BUG 1670700: *: add support for etcd metrics proxy

[hexfusion]

This PR adds support for new TLS assets to support the etcd metrics proxy. This proxy will create a separate chain of trust for metrics consumer which will not give allow access to server data directly. The proxy itself is a feature of etcd called the grpc-proxy. By exposing a separate metrics port on the server and then using the proxy to listen to that port we eliminate direct gRPC transactions.

The grpc-proxy forwards only /metrics endpoint requests to the server.

/cc @brancz @abhinavdahiya

depends on: openshift/installer#1291 merged

[runcom]

@hexfusion could you please also add a target for these PRs (4.0 or 4.1 or next)? We're after freeze and if this is a feature I'd love someone like Clayton or Derek or Eric or others to approve

[runcom]

/hold

[kikisdeliveryservice]

Is this for 4.0 or 4.1?

[brancz]

As mentioned in openshift/installer#1291, this needs to land in 4.0.

[runcom]

e2es are failing with starting kube though, could you take a look?

/retest

[hexfusion]

working through this now

[hexfusion]

I am building

/var/opt/openshift/tls/etcd-metrics-ca-bundle.crt
/var/opt/openshift/tls/etcd-metrics-signer-client.crt
/var/opt/openshift/tls/etcd-metrics-signer-client.key
/var/opt/openshift/tls/etcd-metrics-signer-server.crt
/var/opt/openshift/tls/etcd-metrics-signer-server.key

But bootstrap wants different so back to the installer.

Mar 06 13:32:06 ip-10-0-5-133 bootkube.sh[29781]: F0306 13:32:06.133573       1 bootstrap.go:111] error rendering bootstrap manifests: open /etc/ssl/etcd/metrics-ca.crt: no such file or directory

[hexfusion]

/test e2e-aws

[hexfusion]

We have a little bit of a chicken and egg issue here :) as bootstrap depends on itself from the installer.

[abhinavdahiya]

I would like to use objectrefs for secret object.

[runcom]

AIUI, these flags should provide a dummy/default value for this PR to not depend on the installer. After this goes in, you can land the installer PR and then create another PR here to remove the dummy/default value to always honor what bootkube gives you.

(this is not changing or adding images from the release payload so it should be an easier dance)

/cc @cgwalters

[hexfusion]

ok sounds good that was my thought as well.

[brancz]

I can see the metrics client cert in the e2e test artifacts 🎉 now just need to satisfy CI I guess :)

[hexfusion]

@abhinavdahiya PTAL

/cc @brancz

[kikisdeliveryservice]

@hexfusion does this have/need an exception granted?

cc: @runcom

[hexfusion]

@hexfusion does this have/need an exception granted?

Yeah @kikisdeliveryservice monitoring will chime in, probably tomorrow.

[s-urbaniak]

/approve
... if the invariants expressed in openshift/installer#1483 (review) still hold.

Note that I do not have the authority to grant exceptions though! This must be done higher level.

[runcom]

cc @smarterclayton

[s-urbaniak]

xref openshift/cluster-monitoring-operator#302

[hexfusion]

We have a confirmation on this exception from @derekwaynecarr.

/cc @runcom

[runcom]

just saw that, thanks

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hexfusion, runcom, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [runcom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hexfusion]

/hold cancel

[s-urbaniak]

@runcom @hexfusion awesome, thanks for the hard work ... now let's see if etcd appears in monitoring! 🎉