Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/390264 )

Change subject: prometheus: Force using read-only kubelet API
......................................................................


prometheus: Force using read-only kubelet API

Rewrite the address label to use the 10255 port which is the read-only
API that kubelet supports. It's better to use this than provide
prometheus with access to the standard API

Force scheme to HTTP as the read-only API does not support HTTPS
Drop the tls_config stanza

Bug: T177395
Change-Id: I1cc3368d51fde08e7c50358b19fc258889446c86
---
M modules/role/manifests/prometheus/k8s.pp
1 file changed, 10 insertions(+), 7 deletions(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved
  Filippo Giunchedi: Looks good to me, but someone else must approve



diff --git a/modules/role/manifests/prometheus/k8s.pp 
b/modules/role/manifests/prometheus/k8s.pp
index cd75fd4..789c842 100644
--- a/modules/role/manifests/prometheus/k8s.pp
+++ b/modules/role/manifests/prometheus/k8s.pp
@@ -60,13 +60,6 @@
         {
             'job_name'              => 'k8s-node',
             'bearer_token_file'     => $bearer_token_file,
-            # Force (insecure) https only for node servers
-            # We are connecting to node servers via IP address, though the 
certs don't contain SAN
-            # entries for the address.
-            'scheme'                => 'https',
-            'tls_config' => {
-                'insecure_skip_verify' => true,
-            },
             'kubernetes_sd_configs' => [
                 {
                     'api_server'        => "https://${master_host}:6443";,
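Review bot: 'bearer_token_file' => $bearer_token_file is still set at the job level after 'scheme' => 'https' and the tls_config block are removed, so with the scheme falling back to Prometheus's default of http the token will be sent in cleartext in the Authorization header of every scrape to the nodes. If the read-only kubelet port needs no authentication, drop the job-level bearer_token_file and keep credentials only inside the kubernetes_sd_configs entry that talks to the API server over HTTPS. It would also help to set 'scheme' => 'http' explicitly with a short comment, so the plaintext transport is a visible decision rather than an implicit default.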
@@ -80,6 +73,16 @@
                     'action' => 'labelmap',
                     'regex'  => '__meta_kubernetes_node_label_(.+)',
                 },
+                {
+                    # Force read-only API for nodes. This listens on port 10255
+                    # so rewrite the __address__ label to use that port. It's
+                    # also HTTP, not HTTPS
+                    'action'        => 'replace',  # Redundant but clearer
+                    'source_labels' => ['__address__'],
+                    'target_label'  => '__address__',
+                    'regex'         => '([\d\.]+):(\d+)',
+                    'replacement'   => "\${1}:10255",
+                },
             ]
         },
     ]
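Review bot: the 'regex' => '([\d\.]+):(\d+)' in the new relabel rule only matches a dotted IPv4 address followed by a port, and because relabel regexes are fully anchored, any discovered node address that is a hostname or an IPv6 literal will not match and __address__ is left unchanged. With the scheme now HTTP, such a target would be scraped in plaintext on the kubelet's original port rather than on 10255, and the only symptom would be a failing target. Consider a pattern that does not depend on the address form, for example '(.+):\d+', or document that node addresses are guaranteed to be IPv4. The second capture group is never used in the replacement and can be made non-capturing or dropped.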

-- 
To view, visit https://gerrit.wikimedia.org/r/390264

Gerrit-MessageType: merged
Gerrit-Change-Id: I1cc3368d51fde08e7c50358b19fc258889446c86
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
