feat(profilecli): add kube-proxy command for unified microservice access #4777
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add intelligent reverse proxy command that unifies all Pyroscope microservices in Kubernetes into a single endpoint. The command: - Auto-discovers services using label selectors - Provides path-based routing to correct services - Uses kubectl proxy on Unix socket for secure K8s API access - Listens on configurable TCP address (default 127.0.0.1:4242) - Filters to user-facing services only (distributor, query-frontend, tenant-settings, ad-hoc-profiles)
jake-kramer
requested changes
Jan 21, 2026
Contributor
jake-kramer
left a comment
jake-kramer
left a comment
There was a problem hiding this comment.
Thanks for putting this together! To get it to work with drilldown locally, I needed the following changes:
diff --git a/cmd/profilecli/kube_proxy.go b/cmd/profilecli/kube_proxy.go
index e5696af8f..1037a8c80 100644
--- a/cmd/profilecli/kube_proxy.go
+++ b/cmd/profilecli/kube_proxy.go
@@ -381,13 +381,24 @@ func (m *reverseProxyManager) proxyToService(w http.ResponseWriter, r *http.Requ
return
}
- // Copy headers
+ // Copy headers, but skip Authorization to avoid interfering with kubectl's auth
for key, values := range r.Header {
+ // Skip Authorization header - kubectl proxy uses kubeconfig auth, not incoming auth
+ if key == "Authorization" {
+ level.Debug(logger).Log("msg", "skipping Authorization header from incoming request")
+ continue
+ }
for _, value := range values {
proxyReq.Header.Add(key, value)
}
}
+ // Inject tenant ID if configured
+ if m.params.TenantID != "" {
+ proxyReq.Header.Set("X-Scope-OrgID", m.params.TenantID)
+ level.Debug(logger).Log("msg", "injected tenant ID", "tenant_id", m.params.TenantID)
+ }
+
// Execute request via Unix socket
client := &http.Client{
Transport: &http.Transport{I was able to successfully run against a local drilldown with:
profilecli admin kube-proxy -v
--url=<cluster url>
--tenant-id=<tenant id>
-n <namespace>
-c <cluster>
--listen-addr="127.0.0.1:4040"
-l "app.kubernetes.io/name=fire" # for dev
where drilldown Pyroscope datasource is set to :4040
|
|
||
| func (m *reverseProxyManager) initRoutingRules() { | ||
| // Order matters - most specific first! | ||
| m.routingRules = []routingRule{ |
Contributor
There was a problem hiding this comment.
Is there any straightforward way of programmatically generating this list?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a reverse proxy command that unifies all Pyroscope microservices in Kubernetes into a single endpoint.
The command:
tenant-settings, ad-hoc-profiles)
cc @jake-kramer we discussed the best way for debugging a problem, not too sure that is. But it works for me. In theory we could also inject a tenant id using a flag.