feat: Configure Prometheus endpoint via Helm chart (#4562)

Add PrometheusEndpoint to backend config and API
- Update frontend to use configured endpoint for Prometheus plugin
- Add config.prometheus.endpoint to Helm chart values
- Use safe quoting for Helm value injection
- Add backend validation for Prometheus URL

Signed-off-by: zyzzmohit <mohitray949@gmail.com>

Author: zyzzmohit

backend/cmd/headlamp.go

@@ -97,6 +97,7 @@ const (
 type clientConfig struct {
 	Clusters                []Cluster `json:"clusters"`
 	IsDynamicClusterEnabled bool      `json:"isDynamicClusterEnabled"`
+	PrometheusEndpoint      string    `json:"prometheusEndpoint"`
 }
 
 type OauthConfig struct {
@@ -1750,7 +1751,7 @@ func parseClusterFromKubeConfig(kubeConfigs []string) ([]Cluster, []error) {
 func (c *HeadlampConfig) getConfig(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
-	clientConfig := clientConfig{c.getClusters(), c.EnableDynamicClusters}
+	clientConfig := clientConfig{c.getClusters(), c.EnableDynamicClusters, c.PrometheusEndpoint}
 
 	if err := json.NewEncoder(w).Encode(&clientConfig); err != nil {
 		logger.Log(logger.LevelError, nil, err, "encoding config")

backend/cmd/server.go

@@ -101,6 +101,7 @@ func buildHeadlampCFG(conf *config.Config, kubeConfigStore kubeconfig.ContextSto
 		TLSCertPath:           conf.TLSCertPath,
 		TLSKeyPath:            conf.TLSKeyPath,
 		SessionTTL:            conf.SessionTTL,
+		PrometheusEndpoint:    *conf.PrometheusEndpoint,
 	}
 }
 

backend/cmd/stateless.go

@@ -178,7 +178,7 @@ func (c *HeadlampConfig) parseKubeConfig(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	clientConfig := clientConfig{contexts, c.EnableDynamicClusters}
+	clientConfig := clientConfig{contexts, c.EnableDynamicClusters, c.PrometheusEndpoint}
 
 	if err := json.NewEncoder(w).Encode(&clientConfig); err != nil {
 		logger.Log(logger.LevelError, nil, err, "encoding config")

backend/pkg/config/config.go

@@ -85,6 +85,7 @@ type Config struct {
 	// TLS config
 	TLSCertPath string `koanf:"tls-cert-path"`
 	TLSKeyPath  string `koanf:"tls-key-path"`
+	PrometheusEndpoint *string `koanf:"prometheus-endpoint"`
 }
 
 func (c *Config) Validate() error {
@@ -144,6 +145,12 @@ func (c *Config) Validate() error {
 		}
 	}
 
+	if c.PrometheusEndpoint != nil && *c.PrometheusEndpoint != "" {
+		if !strings.HasPrefix(*c.PrometheusEndpoint, "http://") && !strings.HasPrefix(*c.PrometheusEndpoint, "https://") {
+			return errors.New("prometheus-endpoint must start with http:// or https://")
+		}
+	}
+
 	return nil
 }
 
@@ -448,6 +455,7 @@ func addGeneralFlags(f *flag.FlagSet) {
 	f.Uint("port", defaultPort, "Port to listen from")
 	f.String("proxy-urls", "", "Allow proxy requests to specified URLs")
 	f.Bool("enable-helm", false, "Enable Helm operations")
+	f.String("prometheus-endpoint", "", "Prometheus endpoint for the cluster")
 }
 
 func addOIDCFlags(f *flag.FlagSet) {

backend/pkg/headlampconfig/headlampConfig.go

@@ -63,4 +63,5 @@ type HeadlampCFG struct {
 	TLSCertPath           string
 	TLSKeyPath            string
 	SessionTTL            int
+	PrometheusEndpoint    string
 }

backend/pkg/kubeconfig/kubeconfig_test.go

@@ -10,7 +10,6 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/kubernetes-sigs/headlamp/backend/pkg/config"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/kubeconfig"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
@@ -315,11 +314,44 @@ func createTempKubeconfig(t *testing.T, content string) string {
 }
 
