feat: add EnableAdminAPI field to PrometheusConfig API

morenod · morenod · commit 012e3cb022e4 · 2025-10-22T16:14:17.000+02:00
Add the EnableAdminAPI boolean field to the PrometheusConfig struct
to allow users to configure whether the Prometheus Admin API should
be enabled.

This commit only adds the API definition without implementing its
usage in the controller. The field includes appropriate validation
and documentation warning about security implications.

Signed-off-by: morenod &lt;dsanzmor@redhat.com&gt;
diff --git a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,11 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API
+                      Default to the value of `false`.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
@@ -199,6 +199,15 @@ spec:
                   replicas: 2
                 description: Define prometheus config
                 properties:
+                  enableAdminAPI:
+                    description: |-
+                      Enable Prometheus Admin API.
+                      Defaults to the value of `false`.
+                      WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+                      shutdown Prometheus, and more. Enabling this should be done with care and the
+                      user is advised to add additional authentication authorization via a proxy to
+                      ensure only clients authorized to perform these actions can do so.
+                    type: boolean
                   enableOtlpHttpReceiver:
                     description: |-
                       Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http protocol.
diff --git a/docs/api.md b/docs/api.md
@@ -470,6 +470,18 @@ Define prometheus config
         </tr>
     </thead>
     <tbody><tr>
+        <td><b>enableAdminAPI</b></td>
+        <td>boolean</td>
+        <td>
+          Enable Prometheus Admin API.
+Defaults to the value of `false`.
+WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+shutdown Prometheus, and more. Enabling this should be done with care and the
+user is advised to add additional authentication authorization via a proxy to
+ensure only clients authorized to perform these actions can do so.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
         <td><b>enableOtlpHttpReceiver</b></td>
         <td>boolean</td>
         <td>
diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go
@@ -236,6 +236,14 @@ type PrometheusConfig struct {
 	// Configure TLS options for the Prometheus web server.
 	// +optional
 	WebTLSConfig *WebTLSConfig `json:"webTLSConfig,omitempty"`
+	// Enable Prometheus Admin API.
+	// Defaults to the value of `false`.
+	// WARNING: Enabling the admin APIs enables mutating endpoints, to delete data,
+	// shutdown Prometheus, and more. Enabling this should be done with care and the
+	// user is advised to add additional authentication authorization via a proxy to
+	// ensure only clients authorized to perform these actions can do so.
+	// +optional
+	EnableAdminAPI bool `json:"enableAdminAPI,omitempty"`
 }
 
 type AlertmanagerConfig struct {
