openshift · openshift-merge-robot · Jul 18, 2023 · Jul 11, 2023
diff --git a/assets/control-plane/minimal-service-monitor-etcd.yaml b/assets/control-plane/minimal-service-monitor-etcd.yaml
diff --git a/assets/control-plane/service-monitor-etcd.yaml b/assets/control-plane/service-monitor-etcd.yaml
diff --git a/assets/prometheus-k8s/prometheus.yaml b/assets/prometheus-k8s/prometheus.yaml
@@ -190,7 +190,6 @@ spec:
       openshift.io/cluster-monitoring: "true"
   ruleSelector: {}
   secrets:
-  - kube-etcd-client-certs
   - prometheus-k8s-tls
   - prometheus-k8s-proxy
   - prometheus-k8s-thanos-sidecar-tls

diff --git a/hack/deploy-on-openshift.sh b/hack/deploy-on-openshift.sh
@@ -24,5 +24,4 @@ oc apply -f manifests/01-namespace.yaml
 oc apply -f manifests/02-role-binding.yaml
 oc apply -f manifests/02-role.yaml
 oc apply -f manifests/03-config.yaml
-oc apply -f manifests/03-etcd-secret.yaml
 oc apply -f manifests/04-deployment.yaml
diff --git a/hack/generate-etcd-secret.sh b/hack/generate-etcd-secret.sh
diff --git a/hack/ocp-images.sh b/hack/ocp-images.sh
@@ -64,12 +64,6 @@ data:
       baseImage: ${INTERNAL_REGISTRY}/ose-kube-state-metrics
     auth:
       baseImage: ${INTERNAL_REGISTRY}/oauth-proxy
-    etcd:
-      enabled: true
-      targets:
-        selector:
-          openshift.io/component: etcd
-          openshift.io/control-plane: "true"
 EOF
 
 cat << EOF > manifests/cluster-monitoring-operator.yaml

diff --git a/jsonnet/components/control-plane.libsonnet b/jsonnet/components/control-plane.libsonnet
@@ -10,64 +10,6 @@ function(params)
       _config+:: cfg.mixin._config,
     },
 
-    serviceMonitorEtcd: {
-      apiVersion: 'monitoring.coreos.com/v1',
-      kind: 'ServiceMonitor',
-      metadata: {
-        name: 'etcd',
-        namespace: cfg.namespace,
-        labels: {
-          'app.kubernetes.io/name': 'etcd',
-          'k8s-app': 'etcd',
-          'monitoring.openshift.io/collection-profile': 'full',
-        },
-      },
-      spec: {
-        jobLabel: 'k8s-app',
-        endpoints: [
-          {
-            port: 'etcd-metrics',
-            interval: '30s',
-            scheme: 'https',
-            // Prometheus Operator (and Prometheus) allow us to specify a tlsConfig. This is required as most likely your etcd metrics end points is secure.
-            tlsConfig: {
-              caFile: '/etc/prometheus/secrets/kube-etcd-client-certs/etcd-client-ca.crt',
-              keyFile: '/etc/prometheus/secrets/kube-etcd-client-certs/etcd-client.key',
-              certFile: '/etc/prometheus/secrets/kube-etcd-client-certs/etcd-client.crt',
-            },
-          },
-        ],
-        selector: {
-          matchLabels: {
-            'k8s-app': 'etcd',
-          },
-        },
-        namespaceSelector: {
-          matchNames: ['openshift-etcd'],
-        },
-      },
-    },
-
-    minimalServiceMonitorEtcd: generateServiceMonitor.minimal(
-      self.serviceMonitorEtcd, std.join('|',
-                                        [
-                                          'etcd_disk_backend_commit_duration_seconds_bucket',
-                                          'etcd_disk_wal_fsync_duration_seconds_bucket',
-                                          'etcd_mvcc_db_total_size_in_bytes',
-                                          'etcd_mvcc_db_total_size_in_use_in_bytes',
-                                          'etcd_network_peer_round_trip_time_seconds_bucket',
-                                          'etcd_network_peer_sent_failures_total',
-                                          'etcd_server_has_leader',
-                                          'etcd_server_is_leader',
-                                          'etcd_server_proposals_failed_total',
-                                          'etcd_server_quota_backend_bytes',
-                                          'grpc_server_handled_total',
-                                          'grpc_server_handling_seconds_bucket',
-                                          'grpc_server_started_total',
-                                          'process_start_time_seconds',
-                                        ])
-    ),
-
     // This changes the kubelet's certificates to be validated when
     // scraping.
     serviceMonitorKubelet+: {

diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
@@ -328,7 +328,6 @@ function(params)
           runAsUser: 65534,
         },
         secrets+: [
-          'kube-etcd-client-certs',  //TODO(paulfantom): move it to etcd addon
           'prometheus-k8s-tls',
           'prometheus-k8s-proxy',
           'prometheus-k8s-thanos-sidecar-tls',

diff --git a/jsonnet/utils/configure-authentication-for-monitors.libsonnet b/jsonnet/utils/configure-authentication-for-monitors.libsonnet
@@ -1,7 +1,7 @@
 {
   configureAuthenticationForMonitors(o): {
     local configureAuthentication(o) = o {
-      [if (o.kind == 'ServiceMonitor' && !std.startsWith(o.metadata.name, 'etcd')) || o.kind == 'PodMonitor' then 'spec']+: {
+      [if o.kind == 'ServiceMonitor' || o.kind == 'PodMonitor' then 'spec']+: {
         [if o.kind == 'ServiceMonitor' then 'endpoints' else 'podMetricsEndpoints']: [
           if std.objectHas(e, 'scheme') && e.scheme == 'https' then
             e {

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -939,6 +939,18 @@ func (c *Client) DeleteSecret(ctx context.Context, s *v1.Secret) error {
 	return err
 }
 
+// NOTE: this is only used during 4.13->4.14 upgrade, will be removed after.
+// TODO: remove this
+func (c *Client) DeleteSecretByNamespaceAndName(ctx context.Context, namespace, name string) error {
+	err := c.kclient.CoreV1().Secrets(namespace).Delete(ctx, name, metav1.DeleteOptions{})
+	// if the object does not exist then everything is good here
+	if err != nil && !apierrors.IsNotFound(err) {
+		return errors.Wrap(err, "deleting Secret object failed")
+	}
+
+	return nil
+}
+
 // validatePrometheusResource is a helper method for ValidatePrometheus.
 // NOTE: this function is refactored out of wait.Poll for testing
 func (c Client) validatePrometheusResource(ctx context.Context, prom types.NamespacedName) (bool, []error) {

diff --git a/pkg/manifests/config.go b/pkg/manifests/config.go
@@ -166,19 +166,6 @@ type Audit struct {
 	Profile auditv1.Level `json:"profile"`
 }
 
-type EtcdConfig struct {
-	Enabled *bool `json:"-"`
-}
-
-// IsEnabled returns the underlying value of the `Enabled` boolean pointer.
-// It defaults to false if the pointer is nil.
-func (e *EtcdConfig) IsEnabled() bool {
-	if e.Enabled == nil {
-		return false
-	}
-	return *e.Enabled
-}
-
 func (cfg *TelemeterClientConfig) IsEnabled() bool {
 	if cfg == nil {
 		return false
@@ -311,10 +298,6 @@ func (c *Config) applyDefaults() {
 		c.ClusterMonitoringConfiguration.K8sPrometheusAdapter.Audit.Profile = auditv1.LevelMetadata
 	}
 
-	if c.ClusterMonitoringConfiguration.EtcdConfig == nil {
-		c.ClusterMonitoringConfiguration.EtcdConfig = &EtcdConfig{}
-	}
-
 	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.CollectionProfile == "" {
 		c.ClusterMonitoringConfiguration.PrometheusK8sConfig.CollectionProfile = FullCollectionProfile
 	}

diff --git a/pkg/manifests/config_test.go b/pkg/manifests/config_test.go
@@ -174,23 +174,6 @@ func TestTelemeterClientConfig(t *testing.T) {
 	}
 }
 
-func TestEtcdDefaultsToDisabled(t *testing.T) {
-	c, err := NewConfigFromString("", false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if c.ClusterMonitoringConfiguration.EtcdConfig.IsEnabled() {
-		t.Error("an empty configuration should have etcd disabled")
-	}
-	c, err = NewConfigFromString(`{"etcd":{}}`, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if c.ClusterMonitoringConfiguration.EtcdConfig.IsEnabled() {
-		t.Error("an empty etcd configuration should have etcd disabled")
-	}
-}
-
 func TestPromAdapterDedicatedSMsDefaultsToDisabled(t *testing.T) {
 	c, err := NewConfigFromString("", false)
 	if err != nil {

diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -288,8 +288,6 @@ var (
 	ControlPlaneKubeletServiceMonitor        = "control-plane/service-monitor-kubelet.yaml"
 	ControlPlaneKubeletMinimalServiceMonitor = "control-plane/minimal-service-monitor-kubelet.yaml"
 	ControlPlaneKubeletServiceMonitorPA      = "control-plane/service-monitor-kubelet-resource-metrics.yaml"
-	ControlPlaneEtcdServiceMonitor           = "control-plane/service-monitor-etcd.yaml"
-	ControlPlaneEtcdMinimalServiceMonitor    = "control-plane/minimal-service-monitor-etcd.yaml"
 
 	MonitoringPlugin                    = "monitoring-plugin/console-plugin.yaml"
 	MonitoringPluginConfigMap           = "monitoring-plugin/config-map.yaml"
@@ -1453,17 +1451,6 @@ func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, trustedCABundleCM *v1.Config
 		}
 	}
 
-	if !f.config.ClusterMonitoringConfiguration.EtcdConfig.IsEnabled() {
-		secrets := []string{}
-		for _, s := range p.Spec.Secrets {
-			if s != "kube-etcd-client-certs" {
-				secrets = append(secrets, s)
-			}
-		}
-
-		p.Spec.Secrets = secrets
-	}
-
 	if f.config.Images.Thanos != "" {
 		p.Spec.Thanos.Image = &f.config.Images.Thanos
 	}
@@ -2456,54 +2443,6 @@ func (f *Factory) ControlPlanePrometheusRule() (*monv1.PrometheusRule, error) {
 	return r, nil
 }
 
-func (f *Factory) ControlPlaneEtcdSecret(tlsClient *v1.Secret, ca *v1.ConfigMap) (*v1.Secret, error) {
-	data := make(map[string]string)
-
-	for k, v := range tlsClient.Data {
-		data[k] = string(v)
-	}
-
-	for k, v := range ca.Data {
-		data[k] = v
-	}
-
-	r := newErrMapReader(data)
-
-	var (
-		clientCA   = r.value(TrustedCABundleKey)
-		clientCert = r.value("tls.crt")
-		clientKey  = r.value("tls.key")
-	)
-
-	if r.Error() != nil {
-		return nil, errors.Wrap(r.err, "couldn't find etcd certificate data")
-	}
-
-	return &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: f.namespace,
-			Name:      "kube-etcd-client-certs",
-		},
-		StringData: map[string]string{
-			"etcd-client-ca.crt": clientCA,
-			"etcd-client.key":    clientKey,
-			"etcd-client.crt":    clientCert,
-		},
-	}, nil
-}
-
-func (f *Factory) ControlPlaneEtcdServiceMonitors() ([]*monv1.ServiceMonitor, error) {
-	return serviceMonitors(f.config.TechPreview, f.ControlPlaneEtcdServiceMonitor, f.ControlPlaneEtcdMinimalServiceMonitor)
-}
-
-func (f *Factory) ControlPlaneEtcdServiceMonitor() (*monv1.ServiceMonitor, error) {
-	return f.NewServiceMonitor(f.assets.MustNewAssetReader(ControlPlaneEtcdServiceMonitor))
-}
-
-func (f *Factory) ControlPlaneEtcdMinimalServiceMonitor() (*monv1.ServiceMonitor, error) {
-	return f.NewServiceMonitor(f.assets.MustNewAssetReader(ControlPlaneEtcdMinimalServiceMonitor))
-}
-
 func (f *Factory) ControlPlaneKubeletServiceMonitors() ([]*monv1.ServiceMonitor, error) {
 	return serviceMonitors(f.config.TechPreview, f.ControlPlaneKubeletServiceMonitor, f.ControlPlaneKubeletMinimalServiceMonitor)
 }

diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -623,11 +623,6 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, err = f.ControlPlaneEtcdServiceMonitor()
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	_, err = f.ControlPlaneKubeletServiceMonitor()
 	if err != nil {
 		t.Fatal(err)
@@ -4111,16 +4106,6 @@ func TestNonHighlyAvailableInfrastructureServiceMonitors(t *testing.T) {
 				return pt.Spec.Endpoints, nil
 			},
 		},
-		{
-			name: "etcd Service Monitor",
-			getEndpoints: func(f *Factory) ([]monv1.Endpoint, error) {
-				pt, err := f.ControlPlaneEtcdServiceMonitor()
-				if err != nil {
-					return nil, err
-				}
-				return pt.Spec.Endpoints, nil
-			},
-		},
 		{
 			name: "kubelet Service Monitor",
 			getEndpoints: func(f *Factory) ([]monv1.Endpoint, error) {

diff --git a/pkg/manifests/types.go b/pkg/manifests/types.go
@@ -37,8 +37,6 @@ type ClusterMonitoringConfiguration struct {
 	// `AlertmanagerMainConfig` defines settings for the
 	// Alertmanager component in the `openshift-monitoring` namespace.
 	AlertmanagerMainConfig *AlertmanagerMainConfig `json:"alertmanagerMain,omitempty"`
-	// OmitFromDoc
-	EtcdConfig *EtcdConfig `json:"-"`
 	// `UserWorkloadEnabled` is a Boolean flag that enables monitoring for user-defined projects.
 	UserWorkloadEnabled *bool `json:"enableUserWorkload,omitempty"`
 	// OmitFromDoc