metropolis/node/core/metrics: export (controller-manager|scheduler) metrics
Change-Id: Ie61551655cbf1130bb5f5beb2923dac1aa52f868
Reviewed-on: https://review.monogon.dev/c/monogon/+/1952
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/roleserve/roleserve.go b/metropolis/node/core/roleserve/roleserve.go
index 02bc510..0c486d1 100644
--- a/metropolis/node/core/roleserve/roleserve.go
+++ b/metropolis/node/core/roleserve/roleserve.go
@@ -168,6 +168,7 @@
s.metrics = &workerMetrics{
curatorConnection: &s.CuratorConnection,
localRoles: &s.localRoles,
+ localControlplane: &s.localControlPlane,
}
return s
diff --git a/metropolis/node/core/roleserve/worker_metrics.go b/metropolis/node/core/roleserve/worker_metrics.go
index a9add88..d0c89a4 100644
--- a/metropolis/node/core/roleserve/worker_metrics.go
+++ b/metropolis/node/core/roleserve/worker_metrics.go
@@ -2,10 +2,14 @@
import (
"context"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
cpb "source.monogon.dev/metropolis/proto/common"
"source.monogon.dev/metropolis/node/core/metrics"
+ kpki "source.monogon.dev/metropolis/node/kubernetes/pki"
"source.monogon.dev/metropolis/pkg/event/memory"
"source.monogon.dev/metropolis/pkg/supervisor"
@@ -19,6 +23,7 @@
type workerMetrics struct {
curatorConnection *memory.Value[*curatorConnection]
localRoles *memory.Value[*cpb.NodeRoles]
+ localControlplane *memory.Value[*localControlPlane]
}
func (s *workerMetrics) run(ctx context.Context) error {
@@ -32,10 +37,53 @@
}
supervisor.Logger(ctx).Infof("Got curator connection, starting...")
+ lw := s.localControlplane.Watch()
+ defer lw.Close()
+ cp, err := lw.Get(ctx)
+ if err != nil {
+ return err
+ }
+
+ pki, err := kpki.FromLocalConsensus(ctx, cp.consensus)
+ if err != nil {
+ return err
+ }
+
+ // TODO(q3k): move this to IssueCertificates and replace with dedicated certificate
+ cert, key, err := pki.Certificate(ctx, kpki.Master)
+ if err != nil {
+ return fmt.Errorf("could not load certificate %q from PKI: %w", kpki.Master, err)
+ }
+ parsedKey, err := x509.ParsePKCS8PrivateKey(key)
+ if err != nil {
+ return fmt.Errorf("failed to parse key for cert %q: %w", kpki.Master, err)
+ }
+
+ caCert, _, err := pki.Certificate(ctx, kpki.IdCA)
+ if err != nil {
+ return fmt.Errorf("could not load certificate %q from PKI: %w", kpki.IdCA, err)
+ }
+ parsedCACert, err := x509.ParseCertificate(caCert)
+ if err != nil {
+ return fmt.Errorf("failed to parse cert %q: %w", kpki.IdCA, err)
+ }
+
+ rootCAs := x509.NewCertPool()
+ rootCAs.AddCert(parsedCACert)
+
+ kubeTLSConfig := &tls.Config{
+ RootCAs: rootCAs,
+ Certificates: []tls.Certificate{{
+ Certificate: [][]byte{cert},
+ PrivateKey: parsedKey,
+ }},
+ }
+
svc := metrics.Service{
- Credentials: cc.credentials,
- Curator: ipb.NewCuratorClient(cc.conn),
- LocalRoles: s.localRoles,
+ Credentials: cc.credentials,
+ Curator: ipb.NewCuratorClient(cc.conn),
+ LocalRoles: s.localRoles,
+ KubeTLSConfig: kubeTLSConfig,
}
return svc.Run(ctx)
}
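Review bot: The metrics worker authenticates to the controller-manager and scheduler with the `kpki.Master` certificate loaded at L55, and if that is the cluster superuser identity its name suggests, a read-only metrics scrape is being done with a credential whose private key now also sits in this worker's memory (the `PrivateKey: parsedKey` entry at L80) for the lifetime of the run; the TODO at L54 names the fix but the hunk ships without it. Until the dedicated certificate exists, the TODO should state the blast radius so it is not silently deprioritised, e.g. `// TODO(q3k): kpki.Master is presumably the superuser client identity; scraping /metrics needs only a client cert bound to a minimal RBAC role. Issue a dedicated cert in IssueCertificates before exposing further endpoints.`. Two smaller points: `cp.consensus` at L49 is dereferenced without checking whether `lw.Get` can return a nil `*localControlPlane` (the struct's other watched value, `localRoles`, implies roles vary per node, so this is worth confirming), and `kubeTLSConfig` sets no explicit `MinVersion`, which is acceptable on Go's current client default but is usually pinned (`MinVersion: tls.VersionTLS12`) in code that hands a control-plane credential to a client. The enclosing `run` method starts before this hunk.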