openshift · openshift-merge-robot · Aug 31, 2019 · Aug 29, 2019
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -68,6 +68,8 @@ func main() {
 	fK8sMode := fs.String("k8s-mode", "in-cluster", "in-cluster | off-cluster")
 	fK8sModeOffClusterEndpoint := fs.String("k8s-mode-off-cluster-endpoint", "", "URL of the Kubernetes API server.")
 	fK8sModeOffClusterSkipVerifyTLS := fs.Bool("k8s-mode-off-cluster-skip-verify-tls", false, "DEV ONLY. When true, skip verification of certs presented by k8s API server.")
+	fK8sModeOffClusterPrometheus := fs.String("k8s-mode-off-cluster-prometheus", "", "DEV ONLY. URL of the cluster's Prometheus server.")
+	fK8sModeOffClusterAlertmanager := fs.String("k8s-mode-off-cluster-alertmanager", "", "DEV ONLY. URL of the cluster's AlertManager server.")
 
 	fK8sAuth := fs.String("k8s-auth", "service-account", "service-account | bearer-token | oidc | openshift")
 	fK8sAuthBearerToken := fs.String("k8s-auth-bearer-token", "", "Authorization token to send with proxied Kubernetes API requests.")
@@ -144,6 +146,18 @@ func main() {
 		documentationBaseURL = bridge.ValidateFlagIsURL("documentation-base-url", *fDocumentationBaseURL)
 	}
 
+	offClusterPrometheusURL := &url.URL{}
+	if *fK8sModeOffClusterPrometheus != "" && *fK8sMode == "off-cluster" {
+		offClusterPrometheusURL = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-prometheus", *fK8sModeOffClusterPrometheus)
+		offClusterPrometheusURL.Path = "/api"
+	}
+
+	offClusterAlertManagerURL := &url.URL{}
+	if *fK8sModeOffClusterAlertmanager != "" && *fK8sMode == "off-cluster" {
+		offClusterAlertManagerURL = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-alertmanager", *fK8sModeOffClusterAlertmanager)
+		offClusterAlertManagerURL.Path = "/api"
+	}
+
 	branding := *fBranding
 	if branding == "origin" {
 		branding = "okd"
@@ -288,14 +302,36 @@ func main() {
 
 	case "off-cluster":
 		k8sEndpoint = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-endpoint", *fK8sModeOffClusterEndpoint)
-
+		serviceProxyTLSConfig := &tls.Config{
+			InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
+		}
 		srv.K8sProxyConfig = &proxy.Config{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
-			},
+			TLSClientConfig: serviceProxyTLSConfig,
 			HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
 			Endpoint:        k8sEndpoint,
 		}
+
+		if offClusterPrometheusURL.String() != "" {
+			srv.PrometheusProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint:        offClusterPrometheusURL,
+			}
+			srv.PrometheusTenancyProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint:        offClusterPrometheusURL,
+			}
+		}
+
+		if offClusterAlertManagerURL.String() != "" {
+			srv.AlertManagerProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint:        offClusterAlertManagerURL,
+			}
+		}
+
 	default:
 		bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
 	}

diff --git a/contrib/oc-environment.sh b/contrib/oc-environment.sh
@@ -17,6 +17,8 @@ export BRIDGE_USER_AUTH="disabled"
 export BRIDGE_K8S_MODE="off-cluster"
 export BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT=$(oc whoami --show-server)
 export BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS=true
+export BRIDGE_K8S_MODE_OFF_CLUSTER_PROMETHEUS=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.prometheusURL}')
+export BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.alertmanagerURL}')
 export BRIDGE_K8S_AUTH="bearer-token"
 export BRIDGE_K8S_AUTH_BEARER_TOKEN=$(oc whoami --show-token)
 

diff --git a/examples/run-bridge.sh b/examples/run-bridge.sh
@@ -14,4 +14,6 @@ set -exuo pipefail
     --user-auth=openshift \
     --user-auth-oidc-client-id=console-oauth-client \
     --user-auth-oidc-client-secret-file=examples/console-client-secret \
-    --user-auth-oidc-ca-file=examples/ca.crt
+    --user-auth-oidc-ca-file=examples/ca.crt \
+    --k8s-mode-off-cluster-prometheus=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.prometheusURL}')  \
+    --k8s-mode-off-cluster-alertmanager=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.alertmanagerURL}')
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -107,15 +107,16 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		r.Header.Del(h)
 	}
 
+	r.Host = p.config.Endpoint.Host
+	r.URL.Host = p.config.Endpoint.Host
+	r.URL.Scheme = p.config.Endpoint.Scheme
+
 	if !isWebsocket {
 		p.reverseProxy.ServeHTTP(w, r)
 		return
 	}
 
-	r.Host = p.config.Endpoint.Host
-	r.URL.Host = p.config.Endpoint.Host
 	r.URL.Path = SingleJoiningSlash(p.config.Endpoint.Path, r.URL.Path)
-	r.URL.Scheme = p.config.Endpoint.Scheme
 
 	if r.URL.Scheme == "https" {
 		r.URL.Scheme = "wss"