From 181d599f9b35f7f469f5362eb567718f08563ef1 Mon Sep 17 00:00:00 2001
From: morenod <dsanzmor@redhat.com>
Date: Wed, 22 Oct 2025 16:14:17 +0200
Subject: [PATCH] feat: add EnableAdminAPI field to PrometheusConfig API

Add the EnableAdminAPI boolean field to the PrometheusConfig struct
to allow users to configure whether the Prometheus Admin API should
be enabled.

This commit only adds the API definition without implementing its
usage in the controller. The field includes appropriate validation
and documentation warning about security implications.

Signed-off-by: morenod <dsanzmor@redhat.com>
---
 .../manifests/monitoring.rhobs_monitoringstacks.yaml |  9 +++++++++
 ...observability-operator.clusterserviceversion.yaml |  2 +-
 .../common/monitoring.rhobs_monitoringstacks.yaml    |  9 +++++++++
 docs/api.md                                          | 12 ++++++++++++
 pkg/apis/monitoring/v1alpha1/types.go                |  8 ++++++++
 5 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
index 5ee332657..e0ee53a36 100644
--- a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
+++ b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,15 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API.
+                      Defaults to the value of `false`.
+                      WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+                      shutdown Prometheus, and more. Enabling this should be done with care and the
+                      user is advised to add additional authentication authorization via a proxy to
+                      ensure only clients authorized to perform these actions can do so.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/bundle/manifests/observability-operator.clusterserviceversion.yaml b/bundle/manifests/observability-operator.clusterserviceversion.yaml
index ac53ab95c..7e83e3c6e 100644
--- a/bundle/manifests/observability-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/observability-operator.clusterserviceversion.yaml
@@ -42,7 +42,7 @@ metadata:
     categories: Monitoring
     certified: "false"
     containerImage: observability-operator:1.2.0
-    createdAt: "2025-10-16T07:15:08Z"
+    createdAt: "2025-10-27T09:42:32Z"
     description: A Go based Kubernetes operator to setup and manage highly available
       Monitoring Stack using Prometheus, Alertmanager and Thanos Querier.
     operatorframework.io/cluster-monitoring: "true"
diff --git a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
index 7139bec53..7a887c02f 100644
--- a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
+++ b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,15 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API.
+                      Defaults to the value of `false`.
+                      WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+                      shutdown Prometheus, and more. Enabling this should be done with care and the
+                      user is advised to add additional authentication authorization via a proxy to
+                      ensure only clients authorized to perform these actions can do so.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/docs/api.md b/docs/api.md
index fad6179ef..078cb5964 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -470,6 +470,18 @@ Define prometheus config
         </tr>
     </thead>
     <tbody><tr>
+        <td><b>enableAdminAPI</b></td>
+        <td>boolean</td>
+        <td>
+          Enable Prometheus Admin API.
+Defaults to the value of `false`.
+WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+shutdown Prometheus, and more. Enabling this should be done with care and the
+user is advised to add additional authentication authorization via a proxy to
+ensure only clients authorized to perform these actions can do so.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
         <td><b>enableOtlpHttpReceiver</b></td>
         <td>boolean</td>
         <td>
diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go
index ce7a1f303..5234e8eaf 100644
--- a/pkg/apis/monitoring/v1alpha1/types.go
+++ b/pkg/apis/monitoring/v1alpha1/types.go
@@ -236,6 +236,14 @@ type PrometheusConfig struct {
 	// Configure TLS options for the Prometheus web server.
 	// +optional
 	WebTLSConfig *WebTLSConfig `json:"webTLSConfig,omitempty"`
+	// Enable Prometheus Admin API.
+	// Defaults to the value of `false`.
+	// WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+	// shutdown Prometheus, and more. Enabling this should be done with care and the
+	// user is advised to add additional authentication authorization via a proxy to
+	// ensure only clients authorized to perform these actions can do so.
+	// +optional
+	EnableAdminAPI bool `json:"enableAdminAPI,omitempty"`
 }
 
 type AlertmanagerConfig struct {