openshift · danielmellado · May 7, 2026
diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
@@ -1181,6 +1181,9 @@ tests:
         kind: ClusterMonitoring
         spec:
           thanosQuerierConfig:
+            logLevel: "Debug"
+            requestLogging: "LogAll"
+            crossOriginRequestPolicy: "DenyAll"
             nodeSelector:
               kubernetes.io/os: linux
             resources:
@@ -1201,6 +1204,9 @@ tests:
         kind: ClusterMonitoring
         spec:
           thanosQuerierConfig:
+            logLevel: "Debug"
+            requestLogging: "LogAll"
+            crossOriginRequestPolicy: "DenyAll"
             nodeSelector:
               kubernetes.io/os: linux
             resources:
@@ -1434,6 +1440,134 @@ tests:
                 topologyKey: topology.kubernetes.io/zone
                 whenUnsatisfiable: DoNotSchedule
       expectedError: "Duplicate value"
+    - name: Should accept ThanosQuerierConfig with logLevel set to Error
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Error"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Error"
+    - name: Should accept ThanosQuerierConfig with logLevel set to Warn
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Warn"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Warn"
+    - name: Should accept ThanosQuerierConfig with logLevel set to Info
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Info"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Info"
+    - name: Should accept ThanosQuerierConfig with logLevel set to Debug
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Debug"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "Debug"
+    - name: Should reject ThanosQuerierConfig with invalid logLevel
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            logLevel: "InvalidLevel"
+      expectedError: 'spec.thanosQuerierConfig.logLevel: Unsupported value: "InvalidLevel": supported values: "Error", "Warn", "Info", "Debug"'
+    - name: Should accept ThanosQuerierConfig with requestLogging set to LogAll
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            requestLogging: "LogAll"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            requestLogging: "LogAll"
+    - name: Should accept ThanosQuerierConfig with requestLogging set to None
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            requestLogging: "None"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            requestLogging: "None"
+    - name: Should reject ThanosQuerierConfig with invalid requestLogging
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            requestLogging: "InvalidValue"
+      expectedError: 'spec.thanosQuerierConfig.requestLogging: Unsupported value: "InvalidValue": supported values: "LogAll", "None"'
+    - name: Should accept ThanosQuerierConfig with crossOriginRequestPolicy set to AllowAll
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            crossOriginRequestPolicy: "AllowAll"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            crossOriginRequestPolicy: "AllowAll"
+    - name: Should accept ThanosQuerierConfig with crossOriginRequestPolicy set to DenyAll
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            crossOriginRequestPolicy: "DenyAll"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            crossOriginRequestPolicy: "DenyAll"
+    - name: Should reject ThanosQuerierConfig with invalid crossOriginRequestPolicy
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          thanosQuerierConfig:
+            crossOriginRequestPolicy: "InvalidValue"
+      expectedError: 'spec.thanosQuerierConfig.crossOriginRequestPolicy: Unsupported value: "InvalidValue": supported values: "AllowAll", "DenyAll"'
     - name: Should be able to create MonitoringPluginConfig with valid resources
       initial: |
         apiVersion: config.openshift.io/v1alpha1

diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go
@@ -2381,6 +2381,37 @@ type TelemeterClientConfig struct {
 // At least one field must be specified; an empty thanosQuerierConfig object is not allowed.
 // +kubebuilder:validation:MinProperties=1
 type ThanosQuerierConfig struct {
+	// logLevel defines the verbosity of logs emitted by Thanos Querier.
+	// logLevel is optional.
+	// Allowed values are Error, Warn, Info, and Debug.
+	// When set to Error, only errors will be logged.
+	// When set to Warn, both warnings and errors will be logged.
+	// When set to Info, general information, warnings, and errors will all be logged.
+	// When set to Debug, detailed debugging information will be logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Info`.
+	// +optional
+	LogLevel LogLevel `json:"logLevel,omitempty"`
+	// requestLogging controls whether all incoming HTTP and gRPC requests are logged by Thanos Querier.
+	// requestLogging is optional.
+	// Valid values are "LogAll" and "None".
+	// When set to "LogAll", every request received by Thanos Querier is logged with method, path, and response status.
+	// The log level for request logs is derived from the logLevel field.
+	// When set to "None", request logging is turned off.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is "None".
+	// +optional
+	RequestLogging RequestLoggingPolicy `json:"requestLogging,omitempty"`
+	// crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy
+	// for Thanos Querier's HTTP endpoints.
+	// crossOriginRequestPolicy is optional.
+	// Valid values are "AllowAll" and "DenyAll".
+	// When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain.
+	// When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is "DenyAll".
+	// +optional
+	CrossOriginRequestPolicy CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"`
 	// nodeSelector defines the nodes on which the Pods are scheduled.
 	// nodeSelector is optional.
 	//
@@ -2449,6 +2480,31 @@ type ThanosQuerierConfig struct {
 	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }
 
