rhobs
diff --git a/‎README.md‎
Lines changed: 20 additions & 0 deletions b/‎README.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎api/probes/v1/http.go‎
Lines changed: 185 additions & 0 deletions b/‎api/probes/v1/http.go‎
Lines changed: 185 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 95 additions & 3 deletions b/‎main.go‎
Lines changed: 95 additions & 3 deletions
diff --git a/‎test/config/rbac.yaml‎
Lines changed: 15 additions & 0 deletions b/‎test/config/rbac.yaml‎
Lines changed: 15 additions & 0 deletions
@@ -151,6 +151,26 @@ Usage of ./observatorium-api:
     	The gRPC Server Address against which to run rate limit checks when the rate limits are specified for a given tenant. If not specified, local, non-shared rate limiting will be used. Has precedence over other rate limiter options.
   -middleware.rate-limiter.type string
     	The type of rate limiter to use when not using a gRPC rate limiter. Options: 'local' (default), 'redis' (leaky bucket algorithm). (default "local")
+  -probes.dial-timeout duration
+    	The timeout for establishing connections to the probes upstream. (default 30s)
+  -probes.endpoint string
+    	The endpoint against which to make HTTP requests for probes.
+  -probes.keep-alive-timeout duration
+    	The keep-alive timeout for connections to the probes upstream. (default 30s)
+  -probes.tenant-header string
+    	The name of the HTTP header containing the tenant ID to forward to the probes upstream. (default "X-Tenant")
+  -probes.tls-handshake-timeout duration
+    	The TLS handshake timeout for connections to the probes upstream. (default 10s)
+  -probes.tls.ca-file string
+    	File containing the TLS CA against which to upstream probes servers. Leave blank to disable TLS.
+  -probes.tls.cert-file string
+    	File containing the TLS client certificates to authenticate against upstream probes servers. Leave blank to disable mTLS.
+  -probes.tls.key-file string
+    	File containing the TLS client key to authenticate against upstream probes servers. Leave blank to disable mTLS.
+  -probes.tls.watch-certs
+    	Watch for certificate changes and reload
+  -probes.write-timeout duration
+    	The HTTP write timeout for proxied requests to the probes endpoint. Defaults to the server's write timeout. (default 12m0s)
   -rbac.config string
     	Path to the RBAC configuration file. (default "rbac.yaml")
   -server.read-header-timeout duration
 
