feat: add parameter enableAdminAPI to prometheus configuration

morenod · morenod · commit 8be8e9513927 · 2025-10-22T10:01:23.000+02:00
Signed-off-by: morenod &lt;dsanzmor@redhat.com&gt;
diff --git a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,11 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API
+                      Default to the value of `false`.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,15 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API.
+                      Defaults to the value of `false`.
+                      WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+                      shutdown Prometheus, and more. Enabling this should be done with care and the
+                      user is advised to add additional authentication authorization via a proxy to
+                      ensure only clients authorized to perform these actions can do so.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/docs/api.md b/docs/api.md
@@ -470,6 +470,18 @@ Define prometheus config
         </tr>
     </thead>
     <tbody><tr>
+        <td><b>enableAdminAPI</b></td>
+        <td>boolean</td>
+        <td>
+          Enable Prometheus Admin API.
+Defaults to the value of `false`.
+WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+shutdown Prometheus, and more. Enabling this should be done with care and the
+user is advised to add additional authentication authorization via a proxy to
+ensure only clients authorized to perform these actions can do so.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
         <td><b>enableOtlpHttpReceiver</b></td>
         <td>boolean</td>
         <td>
diff --git a/go.sum b/go.sum
@@ -438,8 +438,6 @@ github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.86.1-rhobs1 h1:T
 github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.86.1-rhobs1/go.mod h1:l986kUrEUzfrbYEsqRvSAJThNbF4SUKkM5eZR+L3uf0=
 github.com/rhobs/obo-prometheus-operator/pkg/client v0.86.1-rhobs1 h1:hKGd+NRtZkrTBFcoApy/3IkKJJprjwE3zsF4bZZxG7Y=
 github.com/rhobs/obo-prometheus-operator/pkg/client v0.86.1-rhobs1/go.mod h1:Ad3ru/JHiOZNEwAsaPMxzUq5Ft/qRs2kzBQXhw/9yJc=
-github.com/rhobs/observability-operator/pkg/apis v0.0.0-20251009091129-76135c924ed6 h1:f+J6l48RMDomN9YrDxd0cZVo7+L+a/TCzH6ycat5tMI=
-github.com/rhobs/observability-operator/pkg/apis v0.0.0-20251009091129-76135c924ed6/go.mod h1:bNP815/mCv8ydNQ2Q3a9gqlx9b2XouWa6hws9vthq78=
 github.com/rhobs/perses v0.0.0-20250612171017-5d7686af9ae4 h1:IxpxGJ/fbnRkZZYFm17NMedFyEuOKuf4TS23g+6jMvU=
 github.com/rhobs/perses v0.0.0-20250612171017-5d7686af9ae4/go.mod h1:Mxs4sXawWiV50qokKG1UZCV9NJEdJWsALY71/z38NKA=
 github.com/rhobs/perses-operator v0.1.10-0.20250612173146-78eb619430df h1:rwtqpvrowEF6EjSiO3PPcqC6s2jo7NU3VsGU6yrpxTg=
diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go
@@ -236,6 +236,14 @@ type PrometheusConfig struct {
 	// Configure TLS options for the Prometheus web server.
 	// +optional
 	WebTLSConfig *WebTLSConfig `json:"webTLSConfig,omitempty"`
+	// Enable Prometheus Admin API.
+	// Defaults to the value of `false`.
+	// WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+	// shutdown Prometheus, and more. Enabling this should be done with care and the
+	// user is advised to add additional authentication authorization via a proxy to
+	// ensure only clients authorized to perform these actions can do so.
+	// +optional
+	EnableAdminAPI bool `json:"enableAdminAPI,omitempty"`
 }
 
 type AlertmanagerConfig struct {
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -209,6 +209,7 @@ func newPrometheus(
 					return []monv1.EnableFeature{}
 				}(),
 			},
+			EnableAdminAPI:        config.EnableAdminAPI,
 			Retention:             ms.Spec.Retention,
 			RuleSelector:          prometheusSelector,
 			RuleNamespaceSelector: ms.Spec.NamespaceSelector,
diff --git a/test/e2e/monitoring_stack_controller_test.go b/test/e2e/monitoring_stack_controller_test.go
@@ -758,6 +758,8 @@ func assertPrometheusManagedFields(t *testing.T) {
 			},
 		},
 	}
+	ms.Spec.PrometheusConfig.EnableAdminAPI = true
+
 	ms.Spec.NamespaceSelector = &metav1.LabelSelector{
 		MatchLabels: map[string]string{
 			"label": "label-value",
@@ -947,6 +949,7 @@ const oboManagedFieldsJson = `
     "f:alertmanagers": {}
   },
   "f:arbitraryFSAccessThroughSMs": {},
+  "f:enableAdminAPI": {},
   "f:enableRemoteWriteReceiver": {},
   "f:externalLabels": {
     "f:key": {}
