Add annotations for enabling TLS on Envoy Prometheus endpoint #1303
Conversation
| @@ -1,6 +1,6 @@ | |||
| {{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} | |||
| {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} | |||
| {{- if (and (and .Values.global.tls.enabled .Values.global.tls.httpsOnly) (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics))}}{{ fail "global.metrics.enableAgentMetrics cannot be enabled if TLS (HTTPS only) is enabled" }}{{ end -}} | |||
| # {{- if (and (and .Values.global.tls.enabled .Values.global.tls.httpsOnly) (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics))}}{{ fail "global.metrics.enableAgentMetrics cannot be enabled if TLS (HTTPS only) is enabled" }}{{ end -}} | |||
There was a problem hiding this comment.
Does this check (and the one in server-statefulset.yml) need to be modified at all, or can it just be removed? Further down in this file we set the http port to 8501 if tls.enabled is true, so it seems like this can probably be deleted because now we'll support scraping both agent and Envoy prometheus metrics over TLS.
There was a problem hiding this comment.
I think we can just delete this check now and the corresponding BATS tests (if there are any)
jmurret
requested review from
a team,
ndhanushkodi and
thisisnotashwin
and removed request for
a team
| @@ -214,6 +219,19 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod, | |||
| data.PrometheusScrapePath = prometheusScrapePath | |||
| data.PrometheusBackendPort = mergedMetricsPort | |||
| } | |||
| // Pull the TLS config from the relevant annotations. | |||
There was a problem hiding this comment.
Are all of these annotations required or just one?
If they are all required, or required in sets we should enforce that with some validation and errors, in which case we should also update the unit tests accordingly.
There was a problem hiding this comment.
Cert, key, and one of CA file or path is required - would that validation go in the client/server daemonset templates, or somewhere else?
There was a problem hiding this comment.
Since it can be overridden by annotations I think we need it on both ends:
- in the template logic for the defaults
- here for the overrides
There was a problem hiding this comment.
I added the check/tests here - these won't be settable in the template/defaults though so this should be the only place the validation is needed.
|
Could we get some reviews on this from @thisisnotashwin and @ndhanushkodi. It looks like the feature is now merged on the Core side in main. |
| @@ -1,6 +1,6 @@ | |||
| {{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} | |||
| {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} | |||
| {{- if (and (and .Values.global.tls.enabled .Values.global.tls.httpsOnly) (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics))}}{{ fail "global.metrics.enableAgentMetrics cannot be enabled if TLS (HTTPS only) is enabled" }}{{ end -}} | |||
| # {{- if (and (and .Values.global.tls.enabled .Values.global.tls.httpsOnly) (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics))}}{{ fail "global.metrics.enableAgentMetrics cannot be enabled if TLS (HTTPS only) is enabled" }}{{ end -}} | |||
There was a problem hiding this comment.
I think we can just delete this check now and the corresponding BATS tests (if there are any)
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Changes proposed in this PR:
How I've tested this PR:
How I expect reviewers to test this PR:
Checklist: