Remove kube-rbac-proxy #1730
Remove kube-rbac-proxy #1730
Conversation
k8s-ci-robot
added
kind/deprecation
k8s-ci-robot
added
area/provider/azure
|
/retest |
1 similar comment
|
/retest |
|
/retest |
|
I tested this locally, and it seems to break prometheus metrics, at least as viewed locally via the "metrics" link in Tilt. Switching back to the |
| - args: | ||
| - --leader-elect | ||
| - "--metrics-bind-addr=127.0.0.1:8080" | ||
| - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},AKS=${EXP_AKS:=false}" |
There was a problem hiding this comment.
just fyi: In CAPI we kept that one (but with localhost:8080) so we can replace it in our e2e test (https://github.com/kubernetes-sigs/cluster-api/blob/89df9472d1678ed8ff59f4e124d48ad51ffd85c6/test/e2e/config/docker.yaml#L53-L54) and the e2e test framework is able to retrieve the metrics via proxy (https://github.com/kubernetes-sigs/cluster-api/blob/c55b5013fcb84841cc3705dfb250cdfd8b140447/test/framework/deployment_helpers.go#L200-L206)
Not sure if that's also relevant for CAPZ
There was a problem hiding this comment.
added back with localhost
There was a problem hiding this comment.
If you want to collect metrics during e2e tests you also have to add the replacements to azure-dev.yaml (for all providers).
Sounds like what I described here: #1707 (comment) |
I'm surprised that is the case, we already have a patch for adding the metrid-bind-addr arg to the CAPZ manager: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/hack/observability/opentelemetry/controller-manager-patch.yaml#L12 and that's what we use in tilt: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/Tiltfile#L154 Will test again and report back. |
CecileRobertMichon
force-pushed
the
remove-kube-rbac-proxy
branch
from
b751518 to
32b7e61
Compare
| - name: manager | ||
| args: | ||
| - "--metrics-bind-addr=127.0.0.1:8080" | ||
| - "--metrics-bind-addr=:8080" |
There was a problem hiding this comment.
@mboersma @sbueringer this fixes Prometheus metrics in tilt
There was a problem hiding this comment.
I think the problem is that the ServiceMonitor still points to the https (8443) port.
One solution would be to adjust the auth_proxy_service.yaml (8443=>8080, scheme:https => scheme:http, port https => metrics (and also add the corresponding metrics port (8080) to the deployment)
CecileRobertMichon
force-pushed
the
remove-kube-rbac-proxy
branch
from
32b7e61 to
ccef607
Compare
|
/retest |
|
/hold @mboersma reported that metrics are still not getting collected |
k8s-ci-robot
added
the
do-not-merge/hold
CecileRobertMichon
force-pushed
the
remove-kube-rbac-proxy
branch
from
ccef607 to
63ae4ab
Compare
|
@devigned @mboersma @sbueringer I think this time I fixed it for real... I realized from our testing earlier that I hadn't re-added the auth_proxy_service.yaml to kustomization.yaml so the changes I made in there had no impact 🤦♀️ |
| kind: Service | ||
| metadata: | ||
| annotations: | ||
| prometheus.io/scrape: "true" |
There was a problem hiding this comment.
Currently this service only works in combination with the controller-manager-patch.yaml from the observability folder.
I think it would be good to either:
- move the file to the observability folder
- make it functional by changing the bind addr in
config/manager/manager.yaml(As mentioned: that's something which was rejected for security reasons in the main repo, but I'll stay out of this discussion :))
There was a problem hiding this comment.
@sbueringer thank you so much for your insights!
|
I can confirm metrics are flowing again in Tilt. I like @sbueringer's suggestion of moving |
|
/assign With @CecileRobertMichon out of office, I'll make the changes and update the PR. |
|
@mboersma please give this a look when you have a minute. I've updated the PR by moving the service exposure to the observability folder. |
|
/retest |
k8s-ci-robot
added
the
lgtm
|
One nit: I don't think you need |
I was thinking that. I could probably rip out some of the prom config, like the service account token, etc. |
Yes, sgtm |
devigned
force-pushed
the
remove-kube-rbac-proxy
branch
from
9c069a0 to
eb881cd
Compare
k8s-ci-robot
removed
the
lgtm
|
@mboersma I've ripped out some of the prom auth config and slimmed down the PR to only the required resources. If you could give this a quick check, I'd appreciate it. |
|
/lgtm I retested, and prometheus looks good. |
k8s-ci-robot
added
the
lgtm
|
Thank you, @mboersma! /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: devigned The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
thanks for carrying this to the finish line @devigned! |
6 participants
What type of PR is this?
/kind deprecation
What this PR does / why we need it: This should have been done as part of v1alpha4 per https://cluster-api.sigs.k8s.io/developer/providers/v1alpha3-to-v1alpha4, fixing now.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #1707
Special notes for your reviewer: I verified that this does not affect our telemetry in tilt.
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
TODOs:
Release note: