Filippo Giunchedi has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/389929 )

Change subject: role: Prometheus https access to k8s apiserver / node
......................................................................

role: Prometheus https access to k8s apiserver / node

Send the correct server name while talking tls to the apiservers. Skip https
validation for node servers since their certs don't have IP address in SAN.

Bug: T177395
Change-Id: I6429801747a359e264434e41b5877c1287497b76
---
M modules/role/manifests/prometheus/k8s.pp
1 file changed, 8 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/389929/1

diff --git a/modules/role/manifests/prometheus/k8s.pp 
b/modules/role/manifests/prometheus/k8s.pp
index e4d16c2..0360a72 100644
--- a/modules/role/manifests/prometheus/k8s.pp
+++ b/modules/role/manifests/prometheus/k8s.pp
@@ -35,6 +35,9 @@
             'job_name'              => 'k8s-api',
             'bearer_token_file'     => $bearer_token_file,
             'scheme'                => 'https',
+            'tls_config' => {
+                'server_name' => "${master_host}",
+            },
             'kubernetes_sd_configs' => [
                 {
                     'api_server'        => "https://${master_host}:6443";,
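
Review bot: in the k8s-api tls_config, 'server_name' => "${master_host}" wraps a lone variable in a double-quoted string; write 'server_name' => $master_host instead, which is what puppet-lint's only_variable_string check asks for. The 'tls_config' => arrow here is also not aligned with the neighbouring 'scheme' and 'kubernetes_sd_configs' keys, so pad it to match the rest of the hash.
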
@@ -58,7 +61,12 @@
             'job_name'              => 'k8s-node',
             'bearer_token_file'     => $bearer_token_file,
             # Force (insecure) https only for node servers
+            # We are connecting to node servers via IP address, though the 
certs don't contain SAN
+            # entries for the address.
             'scheme'                => 'https',
+            'tls_config' => {
+                'insecure_skip_verify' => 'true',
+            },
             'kubernetes_sd_configs' => [
                 {
                     'api_server'        => "https://${master_host}:6443";,
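
Review bot: 'insecure_skip_verify' => 'true' in the k8s-node job turns off certificate verification entirely while the same job still sends the token from $bearer_token_file, so the scraper has no assurance that the endpoint receiving that token is a real node. The comment already names the cause (no IP SAN entries in the node certs); fixing that by issuing node certs with IP SANs would let this override go away, and until then a TODO next to the setting pointing at T177395 would keep it from becoming permanent. The value is also the quoted string 'true'; use the bare boolean true so the rendered config does not depend on how the string gets serialized.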

-- 
To view, visit https://gerrit.wikimedia.org/r/389929
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6429801747a359e264434e41b5877c1287497b76
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <[email protected]>
