Accept label value as regexp #171
Conversation
There was a problem hiding this comment.
Thanks for tackling this! Reading the issue, I have the impression that supporting regexp label values only for --label-value was enough (e.g. only for static values). Do you have a use case for supporting the same for --query-param and --header-name?
Given the security implications (e.g. it's easy to get the regexp wrong and expose too many metrics by accident), I'd be more inclined to limit the scope for now.
Yes. Here is my usecase : I have multiple (soft-)tenants in a Kubernetes cluster. Each can include a list of namespace ( Alternatively, a new
I understand. But I need it 😉 . Maybe add a warning in the docs? |
|
Thanks for the details, it helps a lot! I could agree to the feature being marked as experimental with an very clear warning in the CLI help + README.md file. The proxy needs also to validate that the regexp is valid. Also what should the proxy's response when it gets several label values? My gut feeling is that it should fail. |
sathieu
force-pushed
the
label_regexp
branch
from
6c387f7 to
9d4dfd7
Compare
|
Thanks @simonpasquier I've rebased, added warnings in README, added checks for invalid regex and multiple values. Back to you 🏓 ! |
README.md
Outdated
| -header-name X-Namespace \ | ||
| -label namespace \ |
There was a problem hiding this comment.
(suggestion) I'd use a static label value to make it more "visible".
| -header-name X-Namespace \ | |
| -label namespace \ | |
| -label-value '^foo-.+$' \ | |
| -label namespace \ |
There was a problem hiding this comment.
I wonder if we shouldn't anchor the regexp by default (like Prometheus does for relabelings)? It would at least prevent too-permissive configurations.
It'd also be good to require that the compiled regex doesn't match the empty string.
There was a problem hiding this comment.
I wonder if we shouldn't anchor the regexp by default (like Prometheus does for relabelings)? It would at least prevent too-permissive configurations.
Prometheus anchors already.
It'd also be good to require that the compiled regex doesn't match the empty string.
Good idea.
sathieu
force-pushed
the
label_regexp
branch
3 times, most recently
from
423ccc9 to
372db15
Compare
|
@simonpasquier I've merged your suggestions, added tests for regexp matching empty strings, and added tests early when using |
sathieu
force-pushed
the
label_regexp
branch
2 times, most recently
from
646a9f5 to
791471e
Compare
|
@simonpasquier Thanks for your review. I've merged your suggestions, and silence API is now returning Back to you 🏸 ! |
injectproxy/routes.go
Outdated
| mux.Handle("/api/v2/silences", r.el.ExtractLabel( | ||
| enforceMethods( | ||
| assertSingleLabelValue(r.silences), | ||
| if opt.regexMatch { |
There was a problem hiding this comment.
(suggestion) to avoid duplicating the mux.Handle() calls, we might do something like this:
errs.Add(
mux.Handle("/api/v2/silences", r.errorIfRegexpMatch(
r.el.ExtractLabel(...
[...]
func (r *routes) errorIfRegexpMatch(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, req *http.Request) {
if r.regexMatch {
prometheusAPIError(w, "support for regex match not implemented", http.StatusNotImplemented)
return
}
return next(w, req)
}
}There was a problem hiding this comment.
Done @simonpasquier. Back to you ⚾ !
sathieu
force-pushed
the
label_regexp
branch
from
791471e to
1f6a4d9
Compare
There was a problem hiding this comment.
Thanks! 👍 for me.
@squat do you have any concern with this addition? From my side, the warning in the README.md is clear enough that users know about the potential issues if they mess up with their regexp.
Fixes: prometheus-community#82 Signed-off-by: Mathieu Parent <[email protected]>
sathieu
force-pushed
the
label_regexp
branch
from
1f6a4d9 to
779c3bd
Compare
PR prometheus-community#171 implemented support for regex label values but only for the query endpoints. This change adds support for all other Prometheus API endpoints. Signed-off-by: Simon Pasquier <[email protected]>
PR prometheus-community#171 implemented support for regex label values but only for the query endpoints. This change adds support for all other Prometheus API endpoints. Signed-off-by: Simon Pasquier <[email protected]>
PR prometheus-community#171 implemented support for regex label values but only for the query endpoints. This change adds support for all other Prometheus API endpoints. Signed-off-by: Simon Pasquier <[email protected]>
Fixes: #82