From 0e4a5ba885ec4ad7110fc89146242580c10bced4 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Thu, 5 Sep 2024 23:52:49 +0000 Subject: [PATCH 1/5] add ability to read prometheus basic auth creds from secret Signed-off-by: Alex Leong --- .../templates/metrics-api-rbac.yaml | 37 ++++++++++++++++++ .../linkerd-viz/templates/metrics-api.yaml | 4 ++ viz/charts/linkerd-viz/values.yaml | 7 ++++ viz/cmd/testdata/install_default.golden | 38 ++++++++++++++++++- .../testdata/install_default_overrides.golden | 38 ++++++++++++++++++- .../install_prometheus_disabled.golden | 38 ++++++++++++++++++- ...stall_prometheus_loglevel_from_args.golden | 38 ++++++++++++++++++- .../testdata/install_proxy_resources.golden | 38 ++++++++++++++++++- viz/metrics-api/cmd/main.go | 18 ++++++++- 9 files changed, 250 insertions(+), 6 deletions(-) diff --git a/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml b/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml index 2fa38a8b0e4d1..a31dd184b8255 100644 --- a/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml +++ b/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml 
@@ -44,6 +44,43 @@ subjects: name: metrics-api namespace: {{.Release.Namespace}} --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: {{.Release.Namespace}} + labels: + linkerd.io/extension: viz + component: metrics-api + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: {{.Release.Namespace}} + labels: + linkerd.io/extension: viz + component: metrics-api + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: {{.Release.Namespace}} +--- kind: ServiceAccount apiVersion: v1 metadata: diff --git a/viz/charts/linkerd-viz/templates/metrics-api.yaml b/viz/charts/linkerd-viz/templates/metrics-api.yaml index 7a0da53d4f3c6..e421e499d04c3 100644 --- a/viz/charts/linkerd-viz/templates/metrics-api.yaml +++ b/viz/charts/linkerd-viz/templates/metrics-api.yaml @@ -88,7 +88,11 @@ spec: {{- else }} {{ fail "Please enable `linkerd-prometheus` or provide `prometheusUrl` for the viz extension to function properly"}} {{- end }} + {{- if .Values.prometheusCredsSecret }} + - -prometheus-creds-secret={{.Values.prometheusCredsSecret}} + {{- end}} - -enable-pprof={{.Values.enablePprof | default false}} + - -viz-namespace={{.Release.Namespace}} image: {{.Values.metricsAPI.image.registry | default .Values.defaultRegistry}}/{{.Values.metricsAPI.image.name}}:{{.Values.metricsAPI.image.tag | default .Values.linkerdVersion}} imagePullPolicy: {{.Values.metricsAPI.image.pullPolicy | default .Values.defaultImagePullPolicy}} livenessProbe: 
diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml index c3ebc6af59950..f32d0bd31930a 100644 --- a/viz/charts/linkerd-viz/values.yaml +++ b/viz/charts/linkerd-viz/values.yaml @@ -75,6 +75,13 @@ enablePSP: false # -- url of external prometheus instance prometheusUrl: "" +# -- name of the prometheus credentials secret +# If this is set, the metrics-api will use basic auth to connect to prometheus +# and load the user and password from the "user" and "password" keys +# respectively in the given secret. The secret must be in the same namespace +# and must exist before the metrics-api is deployed. +prometheusCredsSecret: "" + # -- url of external jaeger instance # Set this to `jaeger.linkerd-jaeger.svc.:16686` if you plan to use jaeger extension jaegerUrl: "" diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden index b311b895d1e1f..52cbf7977295e 100644 --- a/viz/cmd/testdata/install_default.golden +++ b/viz/cmd/testdata/install_default.golden @@ -54,6 +54,41 @@ subjects: name: metrics-api namespace: linkerd-viz --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: linkerd-viz +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -408,7 +443,7 @@ spec: template: metadata: annotations: - checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b + checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -428,6 +463,7 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false + - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden index 25d7e2a612542..f91ed7a3f6652 100644 --- a/viz/cmd/testdata/install_default_overrides.golden +++ b/viz/cmd/testdata/install_default_overrides.golden @@ -54,6 +54,41 @@ subjects: name: metrics-api namespace: linkerd-viz --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: linkerd-viz +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -408,7 +443,7 @@ spec: template: metadata: annotations: - checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b + checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -428,6 +463,7 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false + - -viz-namespace=linkerd-viz image: gcr.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_prometheus_disabled.golden b/viz/cmd/testdata/install_prometheus_disabled.golden index 0ad7c83b8bd7e..998def50daa32 100644 --- a/viz/cmd/testdata/install_prometheus_disabled.golden +++ b/viz/cmd/testdata/install_prometheus_disabled.golden @@ -55,6 +55,41 @@ subjects: name: metrics-api namespace: linkerd-viz --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: linkerd-viz +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -368,7 +403,7 @@ spec: template: metadata: annotations: - checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b + checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -388,6 +423,7 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=external-prom.com - -enable-pprof=false + - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden index 9755202a3e5f2..1ba3ba139d1c9 100644 --- a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden +++ b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden @@ -54,6 +54,41 @@ subjects: name: metrics-api namespace: linkerd-viz --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: linkerd-viz +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -408,7 +443,7 @@ spec: template: metadata: annotations: - checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b + checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -428,6 +463,7 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false + - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden index c4fe7adb0b5ba..d8c4806f03819 100644 --- a/viz/cmd/testdata/install_proxy_resources.golden +++ b/viz/cmd/testdata/install_proxy_resources.golden @@ -54,6 +54,41 @@ subjects: name: metrics-api namespace: linkerd-viz --- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: metrics-api-prometheus-credentials + namespace: linkerd-viz + labels: + linkerd.io/extension: viz + component: metrics-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-credentials +subjects: +- kind: ServiceAccount + name: metrics-api + namespace: linkerd-viz +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -408,7 +443,7 @@ spec: template: metadata: annotations: - checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b + checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -428,6 +463,7 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false + - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/metrics-api/cmd/main.go b/viz/metrics-api/cmd/main.go index 7a72a6692354c..35b335caa2e02 100644 --- a/viz/metrics-api/cmd/main.go +++ b/viz/metrics-api/cmd/main.go @@ -16,7 +16,9 @@ import ( api "github.com/linkerd/linkerd2/viz/metrics-api" promApi "github.com/prometheus/client_golang/api" promv1 "github.com/prometheus/client_golang/api/prometheus/v1" + "github.com/prometheus/common/config" log "github.com/sirupsen/logrus" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func main() { 
@@ -25,8 +27,10 @@ func main() {
 addr := cmd.String("addr", ":8085", "address to serve on")
 kubeConfigPath := cmd.String("kubeconfig", "", "path to kube config")
 prometheusURL := cmd.String("prometheus-url", "", "prometheus url")
+ prometheusCredentials := cmd.String("prometheus-creds-secret", "", "name of the Secret containing prometheus credentials")
 metricsAddr := cmd.String("metrics-addr", ":9995", "address to serve scrapable metrics on")
 controllerNamespace := cmd.String("controller-namespace", "linkerd", "namespace in which Linkerd is installed")
+ vizNamespace := cmd.String("viz-namespace", "linkerd-viz", "namespace in which Linkerd-Viz is installed")
 ignoredNamespaces := cmd.String("ignore-namespaces", "kube-system", "comma separated list of namespaces to not list pods from")
 clusterDomain := cmd.String("cluster-domain", "cluster.local", "kubernetes cluster domain")
 enablePprof := cmd.Bool("enable-pprof", false, "Enable pprof endpoints on the admin server")
@@ -63,7 +67,19 @@ func main() {
 var prometheusClient promApi.Client
 if *prometheusURL != "" {
- prometheusClient, err = promApi.NewClient(promApi.Config{Address: *prometheusURL})
+ promConfig := promApi.Config{Address: *prometheusURL}
+ if *prometheusCredentials != "" {
+ secret, err := k8sAPI.Client.CoreV1().Secrets(*vizNamespace).Get(ctx, *prometheusCredentials, metav1.GetOptions{})
+ if err != nil {
+ log.Fatal(err.Error())
+ }
+ promConfig.RoundTripper = config.NewBasicAuthRoundTripper(
+ config.NewInlineSecret(string(secret.Data["user"])),
+ config.NewInlineSecret(string(secret.Data["password"])),
+ promApi.DefaultRoundTripper,
+ )
+ }
+ prometheusClient, err = promApi.NewClient(promConfig)
 if err != nil {
 log.Fatal(err.Error())
 }
From a6c683dc8904b63d15b9e414dd2e7a52ada4d08d Mon Sep 17 00:00:00 2001
From: Alex Leong
Date: Thu, 5 Sep 2024 23:58:00 +0000
Subject: [PATCH 2/5] go mod tidy
Signed-off-by: Alex Leong
---
 go.mod | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/go.mod b/go.mod index 459afce17d0a2..bfaaade41e8a0 100644 --- a/go.mod +++ b/go.mod @@ -102,6 +102,7 @@ require ( github.com/huandu/xstrings v1.4.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect + github.com/jpillora/backoff v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect @@ -116,6 +117,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0-rc6 // indirect From b989cb1dd341dd3a06f69dd72773ec3909b42e10 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Fri, 6 Sep 2024 17:09:50 +0000 Subject: [PATCH 3/5] Update helm docs Signed-off-by: Alex Leong --- viz/charts/linkerd-viz/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md index 8ed126c478826..706843c43f331 100644 --- a/viz/charts/linkerd-viz/README.md +++ b/viz/charts/linkerd-viz/README.md 
@@ -160,6 +160,7 @@ Kubernetes: `>=1.22.0-0` | prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | | prometheus.sidecarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | | prometheus.tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | +| prometheusCredsSecret | string | `""` | name of the prometheus credentials secret If this is set, the metrics-api will use basic auth to connect to prometheus and load the user and password from the "user" and "password" keys respectively in the given secret. The secret must be in the same namespace and must exist before the metrics-api is deployed. | | prometheusUrl | string | `""` | url of external prometheus instance | | revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | | tap.GID | string | `nil` | GID for the tap component | From 57b8162892765ee10768835fc50ba3e74c80f664 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Fri, 6 Sep 2024 18:30:38 +0000 Subject: [PATCH 4/5] doc-smithing Signed-off-by: Alex Leong --- viz/charts/linkerd-viz/README.md | 2 +- viz/charts/linkerd-viz/values.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md index 706843c43f331..178b014f94935 100644 --- a/viz/charts/linkerd-viz/README.md +++ b/viz/charts/linkerd-viz/README.md 
@@ -160,7 +160,7 @@ Kubernetes: `>=1.22.0-0` | prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | | prometheus.sidecarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | | prometheus.tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | -| prometheusCredsSecret | string | `""` | name of the prometheus credentials secret If this is set, the metrics-api will use basic auth to connect to prometheus and load the user and password from the "user" and "password" keys respectively in the given secret. The secret must be in the same namespace and must exist before the metrics-api is deployed. | +| prometheusCredsSecret | string | `""` | Name of the prometheus credentials secret. If this is set, the metrics-api will use basic auth to connect to prometheus and load the user and password from the "user" and "password" keys respectively in the given secret. The secret must be in the same namespace and must exist before the metrics-api is deployed. | | prometheusUrl | string | `""` | url of external prometheus instance | | revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | | tap.GID | string | `nil` | GID for the tap component | diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml index f32d0bd31930a..008e207b497ef 100644 --- a/viz/charts/linkerd-viz/values.yaml +++ b/viz/charts/linkerd-viz/values.yaml 
@@ -75,11 +75,11 @@ enablePSP: false # -- url of external prometheus instance prometheusUrl: "" -# -- name of the prometheus credentials secret -# If this is set, the metrics-api will use basic auth to connect to prometheus -# and load the user and password from the "user" and "password" keys -# respectively in the given secret. The secret must be in the same namespace -# and must exist before the metrics-api is deployed. +# -- Name of the prometheus credentials secret. If this is set, the metrics-api +# will use basic auth to connect to prometheus and load the user and password +# from the "user" and "password" keys respectively in the given secret. The +# secret must be in the same namespace and must exist before the metrics-api is +# deployed. prometheusCredsSecret: "" # -- url of external jaeger instance From 86fda11f657aaec4b60774e58f0e3e0ba155428e Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Mon, 9 Sep 2024 23:00:05 +0000 Subject: [PATCH 5/5] mount prometheus credentials secret Signed-off-by: Alex Leong --- .../templates/metrics-api-rbac.yaml | 37 ------------------ .../linkerd-viz/templates/metrics-api.yaml | 16 +++++++- viz/cmd/testdata/install_default.golden | 38 +------------------ .../testdata/install_default_overrides.golden | 38 +------------------ .../install_prometheus_disabled.golden | 38 +------------------ ...stall_prometheus_loglevel_from_args.golden | 38 +------------------ .../testdata/install_proxy_resources.golden | 38 +------------------ viz/metrics-api/cmd/main.go | 21 ++++++---- 8 files changed, 32 insertions(+), 232 deletions(-) diff --git a/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml b/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml index a31dd184b8255..2fa38a8b0e4d1 100644 --- a/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml +++ b/viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml 
@@ -44,43 +44,6 @@ subjects: name: metrics-api namespace: {{.Release.Namespace}} --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: {{.Release.Namespace}} - labels: - linkerd.io/extension: viz - component: metrics-api - {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: {{.Release.Namespace}} - labels: - linkerd.io/extension: viz - component: metrics-api - {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: {{.Release.Namespace}} ---- kind: ServiceAccount apiVersion: v1 metadata: diff --git a/viz/charts/linkerd-viz/templates/metrics-api.yaml b/viz/charts/linkerd-viz/templates/metrics-api.yaml index e421e499d04c3..526bb78f832c1 100644 --- a/viz/charts/linkerd-viz/templates/metrics-api.yaml +++ b/viz/charts/linkerd-viz/templates/metrics-api.yaml 
@@ -89,10 +89,10 @@ spec: {{ fail "Please enable `linkerd-prometheus` or provide `prometheusUrl` for the viz extension to function properly"}} {{- end }} {{- if .Values.prometheusCredsSecret }} - - -prometheus-creds-secret={{.Values.prometheusCredsSecret}} + - -prometheus-user-file=/var/prometheus/user + - -prometheus-password-file=/var/prometheus/password {{- end}} - -enable-pprof={{.Values.enablePprof | default false}} - - -viz-namespace={{.Release.Namespace}} image: {{.Values.metricsAPI.image.registry | default .Values.defaultRegistry}}/{{.Values.metricsAPI.image.name}}:{{.Values.metricsAPI.image.tag | default .Values.linkerdVersion}} imagePullPolicy: {{.Values.metricsAPI.image.pullPolicy | default .Values.defaultImagePullPolicy}} livenessProbe: @@ -125,10 +125,22 @@ spec: runAsGroup: {{.Values.metricsAPI.GID | default .Values.defaultGID}} seccompProfile: type: RuntimeDefault + {{- if .Values.prometheusCredsSecret }} + volumeMounts: + - mountPath: /var/prometheus + name: prom-creds + readOnly: true + {{- end}} securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: metrics-api + {{- with .Values.prometheusCredsSecret }} + volumes: + - name: prom-creds + secret: + secretName: {{ . }} + {{- end }} {{- if and .Values.enablePodDisruptionBudget (gt (int .Values.metricsAPI.replicas) 1) }} --- kind: PodDisruptionBudget diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden index 52cbf7977295e..b311b895d1e1f 100644 --- a/viz/cmd/testdata/install_default.golden +++ b/viz/cmd/testdata/install_default.golden 
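Review bot: The `secret:` volume added at the end of the second hunk leaves the mounted `user` and `password` files at the secret-volume default mode of 0644, so they are readable by any UID inside the container; a tighter `defaultMode` under `secret:` would keep them private to the process user. Note that secret-volume files are root-owned unless the pod sets `fsGroup`, and the pod securityContext visible here sets only a seccompProfile, so verify the `runAsUser`/`runAsGroup` configured above can still read them before tightening. Because `optional` is not set, a missing Secret keeps the pod in ContainerCreating rather than starting without auth, which is consistent with the values.yaml statement that the Secret must exist before deployment. The two guards use `{{- if .Values.prometheusCredsSecret }}` for the mount and `{{- with .Values.prometheusCredsSecret }}` for the volume; using one form for both would be more consistent.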
@@ -54,41 +54,6 @@ subjects: name: metrics-api namespace: linkerd-viz --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: linkerd-viz ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -443,7 +408,7 @@ spec: template: metadata: annotations: - checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b + checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -463,7 +428,6 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false - - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden index f91ed7a3f6652..25d7e2a612542 100644 --- a/viz/cmd/testdata/install_default_overrides.golden +++ b/viz/cmd/testdata/install_default_overrides.golden 
@@ -54,41 +54,6 @@ subjects: name: metrics-api namespace: linkerd-viz --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: linkerd-viz ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -443,7 +408,7 @@ spec: template: metadata: annotations: - checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b + checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -463,7 +428,6 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false - - -viz-namespace=linkerd-viz image: gcr.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_prometheus_disabled.golden b/viz/cmd/testdata/install_prometheus_disabled.golden index 998def50daa32..0ad7c83b8bd7e 100644 --- a/viz/cmd/testdata/install_prometheus_disabled.golden +++ b/viz/cmd/testdata/install_prometheus_disabled.golden 
@@ -55,41 +55,6 @@ subjects: name: metrics-api namespace: linkerd-viz --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: linkerd-viz ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -403,7 +368,7 @@ spec: template: metadata: annotations: - checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b + checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -423,7 +388,6 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=external-prom.com - -enable-pprof=false - - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden index 1ba3ba139d1c9..9755202a3e5f2 100644 --- a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden +++ b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden 
@@ -54,41 +54,6 @@ subjects: name: metrics-api namespace: linkerd-viz --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: linkerd-viz ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -443,7 +408,7 @@ spec: template: metadata: annotations: - checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b + checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -463,7 +428,6 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false - - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden index d8c4806f03819..c4fe7adb0b5ba 100644 --- a/viz/cmd/testdata/install_proxy_resources.golden +++ b/viz/cmd/testdata/install_proxy_resources.golden 
@@ -54,41 +54,6 @@ subjects: name: metrics-api namespace: linkerd-viz --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: metrics-api-prometheus-credentials - namespace: linkerd-viz - labels: - linkerd.io/extension: viz - component: metrics-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-credentials -subjects: -- kind: ServiceAccount - name: metrics-api - namespace: linkerd-viz ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -443,7 +408,7 @@ spec: template: metadata: annotations: - checksum/config: 02e1d99894d26cb0b2a39e2b73ad02b39d1f64661cca88c219fc441ee9c7e67b + checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" @@ -463,7 +428,6 @@ spec: - -cluster-domain=cluster.local - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090 - -enable-pprof=false - - -viz-namespace=linkerd-viz image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: diff --git a/viz/metrics-api/cmd/main.go b/viz/metrics-api/cmd/main.go index 35b335caa2e02..76ef145020633 100644 --- a/viz/metrics-api/cmd/main.go +++ b/viz/metrics-api/cmd/main.go @@ -18,7 +18,6 @@ import ( promv1 "github.com/prometheus/client_golang/api/prometheus/v1" "github.com/prometheus/common/config" log "github.com/sirupsen/logrus" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func main() { 
@@ -27,10 +26,10 @@ func main() {
 addr := cmd.String("addr", ":8085", "address to serve on")
 kubeConfigPath := cmd.String("kubeconfig", "", "path to kube config")
 prometheusURL := cmd.String("prometheus-url", "", "prometheus url")
- prometheusCredentials := cmd.String("prometheus-creds-secret", "", "name of the Secret containing prometheus credentials")
+ prometheusUser := cmd.String("prometheus-user-file", "", "file containing username for prometheus basic auth")
+ prometheusPassword := cmd.String("prometheus-password-file", "", "file containing password for prometheus basic auth")
 metricsAddr := cmd.String("metrics-addr", ":9995", "address to serve scrapable metrics on")
 controllerNamespace := cmd.String("controller-namespace", "linkerd", "namespace in which Linkerd is installed")
- vizNamespace := cmd.String("viz-namespace", "linkerd-viz", "namespace in which Linkerd-Viz is installed")
 ignoredNamespaces := cmd.String("ignore-namespaces", "kube-system", "comma separated list of namespaces to not list pods from")
 clusterDomain := cmd.String("cluster-domain", "cluster.local", "kubernetes cluster domain")
 enablePprof := cmd.Bool("enable-pprof", false, "Enable pprof endpoints on the admin server")
@@ -68,16 +67,22 @@ func main() {
 var prometheusClient promApi.Client
 if *prometheusURL != "" {
 promConfig := promApi.Config{Address: *prometheusURL}
- if *prometheusCredentials != "" {
- secret, err := k8sAPI.Client.CoreV1().Secrets(*vizNamespace).Get(ctx, *prometheusCredentials, metav1.GetOptions{})
+ if *prometheusUser != "" && *prometheusPassword != "" {
+ user, err := os.ReadFile(*prometheusUser)
 if err != nil {
- log.Fatal(err.Error())
+ log.Fatalf("failed to read file containing username for prometheus basic auth: %s", err)
+ }
+ password, err := os.ReadFile(*prometheusPassword)
+ if err != nil {
+ log.Fatalf("failed to read file containing password for prometheus basic auth: %s", err)
 }
 promConfig.RoundTripper = config.NewBasicAuthRoundTripper(
- config.NewInlineSecret(string(secret.Data["user"])),
- config.NewInlineSecret(string(secret.Data["password"])),
+ config.NewInlineSecret(string(user)),
+ config.NewInlineSecret(string(password)),
 promApi.DefaultRoundTripper,
 )
+ } else if *prometheusUser != "" || *prometheusPassword != "" {
+ log.Fatal("both prometheus-user-file and prometheus-password-file must be set")
 }
 prometheusClient, err = promApi.NewClient(promConfig)
 if err != nil {
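Review bot: The credential files are read once at startup and frozen into `config.NewInlineSecret`, so a rotated Secret — whose mounted files kubelet refreshes in place for a plain (non-subPath) volume mount — is not picked up until the pod restarts, and any trailing newline stored in the Secret's `password` key is sent verbatim as part of the password. `config.NewFileSecret(*prometheusUser)` and `config.NewFileSecret(*prometheusPassword)` from the same package re-read the file on each request and, as far as I recall, trim surrounding whitespace, which would replace both `os.ReadFile` blocks; a missing or unreadable file would then surface on the first Prometheus request instead of at startup, so keep a startup read or `os.Stat` if fail-fast is wanted. Separately, the two `log.Fatalf` calls format the error with `%s` and a "failed to" prefix; `log.Fatalf("reading prometheus basic auth username file: %v", err)` is the conventional form. main() starts and ends outside the hunk.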