@@ -0,0 +1,185 @@
+package v1
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+	"github.com/observatorium/api/authentication"
+	"github.com/observatorium/api/tls"
+)
+
+type handlerOptions struct {
+	logger              log.Logger
+	tenantHeader        string
+	tlsOptions          *tls.UpstreamOptions
+	dialTimeout         time.Duration
+	keepAliveTimeout    time.Duration
+	tlsHandshakeTimeout time.Duration
+	readMiddlewares     []func(http.Handler) http.Handler
+	writeMiddlewares    []func(http.Handler) http.Handler
+}
+
+// HandlerOption is a function that configures the handler.
+type HandlerOption func(*handlerOptions)
+
+// WithLogger sets the logger for the handler.
+func WithLogger(l log.Logger) HandlerOption {
+	return func(o *handlerOptions) {
+		o.logger = l
+	}
+}
+
+// WithTenantHeader sets the tenant header for the handler.
+func WithTenantHeader(h string) HandlerOption {
+	return func(o *handlerOptions) {
+		o.tenantHeader = h
+	}
+}
+
+// WithUpstreamTLSOptions sets the upstream TLS options for the handler.
+func WithUpstreamTLSOptions(opts *tls.UpstreamOptions) HandlerOption {
+	return func(o *handlerOptions) {
+		o.tlsOptions = opts
+	}
+}
+
+// WithDialTimeout sets the dial timeout for upstream connections.
+func WithDialTimeout(timeout time.Duration) HandlerOption {
+	return func(o *handlerOptions) {
+		o.dialTimeout = timeout
+	}
+}
+
+// WithKeepAliveTimeout sets the keep-alive timeout for upstream connections.
+func WithKeepAliveTimeout(timeout time.Duration) HandlerOption {
+	return func(o *handlerOptions) {
+		o.keepAliveTimeout = timeout
+	}
+}
+
+// WithTLSHandshakeTimeout sets the TLS handshake timeout for upstream connections.
+func WithTLSHandshakeTimeout(timeout time.Duration) HandlerOption {
+	return func(o *handlerOptions) {
+		o.tlsHandshakeTimeout = timeout
+	}
+}
+
+// WithReadMiddleware adds a middleware for read operations.
+func WithReadMiddleware(m func(http.Handler) http.Handler) HandlerOption {
+	return func(o *handlerOptions) {
+		o.readMiddlewares = append(o.readMiddlewares, m)
+	}
+}
+
+// WithWriteMiddleware adds a middleware for write operations.
+func WithWriteMiddleware(m func(http.Handler) http.Handler) HandlerOption {
+	return func(o *handlerOptions) {
+		o.writeMiddlewares = append(o.writeMiddlewares, m)
+	}
+}
+
+// NewHandler creates a new handler for the probes API.
+func NewHandler(downstream *url.URL, opts ...HandlerOption) (http.Handler, error) {
+	options := &handlerOptions{
+		logger:              log.NewNopLogger(),
+		dialTimeout:         30 * time.Second,
+		keepAliveTimeout:    30 * time.Second,
+		tlsHandshakeTimeout: 10 * time.Second,
+	}
+	for _, o := range opts {
+		o(options)
+	}
+
+	r := chi.NewRouter()
+	proxy := httputil.NewSingleHostReverseProxy(downstream)
+
+	proxy.Transport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   options.dialTimeout,
+			KeepAlive: options.keepAliveTimeout,
+		}).DialContext,
+		TLSHandshakeTimeout: options.tlsHandshakeTimeout,
+		TLSClientConfig:     options.tlsOptions.NewClientConfig(),
+	}
+
+	if options.tenantHeader != "" {
+		originalDirector := proxy.Director
+		proxy.Director = func(req *http.Request) {
+			originalDirector(req)
+			tenant, ok := authentication.GetTenant(req.Context())
+			if !ok {
+				level.Warn(options.logger).Log("msg", "could not find tenant in request context for proxy")
+				return
+			}
+
+			// Set tenant header
+			req.Header.Set(options.tenantHeader, tenant)
+
+			// Inject tenant label into POST request body.
+			if req.Method == http.MethodPost {
+				if req.Body == nil {
+					return // Nothing to do
+				}
+
+				bodyBytes, err := io.ReadAll(req.Body)
+				if err != nil {
+					level.Error(options.logger).Log("msg", "failed to read request body", "err", err)
+					req.Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) // Restore body
+					return
+				}
+				// Restore body since it's been consumed
+				req.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+
+				var payload map[string]interface{}
+				if err := json.Unmarshal(bodyBytes, &payload); err != nil {
+					level.Warn(options.logger).Log("msg", "failed to unmarshal JSON body, forwarding unmodified", "err", err)
+					return
+				}
+
+				labels, ok := payload["labels"].(map[string]interface{})
+				if !ok {
+					labels = make(map[string]interface{})
+				}
+
+				labels["tenant"] = tenant
+				payload["labels"] = labels
+
+				newBodyBytes, err := json.Marshal(payload)
+				if err != nil {
+					level.Error(options.logger).Log("msg", "failed to marshal modified JSON body, forwarding unmodified", "err", err)
+					return
+				}
+
+				req.Body = io.NopCloser(bytes.NewBuffer(newBodyBytes))
+				req.ContentLength = int64(len(newBodyBytes))
+				req.Header.Set("Content-Length", fmt.Sprint(len(newBodyBytes)))
+			}
+		}
+	}
+	proxyHandler := http.HandlerFunc(proxy.ServeHTTP)
+
+	r.Group(func(r chi.Router) {
+		r.Use(options.readMiddlewares...)
+		r.Get("/*", proxyHandler)
+	})
+
+	r.Group(func(r chi.Router) {
+		r.Use(options.writeMiddlewares...)
+		r.Post("/*", proxyHandler)
+		r.Patch("/*", proxyHandler)
+		r.Delete("/*", proxyHandler)
+	})
+
+	return r, nil
+}
@@ -50,6 +50,7 @@ import (
 	logsv1 "github.com/observatorium/api/api/logs/v1"
 	metricslegacy "github.com/observatorium/api/api/metrics/legacy"
 	metricsv1 "github.com/observatorium/api/api/metrics/v1"
+	probesv1 "github.com/observatorium/api/api/probes/v1"
 	tracesv1 "github.com/observatorium/api/api/traces/v1"
 	"github.com/observatorium/api/authentication"
 	"github.com/observatorium/api/authorization"
@@ -102,6 +103,7 @@ type config struct {
 	metrics         metricsConfig
 	logs            logsConfig
 	traces          tracesConfig
+	probes          probesConfig
 	middleware      middlewareConfig
 	internalTracing internalTracingConfig
 }
@@ -194,6 +196,21 @@ type tracesConfig struct {
 	enableCertWatcher bool
 }
 
