feat(kuma-cp) Prometheus metrics over mTLS #793
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nickolaev
reviewed
Jun 2, 2020
| // We assume that skipMTLS = nil is the same as false, so we don't break deployments between 0.5 and 0.5.1 | ||
| skipMTLS := prometheusEndpoint.SkipMTLS == nil || prometheusEndpoint.SkipMTLS.Value | ||
| var listener *envoy_api.Listener | ||
| if skipMTLS || !ctx.Mesh.Resource.MTLSEnabled() { |
There was a problem hiding this comment.
Would it make sense to handle skipMTLS in a separate function?
There was a problem hiding this comment.
Refactored
jakubdyszkiewicz
force-pushed
the
feat/envoy-metrics-mtls-v3
branch
from
fc5b7ea to
174fed1
Compare
nickolaev
approved these changes
Jun 3, 2020
|
Issue created. Docs are here kumahq/kuma-website#214 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces Prometheus metrics over mTLS. There are new properties in Prometheus backend configuration:
Since metrics will be exposed with mTLS, there has to be a service that TrafficPermission will match on. You can define this service name in tags.
skipMTLSlets you skip mTLS defined on the mesh. If the value is nil or true, Prometheus endpoint will be exposed without mTLS.kumactl install metricsnow installs prometheus as a part of the mesh with direct access of"*".I needed to remove probes for now because health checks are not accessible when mTLS is on.
Node Exporter for some reason was crashing the whole K8S cluster when Kuma DP was deployed there, therefore for now sidecar injection for it is disabled.
I introduced the concept of additional networking in the code, so policies can be matched on extra listeners that we are generating automatically (like Prometheus)
Documentation
Documentation kumahq/kuma-website#214