diff --git a/pkg/agent/entry.go b/pkg/agent/entry.go
index 08a7e2e..bcc78ad 100644
--- a/pkg/agent/entry.go
+++ b/pkg/agent/entry.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "net"
 "net/http"
- _ "net/http/pprof"
+ _ "net/http/pprof" //nolint: gosec // enable profiler
 "net/url"
 "os"
 "strings"
@@ -55,7 +55,7 @@ func Run(cliContext *cli.Context) {
 }
 cfg.proxyURL = proxyURL
- accessTokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ accessTokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // read token from file
 accessTokenBytes, err := os.ReadFile(accessTokenPath)
 if err != nil {
 log.WithError(err).Panicf("Failed to read token file %q", accessTokenPath)
diff --git a/pkg/agent/http_api_context.go b/pkg/agent/http_api_context.go
index 8b1157f..8ace16f 100644
--- a/pkg/agent/http_api_context.go
+++ b/pkg/agent/http_api_context.go
@@ -17,9 +17,9 @@ import (
 "k8s.io/apimachinery/pkg/util/runtime"
 )
-const (
- apiContextKey = "_apiContext_"
-)
+type apiContextKeyT string
+
+const apiContextKey apiContextKeyT = "_apiContextKey_"
 var (
 badRequestErr = errors.BadRequestf("bad_data")
@@ -115,14 +115,6 @@ func (c *apiContext) responseMetrics(data *promgo.MetricFamily) (err error) {
 return
 }
-func (c *apiContext) proxy() error {
- c.Do(func() {
- c.proxyHandler.ServeHTTP(c.response, c.request)
- })
-
- return nil
-}
-
 func (c *apiContext) proxyWith(request *http.Request) error {
 c.Do(func() {
 c.proxyHandler.ServeHTTP(c.response, request)
@@ -171,8 +163,8 @@ func (f apiContextHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { contentTypeHeaderValue := w.Header().Get("Content-Type") if !strings.Contains(acceptHeaderValue, "application/json") && !strings.EqualFold(contentTypeHeaderValue, "application/json") { - http.Error(w, causeErrMsg, responseCode) + log.WithError(err).Errorf("failed to write %q into http response", causeErrMsg) return }
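Review bot: The `//nolint: gosec` on the `net/http/pprof` import, and the one on `accessTokenPath` in the next hunk, waive a finding without naming it or saying why it is safe. For pprof that matters, because the blank import registers the `/debug/pprof/` handlers on `http.DefaultServeMux`, and nothing in this hunk shows which listener serves that mux or whether it is reachable from outside the pod. I would write the reason out, e.g. `//nolint:gosec // G108: pprof on DefaultServeMux, served only on <listener>` and `//nolint:gosec // G101: this is a file path, not a credential` (rule ids assumed from what gosec normally reports for such lines). `Run` continues outside the second hunk.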
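Review bot: `apiContextKeyT` and the retyped `apiContextKey` have no comment explaining why the key is no longer a plain string. A line such as `// apiContextKeyT is an unexported key type, so no other package can collide with or replace the value stored under apiContextKey.` records the reason; presumably the key is used with `context.WithValue`, which the hunk does not show. The key's value also changes from `_apiContext_` to `_apiContextKey_`, which is harmless only if every read and write goes through the constant.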
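Review bot: The non-JSON error branch of `ServeHTTP` has to keep sending `http.Error(w, causeErrMsg, responseCode)`; as this hunk renders, that call sits on the `-` side and only a log call on the `+` side, which would leave the client with net/http's implicit 200 and an empty body for every handler error. The collapsed rendering cannot distinguish a changed line from a changed blank line followed by context, so the markers may belong to blank lines with both statements kept; check the resulting file. In either reading the text `failed to write %q into http response` does not describe this branch, where no write has been attempted, so a message like `log.WithError(err).Warnf("request failed: %q", causeErrMsg)` would be accurate. `ServeHTTP` starts and ends outside the hunk.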
@@ -186,7 +178,6 @@ func (f apiContextHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 if marshalErr != nil {
 log.WithError(err).Errorf("unable to marshal responseData %#v", responseData)
 http.Error(w, "internal error", http.StatusInternalServerError)
-
 return
 }
diff --git a/pkg/agent/http_hijack.go b/pkg/agent/http_hijack.go
index 1833be3..8cd3e37 100644
--- a/pkg/agent/http_hijack.go
+++ b/pkg/agent/http_hijack.go
@@ -6,7 +6,6 @@ import (
 "net/http"
 "net/url"
 "strconv"
- "strings"
 "time"
 "github.com/caas-team/prometheus-auth/pkg/data"
@@ -23,6 +22,10 @@ import (
 log "github.com/sirupsen/logrus"
 )
+// the global namespace to add to all hijacked queries
+// to allow users to get some global metrics
+const globalNamespace = "caasglobal"
+
 func hijackFederate(apiCtx *apiContext) error {
 // pre check
 queries, err := url.ParseQuery(apiCtx.request.URL.RawQuery)
@@ -43,6 +46,9 @@ func hijackFederate(apiCtx *apiContext) error {
 return apiCtx.responseMetrics(nil)
 }
+ ns := append(apiCtx.namespaceSet.Values(), globalNamespace)
+ apiCtx.namespaceSet = data.NewSet(ns...)
+
 // hijack
 queries.Del("match[]")
 for idx, rawValue := range matchFormValues {
@@ -53,12 +59,6 @@ func hijackFederate(apiCtx *apiContext) error {
 log.Debugf("raw federate[%s - %d] => %s", apiCtx.tag, idx, rawValue)
 hjkValue := modifyExpression(expr, apiCtx.namespaceSet)
-
- // introduce a new label namespace="caasglobal",
- // all metrics with this label will pass the auth gate
- caasNs := "|caasglobal\"}"
- hjkValue = strings.ReplaceAll(hjkValue, "\"}", caasNs)
-
 log.Debugf("hjk federate[%s - %d] => %s", apiCtx.tag, idx, hjkValue)
 queries.Add("match[]", hjkValue)
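Review bot: Overwriting `apiCtx.namespaceSet` in `hijackFederate` makes `caasglobal` part of the caller's authorized namespaces for any code that reads the field afterwards, whereas the string rewrite removed in the following hunk widened only the outgoing `match[]` selectors. Whether anything else reads the field later is not visible here, but keeping the widened set local avoids the question: `nsSet := data.NewSet(append(apiCtx.namespaceSet.Values(), globalNamespace)...)`, then `modifyExpression(expr, nsSet)` in the next hunk. The `append` onto the slice returned by `Values()` is also only safe if `Values()` returns a fresh slice, which the diff does not show. `hijackFederate` continues outside both hunks.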
@@ -446,7 +446,7 @@ func parseDuration(s string) (time.Duration, error) {
 return 0, errors.Errorf("cannot parse %q to a valid duration", s)
 }
-func modifyExpression(originalExpr parser.Expr, namespaceSet data.Set) (modifiedExpr string) {
+func modifyExpression(originalExpr parser.Expr, namespaceSet data.Set) string {
 parser.Inspect(originalExpr, func(node parser.Node, _ []parser.Node) error {
 switch n := node.(type) {
 case *parser.VectorSelector: