wip: connected the thanos-datasource to grafana, need to complete connecting the openshift-userworkload-monitoring as well

2025-10-14 15:53:42 -04:00 · 2025-10-14 15:53:42 -04:00 · 06a0c44c3c
commit 06a0c44c3c
parent 85bec66e58
4 changed files with 165 additions and 74 deletions
--- a/harmony/src/domain/topology/k8s.rs
+++ b/harmony/src/domain/topology/k8s.rs
@ -1,12 +1,20 @@
 use derive_new::new;
 use http::StatusCode;
 use k8s_openapi::{
    ClusterResourceScope, NamespaceResourceScope,
-    api::{apps::v1::Deployment, core::v1::Pod},
+    api::{
        apps::v1::Deployment,
        authentication::v1::{TokenRequest, TokenRequestSpec, TokenRequestStatus},
        core::v1::{Pod, ServiceAccount},
    },
    apimachinery::pkg::version::Info,
 };
 use kube::{
    Client, Config, Discovery, Error, Resource,
-    api::{Api, AttachParams, DeleteParams, ListParams, Patch, PatchParams, ResourceExt},
+    api::{
        Api, AttachParams, DeleteParams, ListParams, ObjectMeta, Patch, PatchParams, PostParams,
        ResourceExt,
    },
    config::{KubeConfigOptions, Kubeconfig},
    core::ErrorResponse,
    runtime::reflector::Lookup,
@ -54,6 +62,11 @@ impl K8sClient {
        })
    }
    pub async fn service_account_api(&self, namespace: &str) -> Api<ServiceAccount> {
        let api: Api<ServiceAccount> = Api::namespaced(self.client.clone(), namespace);
        api
    }
    pub async fn get_apiserver_version(&self) -> Result<Info, Error> {
        let client: Client = self.client.clone();
        let version_info: Info = client.apiserver_version().await?;
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@ -1,8 +1,12 @@
-use std::{collections::BTreeMap, process::Command, sync::Arc};
+use std::{
    collections::{BTreeMap, HashMap},
    process::Command,
    sync::Arc,
 };
 use async_trait::async_trait;
 use k8s_openapi::api::{
-    authentication::v1::{TokenRequest, TokenRequestSpec},
+    authentication::v1::{TokenRequest, TokenRequestSpec, TokenRequestStatus},
    core::v1::{Secret, ServiceAccount},
    rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
 };
@ -150,39 +154,90 @@ impl Grafana for K8sAnywhereTopology {
            match_labels: label.clone(),
            match_expressions: vec![],
        };
-
+        debug!("getting client");
        let client = self.k8s_client().await?;
        let url = format!("{}:9091", self.get_domain("thanos-querier").await.unwrap());
        let sa = self.build_service_account();
        //TODO finish this section 
        //needs apply Api<Secret> or something
        client.apply(&sa, Some(ns)).await?;
        let token_request =self.get_token_request();
        //this wont work needs a new function for apply secret
        client.apply(&token_request, Some(ns)).await?;
        let clusterrolebinding = self.build_cluster_rolebinding();
        client.apply(&clusterrolebinding, Some(ns)).await?;
        let secret = self.build_token_secret();
        client.apply(&secret, Some(ns)).await?;
        let datasource = self.build_grafana_datasource(ns, &label_selector, &url);
        client.apply(&datasource, Some(ns)).await?;
        let dashboard = self.build_grafana_dashboard(ns, &label_selector);
        client.apply(&dashboard, Some(ns)).await?;
        info!("creating grafanas crd");
        let grafana = self.build_grafana(ns, &label);
        client.apply(&grafana, Some(ns)).await?;
        client
            .wait_until_deployment_ready(
                "grafana-grafana-deployment".to_string(),
                Some("grafana"),
                Some(15),
            )
            .await?;
        let sa_name = "grafana-grafana-sa";
        debug!("creating token for sevice account {sa_name}");
        let token = self.create_service_account_token(sa_name, ns).await?;
        debug!("creating secret");
        let secret_name = "grafana-sa-secret";
        let secret = self.build_token_secret(secret_name, &token.token, ns).await;
        client.apply(&secret, Some(ns)).await?;
        debug!("creating grafana clusterrole binding");
        let clusterrolebinding =
            self.build_cluster_rolebinding(sa_name, "cluster-monitoring-view", ns);
        client.apply(&clusterrolebinding, Some(ns)).await?;
        debug!("creating grafana datasource crd");
        let token_str = format!("Bearer {}", token.token);
        let thanos_url = format!(
            "https://{}",
            self.get_domain("thanos-querier-openshift-monitoring")
                .await
                .unwrap()
        );
        let thanos_openshift_datasource = self.build_grafana_datasource(
            "thanos-openshift-monitoring",
            ns,
            &label_selector,
            &thanos_url,
            token_str.clone(),
        );
        client.apply(&thanos_openshift_datasource, Some(ns)).await?;
        //TODO user workload datasource returns 503 -> need to figure out how to correctly add the
