Alexandros Kosiaris has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/390264 )

Change subject: prometheus: Force using read-only kubelet API
......................................................................

prometheus: Force using read-only kubelet API

Rewrite the address label to use the 10255 port, which is the read-only
API that kubelet supports. It's better to use this than provide
prometheus with access to the standard API.

Force scheme to HTTP as the read-only API does not support HTTPS.
Drop the tls_config stanza.

Bug: T177395
Change-Id: I1cc3368d51fde08e7c50358b19fc258889446c86
---
M modules/role/manifests/prometheus/k8s.pp
1 file changed, 10 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/64/390264/1

diff --git a/modules/role/manifests/prometheus/k8s.pp 
b/modules/role/manifests/prometheus/k8s.pp
index cd75fd4..c1a18e1 100644
--- a/modules/role/manifests/prometheus/k8s.pp
+++ b/modules/role/manifests/prometheus/k8s.pp
@@ -60,13 +60,9 @@
         {
             'job_name'              => 'k8s-node',
             'bearer_token_file'     => $bearer_token_file,
-            # Force (insecure) https only for node servers
-            # We are connecting to node servers via IP address, though the 
certs don't contain SAN
-            # entries for the address.
-            'scheme'                => 'https',
-            'tls_config' => {
-                'insecure_skip_verify' => true,
-            },
+            # Force read-only API for node servers. Unfortunately this is not
+            # encrypted, so force scheme HTTP
+            'scheme'                => 'http',
             'kubernetes_sd_configs' => [
                 {
                     'api_server'        => "https://${master_host}:6443";,
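Review bot: the job keeps 'bearer_token_file' => $bearer_token_file at the top of this hunk while 'scheme' becomes 'http', so Prometheus will attach the token to every scrape request and send it unencrypted to each node on the network. The kubelet read-only port does not authenticate requests, so the token gains nothing there and is only exposed. If the kubernetes_sd_configs entry already carries its own credentials for the https api_server (not visible in this hunk), drop the job-level 'bearer_token_file'; if it does not, move the token into that entry so it is presented only over TLS to the master.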
@@ -80,6 +76,13 @@
                     'action' => 'labelmap',
                     'regex'  => '__meta_kubernetes_node_label_(.+)',
                 },
+                {
+                    'action'        => 'replace',  # Redundant but clearer
+                    'source_labels' => ['__address__'],
+                    'target_label'  => '__address__',
+                    'regex'         => '([\d\.]+):(\d+)',
+                    'replacement'   => "\${1}:10255",
+                },
             ]
         },
     ]
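Review bot: the 'regex' => '([\d\.]+):(\d+)' in the new relabel rule matches only dotted IPv4 addresses, and Prometheus anchors relabel regexes and leaves the label untouched when a replace rule does not match. A node discovered with a hostname or an IPv6 address would keep its original port and then be scraped over plain http against a port that expects https, which fails with nothing in the config to explain why. Consider matching any host, for example '(.+):\d+' with the same "\${1}:10255" replacement, which also drops the unused second capture group. A short comment saying that 10255 is the kubelet read-only port would help the next reader.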

-- 
To view, visit https://gerrit.wikimedia.org/r/390264

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1cc3368d51fde08e7c50358b19fc258889446c86
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
