MON-3229: Remove the dependency on the apiserver auth #1904
Conversation
I think that we also need to update the telemeter client so it can authenticate against the Prometheus server using a client TLS certificate. Right now, the forwarder package (which reads the metrics from the /federate endpoint) only supports bearer token authentication.
Testing TLS changes
depends on openshift/telemeter#457
/retest-required
Signed-off-by: Mario Fernandez <mariofer@redhat.com>
It seems that everything is working with the last patch of openshift/telemeter#455.
After this PR is merged I can add some tests on the telemeter side. Also, these tests in origin always check that CMO and telemeter federate scraping is working right: https://github.com/openshift/origin/blob/master/test/extended/prometheus/prometheus.go#L276-L305
Signed-off-by: Mario Fernandez <mariofer@redhat.com>
/retest
/test e2e-aws-ovn-single-node
/retitle MON-3229: Remove the dependency on the apiserver auth
@marioferh: This pull request references MON-3229 which is a valid jira issue. In response to this:
static+: [ | ||
{ | ||
user: { | ||
name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s', |
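Review bot: the static authorizer entry here hard-codes the prometheus-k8s service-account name as a bare string literal, and the same identity is already emitted by generate-secret.libsonnet into every *rbac-secret.yaml; define it once as a shared jsonnet variable so that a rename cannot leave the proxy allowlist and the generated secrets disagreeing. Since the PR is adding /federate to the rbac proxy, also confirm that this static+ entry pins the verb and path (GET on /federate) rather than allowing the user on every path the proxy fronts.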
nit: This seems to repeat at various place. Perhaps we should store this in a variable / config.
The other reference to this user is here: https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/utils/generate-secret.libsonnet#L18
I think it is not so repetitive, as all the *rbac-secret.yaml files are generated from that function.
If it's OK for @sthaha we can move forward with this PR and maybe do a refactor in the future with other variables, configs or SAs.
@marioferh, a nit can always be ignored 🤗
Signed-off-by: Mario Fernandez <mariofer@redhat.com>
/hold
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: marioferh, raptorsun
@marioferh: The following test failed, say
/unhold
Merged 97f0462 into openshift:master
Description
When the control plane nodes are under pressure or the apiserver is just not available, no telemetry data is emitted by the monitoring stack.
Solution
Removing the dependency on the apiserver would mean using mTLS communication between telemeter-client and the Prometheus pods.
Add the /federate endpoint to the rbac proxy and allow telemeter-client to authenticate via mTLS to reach the Prometheus metrics.
Add mTLS auth to telemeter-client: openshift/telemeter#455
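Added example, not code from cluster-monitoring-operator or telemeter: a self-contained Go sketch of the exchange the description (and the first review comment about the forwarder package) calls for. A stand-in for the rbac proxy requires a client certificate that chains to a constructed CA, and then allows exactly one identity to GET /federate; the client side presents a certificate instead of a bearer token. The CA, all certificates, the service-account CN assumed for telemeter-client, the service DNS name and the sample /federate body are constructed here and are not values taken from the PR. The serving certificate is issued for both TLS roles so that it can also play the part of "valid certificate from the right CA, but the wrong identity".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const (
	// Constructed sample of a /federate response; not data from a real cluster.
	sampleFederate = "# TYPE up gauge\nup{job=\"prometheus\"} 1\n"
	// Assumed CN the proxy allows and DNS name expected in the serving cert; neither is stated in the PR.
	allowedCN  = "system:serviceaccount:openshift-monitoring:telemeter-client"
	serverName = "prometheus-k8s.openshift-monitoring.svc"
)

// issue mints an Ed25519 cert signed by parent (self-signed when parent is nil). Fixture code: panics on error.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// federateHandler stands in for the rbac-proxy. TLS already verified that the client cert chains
// to ClientCAs; this authorizes that identity for one verb on one path, like a static allow entry.
func federateHandler(w http.ResponseWriter, r *http.Request) {
	if len(r.TLS.PeerCertificates) == 0 || r.TLS.PeerCertificates[0].Subject.CommonName != allowedCN ||
		r.Method != http.MethodGet || r.URL.Path != "/federate" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	io.WriteString(w, sampleFederate)
}

// NewProxy builds the demo PKI and starts a TLS listener that requires a client cert chaining to its
// CA. It returns the CA (what clients must trust), the allowed client cert and the serving cert.
func NewProxy() (proxy *httptest.Server, ca *x509.Certificate, client, server tls.Certificate) {
	root := issue("demo-ca", true, nil, nil, nil)
	key := root.PrivateKey.(ed25519.PrivateKey)
	server = issue("prometheus-k8s", false, []string{serverName}, root.Leaf, key)
	client = issue(allowedCN, false, nil, root.Leaf, key)
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	proxy = httptest.NewUnstartedServer(http.HandlerFunc(federateHandler))
	proxy.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	proxy.StartTLS()
	return proxy, root.Leaf, client, server
}

// fetchFederate is the telemeter-client side: trust only ca, expect serverName in the serving cert
// and, when given one, present a client cert instead of a bearer token. nil models the token-only client.
func fetchFederate(base string, ca *x509.Certificate, clientCert *tls.Certificate) (int, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(base + "/federate")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	proxy, ca, client, server := NewProxy()
	defer proxy.Close()
	fmt.Println(fetchFederate(proxy.URL, ca, &client)) // 200 and the sample body
	fmt.Println(fetchFederate(proxy.URL, ca, &server)) // 403: valid cert, wrong CN
	fmt.Println(fetchFederate(proxy.URL, ca, nil))     // error: no certificate presented
}
```

Authentication happens entirely in the TLS handshake against the CA bundle the proxy holds, so the proxy never has to ask the apiserver whether a presented credential is valid, which is the dependency the PR removes. Authorization does not disappear with it: the handler still decides which identity may use which verb on which path, the role the static authorizer entry plays in the PR. The third call in main shows the failure mode from the other direction: a client with nothing but a bearer token is refused at the TLS layer before any HTTP request is seen.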