35 changes: 13 additions & 22 deletions config/v1alpha1/types_cluster_monitoring.go
Expand Up @@ -1552,7 +1552,7 @@ type RemoteWriteSpec struct {
Name string `json:"name,omitempty"`
// authorization defines the authorization method for the remote write endpoint.
// When omitted, no authorization is performed.
// When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
// When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
// +optional
AuthorizationConfig RemoteWriteAuthorization `json:"authorization,omitzero"`
// headers specifies the custom HTTP headers to be sent along with each remote write request.
Expand Down Expand Up @@ -1654,62 +1654,53 @@ type BasicAuth struct {
}

// RemoteWriteAuthorizationType defines the authorization method for remote write endpoints.
// +kubebuilder:validation:Enum=BearerToken;BasicAuth;OAuth2;SigV4;SafeAuthorization;ServiceAccount
// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount
type RemoteWriteAuthorizationType string

const (
// RemoteWriteAuthorizationTypeBearerToken indicates bearer token from a secret.
RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken"
// RemoteWriteAuthorizationTypeAuthorization indicates authorization credentials from a secret.
// The secret key contains the credentials (e.g. a Bearer token). Use the credentials field.
RemoteWriteAuthorizationTypeAuthorization RemoteWriteAuthorizationType = "Authorization"
// RemoteWriteAuthorizationTypeBasicAuth indicates HTTP basic authentication.
RemoteWriteAuthorizationTypeBasicAuth RemoteWriteAuthorizationType = "BasicAuth"
// RemoteWriteAuthorizationTypeOAuth2 indicates OAuth2 client credentials.
RemoteWriteAuthorizationTypeOAuth2 RemoteWriteAuthorizationType = "OAuth2"
// RemoteWriteAuthorizationTypeSigV4 indicates AWS Signature Version 4.
RemoteWriteAuthorizationTypeSigV4 RemoteWriteAuthorizationType = "SigV4"
// RemoteWriteAuthorizationTypeSafeAuthorization indicates authorization from a secret (Prometheus SafeAuthorization pattern).
// The secret key contains the credentials (e.g. a Bearer token). Use the safeAuthorization field.
RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization"
Comment on lines -1661 to -1671

The removed constants need to be tombstoned so we do not add these options back as valid options in the future.

// RemoteWriteAuthorizationTypeServiceAccount indicates use of the pod's service account token for machine identity.
// No additional field is required; the operator configures the token path.
RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount"
)

// RemoteWriteAuthorization defines the authorization method for a remote write endpoint.
// Exactly one of the nested configs must be set according to the type discriminator.
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BearerToken' ? has(self.bearerToken) : !has(self.bearerToken)",message="bearerToken is required when type is BearerToken, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? has(self.credentials) : !has(self.credentials)",message="credentials is required when type is Authorization, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SafeAuthorization' ? has(self.safeAuthorization) : !has(self.safeAuthorization)",message="safeAuthorization is required when type is SafeAuthorization, and forbidden otherwise"
// +union
type RemoteWriteAuthorization struct {
// type specifies the authorization method to use.
// Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.
// Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.
//
// When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.
// When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.
//
// When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.
//
// When set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.
//
// When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.
//
// When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.
//
// When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.
// +unionDiscriminator
// +required
Type RemoteWriteAuthorizationType `json:"type,omitempty"`
// safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token).
// Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.
// +unionMember
// +optional
SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"`
// bearerToken defines the secret reference containing the bearer token.
// Required when type is "BearerToken", and forbidden otherwise.
// +unionMember
// credentials defines the secret reference containing the authorization credentials (e.g. Bearer token).
// Required when type is "Authorization", and forbidden otherwise.
// The secret must exist in the openshift-monitoring namespace.
// +unionMember=Authorization
// +optional
BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"`
Comment on lines -1703 to -1712

The removed fields must be tombstoned so we never add them back in the future for this api version.

Credentials SecretKeySelector `json:"credentials,omitempty,omitzero"`

Following discriminated union patterns, this field name would need to be authorization.

// basicAuth defines HTTP basic authentication credentials.
// Required when type is "BasicAuth", and forbidden otherwise.
// +unionMember
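Review bot: The new `+unionMember=Authorization` marker on the credentials field (the line just above its `// +optional`) is written differently from the bare `+unionMember` on the sibling basicAuth member and the other members of this union; unless the generator needs the member name spelled out here, keep it bare for consistency, or add the name to every member so the union is declared uniformly. On the field line, `json:"credentials,omitempty,omitzero"` carries a redundant `omitempty`: encoding/json ignores omitempty for struct-typed fields, so `omitzero` alone expresses the intent, and omitempty is worth keeping only if other tooling in the repo reads it. The doc comment for the Authorization type says the secret key "typically contains a Bearer token" but not which Authorization header scheme the operator sends with those credentials; stating it (or that only Bearer is supported) would remove ambiguity for users migrating from the removed SafeAuthorization option. The RemoteWriteAuthorization struct continues past the end of this section.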
Expand Up @@ -3381,7 +3381,7 @@ spec:
description: |-
authorization defines the authorization method for the remote write endpoint.
When omitted, no authorization is performed.
When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
properties:
basicAuth:
description: |-
Expand Down Expand Up @@ -3462,10 +3462,11 @@ spec:
- password
- username
type: object
bearerToken:
credentials:
description: |-
bearerToken defines the secret reference containing the bearer token.
Required when type is "BearerToken", and forbidden otherwise.
credentials defines the secret reference containing the authorization credentials (e.g. Bearer token).
Required when type is "Authorization", and forbidden otherwise.
The secret must exist in the openshift-monitoring namespace.
properties:
key:
description: |-
Expand Down Expand Up @@ -3638,32 +3639,6 @@ spec:
- clientSecret
- tokenUrl
type: object
safeAuthorization:
description: |-
safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token).
Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
sigv4:
description: |-
sigv4 defines AWS Signature Version 4 authentication.
Expand Down Expand Up @@ -3775,35 +3750,32 @@ spec:
type:
description: |-
type specifies the authorization method to use.
Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.
Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.

When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.
When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.

When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.

When set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.

When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.

When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.

When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.
enum:
- BearerToken
- Authorization
- BasicAuth
- OAuth2
- SigV4
- SafeAuthorization
- ServiceAccount
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: bearerToken is required when type is BearerToken,
- message: credentials is required when type is Authorization,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''BearerToken''
? has(self.bearerToken) : !has(self.bearerToken)'
rule: 'has(self.type) && self.type == ''Authorization''
? has(self.credentials) : !has(self.credentials)'
- message: basicAuth is required when type is BasicAuth,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''BasicAuth'' ?
Expand All @@ -3816,10 +3788,6 @@ spec:
otherwise
rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4)
: !has(self.sigv4)'
- message: safeAuthorization is required when type is SafeAuthorization,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''SafeAuthorization''
? has(self.safeAuthorization) : !has(self.safeAuthorization)'
exemplarsMode:
description: |-
exemplarsMode controls whether exemplars are sent via remote write.
7 changes: 1 addition & 6 deletions config/v1alpha1/zz_generated.deepcopy.go