+// RequestLoggingPolicy controls whether HTTP and gRPC request logging is active.
+// Valid values are "LogAll" and "None".
+// +kubebuilder:validation:Enum=LogAll;None
+type RequestLoggingPolicy string
+
+const (
+	// RequestLoggingPolicyLogAll enables logging of all incoming requests.
+	RequestLoggingPolicyLogAll RequestLoggingPolicy = "LogAll"
+	// RequestLoggingPolicyNone disables request logging.
+	RequestLoggingPolicyNone RequestLoggingPolicy = "None"
+)
+
+// CrossOriginRequestPolicy controls the CORS (Cross-Origin Resource Sharing) policy
+// for Thanos Querier's HTTP endpoints.
+// Valid values are "AllowAll" and "DenyAll".
+// +kubebuilder:validation:Enum=AllowAll;DenyAll
+type CrossOriginRequestPolicy string
+
+const (
+	// CrossOriginRequestPolicyAllowAll sets CORS headers allowing requests from any origin.
+	CrossOriginRequestPolicyAllowAll CrossOriginRequestPolicy = "AllowAll"
+	// CrossOriginRequestPolicyDenyAll does not set CORS headers, rejecting cross-origin requests.
+	CrossOriginRequestPolicyDenyAll CrossOriginRequestPolicy = "DenyAll"
+)
+
 // AuditProfile defines the audit log level for the Metrics Server.
 // +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse
 type AuditProfile string

diff --git a/...1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/...1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
@@ -5888,6 +5888,37 @@ spec:
                   When set, at least one field must be specified within thanosQuerierConfig.
                 minProperties: 1
                 properties:
+                  crossOriginRequestPolicy:
+                    description: |-
+                      crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy
+                      for Thanos Querier's HTTP endpoints.
+                      crossOriginRequestPolicy is optional.
+                      Valid values are "AllowAll" and "DenyAll".
+                      When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain.
+                      When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is "DenyAll".
+                    enum:
+                    - AllowAll
+                    - DenyAll
+                    type: string
+                  logLevel:
+                    description: |-
+                      logLevel defines the verbosity of logs emitted by Thanos Querier.
+                      logLevel is optional.
+                      Allowed values are Error, Warn, Info, and Debug.
+                      When set to Error, only errors will be logged.
+                      When set to Warn, both warnings and errors will be logged.
+                      When set to Info, general information, warnings, and errors will all be logged.
+                      When set to Debug, detailed debugging information will be logged.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is `Info`.
+                    enum:
+                    - Error
+                    - Warn
+                    - Info
+                    - Debug
+                    type: string
                   nodeSelector:
                     additionalProperties:
                       type: string
@@ -5902,6 +5933,20 @@ spec:
                     maxProperties: 10
                     minProperties: 1
                     type: object
+                  requestLogging:
+                    description: |-
+                      requestLogging controls whether all incoming HTTP and gRPC requests are logged by Thanos Querier.
+                      requestLogging is optional.
+                      Valid values are "LogAll" and "None".
+                      When set to "LogAll", every request received by Thanos Querier is logged with method, path, and response status.
+                      The log level for request logs is derived from the logLevel field.
+                      When set to "None", request logging is turned off.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is "None".
+                    enum:
+                    - LogAll
+                    - None
+                    type: string
                   resources:
                     description: |-
                       resources defines the compute resource requests and limits for the Thanos Querier container.

diff --git a/...regated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/...regated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
@@ -5888,6 +5888,37 @@ spec:
                   When set, at least one field must be specified within thanosQuerierConfig.
                 minProperties: 1
                 properties:
+                  crossOriginRequestPolicy:
+                    description: |-
+                      crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy
+                      for Thanos Querier's HTTP endpoints.
+                      crossOriginRequestPolicy is optional.
+                      Valid values are "AllowAll" and "DenyAll".
+                      When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain.
+                      When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is "DenyAll".
+                    enum:
+                    - AllowAll
+                    - DenyAll
+                    type: string
+                  logLevel:
+                    description: |-
+                      logLevel defines the verbosity of logs emitted by Thanos Querier.
+                      logLevel is optional.
+                      Allowed values are Error, Warn, Info, and Debug.
+                      When set to Error, only errors will be logged.
+                      When set to Warn, both warnings and errors will be logged.
+                      When set to Info, general information, warnings, and errors will all be logged.
+                      When set to Debug, detailed debugging information will be logged.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is `Info`.
+                    enum:
+                    - Error
+                    - Warn
+                    - Info
+                    - Debug
+                    type: string
                   nodeSelector:
                     additionalProperties:
                       type: string
@@ -5902,6 +5933,20 @@ spec:
                     maxProperties: 10
                     minProperties: 1
                     type: object
+                  requestLogging:
+                    description: |-
+                      requestLogging controls whether all incoming HTTP and gRPC requests are logged by Thanos Querier.
+                      requestLogging is optional.
+                      Valid values are "LogAll" and "None".
+                      When set to "LogAll", every request received by Thanos Querier is logged with method, path, and response status.
+                      The log level for request logs is derived from the logLevel field.
+                      When set to "None", request logging is turned off.
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+                      The current default value is "None".
+                    enum:
+                    - LogAll
+                    - None
+                    type: string
                   resources:
                     description: |-
                       resources defines the compute resource requests and limits for the Thanos Querier container.

diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go