-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
generate client key and certificates #1282
Conversation
This PR includes some fixes to the original of #1252, namely:
|
looks like the failures in the kube-rbac-proxy are persisting, I'll try to check what's going on |
The problem was in the client-ca being missing for the kube-rbac-proxy-thanos container in the prometheus-k8s workload. Nevertheless, the kube-rbac-proxy should not panic in such cases but that's something that can be investigated outside of this PR. |
Opened brancz/kube-rbac-proxy#131 to track the kube-rbac-proxy issue |
added fixes for other failing kube-rbac-proxies that did not have the client-ca configured |
mhm, the tech debt of running things sequentially is showing as the operator refuses to progress to the client-ca creation while the prometheus-operator fails to deploy because it's missing the client-ca 😐 In an ideal world, this would be handled by two separate controllers. I'll see if rearranging the order is possible. |
the related test errors from the "common" test runs seem to have passed and the cluster installation is now successful. I can see that the operator test still fails. Very likely because of the kube-rbac-proxy bug that's prevents our client-cert-authenticated metrics scraping requests from succeeding. That's a shame. I'll try to see if I can fix that. |
Yes it looks like the error is now with the kube-rbac-proxy of the prometheus-operator in the openshift-user-workload-monitoring namespace [1]. Maybe you could only enable client TLS authentication for a few targeted service monitors (e.g. node_exporter, kubelet and kube-state-metrics)? |
I believe I've found the issue, we should be green once brancz/kube-rbac-proxy#132 makes it to the release payload |
Would the PR also include tests? |
I'm using the current e2e tests of this repository (quite successfully, actually, issues were found and are being fixed). For unit tests, please refer to https://github.com/openshift/library-go/blob/8cc52ce9b72b591c2c1946c81c21f823bbc43a1d/pkg/operator/csr/controller_test.go#L33 |
fixed the go.mod in the latest revision |
…ble to progress The prometheus-operator itself is using an kube-rbac-proxy and therefore needs to have the client-ca for its deployment.
/retest |
@simonpasquier Just FYI - @stlaz started his PTO today and I'll be looking at this PR when he's off. Please let me know if we need any additional changes. |
Thank you both 🙇, I was wondering how this change is validated :) |
@simonpasquier Should this go into our backlog? |
you may want to consider library-go for your operator, I trust that the folks of #forum-apiserver would be willing to help, me including :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
The CI is happy with the change so am I :)
Thanks @s-urbaniak @stlaz @slaskawi for the great work!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: simonpasquier, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@stlaz: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
9 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
🎉 |
This is a PR to wire the creation of client certificates for metrics scraping. It uses library-go idiomatic controller logic which is not used yet in CMO.
Kindly asking for feedback. If the general direction is accepted, I will continue with wiring those certificates to Prometheus.
/cc @openshift/openshift-team-monitoring