New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-11958: Add the trusted CA bundle in UWM Prometheus pods #1970
OCPBUGS-11958: Add the trusted CA bundle in UWM Prometheus pods #1970
Conversation
Skipping CI for Draft Pull Request. |
@rexagod: This pull request references Jira Issue OCPBUGS-11958, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@rexagod: This pull request references Jira Issue OCPBUGS-11958, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add the trusted CA bundle in UWM Prometheus pods, so users can secure the remote-write endpoint, in response to [OCPBUGS-11958](https://issues.redhat.com/browse/OCPBUGS-11958). Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
|
/retest all |
@rexagod: The
The following commands are available to trigger optional jobs:
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test all |
/skip |
prefix: "prometheus-user-workload", | ||
} | ||
|
||
hashedTrustedCA, err := cbs.syncTrustedCABundle(ctx, trustedCA) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instead of using caBundleSyncer, it's better to use DeleteHashedConfigMap
like here
cluster-monitoring-operator/pkg/tasks/thanos_ruler_user_workload.go
Lines 384 to 397 in 88d97c8
trustedCA, err := t.factory.ThanosRulerTrustedCABundle() | |
if err != nil { | |
return errors.Wrap(err, "initializing Thanos Ruler trusted CA bundle ConfigMap failed") | |
} | |
err = t.client.DeleteConfigMap(ctx, trustedCA) | |
if err != nil { | |
return errors.Wrap(err, "deleting Thanos Ruler trusted CA bundle ConfigMap failed") | |
} | |
err = t.client.DeleteHashedConfigMap(ctx, trustedCA.GetNamespace(), "thanos-ruler", "") | |
if err != nil { | |
return errors.Wrap(err, "deleting all hashed Thanos Ruler trusted CA bundle ConfigMap failed") | |
} |
pkg/manifests/manifests.go
Outdated
@@ -1731,6 +1737,27 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus, | |||
p.Spec.Secrets = append(p.Spec.Secrets, getAdditionalAlertmanagerSecrets(alertManagerConfigs)...) | |||
} | |||
|
|||
if trustedCABundleCM != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a real need to check for nil? if not, it might be more readable to inject the configmap along with the configuration of the startup probe (e.g. have only one loop iterating over the containers).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, Simon. I've pushed the snippet in the loop above.
3dcd4ef
to
6ea7a45
Compare
/retest |
d1ba20b
to
b152c8c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/skip |
/retest-required |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rexagod, simonpasquier The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
6375989
into
openshift:master
@rexagod: Jira Issue OCPBUGS-11958: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-11958 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@rexagod: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/cherry-pick release-4.13 |
@rexagod: new pull request created: #2041 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.12 |
@rexagod: #1970 failed to apply on top of branch "release-4.12":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add the trusted CA bundle in UWM Prometheus pods, so users can secure
the remote-write endpoint, in response to OCPBUGS-11958.