pkg/asset/tls: add etcd metrics assets #1291
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
hexfusion
force-pushed
the
etcd_metrics
branch
5 times, most recently
from
593858d
to
ae0953a
Compare
|
/test e2e-aws |
hexfusion
force-pushed
the
etcd_metrics
branch
from
83e5e46
to
1737e38
Compare
pkg/asset/tls/etcdmetricsproxy.go
Outdated
| ) | ||
|
|
||
| // EtcdMetricsProxyCA is the asset that generates the etcd-metrics-proxy-ca key/cert pair. | ||
| // [DEPRECATED] |
There was a problem hiding this comment.
a new asset is already deprecated? ;)
There was a problem hiding this comment.
yeah started with your template but I see where you are going now will clean that up, thanks for the feedback!
|
we are moving towards dropping root-ca from all chains. some examples #1232 |
hexfusion
force-pushed
the
etcd_metrics
branch
2 times, most recently
from
60926f0
to
d20c0d3
Compare
|
@abhinavdahiya does this look more inline with what you are expecting? |
hexfusion
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/test e2e-aws |
hexfusion
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
hexfusion
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@abhinavdahiya PTAL |
data/data/aws/vpc/sg-master.tf
Outdated
| security_group_id = "${aws_security_group.master.id}" | ||
|
|
||
| protocol = "tcp" | ||
| from_port = 23790 |
There was a problem hiding this comment.
can you get approval to use that port openshift/origin#21520
pkg/asset/manifests/operators.go
Outdated
| @@ -145,6 +153,9 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass | |||
| EtcdCaCert: string(etcdCA.Cert()), | |||
| EtcdClientCert: base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()), | |||
| EtcdClientKey: base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()), | |||
| EtcdMetricsCaCert: string(etcdMetricsSignerCertKey.Cert()), | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
@abhinavdahiya I would like to keep it like this if possible. It feels like we could drop the CA Bundle config but maybe I am missing something?
There was a problem hiding this comment.
this seems to used for https://github.com/openshift/installer/pull/1291/files#diff-626d6cfa425c30cb6c099ebc5324d25b
I think we should use the CABundle asset for this for consistency.
|
@hexfusion this is LGTM.
|
|
@abhinavdahiya rebased commits. WRT openshift/origin#21520 would it preferred to drop into the |
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
|
|
/cc @brancz |
|
Generally 👍 from me as not having etcd metrics is a regression from 3.11, and it's by far the most important component to be monitored. This must be in 4.0. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, hexfusion The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
This PR is to start a conversation about using etcd grpc-proxy to provide TLS trust separation between etcd server and monitoring. The idea here is to provide monitoring a root CA which they can own giving access to etcd metrics but not etcd server directly. etcd grpc-proxy will only forward GET requests to etcd server /metrics endpoint.
/cc @abhinavdahiya
Blocking: openshift/machine-config-operator#517.