             - -store.chunks-cache.memcached.addresses=dns+{{ template "cortex.fullname" . }}-memcached.{{ .Release.Namespace }}.svc.cluster.local:11211
             - -store.chunks-cache.memcached.timeout=100ms

values.yaml

@@ -36,6 +36,11 @@ serviceAccount:
 useExternalConfig: false
 externalConfigSecretName: 'secret-with-config.yaml'
 externalConfigVersion: '0'
+
+auth:
+  # Make sure you enabled config.auth_enabled if you want to use auth
+  defaultScope: "defaultScope"
+
 config:
   auth_enabled: false
   ingester:
@@ -155,6 +160,12 @@ rbac:
 
 alertmanager:
   replicas: 1
+  ui:
+    # If nginx is enabled, this will create a path at your ingress
+    # at hostname/alerts/scopeName - allowing you to visit the alertmanager UI per scopeID
+    scopeIDs:
+      - scopeName: default
+        scopeID: "defaultScope"
 
   statefulSet:
     ## If true, use a statefulset instead of a deployment for pod management.
@@ -312,6 +323,24 @@ alertmanager:
 
 distributor:
   replicas: 2
+  ingresses:
+    ## If true - can be used to make an ingress per scopeID.  It still forwards to the nginx
+    # service, but its meant to allow seperate ingress routes (and subsequently annotations)
+    # for different auth/scope ids - allowing distinct things like basic auth to be configured per
+    # client
+    enabled: false
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+    scopeIDs:
+      - scopeID: someScopeID
+        host: someScopeID.chart-example.local
+        paths:
+          - /api/prom/push
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local
 
   service:
     annotations: {}