
Add an option to expose prometheus metrics securely via kube-rbac-proxy #1545

Merged: fedepaol merged 9 commits into metallb:main from fedepaol:metrics/addsecuremetrics on Aug 3, 2022

@fedepaol
Member

Here we adjust the manifests and the helm chart to optionally set a kube-rbac-proxy sidecar to interact with prometheus, in order to expose the metrics securely.

At the same time, we change CI to deploy the prometheus k8s stack and validate the metrics against the real prometheus instance (as opposed to validating that the pods are exposing the metrics). This will give us more confidence in the fact that the integration with prometheus is really working.

@fedepaol fedepaol force-pushed the metrics/addsecuremetrics branch 5 times, most recently from 11c044a to b27fa01 Compare July 29, 2022 21:08
Comment thread config/frr/speaker-patch.yaml
Comment thread tasks.py
Comment thread config/manifests/metallb-frr.yaml
template:
metadata:
annotations:
prometheus.io/port: "7472"
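Review bot: the `prometheus.io/port: "7472"` annotation under `template.metadata.annotations` names a single fixed port for annotation-based scraping. Since this PR makes the kube-rbac-proxy sidecar and the ServiceMonitors optional, confirm the annotation is rendered only in the variant where 7472 is meant to be scraped directly, and otherwise drop it or add a comment saying why it stays.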
weird, that shouldn't have been here? remember removing it on the initial frr exporter pr for the reason in the previous comment - when no port is defined it should look for all monitoring ports 😄

Comment thread config/manifests/metallb-frr-prometheus.yaml Outdated
Comment thread e2etest/pkg/metrics/prometheus.go Outdated
Comment thread e2etest/pkg/metrics/prometheus.go
Comment thread e2etest/l2tests/l2.go Outdated
@fedepaol fedepaol force-pushed the metrics/addsecuremetrics branch 6 times, most recently from bc62af6 to 616c8ad Compare August 1, 2022 13:21
@oribon oribon left a comment

LGTM

@fedepaol fedepaol force-pushed the metrics/addsecuremetrics branch 9 times, most recently from f352c16 to 5e1fbea Compare August 2, 2022 15:11

Changing the overlays to add a layer for exposing metrics to the
prometheus operator via servicemonitors.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

Adding options to deploy prometheus and run metrics tests against it
passing the namespace it's deployed to.

We add a local configuration of prometheus stripped down of unnecessary
items, deploying only the operator and prometheus itself.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

Testing the metrics exposed by the pods doesn't cover the full e2e
solution, and eventual issues in the integration with prometheus won't
appear. Here we add the option to the e2e tests to check the metrics on
prometheus too, if deployed on the cluster.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

@fedepaol fedepaol force-pushed the metrics/addsecuremetrics branch 2 times, most recently from 4374eee to 65ee24e Compare August 2, 2022 21:29

Adding an option to add kube-rbac-proxy to the pods, exposing the
metrics via a secure channel, and adding an option to use
servicemonitors in order to consume those securely exposed metrics.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

Regenerating the manifests and adding two variants for prometheus
enabled.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

Deploying prometheus to be able to run prometheus tests.
Also, add lanes with no prometheus.  We want to make sure the
deployment works also with no prometheus, so add a few helm / manifest
lanes without it.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

Extending the docs accordingly.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

The prometheus tests add test duration time. Raising the timeout to
accommodate them.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>

@fedepaol fedepaol force-pushed the metrics/addsecuremetrics branch from ed73248 to e075f57 Compare August 3, 2022 11:23
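
The arrangement this PR describes (a kube-rbac-proxy sidecar in front of the metrics endpoint, consumed through a ServiceMonitor), sketched as an added example that is not taken from the PR's manifests or the MetalLB chart. All names, the namespace, the image, the certificate paths and port 9120 are placeholders, and 7472 is assumed to be the plain metrics port because it is the port in the annotation discussed above.

```yaml
# Added illustration. Names, namespace, image, cert paths and port 9120 are
# placeholders; 7472 is assumed to be the plain (unauthenticated) metrics port.
# (1) Pod spec fragment: sidecar terminating TLS and checking the caller's token.
# Assumes the application's metrics listener is bound to 127.0.0.1 only, so the
# plain endpoint cannot be reached around the proxy.
containers:
- name: kube-rbac-proxy
  image: <kube-rbac-proxy image>
  args:
  - --secure-listen-address=0.0.0.0:9120
  - --upstream=http://127.0.0.1:7472/
  - --tls-cert-file=/etc/metrics/tls.crt
  - --tls-private-key-file=/etc/metrics/tls.key
  ports:
  - name: metricshttps
    containerPort: 9120
---
# (2) What the scraper's service account must be allowed to do. The proxy's own
# service account needs create on tokenreviews and subjectaccessreviews.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
# (3) ServiceMonitor scraping over HTTPS with the Prometheus pod's token.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: example-secure-metrics
  namespace: example-ns
spec:
  selector:
    matchLabels:
      app: example
  endpoints:
  - port: metricshttps        # name of the Service port that targets 9120
    scheme: https
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    tlsConfig:
      # Weak variant to avoid: insecureSkipVerify: true (token sent to an unverified peer)
      ca:
        secret:
          name: example-metrics-ca
          key: ca.crt
      serverName: example-metrics.example-ns.svc
```

The ClusterRole only takes effect once it is bound to the service account Prometheus runs as, and the CA secret has to live in the ServiceMonitor's namespace.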