[docs-agent] Update RHOBS API Gateway documentation for /api/v1/rules

[rrp-bot]

Automated Doc Audit

PR #538 (ROSAENG-195) added GET /api/v1/rules to the RHOBS API Gateway, exposing alerting and recording rule status for E2E tests. Two existing documentation files were not updated as part of that PR:

• terraform/modules/rhobs-api-gateway/README.md: Added a Routes table listing all exposed endpoints with their backends and access tiers; updated the Architecture diagram to show both the ingestion and query paths; corrected the Design Decisions wording which implied only MC ingestion traffic was served.

• docs/design/monitoring-platform.md: Added GET /api/v1/rules to the Security → Authorization bullet and the Cross-Cluster Remote Write key points, which previously listed only /api/v1/query and /api/v1/query_range as RC-account restricted endpoints.

PRs #537 (internal render.py fix) and #506 (SNS alerting, which already updated alerting-architecture.md) required no additional documentation changes.

/cc @iamkirkbater — please review these updates.

---

To request updates to this PR, prompt Claude through the ambient session here.

Summary by CodeRabbit

• Documentation
  • Updated monitoring platform and Terraform module documentation to clarify API Gateway access control policies: query and rules endpoints are restricted to Regional Cluster account only, while ingestion endpoints remain accessible to all authenticated principals within the same AWS Organization.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign psav for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation updates clarify RHOBS API Gateway authorization rules across two files: the design document now explicitly lists GET /api/v1/rules as RC-account-only in both its "Cross-Cluster Remote Write" and "Security" sections, and the Terraform module README documents per-path access tiers with corresponding architecture and design decision notes.

Changes

RHOBS API Gateway Authorization Documentation

Layer / File(s)	Summary
Design document authorization rules clarification docs/design/monitoring-platform.md	The "Cross-Cluster Remote Write" and "Security" sections are updated to include GET /api/v1/rules as an RC-account-only endpoint, aligning it with the existing restrictions on GET /api/v1/query and GET /api/v1/query_range.
Module README per-path access documentation terraform/modules/rhobs-api-gateway/README.md	Features, Routes, and Architecture sections are revised to document per-path access control: ingestion endpoints remain open to any authenticated principal in the same AWS Organization, while query and rules endpoints are restricted to RC account only. The access logging design decision is reworded to specify internal ingestion/MC metrics and RC-account query access.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• openshift-online/rosa-regional-platform#538: Terraform changes that add and enforce the /api/v1/rules endpoint access control that this PR documents.
• openshift-online/rosa-regional-platform#499: Original implementation of RHOBS API Gateway support with RC-account-only resource policy for query endpoints.
• openshift-online/rosa-regional-platform#328: Prior documentation update to API Gateway authorization rules covering authenticated principal behavior.

Suggested labels

ok-to-test, approved, lgtm

Suggested reviewers

• iamkirkbater
• psav

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: documenting the /api/v1/rules endpoint in RHOBS API Gateway docs, which is the primary focus across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @rrp-bot. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@terraform/modules/rhobs-api-gateway/README.md`:
- Around line 26-42: Replace the ASCII art diagram with a Mermaid flow diagram:
remove the ASCII block and add a ```mermaid fenced block using graph TB;
recreate nodes for MC, APIGW, VPCLINK, ALB, TG_RECV, TG_QUERY, RECV and QUERY
(use readable labels like MC["MC (SigV4 Proxy)"] and APIGW["RHOBS API
Gateway<br/>(AWS_IAM auth + resource policy)"]) and add directed links with the
same annotated edges (MC -->|POST /api/v1/receive...| APIGW, APIGW -->|GET
/api/v1/query...| VPCLINK, VPCLINK --> ALB, ALB --> TG_RECV and TG_QUERY,
TG_RECV --> RECV, TG_QUERY --> QUERY) so the diagram semantics match the
proposed Mermaid example in the review comment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2ae4474f-e28c-4acf-8937-f54b5a1f2b0d

📥 Commits

Reviewing files that changed from the base of the PR and between df454ab and 5431d70.

📒 Files selected for processing (2)

• docs/design/monitoring-platform.md
• terraform/modules/rhobs-api-gateway/README.md

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Replace ASCII art with Mermaid diagram.

The architecture diagram uses ASCII art. Per coding guidelines, all architectural and flow diagrams in markdown files must use Mermaid format instead of ASCII art.

🎨 Proposed Mermaid diagram

-```
-MC (SigV4 Proxy)
-    │
-    ▼ POST /api/v1/receive (SigV4-signed, any org account)
-    │
-RHOBS API Gateway (AWS_IAM auth + resource policy)
-    │
-    ▼ GET /api/v1/query, /api/v1/query_range, /api/v1/rules (RC account only)
-    │
-VPC Link (dedicated, rhobs-vpc-link SG)
-    │
-    ▼
-Internal ALB (:80) (dedicated, rhobs-alb SG)
-    │
-    ├──▶ Target Group: thanos-recv (IP)  → Thanos Receive Pods (:19291)
-    └──▶ Target Group: thanos-query (IP) → Thanos Query Frontend Pods (:9090)
-```
+```mermaid
+graph TB
+    MC["MC (SigV4 Proxy)"]
+    APIGW["RHOBS API Gateway<br/>(AWS_IAM auth + resource policy)"]
+    VPCLINK["VPC Link<br/>(dedicated, rhobs-vpc-link SG)"]
+    ALB["Internal ALB (:80)<br/>(dedicated, rhobs-alb SG)"]
+    TG_RECV["Target Group: thanos-recv (IP)"]
+    TG_QUERY["Target Group: thanos-query (IP)"]
+    RECV["Thanos Receive Pods (:19291)"]
+    QUERY["Thanos Query Frontend Pods (:9090)"]
+    
+    MC -->|"POST /api/v1/receive<br/>(SigV4-signed, any org account)"| APIGW
+    APIGW -->|"GET /api/v1/query, /api/v1/query_range,<br/>/api/v1/rules (RC account only)"| VPCLINK
+    VPCLINK --> ALB
+    ALB --> TG_RECV
+    ALB --> TG_QUERY
+    TG_RECV --> RECV
+    TG_QUERY --> QUERY
+```
</details>

As per coding guidelines, use Mermaid for diagrams in markdown files and never use ASCII art. Based on learnings, this applies to architectural/flow diagrams; directory tree listings are still acceptable.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 26-26: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @terraform/modules/rhobs-api-gateway/README.md around lines 26 - 42, Replace
the ASCII art diagram with a Mermaid flow diagram: remove the ASCII block and
add a ```mermaid fenced block using graph TB; recreate nodes for MC, APIGW,
VPCLINK, ALB, TG_RECV, TG_QUERY, RECV and QUERY (use readable labels like MC["MC
(SigV4 Proxy)"] and APIGW["RHOBS API Gateway
(AWS_IAM auth + resource
policy)"]) and add directed links with the same annotated edges (MC -->|POST
/api/v1/receive...| APIGW, APIGW -->|GET /api/v1/query...| VPCLINK, VPCLINK -->
ALB, ALB --> TG_RECV and TG_QUERY, TG_RECV --> RECV, TG_QUERY --> QUERY) so the
diagram semantics match the proposed Mermaid example in the review comment.

</details>

<!-- fingerprinting:phantom:triton:puma -->

<!-- This is an auto-generated comment by CodeRabbit -->

[psav]

/ok-to-test

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[redhat-chai-bot]

Auto-closing: this documentation update was not reviewed within 3 days. If the changes are still relevant, a new PR will be opened in a future run.