[kube-prometheus-stack] tlsConfig support for servicemonitors and default alertingEndpoints to work with istio strict mtls #145
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
@bismarck @gianrubio @gkarthiks @scottrigby @vsliouniaev @Xtigyro it will help many who want to use prometheus operator with Istio STRICT mTLS between the Prometheus components
@infa-ddeore We would be happy to accept a PR implementing this feature.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This issue is being automatically closed due to inactivity.
Is nobody still interested in this?
Yes, I'm very interested in this.
I ended up using the Helm post-renderer approach with kustomize to patch the chart on the fly. Here is a distilled example repo: https://github.com/uvw/kube-prometheus-stack-istio.
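For reference, the post-renderer approach boils down to a kustomization that patches the rendered ServiceMonitors. This is a minimal sketch, not the linked repo's exact contents: file names, the patched endpoint index, and the cert paths are illustrative; a small wrapper script saves Helm's rendered manifests from stdin to `all.yaml` and runs `kustomize build .`.

```yaml
# kustomization.yaml -- invoked via `helm install ... --post-renderer ./wrapper.sh`
resources:
  - all.yaml   # Helm's rendered output, written here by the wrapper script
patches:
  - target:
      kind: ServiceMonitor   # patch every rendered ServiceMonitor
    patch: |-
      - op: add
        path: /spec/endpoints/0/scheme
        value: https
      - op: add
        path: /spec/endpoints/0/tlsConfig
        value:
          caFile: /etc/istio-certs/root-cert.pem
          certFile: /etc/istio-certs/cert-chain.pem
          keyFile: /etc/istio-certs/key.pem
          insecureSkipVerify: true
```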
Looking further into the Istio code and docs, it looks like metrics merging is the supported way of handling metrics with mTLS set to STRICT. I've asked for clarification on the correct pattern to implement this.
@infa-ddeore have you tested it with the latest kube-prometheus-stack?
@Crazyigor1987 have you set a
@stevehipwell THANK YOU, that was the right keyword! Finally kube-prometheus-stack works like I wanted it to.
How come Prometheus needs the TLS configs for the ServiceMonitors if it has the sidecar already injected? Shouldn't that allow scraping to happen over plain HTTP?
Prometheus scrapes pod IPs directly, and Istio doesn't intercept connections made directly to pod IPs.
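For context, strict mode is typically set mesh-wide with a PeerAuthentication like the one below; this is the policy that makes the target's sidecar reject plaintext scrapes of pod IPs.

```yaml
# Mesh-wide STRICT mTLS: all sidecars reject plaintext inbound traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```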
You can use metric relabelling (we do this currently) to have the Istio proxy allow non-mTLS scraping, but you have to live with all metrics being associated with the Istio proxy pod. If Istio added originating-pod labels we could rewrite the metrics to get them back under the correct pod, which would be a pretty good solution.
@stevehipwell This sounds interesting. Would you please give more details about this approach? Thanks already for the idea!
@shadjac you can set up Prometheus Operator for Istio via the control plane (istiod) service monitor and data plane (istio-proxy) pod monitor from the example template. Once you've got this set up you can enable metrics merging to collect your container metrics directly from the data plane. With merging enabled, the data plane will merge pod metrics if you annotate the pod with the standard (non-operator) Prometheus annotations (`prometheus.io/scrape`, `prometheus.io/port`, `prometheus.io/path`).
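As a sketch of that last step, the pod template carries the standard annotations pointing at the app's own metrics endpoint; the port and path values here are placeholders for your application's settings.

```yaml
# Fragment of a Deployment pod template: with Istio metrics merging enabled,
# the sidecar injector rewrites these annotations and the proxy serves the
# app's metrics merged with its own.
spec:
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"      # your app's metrics port
        prometheus.io/path: "/metrics"  # your app's metrics path
```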
@stevehipwell Thanks for elaborating on this. However, in our case, the application exposes its metrics on port 8080 at path /metrics/prometheus. I assume the annotations have default values and that they can't be changed.
@shadjac the annotations that you add to your pod should be set to your values; the istio-proxy will rewrite the annotations to its values (which will be ignored by Prometheus Operator), but it will merge the metrics from your endpoint with its own, to be collected by the pod monitor.
@infa-ddeore we implemented it the way you suggested, but we cannot read the mounted cert/key files. I can see them at the path /etc/istio-certs.

    err="error creating HTTP client: unable to load specified CA cert /etc/istio-certs/root-cert.pem: open /etc/istio-certs/root-cert.pem: permission denied" scrape_pool=serviceMonitor/monitoring/test/0

Do we have to do something with `runAsUser`? It's set to 1000 now. Should it be 0?
I haven't come across such an issue; maybe the kube-prometheus-stack I used had a different user id which allowed the access.
Thanks @infa-ddeore
Can someone comment why
Yes, it is required because the cert is signed by Istio and Prometheus won't trust it.
Thank you @infa-ddeore
Update: Now my problem is that Prometheus tries to fire an alert by sending it to Alertmanager over HTTPS, which apparently doesn't like this...
Background: As described here, I'm trying to force Prometheus to use mTLS when communicating with the Alertmanager.

====

I have followed your guide; however, the Alertmanagers don't seem to be able to discover each other. I get errors like these:
I believe it happens when an Alertmanager (I have three instances running) starts up, fetches the IPs of the other two, and tries syncing with them. Any idea why this might happen? As you previously described, pod-to-pod communication using IPs should not be interfered with by the Istio sidecar. In the Envoy proxy config of one of the Alertmanagers I see the following:

    10.8.30.232 9093 Trans: raw_buffer; App: HTTP Route: alertmanager-main.monitoring.svc.cluster.local:9093
    10.8.30.232 9093 ALL Cluster: outbound|9093||alertmanager-main.monitoring.svc.cluster.local
    10.9.11.9 9093 Trans: raw_buffer; App: HTTP Route: alertmanager-operated.monitoring.svc.cluster.local:9093
    10.9.11.9 9093 ALL Cluster: outbound|9093||alertmanager-operated.monitoring.svc.cluster.local
    10.9.12.9 9093 Trans: raw_buffer; App: HTTP Route: alertmanager-operated.monitoring.svc.cluster.local:9093
    10.9.12.9 9093 ALL Cluster: outbound|9093||alertmanager-operated.monitoring.svc.cluster.local
    10.9.13.10 9093 Trans: raw_buffer; App: HTTP Route: alertmanager-operated.monitoring.svc.cluster.local:9093
    10.9.13.10 9093 ALL Cluster: outbound|9093||alertmanager-operated.monitoring.svc.cluster.local
    10.9.11.9 9094 ALL Cluster: outbound|9094||alertmanager-operated.monitoring.svc.cluster.local
    10.9.12.9 9094 ALL Cluster: outbound|9094||alertmanager-operated.monitoring.svc.cluster.local
    10.9.13.10 9094 ALL Cluster: outbound|9094||alertmanager-operated.monitoring.svc.cluster.local
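One workaround sometimes suggested for exactly this symptom is to exempt the Alertmanager gossip port (9094) from strict mTLS with a port-level PeerAuthentication. This is a hedged sketch, not a fix confirmed in this thread, and the selector label is an assumption; match it to your Alertmanager pods.

```yaml
# Relax mTLS only on the Alertmanager cluster/gossip port so peers can sync.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: alertmanager-gossip
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alertmanager  # assumed label; verify on your pods
  portLevelMtls:
    9094:
      mode: PERMISSIVE  # DISABLE is the stricter alternative
```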
Can this be re-opened?
**Is your feature request related to a problem? Please describe.**
Prometheus stack installed with the Istio sidecar under a STRICT mTLS policy.

**Describe the solution you'd like**
`tlsConfig` support for the chart's servicemonitors, and default `alertingEndpoints` that work with Istio STRICT mTLS.

**Describe alternatives you've considered**
Overriding `prometheus.prometheusSpec.alertingEndpoints` to use `https` and a `tlsConfig`.
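A hedged sketch of such an override, reusing the release naming that appears elsewhere in this issue; the service name and port name are assumptions.

```yaml
# kube-prometheus-stack values: point Prometheus at Alertmanager over mTLS
# using the certs the Istio sidecar writes to /etc/istio-certs.
prometheus:
  prometheusSpec:
    alertingEndpoints:
      - name: prom-prometheus-operator-alertmanager  # assumed service name
        namespace: monitoring
        port: web                                    # assumed port name
        scheme: https
        tlsConfig:
          caFile: /etc/istio-certs/root-cert.pem
          certFile: /etc/istio-certs/cert-chain.pem
          keyFile: /etc/istio-certs/key.pem
          insecureSkipVerify: true
```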
**Additional context**
Below are the override values (considering "prom" is the installed Helm chart name, e.g. `helm install prom`) that make Istio write the TLS certs to an in-memory volume and make Prometheus mount that volume:
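The values block itself isn't preserved in this copy of the issue. A reconstruction following the pattern later documented by Istio for Prometheus TLS scraping (the annotation set and mount paths are assumptions) would look roughly like:

```yaml
prometheus:
  prometheusSpec:
    podMetadata:
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: ""      # don't intercept inbound scrapes
        traffic.sidecar.istio.io/includeOutboundIPRanges: ""  # don't intercept outbound traffic
        # Have the sidecar write its workload certs into the shared volume.
        proxy.istio.io/config: |
          proxyMetadata:
            OUTPUT_CERTS: /etc/istio-output-certs
        sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]'
    volumes:
      - name: istio-certs
        emptyDir:
          medium: Memory   # certs live only in memory
    volumeMounts:
      - name: istio-certs
        mountPath: /etc/istio-certs   # where Prometheus reads the certs
```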
NOTE:

Prerequisites:
- Istio `1.6.1` or higher (namespace labelled with `istio-injection=enabled`)

Istio `1.6.1` and higher needs to be installed to make this work; Prometheus will have the Istio certs mounted under the `/etc/istio-certs/` dir. Once PeerAuthentication is set to STRICT, Prometheus will fail to scrape/connect to other components like grafana, operator, alertmanager.

Edit the servicemonitor to make Prometheus scrape the target over HTTPS with a tlsConfig as below:
`kubectl edit servicemonitors.monitoring.coreos.com prom-prometheus-operator-alertmanager`
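The tlsConfig block referenced above also isn't preserved in this copy; a hedged sketch of the endpoint settings, following the same cert paths used throughout this thread (the port name is an assumption):

```yaml
# ServiceMonitor fragment: scrape over HTTPS using the Istio-issued certs.
spec:
  endpoints:
    - port: web            # assumed port name for the alertmanager endpoint
      scheme: https
      tlsConfig:
        caFile: /etc/istio-certs/root-cert.pem
        certFile: /etc/istio-certs/cert-chain.pem
        keyFile: /etc/istio-certs/key.pem
        insecureSkipVerify: true   # Istio's workload certs don't match the service hostname
```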
Now Prometheus can scrape the target over mTLS.