+type probesConfig struct {
+	endpoint             *url.URL
+	upstreamWriteTimeout time.Duration
+	dialTimeout          time.Duration
+	keepAliveTimeout     time.Duration
+	tlsHandshakeTimeout  time.Duration
+	upstreamCAFile       string
+	upstreamCertFile     string
+	upstreamKeyFile      string
+	tenantHeader         string
+	// enable probes if endpoint is provided.
+	enabled           bool
+	enableCertWatcher bool
+}
+
 type middlewareConfig struct {
 	grpcRateLimiterAddress            string
 	rateLimiterType                   string
@@ -286,9 +303,9 @@ func main() {
 
 	stdlog.Println(version.Info())
 
-	if !cfg.metrics.enabled && !cfg.logs.enabled && !cfg.traces.enabled {
-		stdlog.Fatal("Neither logging, metrics not traces endpoints are enabled. " +
-			"Specifying at least a logging or a metrics endpoint is mandatory")
+	if !cfg.metrics.enabled && !cfg.logs.enabled && !cfg.traces.enabled && !cfg.probes.enabled {
+		stdlog.Fatal("Neither logging, metrics, traces, nor probes endpoints are enabled. " +
+			"Specifying at least one endpoint is mandatory")
 	}
 
 	logger := logger.NewLogger(cfg.logLevel, cfg.logFormat, cfg.debug.name)
@@ -669,6 +686,51 @@ func main() {
 						metricslegacy.WithUIMiddleware(authorization.WithAuthorizers(authorizers, rbac.Read, "metrics")),
 					))
 
+					// enable probes if endpoint is provided.
+					// Since probes are part of the metrics API, we mount them within the metrics route group.
+					if cfg.probes.enabled {
+						var loadInterval *time.Duration
+						if cfg.probes.enableCertWatcher {
+							loadInterval = &cfg.tls.reloadInterval
+						}
+
+						probesUpstreamClientOptions, err := tls.NewUpstreamOptions(
+							context.Background(),
+							cfg.probes.upstreamCertFile,
+							cfg.probes.upstreamKeyFile,
+							cfg.probes.upstreamCAFile,
+							loadInterval,
+							logger,
+							g,
+						)
+						if err != nil {
+							stdlog.Fatalf("failed to read upstream probes TLS: %v", err)
+						}
+
+						probesHandler, err := probesv1.NewHandler(
+							cfg.probes.endpoint,
+							probesv1.WithLogger(logger),
+							probesv1.WithUpstreamTLSOptions(probesUpstreamClientOptions),
+							probesv1.WithTenantHeader(cfg.probes.tenantHeader),
+							probesv1.WithDialTimeout(cfg.probes.dialTimeout),
+							probesv1.WithKeepAliveTimeout(cfg.probes.keepAliveTimeout),
+							probesv1.WithTLSHandshakeTimeout(cfg.probes.tlsHandshakeTimeout),
+							probesv1.WithReadMiddleware(authentication.WithTenantMiddlewares(pm.Middlewares)),
+							probesv1.WithReadMiddleware(rateLimitMiddleware),
+							probesv1.WithReadMiddleware(authorization.WithAuthorizers(authorizers, rbac.Read, "probes")),
+							probesv1.WithWriteMiddleware(authentication.WithTenantMiddlewares(pm.Middlewares)),
+							probesv1.WithWriteMiddleware(rateLimitMiddleware),
+							probesv1.WithWriteMiddleware(authorization.WithAuthorizers(authorizers, rbac.Write, "probes")),
+						)
+						if err != nil {
+							level.Error(logger).Log("msg", "failed to create probes handler", "err", err)
+						} else {
+							r.Mount("/api/metrics/v1/{tenant}/probes",
+								stripTenantPrefix("/api/metrics/v1", probesHandler),
+							)
+						}
+					}
+
 					const matchParamName = "match[]"
 					r.Mount("/api/metrics/v1/{tenant}", metricsv1.NewHandler(
 						eps,
@@ -1056,6 +1118,7 @@ func parseFlags() (config, error) {
 		rawTracesTempoEndpoint         string
 		rawTracesWriteOTLPGRPCEndpoint string
 		rawTracesWriteOTLPHTTPEndpoint string
+		rawProbesEndpoint              string
 	)
 
