From d056eda01e4a32c1a9781a4bae8499d524f2d69b Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Fri, 5 Apr 2019 09:10:38 +0200 Subject: [PATCH 1/2] serviceMonitorKubeScheduler: enable TLS In accordance to https://github.com/openshift/cluster-kube-scheduler-operator/pull/88 we can now enable TLS for the kube scheduler. --- jsonnet/prometheus.jsonnet | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/jsonnet/prometheus.jsonnet b/jsonnet/prometheus.jsonnet index 2239824aec..cbfe9bad0b 100644 --- a/jsonnet/prometheus.jsonnet +++ b/jsonnet/prometheus.jsonnet @@ -316,27 +316,14 @@ local namespacesRole = endpoints: std.map( function(a) a { - - //TODO(brancz): Once OpenShift is based on Kubernetes 1.12 the - //scheduler will serve metrics on a secure port, then the below - //commented out code is what we will need without the relabel - //configs. - - //bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', + bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', interval: '30s', port: 'https', - //scheme: 'https', - //tlsConfig: { - // caFile: '/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt', - // serverName: 'scheduler.openshift-kube-scheduler.svc', - //}, - relabelings: [{ - sourceLabels: ['__address__'], - action: 'replace', - targetLabel: '__address__', - regex: '(.+)(?::\\d+)', - replacement: '$1:10251', - }], + scheme: 'https', + tlsConfig: { + caFile: '/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt', + serverName: 'scheduler.openshift-kube-scheduler.svc', + }, }, super.endpoints, ), From 04dd99342020e0ca6628b3322a01ca15075b81a4 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Mon, 8 Apr 2019 14:09:59 +0200 Subject: [PATCH 2/2] assets: regenerate --- .../service-monitor-kube-scheduler.yaml | 14 ++++++-------- pkg/manifests/bindata.go | 4 ++-- 2 files changed, 8 insertions(+), 10 deletions(-) 
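Review bot: The new `tlsConfig` inside the `function(a) a { … }` endpoint override pins `serverName: 'scheduler.openshift-kube-scheduler.svc'` and the `caFile` path as bare literals, and the only explanatory comment (the old TODO) is removed with nothing in its place. Because `bearerTokenFile` now sends the Prometheus service-account token to every endpoint this monitor selects, verifying the serving certificate against that name is what keeps the token from being presented to an unintended listener. A short comment above `tlsConfig` would record that, for example `// serverName must match a SAN on the scheduler serving cert; the SA token is only sent once this verification succeeds`, so a later edit does not relax it to `insecureSkipVerify`. The hunk does not show whether the scrape identity is authorized to read metrics on the scheduler's secure port, so that is presumably handled in the linked operator change and is worth confirming. The enclosing service-monitor object and the `std.map(` call begin and end outside this hunk.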
diff --git a/assets/prometheus-k8s/service-monitor-kube-scheduler.yaml b/assets/prometheus-k8s/service-monitor-kube-scheduler.yaml
index 4d8ce03cb2..a5792e8b66 100644
--- a/assets/prometheus-k8s/service-monitor-kube-scheduler.yaml
+++ b/assets/prometheus-k8s/service-monitor-kube-scheduler.yaml
@@ -7,15 +7,13 @@ metadata:
 namespace: openshift-monitoring
 spec:
 endpoints:
- - interval: 30s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
 port: https
- relabelings:
- - action: replace
- regex: (.+)(?::\d+)
- replacement: $1:10251
- sourceLabels:
- - __address__
- targetLabel: __address__
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: scheduler.openshift-kube-scheduler.svc
 jobLabel: null
 namespaceSelector:
 matchNames:
diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go
index c2bccec0c0..5d20cfba75 100644
--- a/pkg/manifests/bindata.go
+++ b/pkg/manifests/bindata.go
@@ -1537,7 +1537,7 @@ func assetsPrometheusK8sServiceMonitorKubeControllerManagerYaml() (*asset, error return a, nil } -var _assetsPrometheusK8sServiceMonitorKubeSchedulerYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x74\x50\x4d\x4b\xc3\x40\x10\xbd\xe7\x57\xcc\xc1\x43\x4b\x49\x6d\x14\x41\xf6\xe2\x1f\x50\x2f\x05\x4f\x42\x98\xee\x8e\xc9\xda\xcd\xee\x32\x33\x29\x82\xf8\xdf\x25\xdb\xd4\x16\xc5\x5b\xf2\xde\xdb\x79\x1f\x98\xfd\x0b\xb1\xf8\x14\x0d\x0c\x29\x7a\x4d\xec\x63\xb7\xb6\x89\x29\xc9\xda\xa6\xe1\xfa\xd0\x54\x7b\x1f\x9d\x81\x2d\xf1\xc1\x5b\x7a\x3a\xaa\xaa\x81\x14\x1d\x2a\x9a\x0a\x20\xe0\x8e\x82\x4c\x5f\x00\xfb\x7b\xa9\x31\x67\x03\xfb\x71\x47\xb5\xd8\x9e\xdc\x18\x88\x2b\x80\x88\x03\xfd\x03\x4b\x46\x4b\x06\x52\xa6\x28\xbd\x7f\xd3\xfa\x9c\xa5\x92\x4c\x76\x3a\x4d\xd1\xe5\xe4\xa3\x16\x9f\x1a\x7c\x54\xe2\x03\x06\x03\xb7\x1b\x29\xce\x39\xb1\x1a\xe8\x55\xf3\xf1\x9f\xa9\xe4\xf2\xb1\x9b\xa3\xd5\x80\x56\x4b\x55\xa6\x1c\xd0\x52\x41\x27\x61\x47\x1f\x06\x16\xeb\xd5\x72\xf1\x60\xcc\xab\x5b\x2d\x7f\x98\xa2\x1b\x28\xaa\x81\xab\xc6\x34\x9b\x9b\xbb\x66\xe6\x24\x8d\x6c\xe9\xf1\xa2\xfa\xe4\xd0\xb6\xe8\x1c\x93\x48\xdb\xce\x98\x22\x77\xa4\x45\x67\x7e\xd1\xef\x69\x37\xe3\x71\x0c\xe1\x72\x8b\x2d\x05\xb2\x9a\xf8\x78\x78\x40\xb5\xfd\xf3\xc4\x9d\x8a\x9c\x97\xfa\xb3\xa7\x9c\x9e\xc2\xe7\x57\xf5\x1d\x00\x00\xff\xff\x11\x5a\xfc\xd7\xe0\x01\x00\x00") +var _assetsPrometheusK8sServiceMonitorKubeSchedulerYaml = 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x74\x91\xb1\xae\xd5\x30\x0c\x86\xf7\x3e\x85\x5f\x20\x0d\x88\x05\x65\x45\x62\x02\x96\x8b\xd8\x5d\xd7\xf7\x34\x9c\xd4\x89\x6c\xb7\x0b\xe2\xdd\x51\xda\xc2\xe1\x0e\x67\x4b\x7e\xd9\xbf\x3f\xff\xc6\x96\x7f\xb0\x5a\xae\x92\x60\xad\x92\xbd\x6a\x96\xdb\x48\x55\xb9\xda\x48\x75\x8d\xfb\xfb\xe1\x9e\x65\x4e\xf0\xc2\xba\x67\xe2\xaf\x67\xd5\xb0\xb2\xe3\x8c\x8e\x69\x00\x28\x38\x71\xb1\xfe\x02\xb8\x7f\xb4\x80\xad\x25\xb8\x6f\x13\x07\xa3\x85\xe7\xad\xb0\x0e\x00\x82\x2b\x3f\x91\xad\x21\x71\x82\xda\x58\x6c\xc9\xaf\x1e\x1e\x2c\x83\x35\xa6\x6e\xcd\x32\xb7\x9a\xc5\x8f\x39\x01\x26\x46\x65\xfd\x5e\xef\x2c\x9f\x73\xe1\x04\x71\x47\x8d\xba\x49\x34\x26\x65\xb7\xd8\x27\xa9\xb0\xb3\x8d\xb9\x46\x3b\xf1\x91\xa8\x6e\xe2\xd1\x7b\xe3\x01\x9c\xc5\x59\x77\x2c\x09\x3e\xbc\xb3\x43\x69\x55\x3d\xc1\xe2\xde\xce\x7f\xa7\xed\xe8\x0f\xc5\x8b\x7d\xaa\xf2\x9a\x6f\xe7\xce\x00\x84\x17\x04\x3b\xc5\xa6\x75\x65\x5f\x78\xb3\x48\x47\xd5\x8a\xcd\x4e\x00\xb9\x05\x62\x75\x0b\x84\x61\xda\x64\x2e\xfc\x17\x2c\x10\x8e\xa4\x7e\xf9\x75\x91\xf5\xdb\x91\xd8\xbf\xb0\xc6\x47\x3e\x6f\x53\x1c\x6d\xa7\x01\xe0\x67\x9d\xbe\xf4\x4b\x24\x90\xad\x94\xff\xa3\x7d\xe1\xc2\xe4\x55\x4f\xdc\x15\x9d\x96\xee\x7d\x9d\x2c\xc0\x33\xe3\xa1\x93\x5c\xad\xf0\xeb\xf7\xf0\x27\x00\x00\xff\xff\x79\x93\x86\xfc\x2f\x02\x00\x00") func assetsPrometheusK8sServiceMonitorKubeSchedulerYamlBytes() ([]byte, error) { return bindataRead( @@ -1552,7 +1552,7 @@ func assetsPrometheusK8sServiceMonitorKubeSchedulerYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/prometheus-k8s/service-monitor-kube-scheduler.yaml", size: 480, mode: os.FileMode(420), modTime: time.Unix(1, 0)} + info := bindataFileInfo{name: "assets/prometheus-k8s/service-monitor-kube-scheduler.yaml", size: 559, mode: os.FileMode(420), modTime: time.Unix(1, 0)} a := &asset{bytes: bytes, info: info} return a, nil }