Bug 1950430: pkg/cvo/metrics: Drop HTTP, require HTTPS for metrics access #481
01613aa to 5a1e4ae
@wking: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
@wking: This pull request references Bugzilla bug 1950430, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
5a1e4ae to 8fd5ce4
We began serving metrics over HTTPS with 6132bc3 (Bug 1809195: Send CVO metrics over https, 2020-05-07, openshift#358), which also requested monitoring to scrape us over HTTPS. Now that that is all in place in 4.6, we no longer need to serve over HTTP in 4.7 and later. This commit pivots us to always serving over HTTPS.

Because we are no longer serving HTTP, move to requiring --serving-cert-file and --serving-key-file when --listen is non-empty. I'd like to drop the --listen default, to make it an explicit opt-in, but I don't want to lose metrics when folks update from 4.6 -> 4.7. With this commit we start setting --listen explicitly when we launch child CVOs, and in 4.8 we can drop:

  ListenAddr: "0.0.0.0:9099",

from pkg/start. It's possible that the manifest for the incoming CVO is constructed from the incoming release image, in which case we may be able to drop the --listen default now.

I'm not setting --listen in the bootstrap manifest, because we don't need to serve metrics then (it's long before we have Prometheus around to scrape us).
We removed our only consumer in the previous commit. Generated with:

  $ go mod tidy
  $ go mod vendor
  $ git add -A pkg/cvo/metrics.go go.* vendor

using:

  $ go version
  go version go1.14.4 linux/arm64
8fd5ce4 to ae2821f
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jottofar, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest Please review the full test history for this PR and help us cut down flakes.
Update/rollback was too slow:
But the update/rollback did complete by the time we'd gathered, so: /override ci/prow/e2e-agnostic-upgrade
@wking: Overrode contexts on behalf of wking: ci/prow/e2e-agnostic-upgrade In response to this:
@wking: All pull requests linked via external trackers have merged: Bugzilla bug 1950430 has been moved to the MODIFIED state. In response to this:
We began serving metrics over HTTPS with 6132bc3 (#358), which also requested monitoring to scrape us over HTTPS. Now that that is all in place in 4.6, we no longer need to serve over HTTP in 4.7 and later. This commit pivots us to always serving over HTTPS.
Because we are no longer serving HTTP, move to requiring --serving-cert-file and --serving-key-file when --listen is non-empty. I'd like to drop the --listen default, to make it an explicit opt-in, but I don't want to lose metrics when folks update from 4.6 -> 4.7. With this commit we start setting --listen explicitly when we launch child CVOs, and in 4.8 we can drop: from pkg/start. It's possible that the manifest for the incoming CVO is constructed from the incoming release image, in which case we may be able to drop the --listen default now.
I'm setting --listen empty in the bootstrap manifest, because we don't need to serve metrics then (it's long before we have Prometheus around to scrape us).
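The flag handling this description calls for, sketched as an added Go example (not the cluster-version-operator's own code): a non-empty --listen without both TLS files is a startup error, and the listener that results is TLS-only. The Options struct, its field and method names, the error text and the sample address are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// Options holds the three flags discussed above (struct and field names are hypothetical).
type Options struct {
	ListenAddr      string // --listen; empty disables the metrics server
	ServingCertFile string // --serving-cert-file
	ServingKeyFile  string // --serving-key-file
}

// Validate fails closed: a listen address without both TLS files is an error, never a plaintext fallback.
func (o Options) Validate() error {
	if o.ListenAddr != "" && (o.ServingCertFile == "" || o.ServingKeyFile == "") {
		return errors.New("--listen is non-empty: --serving-cert-file and --serving-key-file are required")
	}
	return nil
}

// Listener returns a TLS listener, or nil when metrics serving is disabled.
func (o Options) Listener() (net.Listener, error) {
	if err := o.Validate(); err != nil || o.ListenAddr == "" {
		return nil, err
	}
	cert, err := tls.LoadX509KeyPair(o.ServingCertFile, o.ServingKeyFile)
	if err != nil {
		return nil, fmt.Errorf("loading serving certificate: %w", err)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	return tls.Listen("tcp", o.ListenAddr, cfg)
}

func main() {
	o := Options{ListenAddr: "127.0.0.1:9099"} // constructed input: TLS files missing
	ln, err := o.Listener()
	if err != nil {
		fmt.Println("refusing to start metrics server:", err)
		return
	}
	if ln != nil {
		_ = http.Serve(ln, http.NotFoundHandler()) // stand-in handler; HTTPS only
	}
}
```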