diff --git a/changelog.d/0-release-notes/nginz-ingress b/changelog.d/0-release-notes/nginz-ingress index ac07443c28..b2bb1b1763 100644 --- a/changelog.d/0-release-notes/nginz-ingress +++ b/changelog.d/0-release-notes/nginz-ingress @@ -8,6 +8,8 @@ no need to set matching `service.nginz.external{Http,Tcp}Port` inside the The `config.http.httpPort` and `config.ws.wsPort` values in the `nginz` chart still configure the ports the `nginz` service is listening on. +Metrics were moved from `config.http.httpPort` to a new `http-metrics` port. + The `nginz` chart also gained support for `metrics.serviceMonitor.enabled`, creating a `ServiceMonitor` resource to scrape metrics, like for other wire services. diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 02c422b727..899caae44e 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl @@ -199,29 +199,6 @@ http { return 200; } - location /vts { - zauth off; - access_log off; - allow 10.0.0.0/8; - allow 127.0.0.1; - deny all; - - # Requests with an X-Forwarded-For header will have the real client - # source IP address set correctly, due to the real_ip_header directive - # in the top-level configuration. However, this will not set the client - # IP correctly for clients which are connected via a load balancer which - # uses the PROXY protocol. - # - # Hence, for safety, we deny access to the vts metrics endpoints to - # clients which are connected via PROXY protocol. - if ($proxy_protocol_addr != "") { - return 403; - } - - vhost_traffic_status_display; - vhost_traffic_status_display_format html; - } - # Block "Franz" -- http://meetfranz.com if ($http_user_agent ~* Franz) { return 403; 
@@ -399,5 +376,23 @@ http { } {{- end }} } + + server { + # even though we don't use zauth for this server block, + # we need to specify zauth_keystore etc. + zauth_keystore {{ .Values.nginx_conf.zauth_keystore }}; + zauth_acl {{ .Values.nginx_conf.zauth_acl }}; + + listen {{ .Values.config.http.metricsPort }}; + + location /vts { + access_log off; + zauth off; + + vhost_traffic_status_display; + vhost_traffic_status_display_format html; + } + } + } {{- end }} diff --git a/charts/nginz/templates/deployment.yaml b/charts/nginz/templates/deployment.yaml index 3abda67744..d9aa8c19b5 100644 --- a/charts/nginz/templates/deployment.yaml +++ b/charts/nginz/templates/deployment.yaml @@ -56,6 +56,8 @@ spec: containerPort: {{ .Values.config.http.httpPort }} - name: tcp containerPort: {{ .Values.config.ws.wsPort }} + - name: http-metrics + containerPort: {{ .Values.config.http.metricsPort }} readinessProbe: httpGet: path: /status diff --git a/charts/nginz/templates/service.yaml b/charts/nginz/templates/service.yaml index e15a56ccc4..8ed76cdaaa 100644 --- a/charts/nginz/templates/service.yaml +++ b/charts/nginz/templates/service.yaml @@ -16,5 +16,8 @@ spec: - name: ws port: {{ .Values.config.ws.wsPort }} targetPort: 8081 + - name: http-metrics + port: {{ .Values.config.http.metricsPort }} + targetPort: 8082 selector: app: nginz diff --git a/charts/nginz/templates/servicemonitor.yaml b/charts/nginz/templates/servicemonitor.yaml index 441d4f3f9a..a5ffad05b8 100644 --- a/charts/nginz/templates/servicemonitor.yaml +++ b/charts/nginz/templates/servicemonitor.yaml @@ -10,7 +10,7 @@ metadata: heritage: {{ .Release.Service }} spec: endpoints: - - port: http + - port: http-metrics path: /vts/status/format/prometheus selector: matchLabels: diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml index 981bfdbb23..79184eafbc 100644 --- a/charts/nginz/values.yaml +++ b/charts/nginz/values.yaml 
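Review bot: The new `location /vts` in the metrics `server` block carries none of the access restrictions the removed location had: `allow 10.0.0.0/8; allow 127.0.0.1; deny all;` and the `$proxy_protocol_addr` check are gone, and `listen {{ .Values.config.http.metricsPort }};` binds on every interface. With `zauth off`, the vhost traffic status pages are readable by anything that can reach the port, so protection now rests on the port never being routed from outside the cluster, which this diff does not show. I would keep the source restriction in the new location, e.g. `allow 10.0.0.0/8; allow 127.0.0.1; deny all;`, or add a comment naming the NetworkPolicy or Service type that confines it. The new `listen` line does not enable `proxy_protocol`, so the old PROXY-protocol guard is presumably not needed on this listener.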
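Review bot: In `charts/nginz/templates/service.yaml`, `targetPort: 8082` is hard-coded while `port`, the nginx `listen` and the `containerPort` all follow `.Values.config.http.metricsPort`. Overriding the value would make the Service forward to a port nothing listens on, and the ServiceMonitor scrape would fail. Referring to the named container port avoids that: `targetPort: http-metrics`. The existing `ws` entry has the same pattern with `targetPort: 8081`. Adding the metrics port to the same Service as `http` and `ws` also means whatever fronts this Service can address the unauthenticated `/vts` endpoint; if the Service type is anything other than ClusterIP (not visible in this hunk), a separate internal-only Service for metrics would be the safer layout.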
@@ -19,6 +19,7 @@ images: config: http: httpPort: 8080 + metricsPort: 8082 ws: wsPort: 8081 useProxyProtocol: true
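Review bot: `metricsPort: 8082` is added without a comment, although it is the port on which `/vts` is served with `zauth off` and no source-address restriction. A one-line comment above it would tell operators not to route it through an ingress or load balancer: `# internal-only: serves unauthenticated /vts metrics for Prometheus scraping`.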