MON-2807: Use bearer token file for remote write authentication with telemeter #1733
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
added
the
approved
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
73734fb
to
5cd04bc
Compare
|
/test e2e-agnostic |
1 similar comment
|
/test e2e-agnostic |
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
5cd04bc
to
8345d86
Compare
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
8345d86
to
7bb7ebb
Compare
simonpasquier
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/skip |
| @@ -1657,13 +1677,12 @@ func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, trustedCABundleCM *v1.Config | |||
| Replacement: "alerts", | |||
| }, | |||
| }, | |||
| MetadataConfig: &monv1.MetadataConfig{ | |||
There was a problem hiding this comment.
This change seems to not be related, was it intentional?
There was a problem hiding this comment.
Yes but it should be commented. Basically we don't want/need to forward metadata information to the telemeter server.
It comes from #1416 which was the previous PR that exercised the receive path of telemeter.
There was a problem hiding this comment.
Yes, Telemeter forwards rw requests to Thanos, and Thanos doesn't have metadata ingestion yet. We can still send it, but it would just be dropped. 🙂
There was a problem hiding this comment.
Did you still want to add a comment for this @simonpasquier ?
|
For traceability I'm also linking this here since AFAIK these two PRs are related openshift/telemeter#430 |
|
@jan--f I'm wondering if we shouldn't add an end-to-end test to validate the /receive path. Even though we don't support it yet in OCP, it would help detecting regressions on the server side. WDYT? |
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
7bb7ebb
to
8b68d6c
Compare
|
|
||
| // TestTelemeterRemoteWrite verifies that the monitoring stack can send data to | ||
| // the telemeter server using the native Prometheus remote write endpoint. | ||
| func TestTelemeterRemoteWrite(t *testing.T) { |
There was a problem hiding this comment.
Small curiosity questions:
- Where does CMO get the config/info that Prom is supposed to remote-write to
https://infogw.api.openshift.com.+? I see we are enabling remote-write but I don't get how it knows it's supposed to send them there. - Why are we modifying the deployment instead of using the ConfigMap
There was a problem hiding this comment.
I think it's hardcoded in the SetRemoteWrite function https://github.com/openshift/cluster-monitoring-operator/blob/master/pkg/manifests/config.go#L449. This is called in Operator.sync https://github.com/openshift/cluster-monitoring-operator/blob/master/pkg/operator/operator.go#L608.
There was a problem hiding this comment.
Indeed, thank you 👍
There was a problem hiding this comment.
yes, we have no way to turn on native remote write without setting CMO into unmanaged state and hacking the deployment args.
|
/skip |
|
/retest |
|
/assign @jan--f |
| clusterID := f.config.ClusterMonitoringConfiguration.TelemeterClientConfig.ClusterID | ||
| if telemetryEnabled && f.config.RemoteWrite { | ||
|
|
||
| if telemetrySecret != nil { | ||
| selectorRelabelConfig, err := promqlgen.LabelSelectorsToRelabelConfig(f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.TelemetryMatches) |
There was a problem hiding this comment.
Discussed separately: Future readers of this code would benefit from checking the actual config condition here (if telemetryEnabled && f.config.RemoteWrite) and assuming the secret was created instead of coupling this to the secret creating.
|
/retitle: MON-2807: Use bearer token file for remote write authentication with telemeter |
openshift-ci
bot
changed the title
|
Once change request discussed offline added here as a comment, otherwise this looks good. |
|
/retitle MON-2807: Use bearer token file for remote write authentication with telemeter |
openshift-ci
bot
changed the title
simonpasquier
force-pushed
the
test-telemeter-receive
branch
2 times, most recently
from
43ab1e6
to
c6d21a3
Compare
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
openshift-merge-robot
added
the
needs-rebase
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
c6d21a3
to
e9b7689
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/test e2e-agnostic-operator |
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
For security concerns, it's better to pass the bearer token via a Secret rather than sticking it in the Prometheus custom resource. Added TestTelemeterRemoteWrite to the end-to-end tests to ensure that the Telemetry remote-write path is tested though it isn't (yet) enabled.
simonpasquier
force-pushed
the
test-telemeter-receive
branch
from
e9b7689
to
dfa372d
Compare
|
/test e2e-agnostic |
|
@simonpasquier: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm On a side note, I was wondering about the |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jan--f, simonpasquier The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/label docs-approved |
openshift-ci
bot
added
docs-approved
cc @saswatamcode