 	cfg := config{}
@@ -1167,6 +1230,26 @@ func parseFlags() (config, error) {
 		"The name of the HTTP header containing the tenant ID to forward to upstream OpenTelemetry collector.")
 	flag.BoolVar(&cfg.traces.queryRBAC, "traces.query-rbac", false,
 		"Enables query RBAC. A user will be able to see attributes only from namespaces it has access to. Only the spans with allowed k8s.namespace.name attribute are fully visible.")
+	flag.StringVar(&rawProbesEndpoint, "probes.endpoint", "",
+		"The endpoint against which to make HTTP requests for probes.")
+	flag.DurationVar(&cfg.probes.upstreamWriteTimeout, "probes.write-timeout", writeTimeout,
+		"The HTTP write timeout for proxied requests to the probes endpoint. Defaults to the server's write timeout.")
+	flag.StringVar(&cfg.probes.upstreamCAFile, "probes.tls.ca-file", "",
+		"File containing the TLS CA against which to upstream probes servers. Leave blank to disable TLS.")
+	flag.StringVar(&cfg.probes.upstreamCertFile, "probes.tls.cert-file", "",
+		"File containing the TLS client certificates to authenticate against upstream probes servers. Leave blank to disable mTLS.")
+	flag.StringVar(&cfg.probes.upstreamKeyFile, "probes.tls.key-file", "",
+		"File containing the TLS client key to authenticate against upstream probes servers. Leave blank to disable mTLS.")
+	flag.BoolVar(&cfg.probes.enableCertWatcher, "probes.tls.watch-certs", false,
+		"Watch for certificate changes and reload")
+	flag.StringVar(&cfg.probes.tenantHeader, "probes.tenant-header", "X-Tenant",
+		"The name of the HTTP header containing the tenant ID to forward to the probes upstream.")
+	flag.DurationVar(&cfg.probes.dialTimeout, "probes.dial-timeout", 30*time.Second,
+		"The timeout for establishing connections to the probes upstream.")
+	flag.DurationVar(&cfg.probes.keepAliveTimeout, "probes.keep-alive-timeout", 30*time.Second,
+		"The keep-alive timeout for connections to the probes upstream.")
+	flag.DurationVar(&cfg.probes.tlsHandshakeTimeout, "probes.tls-handshake-timeout", 10*time.Second,
+		"The TLS handshake timeout for connections to the probes upstream.")
 	flag.StringVar(&cfg.tls.serverCertFile, "tls.server.cert-file", "",
 		"File containing the default x509 Certificate for HTTPS. Leave blank to disable TLS.")
 	flag.StringVar(&cfg.tls.serverKeyFile, "tls.server.key-file", "",
@@ -1378,6 +1461,15 @@ func parseFlags() (config, error) {
 		cfg.traces.writeOTLPHTTPEndpoint = tracesOTLPHTTPEndpoint
 	}
 
+	if rawProbesEndpoint != "" {
+		cfg.probes.enabled = true
+		var err error
+		cfg.probes.endpoint, err = url.ParseRequestURI(rawProbesEndpoint)
+		if err != nil {
+			return cfg, fmt.Errorf("failed to parse probes endpoint: %w", err)
+		}
+	}
+
 	if cfg.traces.enabled && cfg.server.grpcListen == "" {
 		return cfg, fmt.Errorf("-traces.write.endpoint is set to %q but -grpc.listen is not set", cfg.traces.writeOTLPGRPCEndpoint)
 	}
 
@@ -4,6 +4,7 @@ roles:
   - metrics
   - logs
   - traces
+  - probes
   tenants:
   - test-oidc
   permissions:
@@ -36,6 +37,14 @@ roles:
   permissions:
   - read
   - write
+- name: read-write-probes
+  resources:
+  - probes
+  tenants:
+  - test-probes
+  permissions:
+  - read
+  - write
 roleBindings:
 - name: test-oidc
   roles:
@@ -56,3 +65,9 @@ roleBindings:
   subjects:
   - name: test
     kind: group
+- name: test-probes
+  roles:
+  - read-write-probes
+  subjects:
+  - name: [email protected]
+    kind: user