Connect self-monitoring project to internal Prometheus
What does this MR do?
Why do we need this change?
The self-monitoring project (#26370 (closed)) needs to be able to connect to the internal Prometheus instance in order to be able to display charts and metrics about the performance of the GitLab instance.
The internal Prometheus instance URL is a localhost URL usually. However, by default GitLab does not allow localhost URLs to be used in webhooks.
Possible solutions
- There is a whitelist which allows specific localhost URLs to be whitelisted, but that allows any project/webhook in the entire GitLab instance to connect to the whitelisted URL.
- An ideal solution would be to have a project specific whitelist which will only whitelist a localhost URL for a specific project. However, this feature does not exist as yet.
- Another option (the one we've chosen) is to allow the PrometheusService to use a localhost URL in its api_url attribute when the following conditions are met:
  - The project that the PrometheusService belongs to is the self-monitoring project.
  - The api_url is the address of the internal Prometheus instance.
Summary of changes
In summary, the changes that this MR contains are:
- In PrometheusService model:
  - Use the AddressableUrlValidator to validate the api_url if the project it belongs to is the self-monitoring project and the api_url contains the Prometheus internal URL. This will allow the self-monitoring project to connect to the internal Prometheus URL.
  - Use the PublicUrlValidator in all other cases.
Issue: #32353 (closed)
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
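
The validator selection described under "Summary of changes", modelled as an added example in plain Ruby (not code from this MR or from GitLab). `INTERNAL_PROMETHEUS_URL`, `Project` and the helper names are assumptions, the exemption compares parsed scheme, host and port rather than a substring, and the local-address check stands in for the public-URL rule without resolving DNS.

```ruby
require 'uri'
require 'ipaddr'

# Constructed value: the page only says the internal URL is usually a localhost URL.
INTERNAL_PROMETHEUS_URL = 'http://localhost:9090'

# Hypothetical stand-in for the project record.
Project = Struct.new(:name, :self_monitoring)

# Accept only http/https URLs that carry a host.
def parse_http_url(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && uri.host ? uri : nil # URI::HTTPS subclasses URI::HTTP
rescue URI::InvalidURIError
  nil
end

# Literal check for localhost, loopback, private and link-local addresses.
# Assumption: no DNS resolution, so a public name pointing inward is not caught here.
def local_host?(host)
  return true if host.casecmp?('localhost')
  ip = IPAddr.new(host)
  ip.loopback? || ip.private? || ip.link_local?
rescue IPAddr::Error
  false # not an IP literal, treat as an ordinary hostname
end

# Component-wise comparison against the configured internal address.
def internal_prometheus_url?(uri)
  internal = URI.parse(INTERNAL_PROMETHEUS_URL)
  [uri.scheme, uri.hostname.downcase, uri.port] ==
    [internal.scheme, internal.hostname.downcase, internal.port]
end

def api_url_valid?(project, api_url)
  uri = parse_http_url(api_url)
  return false unless uri
  # Exemption: both conditions from the MR description must hold together.
  return true if project.self_monitoring && internal_prometheus_url?(uri)
  # All other cases: local addresses are rejected.
  !local_host?(uri.hostname)
end
```
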