metropolis/node/core/metrics: export (controller-manager|scheduler) metrics
Change-Id: Ie61551655cbf1130bb5f5beb2923dac1aa52f868
Reviewed-on: https://review.monogon.dev/c/monogon/+/1952
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/metrics/BUILD.bazel b/metropolis/node/core/metrics/BUILD.bazel
index 9233ee2..f698f0e 100644
--- a/metropolis/node/core/metrics/BUILD.bazel
+++ b/metropolis/node/core/metrics/BUILD.bazel
@@ -16,6 +16,7 @@
"//metropolis/pkg/logtree",
"//metropolis/pkg/supervisor",
"//metropolis/proto/common",
+ "@io_k8s_kubernetes//cmd/kubeadm/app/constants",
],
)
diff --git a/metropolis/node/core/metrics/exporters.go b/metropolis/node/core/metrics/exporters.go
index 2cbe18c..5949eb4 100644
--- a/metropolis/node/core/metrics/exporters.go
+++ b/metropolis/node/core/metrics/exporters.go
@@ -1,12 +1,15 @@
package metrics
import (
+ "crypto/tls"
"fmt"
"io"
"net"
"net/http"
"net/url"
+ "k8s.io/kubernetes/cmd/kubeadm/app/constants"
+
"source.monogon.dev/metropolis/node"
"source.monogon.dev/metropolis/pkg/logtree"
)
@@ -21,6 +24,10 @@
Name string
// Port on which this exporter will be running.
Port node.Port
+ // ServerName used to verify the tls connection.
+ ServerName string
+ // TLSConfigFunc is used to configure tls authentication
+ TLSConfigFunc func(*Service, *Exporter) *tls.Config
// Executable to run to start the exporter.
Executable string
// Arguments to start the exporter. The exporter should listen at 127.0.0.1 and
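Review bot: The two new field comments do not say what happens when they are left unset, which is the case for every pre-existing exporter in this file. From the forwarding code in this same commit, a nil `TLSConfigFunc` means the exporter is scraped over plain HTTP to 127.0.0.1, and `ServerName` is only read by the config func (in `kubeTLSConfig`), not by `forward` itself. I would write `// ServerName is passed as tls.Config.ServerName by TLSConfigFunc; unused when TLSConfigFunc is nil.` and `// TLSConfigFunc, when non-nil, switches forwarding to HTTPS and supplies the client tls.Config.`. The enclosing Exporter struct starts and ends outside the hunk.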
@@ -46,10 +53,28 @@
Name: "etcd",
Port: node.MetricsEtcdListenerPort,
},
+ {
+ Name: "kubernetes-scheduler",
+ Port: constants.KubeSchedulerPort,
+ ServerName: "kube-scheduler.local",
+ TLSConfigFunc: (*Service).kubeTLSConfig,
+ },
+ {
+ Name: "kubernetes-controller-manager",
+ Port: constants.KubeControllerManagerPort,
+ ServerName: "kube-controller-manager.local",
+ TLSConfigFunc: (*Service).kubeTLSConfig,
+ },
+}
+
+func (s *Service) kubeTLSConfig(e *Exporter) *tls.Config {
+ c := s.KubeTLSConfig.Clone()
+ c.ServerName = e.ServerName
+ return c
}
// forward a given HTTP request to this exporter.
-func (e *Exporter) forward(logger logtree.LeveledLogger, w http.ResponseWriter, r *http.Request) {
+func (e *Exporter) forward(s *Service, logger logtree.LeveledLogger, w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
outreq := r.Clone(ctx)
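Review bot: `kubeTLSConfig` dereferences the result of `s.KubeTLSConfig.Clone()` without a nil check; `(*tls.Config).Clone` returns nil for a nil receiver, so a Service constructed without `KubeTLSConfig` panics inside the HTTP handler on the first scrape of the two new kube exporters, which are now part of `DefaultExporters`. Either validate the field once at startup (reject a nil `KubeTLSConfig` when any configured exporter has a `TLSConfigFunc`) or guard here, `if c == nil { return nil }`, and let the TLS handshake fail with a logged 502 rather than a panic. The `KubeTLSConfig` field comment added in metrics.go in this commit should also state that it is required whenever the kube exporters are in use. `forward` continues past the end of this hunk.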
@@ -58,6 +83,12 @@
Host: net.JoinHostPort("127.0.0.1", e.Port.PortString()),
Path: "/metrics",
}
+
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ if e.TLSConfigFunc != nil {
+ outreq.URL.Scheme = "https"
+ transport.TLSClientConfig = e.TLSConfigFunc(s, e)
+ }
logger.V(1).Infof("%s: forwarding %s to %s", r.RemoteAddr, r.URL.String(), outreq.URL.String())
if r.ContentLength == 0 {
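Review bot: `http.DefaultTransport.(*http.Transport).Clone()` now runs on every forwarded request, for every exporter, not just the TLS ones. Each clone owns a separate idle-connection pool, so the previous connection reuse through `DefaultTransport` is lost and each scrape leaves a keep-alive connection (plus its transport goroutines) alive until `IdleConnTimeout` expires; under regular Prometheus scraping that is a steady pile of idle connections and repeated TLS handshakes against the kube components. Build the transport once per exporter (for example when the exporter is registered in metrics.go, or lazily behind a `sync.Once` on the Exporter) and keep using `http.DefaultTransport` when `TLSConfigFunc` is nil; at minimum, call `transport.CloseIdleConnections()` after the response body has been copied. The same transport is used at the `RoundTrip` call in the next hunk; `forward` continues past the end of this hunk.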
@@ -66,7 +97,7 @@
if outreq.Body != nil {
defer outreq.Body.Close()
}
- res, err := http.DefaultTransport.RoundTrip(outreq)
+ res, err := transport.RoundTrip(outreq)
if err != nil {
logger.Errorf("%s: forwarding to %q failed: %v", r.RemoteAddr, e.Name, err)
w.WriteHeader(502)
diff --git a/metropolis/node/core/metrics/metrics.go b/metropolis/node/core/metrics/metrics.go
index 7126459..e087ada 100644
--- a/metropolis/node/core/metrics/metrics.go
+++ b/metropolis/node/core/metrics/metrics.go
@@ -44,6 +44,10 @@
// LocalRoles contains the local node roles which gets listened on and
// is required to decide whether or not to start the discovery routine
LocalRoles *memory.Value[*cpb.NodeRoles]
+ // KubeTLSConfig provides the tls.Config for authenticating against kubernetes
+ // services.
+ KubeTLSConfig *tls.Config
+
// List of Exporters to run and to forward HTTP requests to. If not set, defaults
// to DefaultExporters.
Exporters []Exporter
@@ -130,7 +134,7 @@
exporter := exporter
mux.HandleFunc(exporter.externalPath(), func(w http.ResponseWriter, r *http.Request) {
- exporter.forward(logger, w, r)
+ exporter.forward(s, logger, w, r)
})
logger.Infof("Registered exporter %q", exporter.Name)