        //userworkload thanos-ruler or prometheus-federate to the grafana datasource
        //it may alrady be included in the overall monitoring stack
        let user_thanos_url = format!(
            "https://{}",
            self.get_domain(
                "thanos-ruler-openshift-user-workload-monitoring.apps.ncd0.harmony.mcd"
            )
            .await
            .unwrap()
        );
        let thanos_openshift_userworkload_datasource = self.build_grafana_datasource(
            "thanos-openshift-userworkload-monitoring",
            ns,
            &label_selector,
            &user_thanos_url,
            token_str.clone(),
        );
        client
            .apply(&thanos_openshift_userworkload_datasource, Some(ns))
            .await?;
        debug!("creating grafana dashboard crd");
        let dashboard = self.build_grafana_dashboard(ns, &label_selector);
        client.apply(&dashboard, Some(ns)).await?;
        debug!("creating grafana ingress");
        let grafana_ingress = self.build_grafana_ingress(ns).await;
        grafana_ingress
@ -368,31 +423,36 @@ impl K8sAnywhereTopology {
    pub fn build_cluster_rolebinding(
        &self,
        service_account_name: &str,
        clusterrole_name: &str,
        ns: &str,
        account_name: &str,
        role: &str,
    ) -> ClusterRoleBinding {
        ClusterRoleBinding {
            metadata: ObjectMeta {
-                name: Some(format!("{}-view-binding", account_name)),
+                name: Some(format!("{}-view-binding", service_account_name)),
                ..Default::default()
            },
            role_ref: RoleRef {
                api_group: "rbac.authorization.k8s.io".into(),
                kind: "ClusterRole".into(),
-                name: role.into(),
+                name: clusterrole_name.into(),
            },
            subjects: Some(vec![Subject {
                kind: "ServiceAccount".into(),
-                name: account_name.into(),
+                name: service_account_name.into(),
                namespace: Some(ns.into()),
                ..Default::default()
            }]),
        }
    }
-    pub fn get_token_request(&self) -> TokenRequest {
+    pub fn get_token_request(&self, ns: &str) -> TokenRequest {
        debug!("building token request");
        TokenRequest {
            metadata: ObjectMeta {
                namespace: Some(ns.to_string()),
                ..Default::default()
            },
            spec: TokenRequestSpec {
                audiences: vec!["https://kubernetes.default.svc".to_string()],
                expiration_seconds: Some(3600),
@ -402,15 +462,39 @@ impl K8sAnywhereTopology {
        }
    }
-    pub fn build_token_secret(&self, token: &str, ns: &str) -> Secret {
+    pub async fn create_service_account_token(
        &self,
        service_account_name: &str,
        ns: &str,
    ) -> Result<TokenRequestStatus, PreparationError> {
        debug!("creating service account token");
        let token_request = self.get_token_request(ns);
        let client = self.k8s_client().await?;
        let pp = PostParams::default();
        let token_requests_api = client.service_account_api(ns).await;
        let data = serde_json::to_vec(&token_request).unwrap();
        let created_token_request = token_requests_api
            .create_subresource::<TokenRequest>("token", service_account_name, &pp, data)
            .await?;
        let status = created_token_request
            .status
            .ok_or_else(|| PreparationError::new("missing token request status".to_string()))?;
        Ok(status)
    }
    pub async fn build_token_secret(&self, secret_name: &str, token: &str, ns: &str) -> Secret {
        Secret {
            metadata: ObjectMeta {
-                name: Some("grafana-credentials".into()),
+                name: Some(secret_name.into()),
                namespace: Some(ns.into()),
                ..Default::default()
            },
            string_data: Some(std::collections::BTreeMap::from([(
-                "PROMETHEUS_TOKEN".into(),
+                secret_name.into(),
                format!("Bearer {}", token),
            )])),
            ..Default::default()
@ -419,39 +503,18 @@ impl K8sAnywhereTopology {
    fn build_grafana_datasource(
        &self,
        name: &str,
        ns: &str,
        label_selector: &LabelSelector,
        url: &str,
        token: String,
    ) -> GrafanaDatasource {
        let mut json_data = BTreeMap::new();
        json_data.insert("timeInterval".to_string(), "5s".to_string());
        //
        // let graf_data_source = GrafanaDatasource {
        //     metadata: ObjectMeta {
        //         name: Some(format!("grafana-datasource-{}", ns)),
        //         namespace: Some(ns.to_string()),
        //         ..Default::default()
        //     },
        //     spec: GrafanaDatasourceSpec {
        //         instance_selector: label_selector.clone(),
        //         allow_cross_namespace_import: Some(false),
        //         datasource: GrafanaDatasourceConfig {
        //             access: "proxy".to_string(),
        //             database: Some("prometheus".to_string()),
        //             json_data: Some(json_data),
        //             //this is fragile
        //             name: format!("prometheus-{}-0", ns),
        //             r#type: "prometheus".to_string(),
        //             url: url.to_string(),
        //             //url: format!("http://prometheus-operated.{}.svc.cluster.local:9090", ns),
        //         },
        //     },
        // };
        // graf_data_source
        GrafanaDatasource {
            metadata: ObjectMeta {
-                name: Some("thanos-prometheus".to_string()),
+                name: Some(name.to_string()),
                namespace: Some(ns.to_string()),
                ..Default::default()
            },
@ -460,20 +523,21 @@ impl K8sAnywhereTopology {
                allow_cross_namespace_import: Some(true),
                datasource: GrafanaDatasourceConfig {
                    access: "proxy".to_string(),
-                    name: "OpenShift-Thanos".to_string(),
+                    name: name.to_string(),
                    r#type: "prometheus".to_string(),
                    url: url.to_string(),
                    database: None,
                    json_data: Some(GrafanaDatasourceJsonData {
                        time_interval: Some("60s".to_string()),
                        http_header_name1: Some("Authorization".to_string()),
                        tls_skip_verify: Some(true),
                        oauth_pass_thru: Some(true),
                    }),
                    secure_json_data: Some(GrafanaDatasourceSecureJsonData {
-                        http_header_value1: Some("Bearer eyJhbGc...".to_string()),
+                        http_header_value1: Some(token),
                    }),
                    is_default: Some(false),
                    editable: Some(true),
                    version: Some(1),
                },
            },
        }
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
@ -132,6 +132,7 @@ pub struct GrafanaDatasourceSpec {
 #[serde(rename_all = "camelCase")]
 pub struct GrafanaDatasourceConfig {
    pub access: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub database: Option<String>,
    pub name: String,
    pub r#type: String,
@ -149,9 +150,6 @@ pub struct GrafanaDatasourceConfig {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub editable: Option<bool>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<i32>,
 }
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
@ -162,6 +160,14 @@ pub struct GrafanaDatasourceJsonData {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub http_header_name1: Option<String>,
    /// Disable TLS skip verification (false = verify)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tls_skip_verify: Option<bool>,
    /// Auth type - set to "forward" for OpenShift OAuth identity
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub oauth_pass_thru: Option<bool>,
 }
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@ -12,7 +12,7 @@ use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::C
 use crate::modules::monitoring::kube_prometheus::crd::crd_default_rules::build_default_application_rules;
 use crate::modules::monitoring::kube_prometheus::crd::crd_grafana::{
    Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig,
-    GrafanaDatasourceSpec, GrafanaSpec,
+    GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSpec,
 };
 use crate::modules::monitoring::kube_prometheus::crd::crd_prometheus_rules::{
    PrometheusRule, PrometheusRuleSpec, RuleGroup,
@ -466,10 +466,15 @@ impl K8sPrometheusCRDAlertingInterpret {
            match_labels: label.clone(),
            match_expressions: vec![],
        };
-        let mut json_data = BTreeMap::new();
+        // let mut json_data = BTreeMap::new();
-        json_data.insert("timeInterval".to_string(), "5s".to_string());
+        // json_data.insert("timeInterval".to_string(), "5s".to_string());
        let namespace = self.sender.namespace.clone();
-
+        let json_data = GrafanaDatasourceJsonData {
            time_interval: Some("5s".to_string()),
            http_header_name1: None,
            tls_skip_verify: Some(true),
            oauth_pass_thru: Some(true),
        };
        let json = build_default_dashboard(&namespace);
        let graf_data_source = GrafanaDatasource {
@ -495,6 +500,9 @@ impl K8sPrometheusCRDAlertingInterpret {
                        "http://prometheus-operated.{}.svc.cluster.local:9090",
                        self.sender.namespace.clone()
                    ),
                    secure_json_data: None,
                    is_default: None,
                    editable: None,
                },
            },
        };