

add support for serving metrics with self-signed cert
Signed-off-by: zhangzujian <[email protected]>
zhangzujian committed Jul 17, 2024
1 parent 1f58f75 commit 8bf5036
Showing 13 changed files with 199 additions and 41 deletions.
5 changes: 5 additions & 0 deletions charts/kube-ovn/templates/controller-deploy.yaml
Expand Up @@ -116,13 +116,18 @@ spec:
- --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
- --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
- --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
- --secure-serving={{- .Values.func.SECURE_SERVING }}
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
9 changes: 9 additions & 0 deletions charts/kube-ovn/templates/monitor-deploy.yaml
Expand Up @@ -44,6 +44,7 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
- --secure-serving={{- .Values.func.SECURE_SERVING }}
- --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
- --logtostderr=false
- --alsologtostderr=true
Expand All @@ -58,6 +59,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IPS
valueFrom:
fieldRef:
9 changes: 9 additions & 0 deletions charts/kube-ovn/templates/ovncni-ds.yaml
Expand Up @@ -82,6 +82,7 @@ spec:
- --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
- --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
- --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
- --secure-serving={{- .Values.func.SECURE_SERVING }}
securityContext:
runAsUser: 0
privileged: true
Expand All @@ -96,6 +97,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IPS
valueFrom:
fieldRef:
1 change: 1 addition & 0 deletions charts/kube-ovn/values.yaml
Expand Up @@ -68,6 +68,7 @@ func:
CHECK_GATEWAY: true
LOGICAL_GATEWAY: false
ENABLE_BIND_LOCAL_IP: true
SECURE_SERVING: false
U2O_INTERCONNECTION: false
ENABLE_TPROXY: false
ENABLE_IC: false
28 changes: 20 additions & 8 deletions cmd/controller/controller.go
Expand Up @@ -22,11 +22,15 @@ import (

kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
"github.com/kubeovn/kube-ovn/pkg/controller"
"github.com/kubeovn/kube-ovn/pkg/tls"
"github.com/kubeovn/kube-ovn/pkg/util"
"github.com/kubeovn/kube-ovn/versions"
)

const ovnLeaderResource = "kube-ovn-controller"
const (
svcName = "kube-ovn-controller"
ovnLeaderResource = "kube-ovn-controller"
)

func CmdMain() {
defer klog.Flush()
Expand Down Expand Up @@ -79,14 +83,22 @@ func CmdMain() {
}
}
}
// conform to Gosec G114
// https://github.com/securego/gosec#available-rules
server := &http.Server{
Addr: fmt.Sprintf("%s:%d", addr, config.PprofPort),
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,

addr = util.JoinHostPort(addr, config.PprofPort)
if !config.SecureServing {
server := &http.Server{
Addr: addr,
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", server.Addr)
} else {
ch, err := tls.SecureServing(addr, svcName, mux)
if err != nil {
util.LogFatalAndExit(err, "failed to serve on %s", addr)
}
<-ch
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", server.Addr)
}()

// ctx, cancel := context.WithCancel(context.Background())
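Review bot: The two arms of the new branch fail differently: the plaintext arm treats any return from ListenAndServe as fatal via `util.LogFatalAndExit` (the line after the `http.Server` literal), while the TLS arm only blocks on `<-ch` and then lets the goroutine return, so if tls.SecureServing signals on `ch` when its listener stops (its contract is not visible in this diff) the controller keeps running with no metrics/pprof endpoint and no log line. A comment stating what the receive means, e.g. `// ch is closed when the TLS server stops; treated like ListenAndServe returning`, plus a fatal or at least an error log after it would restore parity; the same shape is in cmd/daemon/cniserver.go and cmd/ovn_monitor/ovn_monitor.go. The message `failed to listen and server on %s` ("server" for "serve") is carried over here and into ovn_monitor.go, and in cniserver.go it replaces a message that was spelled correctly. The enclosing `go func()` and CmdMain begin outside the hunk.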
24 changes: 17 additions & 7 deletions cmd/daemon/cniserver.go
Expand Up @@ -18,10 +18,13 @@ import (
kubeovninformer "github.com/kubeovn/kube-ovn/pkg/client/informers/externalversions"
"github.com/kubeovn/kube-ovn/pkg/daemon"
"github.com/kubeovn/kube-ovn/pkg/ovs"
"github.com/kubeovn/kube-ovn/pkg/tls"
"github.com/kubeovn/kube-ovn/pkg/util"
"github.com/kubeovn/kube-ovn/versions"
)

const svcName = "kube-ovn-cni"

func CmdMain() {
defer klog.Flush()

Expand Down Expand Up @@ -114,14 +117,21 @@ func CmdMain() {
}()
}

// conform to Gosec G114
// https://github.com/securego/gosec#available-rules
server := &http.Server{
Addr: fmt.Sprintf("%s:%d", addr, config.PprofPort),
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,
addr = util.JoinHostPort(addr, config.PprofPort)
if !config.SecureServing {
server := &http.Server{
Addr: addr,
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", server.Addr)
} else {
ch, err := tls.SecureServing(addr, svcName, mux)
if err != nil {
util.LogFatalAndExit(err, "failed to serve on %s", addr)
}
<-ch
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and serve on %s", server.Addr)
}

func mvCNIConf(configDir, configFile, confName string) error {
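Review bot: The new branch is written negated, `if !config.SecureServing { … } else { … }`, which puts the feature this commit introduces in the else arm; `if config.SecureServing { … } else { … }` or a bare `switch` with the TLS case first reads more directly, and the same shape appears in cmd/controller/controller.go and cmd/ovn_monitor/ovn_monitor.go. The per-binary `svcName` constants (`kube-ovn-cni` here, `kube-ovn-controller`, `kube-ovn-monitor`) are handed to tls.SecureServing with nothing saying what they must agree with; if they are the Service names the generated certificate is issued for, a comment on the declaration such as `// svcName must match the Service fronting this pod; tls.SecureServing uses it for the certificate` would keep them from drifting. CmdMain starts outside the hunk.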
48 changes: 28 additions & 20 deletions cmd/ovn_monitor/ovn_monitor.go
Expand Up @@ -12,10 +12,13 @@ import (

kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
ovn "github.com/kubeovn/kube-ovn/pkg/ovnmonitor"
"github.com/kubeovn/kube-ovn/pkg/tls"
"github.com/kubeovn/kube-ovn/pkg/util"
"github.com/kubeovn/kube-ovn/versions"
)

const svcName = "kube-ovn-monitor"

func CmdMain() {
defer klog.Flush()

Expand All @@ -25,21 +28,6 @@ func CmdMain() {
util.LogFatalAndExit(err, "failed to parse config")
}

exporter := ovn.NewExporter(config)
if err = exporter.StartConnection(); err != nil {
klog.Errorf("%s failed to connect db socket properly: %s", ovn.GetExporterName(), err)
go exporter.TryClientConnection()
}
exporter.StartOvnMetrics()
mux := http.NewServeMux()
if config.EnableMetrics {
mux.Handle(config.MetricsPath, promhttp.Handler())
klog.Infoln("Listening on", config.ListenAddress)
}

// conform to Gosec G114
// https://github.com/securego/gosec#available-rules

addr := config.ListenAddress
if os.Getenv("ENABLE_BIND_LOCAL_IP") == "true" {
podIpsEnv := os.Getenv("POD_IPS")
Expand All @@ -54,10 +42,30 @@ func CmdMain() {
}
}

server := &http.Server{
Addr: addr,
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,
exporter := ovn.NewExporter(config)
if err = exporter.StartConnection(); err != nil {
klog.Errorf("%s failed to connect db socket properly: %s", ovn.GetExporterName(), err)
go exporter.TryClientConnection()
}
exporter.StartOvnMetrics()
mux := http.NewServeMux()
if config.EnableMetrics {
mux.Handle(config.MetricsPath, promhttp.Handler())
klog.Infoln("Listening on", addr)
}

if !config.SecureServing {
server := &http.Server{
Addr: addr,
ReadHeaderTimeout: 3 * time.Second,
Handler: mux,
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", addr)
} else {
ch, err := tls.SecureServing(addr, svcName, mux)
if err != nil {
util.LogFatalAndExit(err, "failed to serve on %s", addr)
}
<-ch
}
util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", config.ListenAddress)
}
24 changes: 24 additions & 0 deletions dist/images/install.sh
Expand Up @@ -38,6 +38,7 @@ ENABLE_BIND_LOCAL_IP=${ENABLE_BIND_LOCAL_IP:-true}
ENABLE_TPROXY=${ENABLE_TPROXY:-false}
OVS_VSCTL_CONCURRENCY=${OVS_VSCTL_CONCURRENCY:-100}
ENABLE_COMPACT=${ENABLE_COMPACT:-false}
SECURE_SERVING=${SECURE_SERVING:-false}

# debug
DEBUG_WRAPPER=${DEBUG_WRAPPER:-}
Expand Down Expand Up @@ -4058,13 +4059,18 @@ spec:
- --enable-lb-svc=$ENABLE_LB_SVC
- --keep-vm-ip=$ENABLE_KEEP_VM_IP
- --node-local-dns-ip=$NODE_LOCAL_DNS_IP
- --secure-serving=${SECURE_SERVING}
env:
- name: ENABLE_SSL
value: "$ENABLE_SSL"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
Expand Down Expand Up @@ -4199,6 +4205,7 @@ spec:
- --kubelet-dir=$KUBELET_DIR
- --enable-tproxy=$ENABLE_TPROXY
- --ovs-vsctl-concurrency=$OVS_VSCTL_CONCURRENCY
- --secure-serving=${SECURE_SERVING}
securityContext:
runAsUser: 0
privileged: true
Expand All @@ -4217,6 +4224,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ENABLE_BIND_LOCAL_IP
value: "$ENABLE_BIND_LOCAL_IP"
- name: DBUS_SYSTEM_BUS_ADDRESS
Expand Down Expand Up @@ -4482,6 +4497,7 @@ spec:
imagePullPolicy: $IMAGE_PULL_POLICY
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
- --secure-serving=${SECURE_SERVING}
- --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
- --logtostderr=false
- --alsologtostderr=true
Expand All @@ -4496,6 +4512,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IPS
valueFrom:
fieldRef:
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -44,6 +44,7 @@ require (
gopkg.in/k8snetworkplumbingwg/multus-cni.v4 v4.0.2
k8s.io/api v0.30.2
k8s.io/apimachinery v0.30.2
k8s.io/apiserver v0.30.2
k8s.io/client-go v12.0.0+incompatible
k8s.io/klog/v2 v2.130.1
k8s.io/kubectl v0.30.2
Expand Down Expand Up @@ -241,7 +242,6 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.30.2 // indirect
k8s.io/apiserver v0.30.2 // indirect
k8s.io/cli-runtime v0.30.2 // indirect
k8s.io/cloud-provider v0.30.2 // indirect
k8s.io/cluster-bootstrap v0.30.2 // indirect
8 changes: 5 additions & 3 deletions pkg/controller/config.go
Expand Up @@ -21,7 +21,6 @@ import (

// Configuration is the controller conf
type Configuration struct {
BindAddress string
OvnNbAddr string
OvnSbAddr string
OvnTimeout int
Expand Down Expand Up @@ -68,8 +67,9 @@ type Configuration struct {
PodNicType string

WorkerNum int
PprofPort int
PprofPort int32
EnablePprof bool
SecureServing bool
NodePgProbeTime int

NetworkType string
Expand Down Expand Up @@ -143,7 +143,8 @@ func ParseFlags() (*Configuration, error) {

argWorkerNum = pflag.Int("worker-num", 3, "The parallelism of each worker")
argEnablePprof = pflag.Bool("enable-pprof", false, "Enable pprof")
argPprofPort = pflag.Int("pprof-port", 10660, "The port to get profiling data")
argPprofPort = pflag.Int32("pprof-port", 10660, "The port to get profiling data")
argSecureServing = pflag.Bool("secure-serving", false, "Enable secure serving")
argNodePgProbeTime = pflag.Int("nodepg-probe-time", 1, "The probe interval for node port-group, the unit is minute")

argNetworkType = pflag.String("network-type", util.NetworkTypeGeneve, "The ovn network type")
Expand Down Expand Up @@ -226,6 +227,7 @@ func ParseFlags() (*Configuration, error) {
WorkerNum: *argWorkerNum,
EnablePprof: *argEnablePprof,
PprofPort: *argPprofPort,
SecureServing: *argSecureServing,
NetworkType: *argNetworkType,
DefaultVlanID: *argDefaultVlanID,
LsDnatModDlDst: *argLsDnatModDlDst,
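Review bot: The help text on the new `argSecureServing` flag, `"Enable secure serving"`, does not tell an operator what is secured or that the certificate is generated rather than provisioned; `"Serve the metrics/pprof endpoint over TLS with a self-signed certificate"` would match the commit title, and the identical text is used for the same flag in pkg/daemon/config.go. The `SecureServing bool` field added to Configuration could carry the same one-line comment, and the `PprofPort` change from `int` to `int32` is a silent type change for any caller doing arithmetic on it. Dropping `BindAddress` from the struct is an unrelated cleanup that the commit message does not mention. ParseFlags continues outside the hunk.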
7 changes: 5 additions & 2 deletions pkg/daemon/config.go
Expand Up @@ -49,7 +49,8 @@ type Configuration struct {
EncapChecksum bool
EnablePprof bool
MacLearningFallback bool
PprofPort int
PprofPort int32
SecureServing bool
NetworkType string
CniConfDir string
CniConfFile string
Expand Down Expand Up @@ -86,7 +87,8 @@ func ParseFlags() *Configuration {
argNodeSwitch = pflag.String("node-switch", "join", "The name of node gateway switch which help node to access pod network")
argEncapChecksum = pflag.Bool("encap-checksum", true, "Enable checksum")
argEnablePprof = pflag.Bool("enable-pprof", false, "Enable pprof")
argPprofPort = pflag.Int("pprof-port", 10665, "The port to get profiling data")
argPprofPort = pflag.Int32("pprof-port", 10665, "The port to get profiling data")
argSecureServing = pflag.Bool("secure-serving", false, "Enable secure serving")
argMacLearningFallback = pflag.Bool("mac-learning-fallback", false, "Fallback to the legacy MAC learning mode")

argsNetworkType = pflag.String("network-type", util.NetworkTypeGeneve, "Tunnel encapsulation protocol in overlay networks")
Expand Down Expand Up @@ -138,6 +140,7 @@ func ParseFlags() *Configuration {
OvsSocket: *argOvsSocket,
KubeConfigFile: *argKubeConfigFile,
EnablePprof: *argEnablePprof,
SecureServing: *argSecureServing,
PprofPort: *argPprofPort,
MacLearningFallback: *argMacLearningFallback,
NodeName: strings.ToLower(*argNodeName),
