openshift · marioferh · Jun 27, 2023
diff --git a/cmd/telemeter-client/main.go b/cmd/telemeter-client/main.go
@@ -48,11 +48,6 @@ func main() {
 
 	cmd.Flags().StringVar(&opt.Listen, "listen", opt.Listen, "A host:port to listen on for health and metrics.")
 	cmd.Flags().StringVar(&opt.From, "from", opt.From, "The Prometheus server to federate from.")
-
-	// TLS flags
-	cmd.Flags().StringVar(&opt.TLSCertFile, "tls-cert-file", "", "File containing the x509 public certificate to use when connecting to the Prometheus server.")
-	cmd.Flags().StringVar(&opt.TLSKey, "tls-private-key-file", "", "File containing the x509 private key to use when connecting to the Prometheus server. It should match with --tls-cert-file.")
-
 	cmd.Flags().StringVar(&opt.FromToken, "from-token", opt.FromToken, "A bearer token to use when authenticating to the source Prometheus server.")
 	cmd.Flags().StringVar(&opt.FromCAFile, "from-ca-file", opt.FromCAFile, "A file containing the CA certificate to use to verify the --from URL in addition to the system roots certificates.")
 	cmd.Flags().StringVar(&opt.FromTokenFile, "from-token-file", opt.FromTokenFile, "A file containing a bearer token to use when authenticating to the source Prometheus server.")
@@ -114,8 +109,6 @@ type Options struct {
 
 	From          string
 	To            string
-	TLSCertFile   string
-	TLSKey        string
 	ToUpload      string
 	ToAuthorize   string
 	FromCAFile    string
@@ -276,8 +269,6 @@ func (o *Options) Run() error {
 		FromTokenFile: o.FromTokenFile,
 		ToTokenFile:   o.ToTokenFile,
 		FromCAFile:    o.FromCAFile,
-		TLSCertFile:   o.TLSCertFile,
-		TLSKey:        o.TLSKey,
 
 		AnonymizeLabels:   o.AnonymizeLabels,
 		AnonymizeSalt:     o.AnonymizeSalt,

diff --git a/jsonnet/telemeter/client/kubernetes.libsonnet b/jsonnet/telemeter/client/kubernetes.libsonnet
@@ -2,12 +2,9 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 local secretName = 'telemeter-client';
 local secretVolumeName = 'secret-telemeter-client';
 local secretMountPath = '/etc/telemeter';
-local tlsSecret = 'telemeter-client-certs';
+local tlsSecret = 'telemeter-client-tls';
 local tlsVolumeName = 'telemeter-client-tls';
 local tlsMountPath = '/etc/tls/private';
-local federateSecret = 'federate-client-certs';
-local federateVolumeName = 'federate-client-tls';
-local federateMountPath = '/etc/tls/private';
 local servingCertsCABundle = 'serving-certs-ca-bundle';
 local servingCertsCABundleFileName = 'service-ca.crt';
 local servingCertsCABundleMountPath = '/etc/%s' % servingCertsCABundle;
@@ -21,7 +18,7 @@ local securePort = 8443;
 
     telemeterClient+:: {
       anonymizeLabels: [],
-      from: 'https://prometheus-k8s.%(namespace)s.svc:9092' % $._config,
+      from: 'https://prometheus-k8s.%(namespace)s.svc:9091' % $._config,
       id: '',
       matchRules: [],
       salt: '',
@@ -101,8 +98,6 @@ local securePort = 8443;
       local secretVolume = volume.fromSecret(secretVolumeName, secretName);
       local tlsMount = containerVolumeMount.new(tlsVolumeName, tlsMountPath);
       local tlsVolume = volume.fromSecret(tlsVolumeName, tlsSecret);
-      local federateMount = containerVolumeMount.new(federateVolumeName, federateMountPath);
-      local federateVolume = volume.fromSecret(federateVolumeName, federateSecret);
       local sccabMount = containerVolumeMount.new(servingCertsCABundle, servingCertsCABundleMountPath);
       local sccabVolume = volume.withName(servingCertsCABundle) + volume.mixin.configMap.withName('telemeter-client-serving-certs-ca-bundle');
       local anonymize = containerEnv.new('ANONYMIZE_LABELS', std.join(',', $._config.telemeterClient.anonymizeLabels));
@@ -124,8 +119,6 @@ local securePort = 8443;
           '/usr/bin/telemeter-client',
           '--id=$(ID)',
           '--from=$(FROM)',
-          '--tls-cert-file=/etc/tls/private/tls.crt',
-          '--tls-private-key-file=/etc/tls/private/tls.key',
           '--from-ca-file=%s/%s' % [servingCertsCABundleMountPath, servingCertsCABundleFileName],
           '--from-token-file=' + fromTokenFile,
           '--to=$(TO)',
@@ -135,7 +128,7 @@ local securePort = 8443;
           '--anonymize-labels=$(ANONYMIZE_LABELS)',
         ] + matchRules) +
         container.withPorts(containerPort.newNamed(insecurePort, 'http')) +
-        container.withVolumeMounts([sccabMount, secretMount, federateMount]) +
+        container.withVolumeMounts([sccabMount, secretMount]) +
         container.withEnv([anonymize, from, id, to, httpProxy, httpsProxy, noProxy]) +
         container.mixin.resources.withRequests({ cpu: '1m', memory: '40Mi' });
 
