Filippo Giunchedi has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/389929 )
Change subject: role: Prometheus https access to k8s apiserver / node
......................................................................
role: Prometheus https access to k8s apiserver / node
Prometheus will talk to kubemaster.svc doing SNI as usual; after that it
discovers each apiserver and adds it as a target to be polled individually for
metrics. Scraping each apiserver also happens via https, but by talking directly to
the IP address; the TLS certs presented don't have the IP address included in
the certificate SAN (and rightly so). Thus force sending the kubemaster.svc SNI
when talking to the discovered apiservers.
When talking to kubelets the issue is the same but we're using a different
strategy. The kubelet certs are either self-signed (default) or in our case
signed by puppet and don't contain the IP address either. Skip https validation
altogether for these.
Another strategy for kubelets to be investigated in the future would be to
scrape metrics via their (http, not https) readonly port.
Bug: T177395
Change-Id: I6429801747a359e264434e41b5877c1287497b76
---
M modules/role/manifests/prometheus/k8s.pp
1 file changed, 8 insertions(+), 0 deletions(-)
Approvals:
Alexandros Kosiaris: Looks good to me, but someone else must approve
jenkins-bot: Verified
Filippo Giunchedi: Looks good to me, approved
diff --git a/modules/role/manifests/prometheus/k8s.pp
b/modules/role/manifests/prometheus/k8s.pp
index e4d16c2..cd75fd4 100644
--- a/modules/role/manifests/prometheus/k8s.pp
+++ b/modules/role/manifests/prometheus/k8s.pp
@@ -35,6 +35,9 @@
'job_name' => 'k8s-api',
'bearer_token_file' => $bearer_token_file,
'scheme' => 'https',
+ 'tls_config' => {
+ 'server_name' => $master_host,
+ },
'kubernetes_sd_configs' => [
{
'api_server' => "https://${master_host}:6443",
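Review bot: the new `tls_config` for the k8s-api job lacks an inline comment explaining why `server_name` is pinned to `$master_host`, while the k8s-node hunk does document its TLS choice; since the rationale (targets are discovered and scraped by IP, certs only carry the kubemaster.svc name) lives only in the commit message, suggest adding a short comment above `'tls_config' => {`, e.g. `# Apiservers are scraped by IP; force the kubemaster SNI so the cert name check passes`. Note also that this still verifies the peer certificate, which is the right outcome: the name check is done against `$master_host` rather than the discovered address, so every discovered apiserver must present a certificate valid for that name (the commit message states they do). The hunk sets no `ca_file`, so validation relies on whatever trust store Prometheus uses by default; if the puppet CA is not in the system store, an explicit `ca_file` entry in the same `tls_config` block would make that dependency visible.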
@@ -58,7 +61,12 @@
'job_name' => 'k8s-node',
'bearer_token_file' => $bearer_token_file,
# Force (insecure) https only for node servers
+ # We are connecting to node servers via IP address, though the
certs don't contain SAN
+ # entries for the address.
'scheme' => 'https',
+ 'tls_config' => {
+ 'insecure_skip_verify' => true,
+ },
'kubernetes_sd_configs' => [
{
'api_server' => "https://${master_host}:6443",
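Review bot: `'insecure_skip_verify' => true` disables peer certificate validation entirely for the k8s-node job, so the bearer token from `$bearer_token_file` will be presented to whatever answers on the discovered address with no proof it is the kubelet; the hunk should say so, and the follow-up the commit message mentions (scraping the readonly port, or otherwise verifying the kubelet certificates) deserves a tracking reference next to the setting, e.g. `# TODO(T177395): kubelet certs lack IP SANs; replace skip_verify once a verifiable target address is available`. Two smaller points on the added comment: "though the certs don't contain SAN" reads as "but" where "and" is meant ("We are connecting to node servers via IP address, and the certs don't contain SAN entries for the address"), and the existing line `# Force (insecure) https only for node servers` now duplicates what the new comment explains, so the two could be merged into one.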
--
To view, visit https://gerrit.wikimedia.org/r/389929
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I6429801747a359e264434e41b5877c1287497b76
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits