Add support for ServiceAccount auth to kubeletstats

[pmcollins]

Description: Kubeletstats receiver only supported TLS auth. This change adds support
for ServiceAccount auth as well.

Link to tracking Issue: #311

Testing: Manual testing of ServiceAccount auth was done in GKE.

Documentation: ServiceAccount config is already in the README.

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Pablo Collins (249f4489efd20ad8400e525e35a9ee9319746db9)

[codecov]

Codecov Report

Merging #324 into master will increase coverage by 0.33%.
The diff coverage is 87.27%.

@@            Coverage Diff             @@
##           master     #324      +/-   ##
==========================================
+ Coverage   83.04%   83.38%   +0.33%     
==========================================
  Files         167      167              
  Lines        8900     8943      +43     
==========================================
+ Hits         7391     7457      +66     
+ Misses       1185     1161      -24     
- Partials      324      325       +1     

Impacted Files	Coverage Δ
receiver/kubeletstatsreceiver/kubelet/cert.go	69.23% <50.00%> (+69.23%)	⬆️
receiver/kubeletstatsreceiver/kubelet/client.go	92.85% <88.67%> (+41.63%)	⬆️
receiver/carbonreceiver/transport/tcp_server.go	65.71% <0.00%> (-1.91%)	⬇️
receiver/kubeletstatsreceiver/factory.go	64.10% <0.00%> (+5.12%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a304ef1...d41a754. Read the comment docs.

[dmitryax]

Overall looks good to me. Just minor comments

[dmitryax]

Should we provide more details by wrapping this error?

[pmcollins]

Good point. Done.

[dmitryax]

Same here. It might be not clear to the end user why do we try to read this file

[pmcollins]

Agree. Fixed.

[dmitryax]

I would put a log entry here like (maybe warning?): kubelet endpoint is not provided, using hostname "..." by default.

I think usually it's not going to work so it would be good to let user know about it, in case if they just forgot to set the endpoint config.

[pmcollins]

This functionality is borrowed from the Smart Agent and I agree it's not obvious. If you set hostNetwork to true in the pod spec, the pod has access to the node's loopback device. I have added a comment to explain, have added a log warning, and updated the readme.

[dmitryax]

Cool. Thank you!

[dmitryax]

Not sure if there is a case when this would work in k8s, but let's keep it if you think it can work

[pmcollins]

Should work with hostNetwork, but I've removed falling back to localhost since getting the hostname shouldn't error out (and smart agent doesn't do this either).

[dmitryax]

Yes, I was talking about localhost in this comment

[dmitryax]

Can we add a serviceAccount usage example here with downward API?

If I understand correctly it should be:

  kubeletstats:
    authType: serviceAccount
    endpoint: https://${K8S_NODE_NAME}:10250

Another note:

Make sure that it's set using the downward API in the collector pod spec as follows:

env:
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName

[pmcollins]

Yeah, that's a good idea. Done.

[dmitryax]

Looks good to me. I'm not sure if we need to hit 95% coverage here. Probably only NewClient, where case k8sconfig.AuthTypeServiceAccount: looks like still not covered

[pmcollins]

Looks good to me. I'm not sure if we need to hit 95% coverage here. Probably only NewClient, where case k8sconfig.AuthTypeServiceAccount: looks like still not covered

Thanks for the review Dmitrii. I haven't added coverage for those two lines because they require secrets to be mounted. I'll have to make some tweaks to make this unit-testable.

[dmitryax]

@pmcollins could you check the linter issue please?

[dmitryax]

LGTM. @tigrannajaryan @bogdandrutu the diff has pretty good coverage. I don't think we gain a lot by reaching 95% here. Could you take a look if we can merge it?