@@ -170,7 +163,7 @@ local securePort = 8443;
       deployment.mixin.spec.template.spec.withServiceAccountName('telemeter-client') +
       deployment.mixin.spec.template.spec.withPriorityClassName('system-cluster-critical') +
       deployment.mixin.spec.template.spec.withNodeSelector({ 'kubernetes.io/os': 'linux' }) +
-      deployment.mixin.spec.template.spec.withVolumes([sccabVolume, secretVolume, tlsVolume, federateVolume]),
+      deployment.mixin.spec.template.spec.withVolumes([sccabVolume, secretVolume, tlsVolume]),
 
     secret:
       local secret = k.core.v1.secret;

diff --git a/manifests/client/deployment.yaml b/manifests/client/deployment.yaml
@@ -23,8 +23,6 @@ spec:
         - /usr/bin/telemeter-client
         - --id=$(ID)
         - --from=$(FROM)
-        - --tls-cert-file=/etc/tls/private/tls.crt
-        - --tls-private-key-file=/etc/tls/private/tls.key
         - --from-ca-file=/etc/serving-certs-ca-bundle/service-ca.crt
         - --from-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
         - --to=$(TO)
@@ -36,7 +34,7 @@ spec:
         - name: ANONYMIZE_LABELS
           value: ""
         - name: FROM
-          value: https://prometheus-k8s.openshift-monitoring.svc:9092
+          value: https://prometheus-k8s.openshift-monitoring.svc:9091
         - name: ID
           value: ""
         - name: TO
@@ -63,9 +61,6 @@ spec:
         - mountPath: /etc/telemeter
           name: secret-telemeter-client
           readOnly: false
-        - mountPath: /etc/tls/private
-          name: federate-client-tls
-          readOnly: false
       - args:
         - --webhook-url=http://localhost:8080/-/reload
         - --volume-dir=/etc/serving-certs-ca-bundle
@@ -110,7 +105,4 @@ spec:
           secretName: telemeter-client
       - name: telemeter-client-tls
         secret:
-          secretName: telemeter-client-certs
-      - name: federate-client-tls
-        secret:
-          secretName: federate-client-certs
+          secretName: telemeter-client-tls
diff --git a/manifests/client/service.yaml b/manifests/client/service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: telemeter-client-certs
+    service.beta.openshift.io/serving-cert-secret-name: telemeter-client-tls
   labels:
     k8s-app: telemeter-client
   name: telemeter-client

diff --git a/pkg/forwarder/forwarder.go b/pkg/forwarder/forwarder.go
@@ -67,8 +67,6 @@ type Config struct {
 	FromTokenFile string
 	ToTokenFile   string
 	FromCAFile    string
-	TLSCertFile   string
-	TLSKey        string
 
 	AnonymizeLabels   []string
 	AnonymizeSalt     string
@@ -150,24 +148,10 @@ func New(cfg Config) (*Worker, error) {
 
 	// Create the `fromClient`.
 	fromTransport := metricsclient.DefaultTransport()
-	fromClient := &http.Client{Transport: fromTransport}
-
 	if len(cfg.FromCAFile) > 0 {
-		level.Debug(logger).Log("msg", "TLS configuration", "ca_file", cfg.FromCAFile, "cert_file", cfg.TLSCertFile, "key_file", cfg.TLSKey)
-
-		var cert tls.Certificate
-		var err error
-
 		if fromTransport.TLSClientConfig == nil {
 			fromTransport.TLSClientConfig = &tls.Config{}
 		}
-		if cfg.TLSCertFile != "" && cfg.TLSKey != "" {
-			cert, err = tls.LoadX509KeyPair(*&cfg.TLSCertFile, *&cfg.TLSKey)
-			if err != nil {
-				return nil, fmt.Errorf("creating client x509 keypair from cert file %s and key file %s: %w", cfg.TLSCertFile, cfg.TLSKey, err)
-			}
-		}
-
 		pool, err := x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
@@ -179,24 +163,20 @@ func New(cfg Config) (*Worker, error) {
 		if !pool.AppendCertsFromPEM(data) {
 			level.Warn(logger).Log("msg", "no certs found in from-ca-file")
 		}
-
-		fromTransport.TLSClientConfig.Certificates = []tls.Certificate{cert}
 		fromTransport.TLSClientConfig.RootCAs = pool
 	}
+	fromClient := &http.Client{Transport: fromTransport}
 	if cfg.Debug {
-		level.Debug(logger).Log("msg", "enabling the debug round tripper for the fromClient transport")
 		fromClient.Transport = telemeterhttp.NewDebugRoundTripper(logger, fromClient.Transport)
 	}
 	if len(cfg.FromToken) == 0 && len(cfg.FromTokenFile) > 0 {
-		level.Debug(logger).Log("msg", "enabling the token file round tripper for the fromClient transport")
 		data, err := ioutil.ReadFile(cfg.FromTokenFile)
 		if err != nil {
 			return nil, fmt.Errorf("unable to read from-token-file: %v", err)
 		}
 		cfg.FromToken = strings.TrimSpace(string(data))
 	}
 	if len(cfg.FromToken) > 0 {
-		level.Debug(logger).Log("msg", "enabling the token round tripper for the fromClient transport")
 		fromClient.Transport = telemeterhttp.NewBearerRoundTripper(cfg.FromToken, fromClient.Transport)
 	}
 	w.fromClient = metricsclient.New(logger, fromClient, cfg.LimitBytes, w.interval, "federate_from")