Merge pull request #137 from brancz/fix-serving-certs

*: Fix handling of serving certs CA bundle
openshift · Oct 30, 2018 · 1cff58e · 1cff58e
2 parents 141e8ae + 576922f
commit 1cff58e
Show file tree

Hide file tree

Showing 550 changed files with 69,263 additions and 20,390 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -28,7 +28,7 @@
   version = "1.0.0"
 
 [[constraint]]
-  version = "v0.23.0"
+  version = "v0.25.0"
   name = "github.com/coreos/prometheus-operator"
 
 [[constraint]]
@@ -39,25 +39,21 @@
   name = "github.com/pkg/errors"
   version = "0.8.0"
 
-[[constraint]]
-  name = "github.com/prometheus/client_golang"
-  version = "0.8.0"
-
 [[constraint]]
   name = "k8s.io/api"
-  version = "kubernetes-1.11.0"
+  version = "kubernetes-1.12.0"
 
 [[constraint]]
   name = "k8s.io/apiextensions-apiserver"
-  version = "kubernetes-1.11.0"
+  version = "kubernetes-1.12.0"
 
 [[constraint]]
   name = "k8s.io/apimachinery"
-  version = "kubernetes-1.11.0"
+  version = "kubernetes-1.12.0"
 
 [[constraint]]
   name = "k8s.io/client-go"
-  version = "8.0.0"
+  version = "9.0.0"
 
 [[constraint]]
   name = "gopkg.in/yaml.v2"

diff --git a/assets/alertmanager/service-monitor.yaml b/assets/alertmanager/service-monitor.yaml
@@ -12,7 +12,7 @@ spec:
     port: web
     scheme: https
     tlsConfig:
-      caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+      caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
       serverName: alertmanager-main
   selector:
     matchLabels:

diff --git a/assets/kube-state-metrics/service-monitor.yaml b/assets/kube-state-metrics/service-monitor.yaml
@@ -14,15 +14,15 @@ spec:
     scheme: https
     scrapeTimeout: 2m
     tlsConfig:
-      caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+      caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
       serverName: server-name-replaced-at-runtime
   - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
     interval: 2m
     port: https-self
     scheme: https
     scrapeTimeout: 2m
     tlsConfig:
-      caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+      caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
       serverName: server-name-replaced-at-runtime
   jobLabel: k8s-app
   selector:

diff --git a/assets/node-exporter/service-monitor.yaml b/assets/node-exporter/service-monitor.yaml
@@ -12,7 +12,7 @@ spec:
     port: https
     scheme: https
     tlsConfig:
-      caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+      caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
       serverName: server-name-replaced-at-runtime
   jobLabel: k8s-app
   selector:

diff --git a/assets/prometheus-k8s/prometheus.yaml b/assets/prometheus-k8s/prometheus.yaml
@@ -28,9 +28,11 @@ spec:
       port: web
       scheme: https
       tlsConfig:
-        caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+        caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
         serverName: alertmanager-main
   baseImage: openshift/prometheus
+  configMaps:
+  - prometheus-serving-certs-ca-bundle
   containers:
   - args:
     - -provider=openshift

diff --git a/assets/prometheus-k8s/service-monitor.yaml b/assets/prometheus-k8s/service-monitor.yaml
@@ -12,7 +12,7 @@ spec:
     port: web
     scheme: https
     tlsConfig:
-      caFile: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+      caFile: /etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt
       serverName: prometheus-k8s
   selector:
     matchLabels:

diff --git a/assets/prometheus-k8s/serving-certs-ca-bundle.yaml b/assets/prometheus-k8s/serving-certs-ca-bundle.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  service-ca.crt: ""
+kind: ConfigMap
+metadata:
+  annotations:
+    service.alpha.openshift.io/inject-cabundle: "true"
+  name: prometheus-serving-certs-ca-bundle
+  namespace: openshift-monitoring
diff --git a/assets/prometheus-operator/deployment.yaml b/assets/prometheus-operator/deployment.yaml
@@ -21,7 +21,7 @@ spec:
         - --logtostderr=true
         - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
         - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.25.0
-        - --namespace=openshift-monitoring
+        - --namespaces=openshift-monitoring
         image: quay.io/coreos/prometheus-operator:v0.25.0
         name: prometheus-operator
         ports:

diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -104,7 +104,7 @@ func Main() int {
 	r := prometheus.NewRegistry()
 	r.MustRegister(
 		prometheus.NewGoCollector(),
-		prometheus.NewProcessCollector(os.Getpid(), ""),
+		prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}),
 	)
 
 	config, err := clientcmd.BuildConfigFromFlags(*apiserver, *kubeconfigPath)

diff --git a/jsonnet/alertmanager.jsonnet b/jsonnet/alertmanager.jsonnet
@@ -3,6 +3,7 @@ local serviceAccount = k.core.v1.serviceAccount;
 local service = k.core.v1.service;
 local servicePort = k.core.v1.service.mixin.spec.portsType;
 local secret = k.core.v1.secret;
+local configmap = k.core.v1.configMap;
 local clusterRole = k.rbac.v1.clusterRole;
 local policyRule = clusterRole.rulesType;
 
