Support flux managed clusters #1364
Conversation
QuentinBisson
force-pushed
the
support-flux-managed-clusters
branch
8 times, most recently
from
591119b to
78b34b6
Compare
|
Tested on Snail, working fine :) |
| @@ -1,10 +1,15 @@ | |||
| [[- define "_apiserver" -]] | |||
| [[- if ne .ClusterType "management_cluster" ]] | |||
| api_server: https://[[ .APIServerURL ]] | |||
| [[- if eq .AuthenticationType "token" ]] | |||
There was a problem hiding this comment.
Add a new field named authentication type that explains if the tls config needs to use a token or a cert/key pair
| @@ -5,6 +5,8 @@ metadata: | |||
| labels: | |||
| {{- include "labels.common" . | nindent 4 }} | |||
| name: alertmanager-psp | |||
| annotations: | |||
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default | |||
There was a problem hiding this comment.
Add a missing seccomp annotation that causes issue on snail
| bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token | ||
| [[ end ]] |
There was a problem hiding this comment.
why these 3 above lines are not embedded in the _apiserver section ?
There was a problem hiding this comment.
That's because etcd is a bit special, especially on vintage
There was a problem hiding this comment.
Also the apiserver secion is only for workload clusters because prometheus in the MC have access to the api server "locally"
There was a problem hiding this comment.
On MC there is always a file with the token ?
There was a problem hiding this comment.
Should be yes
Signed-off-by: QuentinBisson <[email protected]>
Signed-off-by: QuentinBisson <[email protected]>
* Change GetOrganization to rely on the namespace * Rely on namespace label for organization --------- Co-authored-by: Mohamed Chiheb <[email protected]> Co-authored-by: QuentinBisson <[email protected]>
* Bump alertmanager and prometheus versions * Release v4.47.0 --------- Co-authored-by: QuentinBisson <[email protected]>
Signed-off-by: QuentinBisson <[email protected]>
Signed-off-by: QuentinBisson <[email protected]>
QuentinBisson
force-pushed
the
support-flux-managed-clusters
branch
4 times, most recently
from
075d918 to
6f016aa
Compare
Signed-off-by: QuentinBisson <[email protected]>
QuentinBisson
force-pushed
the
support-flux-managed-clusters
branch
from
6f016aa to
cc829af
Compare
service/key/key.go
Outdated
| } else if (secret.Data["crt"] != nil && len(secret.Data["crt"]) > 0) && (secret.Data["key"] != nil && len(secret.Data["key"]) > 0) { | ||
| return "certificates", nil | ||
| } | ||
| return "vintage", nil |
There was a problem hiding this comment.
What does "vintage" mean ?
I see no use case with this authentication type ?!
There was a problem hiding this comment.
Well, it means the vintage authentication mechanism (for KVM). It's not used but i wanted to avoid setting an empty string here
There was a problem hiding this comment.
Can you add a comment please :-)
There was a problem hiding this comment.
I made it into an error :)
Signed-off-by: QuentinBisson <[email protected]>
QuentinBisson
force-pushed
the
support-flux-managed-clusters
branch
6 times, most recently
from
5881dea to
4711752
Compare
Signed-off-by: QuentinBisson <[email protected]>
QuentinBisson
force-pushed
the
support-flux-managed-clusters
branch
from
4711752 to
ab43a27
Compare
|
@giantswarm/team-atlas The changes should be easier to review :) |
|
Tested on |
Towards: giantswarm/roadmap#2809
To connect to the api server of CAPI Clusters, prometheus-meta-operator is copying the kubeconfig for the cluster (certificate and private key) to be able to establish a TLS connection.
For Flux managed clusters described in this issue giantswarm/roadmap#2670, the kubeconfig contains a token and not a certificate/private key pair so we need to adjust prometheus-meta-operator to be able to configure the Prometheus to use a token to connect to the API server instead of the certificates.
This PR does just that
Checklist
I have:
CHANGELOG.md