 func TestContext(t *testing.T) {
-	kubeConfigFile := config.GetDefaultKubeConfigPath()
+	// Start a mock server
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/version" {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"major": "1", "minor": "20"}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	// Create a temp kubeconfig pointing to the mock server
+	kubeConfigContent := fmt.Sprintf(`apiVersion: v1
+clusters:
+- cluster:
+    server: %s
+    insecure-skip-tls-verify: true
+  name: minikube
+contexts:
+- context:
+    cluster: minikube
+    namespace: default
+    user: minikube
+  name: minikube
+current-context: minikube
+kind: Config
+users:
+- name: minikube
+  user:
+    token: test-token
+`, server.URL)
+
+	tempFile := createTempKubeconfig(t, kubeConfigContent)
+	defer os.Remove(tempFile)
 
 	configStore := kubeconfig.NewContextStore()
 
-	err := kubeconfig.LoadAndStoreKubeConfigs(configStore, kubeConfigFile, kubeconfig.KubeConfig, nil)
+	err := kubeconfig.LoadAndStoreKubeConfigs(configStore, tempFile, kubeconfig.KubeConfig, nil)
 	require.NoError(t, err)
 
 	testContext, err := configStore.GetContext("minikube")
@@ -342,6 +374,11 @@ func TestContext(t *testing.T) {
 
 	err = testContext.ProxyRequest(rr, request)
 	require.NoError(t, err)
+	// We need to flush the proxy response to the recorder
+	if f, ok := rr.Result().Body.(http.Flusher); ok {
+		f.Flush()
+	}
+
 	assert.Equal(t, http.StatusOK, rr.Code)
 
 	t.Logf("Proxy request Response: %s", rr.Body.String())

charts/headlamp/templates/deployment.yaml

@@ -319,6 +319,9 @@ spec:
             {{- with .Values.config.baseURL }}
             - "-base-url={{ . }}"
             {{- end }}
+            {{- with .Values.config.prometheus.endpoint }}
+            - "-prometheus-endpoint={{ . | quote }}"
+            {{- end }}
             {{- with .Values.config.tlsCertPath }}
             - "-tls-cert-path={{ . }}"
             {{- end }}

charts/headlamp/values.yaml

@@ -38,6 +38,9 @@ config:
   baseURL: ""
   # -- session token TTL in seconds (default is 24 hours)
   sessionTTL: 86400
+  prometheus:
+    # -- Prometheus endpoint for the cluster
+    endpoint: ""
   oidc:
     # Option 1:
     # @param config.oidc.secret - OIDC secret configuration
@@ -161,8 +164,7 @@ podLabels: {}
 hostUsers: true
 
 # -- Headlamp pod's Security Context
-podSecurityContext:
-  {}
+podSecurityContext: {}
   # fsGroup: 2000
 
 # -- Headlamp containers Security Context
@@ -184,7 +186,6 @@ securityContext:
 #     drop:
 #       - ALL
 
-
 service:
   # -- Annotations to add to the service
   annotations: {}
@@ -211,8 +212,7 @@ persistentVolumeClaim:
   # -- Enable Persistent Volume Claim
   enabled: false
   # -- Annotations to add to the persistent volume claim (if enabled)
-  annotations:
-    {}
+  annotations: {}
   # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
   accessModes: []
   # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
@@ -228,8 +228,7 @@ ingress:
   # -- Enable ingress controller resource
   enabled: false
   # -- Annotations for Ingress resource
-  annotations:
-    {}
+  annotations: {}
     # kubernetes.io/tls-acme: "true"
 
   # -- Additional labels to add to the Ingress resource
@@ -242,8 +241,7 @@ ingress:
 
   # -- Hostname(s) for the Ingress resource
   # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
-  hosts:
-    []
+  hosts: []
     # - host: chart-example.local
     #   paths:
     #   - path: /
@@ -288,8 +286,7 @@ httpRoute:
   #         port: 80
 
 # -- CPU/Memory resource requests/limits
-resources:
-  {}
+resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -353,8 +350,7 @@ pluginsManager:
   #     cpu: "1000m"
   #     memory: "4096Mi"
   # If omitted, the plugin manager will inherit the global securityContext
-  securityContext:
-    {}
+  securityContext: {}
     # runAsUser: 1001
     # runAsNonRoot: true
     # allowPrivilegeEscalation: false