@@ -113,7 +114,7 @@ local authorizationRole = policyRule.new() +
               interval: '30s',
               scheme: 'https',
               tlsConfig: {
-                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'alertmanager-main',
               },
               bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',

diff --git a/jsonnet/grafana.jsonnet b/jsonnet/grafana.jsonnet
@@ -3,6 +3,7 @@ local serviceAccount = k.core.v1.serviceAccount;
 local service = k.core.v1.service;
 local servicePort = k.core.v1.service.mixin.spec.portsType;
 local secret = k.core.v1.secret;
+local configmap = k.core.v1.configMap;
 local clusterRole = k.rbac.v1.clusterRole;
 local policyRule = clusterRole.rulesType;
 

diff --git a/jsonnet/kube-state-metrics.jsonnet b/jsonnet/kube-state-metrics.jsonnet
@@ -3,6 +3,7 @@ local service = k.core.v1.service;
 local deployment = k.apps.v1beta2.deployment;
 local container = deployment.mixin.spec.template.spec.containersType;
 local volume = deployment.mixin.spec.template.spec.volumesType;
+local configmap = k.core.v1.configMap;
 local containerPort = container.portsType;
 local containerVolumeMount = container.volumeMountsType;
 local tmpVolumeName = 'volume-directive-shadow';
@@ -34,7 +35,7 @@ local tlsVolumeName = 'kube-state-metrics-tls';
               port: 'https-main',
               scheme: 'https',
               tlsConfig: {
-                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'server-name-replaced-at-runtime',
               },
             },
@@ -45,7 +46,7 @@ local tlsVolumeName = 'kube-state-metrics-tls';
               port: 'https-self',
               scheme: 'https',
               tlsConfig: {
-                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'server-name-replaced-at-runtime',
               },
             },

diff --git a/jsonnet/node-exporter.jsonnet b/jsonnet/node-exporter.jsonnet
@@ -3,6 +3,7 @@ local service = k.core.v1.service;
 local daemonset = k.apps.v1beta2.daemonSet;
 local container = daemonset.mixin.spec.template.spec.containersType;
 local volume = daemonset.mixin.spec.template.spec.volumesType;
+local configmap = k.core.v1.configMap;
 local containerPort = container.portsType;
 local containerVolumeMount = container.volumeMountsType;
 local tlsVolumeName = 'node-exporter-tls';
@@ -31,7 +32,7 @@ local tlsVolumeName = 'node-exporter-tls';
               port: 'https',
               scheme: 'https',
               tlsConfig: {
-                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'server-name-replaced-at-runtime',
               },
             },

diff --git a/jsonnet/prometheus-operator.jsonnet b/jsonnet/prometheus-operator.jsonnet
@@ -12,7 +12,7 @@
                 std.map(
                   function(c) c {
                     resources: {},
-                    args+: ['--namespace=' + $._config.namespace],
+                    args+: ['--namespaces=' + $._config.namespace],
                     securityContext: {},
                   },
                   super.containers,

diff --git a/jsonnet/prometheus.jsonnet b/jsonnet/prometheus.jsonnet
@@ -3,6 +3,7 @@ local serviceAccount = k.core.v1.serviceAccount;
 local service = k.core.v1.service;
 local servicePort = k.core.v1.service.mixin.spec.portsType;
 local secret = k.core.v1.secret;
+local configmap = k.core.v1.configMap;
 local clusterRole = k.rbac.v1.clusterRole;
 local policyRule = clusterRole.rulesType;
 local selector = k.apps.v1beta2.deployment.mixin.spec.selectorType;
@@ -85,6 +86,11 @@ local namespacesRole = policyRule.new() +
         servicePort.newNamed('tenancy', 9092, 'tenancy'),
       ]),
 
+    servingCertsCaBundle+:
+      configmap.new('prometheus-serving-certs-ca-bundle', { 'service-ca.crt': '' }) +
+      configmap.mixin.metadata.withNamespace($._config.namespace) +
+      configmap.mixin.metadata.withAnnotations({ 'service.alpha.openshift.io/inject-cabundle': 'true' }),
+
     // As Prometheus is protected by the oauth proxy it requires the
     // ability to create TokenReview and SubjectAccessReview requests.
     // Additionally in order to authenticate with the Alertmanager it
@@ -255,7 +261,7 @@ local namespacesRole = policyRule.new() +
               interval: '30s',
               scheme: 'https',
               tlsConfig: {
-                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                 serverName: 'prometheus-k8s',
               },
               bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
@@ -277,7 +283,7 @@ local namespacesRole = policyRule.new() +
                 function(a) a {
                   scheme: 'https',
                   tlsConfig: {
-                    caFile: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+                    caFile: '/etc/prometheus/configmaps/prometheus-serving-certs-ca-bundle/service-ca.crt',
                     serverName: 'alertmanager-main',
                   },
                   bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
@@ -293,6 +299,7 @@ local namespacesRole = policyRule.new() +
             'prometheus-k8s-htpasswd',
             'kube-rbac-proxy',
           ],
+          configMaps: ['prometheus-serving-certs-ca-bundle'],
           serviceMonitorSelector: selector.withMatchExpressions({ key: 'k8s-app', operator: 'Exists' }),
           serviceMonitorNamespaceSelector: selector.withMatchExpressions({ key: 'openshift.io/cluster-monitoring', operator: 'Exists' }),
           listenLocal: true,