{"id":23826087,"url":"https://github.com/appuio/openshift-prometheus-proxy","last_synced_at":"2025-07-23T22:33:24.166Z","repository":{"id":38889756,"uuid":"190032156","full_name":"appuio/openshift-prometheus-proxy","owner":"appuio","description":"Filtering OpenShift Prometheus Exporter Proxy ","archived":false,"fork":false,"pushed_at":"2025-06-29T00:07:31.000Z","size":34,"stargazers_count":1,"open_issues_count":16,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-29T01:26:27.109Z","etag":null,"topics":["vshn-project-ignore"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/appuio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-06-03T15:26:31.000Z","updated_at":"2022-11-17T10:50:31.000Z","dependencies_parsed_at":"2023-12-09T09:24:39.365Z","dependency_job_id":"0ed3a3d3-78c8-41ac-b378-baa9266189bc","html_url":"https://github.com/appuio/openshift-prometheus-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/appuio/openshift-prometheus-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appuio%2Fopenshift-prometheus-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appuio%2Fopenshift-prometheus-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appuio%2Fopenshift-prometheus-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appuio%2Fopenshift-prometheus-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appuio","download_url":"https://codeload.github.com/appuio/openshift-prometheus-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appuio%2Fopenshift-prometheus-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266761346,"owners_count":23980289,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["vshn-project-ignore"],"created_at":"2025-01-02T12:15:18.950Z","updated_at":"2025-07-23T22:33:24.109Z","avatar_url":"https://github.com/appuio.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# openshift-prometheus-proxy\n\nopenshift-prometheus-proxy is a filtering proxy for Prometheus on OpenShift. It\nis designed for use on shared OpenShift clusters to give customers access to kube-state-metrics and\nkubelet metrics of their projects only.\n\nopenshift-prometheus-proxy acts a proxy for the federation endpoint of an Prometheus installation,\nusually the Prometheus installation that comes with the OpenShift Container Platform. \nIt requires authentication with a valid OpenShift bearer token. This\ntoken also determines which metrics will be filtered by the proxy. Only metrics with a\n`namespace` label whose value is a namespace the given bearer token has access to will be returned.\nThat is users can only access metrics concerning their namespaces.\n\n## Requirements\n\n* OpenShift Container Platform 3.11 or later\n* OpenShift OAuth Proxy\n\nOpenShift OAuth Proxy is used to restrict access to openshift-prometheus-proxy to select OpenShift users.\n\n## Installation\n\nInstallation of openshift-prometheus-proxy is based on OpenShift templates and parameter files.\nClone the repository and copy the openshift-prometheus-proxy example parameter file:\n\n```sh\ngit clone https://github.com/appuio/openshift-prometheus-proxy\ncd openshift-prometheus-proxy\ncp env/openshift-prometheus-proxy.env.sample env/openshift-prometheus-proxy.env\n```\n\nAdapt `env/openshift-promtheus-proxy.env` to your setup:\n\n* NAMESPACE: OpenShift Namespace to deploy openshift-prometheus-proxy to.\n* OPENSHIFT_PROMETHEUS_PROXY_HOSTNAME: External hostname of openshift-prometheus-proxy.\n* OPENSHIFT_PROMETHEUS_PROXY_UPSTREAM: URL of the upstream Prometheus server.\n* OPENSHIFT_PROMETHEUS_PROXY_TLS_VERIFY: How to verify the upstream SSL/TLS certificate. Can either be 'true' to verify against the root certificate bundle, 'service' to verify against the OpenShift service CA, or 'false' to don't verify at all (not recommended in production).\n\n### openshift-prometheus-proxy\n\nopenshift-prometheus-proxy can be installed with the following commands:\n\n```sh\n. env/openshift-prometheus-proxy.env\noc new-project ${NAMESPACE}\noc adm policy add-cluster-role-to-user -n ${NAMESPACE} --rolebinding-name=system:auth-delegator system:auth-delegator -z openshift-prometheus-proxy\noc adm policy add-cluster-role-to-user -n ${NAMESPACE} --rolebinding-name=cluster-monitoring-view cluster-monitoring-view -z openshift-prometheus-proxy\noc process -f template/openshift-prometheus-proxy.yaml --param-file=env/openshift-prometheus-proxy.env --ignore-unknown-parameters | oc apply -n ${NAMESPACE} -f -\n```\n\nThe `system:auto-delegator` cluster role is needed by the OpenShift OAuth Proxy for bearer token authentication and the\n`cluster-monitoring-view` role is needed for read access to the OpenShift Prometheus instance.\n\nBy default customers aren't allowed to use openshift-prometheus-proxy. To give customers access the `access-openshift-prometheus-proxy`\nrole needs to be added to their Prometheus service account, e.g.:\n\n```sh\n. env/openshift-prometheus-proxy.env\nPROMETHEUS_NAMESPACE=\u003ccustomer prometheus namespace\u003e\nPROMETHEUS_SA=\u003ccustomer prometheus service account, e.g. prometheus-apps\u003e\noc policy add-role-to-user -n ${NAMESPACE} --role-namespace=${NAMESPACE} access-openshift-prometheus-proxy system:serviceaccount:${PROMETHEUS_NAMESPACE}:${PROMETHEUS_SA} \n```\n\n## Usage\n\nopenshift-prometheus-proxy supports URLs of the same form as the \n[Prometheus federation endpoint](https://prometheus.io/docs/prometheus/latest/federation/),\ni.e. `https://\u003copenshift-prometheus-proxy hostname\u003e/federate?match[]=\u003cselector\u003e`.\nWhere `\u003cselector` is any [Prometheus instant vector selector](https://prometheus.io/docs/prometheus/latest/querying/basics/#instant-vector-selectors),\ne.g. `{job=\"kubelet\"}`. Additionally you can use `match[]={}` to select all metrics concerning your namespaces.\n\nYou can use curl to retrieve a list of available jobs: \n`curl -kH \"Authorization: Bearer $(oc sa get-token -n $PROMETHEUS_NAMESPACE $PROMETHEUS_SA)\" https://${OPENSHIFT_PROMETHEUS_PROXY_HOSTNAME}/jobs`.\nNote that some metrics have an empty job label, i.e. `job=\"\"`, e.g. metrics created by recording rules.\n\nThis repository contains a template with an example ServiceMonitor to scrape kubelet and kube-state-metrics\nthrough openshift-prometheus-proxy. The template can be instantiated in the customers namespaces as follows.\n\nCopy the sample parameter file for the templates:\n\n```sh\ncp env/monitor-openshift.env.sample env/monitor-openshift.env\n```\n\nAdapt `env/monitor-openshift.env` to your setup:\n\n* NAMESPACE: Namespace of customer Prometheus instance.\n* PROMETHEUS_ID: Value of the `prometheus` label of the ServiceMonitor. Must correspond to the `serviceMonitorSelector` in the customers `Prometheus` object. Defaults to 'app'.\n* OPENSHIFT_PROMETHEUS_PROXY_SCRAPE_ENDPOINT: Endpoint of the OpenShift Prometheus Proxy to scrape, either the service or the route of the proxy.\n* OPENSHIFT_PROMETHEUS_PROXY_SCRAPE_SKIP_TLS_VERIFY: Whether to skip TLS certificate verification when scraping OpenShift Prometheus Proxy. Not recommended on production. Defaults to 'false'.\n\nInstantiate the openshift-prometheus-proxy scrape config template in the customer Prometheus namespace:\n\n```sh\n. env/monitor-openshift.env\noc process -f template/monitor-openshift-prometheus-proxy.yaml --param-file=env/monitor-openshift.env --ignore-unknown-parameters | oc apply -n ${NAMESPACE} -f -\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappuio%2Fopenshift-prometheus-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fappuio%2Fopenshift-prometheus-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappuio%2Fopenshift-prometheus-proxy/lists"}