discovery/kubernetes: fix support for password_file and bearer_token_file (#5211)

* discovery/kubernetes: fix support for password_file Signed-off-by: Simon Pasquier <spasquie@redhat.com> * Create and pass custom RoundTripper to Kubernetes client Signed-off-by: Simon Pasquier <spasquie@redhat.com> * Use inline HTTPClientConfig Signed-off-by: Simon Pasquier <spasquie@redhat.com>
6 years ago · c8a1a5a93c
6 changed files with 37 additions and 64 deletions
--- a/cmd/promtool/main.go
+++ b/cmd/promtool/main.go
@ -221,7 +221,7 @@ func checkConfig(filename string) ([]string, error) {
 		}

 		for _, kd := range scfg.ServiceDiscoveryConfig.KubernetesSDConfigs {
-			if err := checkTLSConfig(kd.TLSConfig); err != nil {
+			if err := checkTLSConfig(kd.HTTPClientConfig.TLSConfig); err != nil {
 				return nil, err
 			}
 		}
--- a/config/config.go
+++ b/config/config.go
@ -161,10 +161,7 @@ func resolveFilepaths(baseDir string, cfg *Config) {
 	}
 	sdPaths := func(cfg *sd_config.ServiceDiscoveryConfig) {
 		for _, kcfg := range cfg.KubernetesSDConfigs {
-			kcfg.BearerTokenFile = join(kcfg.BearerTokenFile)
-			kcfg.TLSConfig.CAFile = join(kcfg.TLSConfig.CAFile)
-			kcfg.TLSConfig.CertFile = join(kcfg.TLSConfig.CertFile)
-			kcfg.TLSConfig.KeyFile = join(kcfg.TLSConfig.KeyFile)
+			clientPaths(&kcfg.HTTPClientConfig)
 		}
 		for _, mcfg := range cfg.MarathonSDConfigs {
 			mcfg.AuthTokenFile = join(mcfg.AuthTokenFile)
--- a/config/config_test.go
+++ b/config/config_test.go
@ -341,9 +341,11 @@ var expectedConf = &Config{
 					{
 						APIServer: kubernetesSDHostURL(),
 						Role:      kubernetes.RoleEndpoint,
-						BasicAuth: &config_util.BasicAuth{
-							Username: "myusername",
-							Password: "mysecret",
+						HTTPClientConfig: config_util.HTTPClientConfig{
+							BasicAuth: &config_util.BasicAuth{
+								Username: "myusername",
+								Password: "mysecret",
+							},
 						},
 						NamespaceDiscovery: kubernetes.NamespaceDiscovery{},
 					},
@ -700,6 +702,9 @@ var expectedErrors = []struct {
 	}, {
 		filename: "bearertoken_basicauth.bad.yml",
 		errMsg:   "at most one of basic_auth, bearer_token & bearer_token_file must be configured",
+	}, {
+		filename: "kubernetes_http_config_without_api_server.bad.yml",
+		errMsg:   "to use custom HTTP client configuration please provide the 'api_server' URL explicitly",
 	}, {
 		filename: "kubernetes_bearertoken.bad.yml",
 		errMsg:   "at most one of bearer_token & bearer_token_file must be configured",
--- a/config/testdata/kubernetes_http_config_without_api_server.bad.yml
+++ b/config/testdata/kubernetes_http_config_without_api_server.bad.yml
@ -0,0 +1,6 @@
+scrape_configs:
+  - job_name: prometheus
+
+    kubernetes_sd_configs:
+    - role: pod
+      bearer_token: 1234
--- a/discovery/kubernetes/kubernetes.go
+++ b/discovery/kubernetes/kubernetes.go
@ -16,7 +16,7 @@ package kubernetes
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"reflect"
 	"sync"
 	"time"

@ -25,8 +25,6 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	config_util "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
-	"github.com/prometheus/prometheus/discovery/targetgroup"
-
 	apiv1 "k8s.io/api/core/v1"
 	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -35,6 +33,8 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
+
+	"github.com/prometheus/prometheus/discovery/targetgroup"
 )

 const (
@ -86,13 +86,10 @@ func (c *Role) UnmarshalYAML(unmarshal func(interface{}) error) error {

 // SDConfig is the configuration for Kubernetes service discovery.
 type SDConfig struct {
-	APIServer          config_util.URL        `yaml:"api_server,omitempty"`
-	Role               Role                   `yaml:"role"`
-	BasicAuth          *config_util.BasicAuth `yaml:"basic_auth,omitempty"`
-	BearerToken        config_util.Secret     `yaml:"bearer_token,omitempty"`
-	BearerTokenFile    string                 `yaml:"bearer_token_file,omitempty"`
-	TLSConfig          config_util.TLSConfig  `yaml:"tls_config,omitempty"`
-	NamespaceDiscovery NamespaceDiscovery     `yaml:"namespaces,omitempty"`
+	APIServer          config_util.URL              `yaml:"api_server,omitempty"`
+	Role               Role                         `yaml:"role"`
+	HTTPClientConfig   config_util.HTTPClientConfig `yaml:",inline"`
+	NamespaceDiscovery NamespaceDiscovery           `yaml:"namespaces,omitempty"`
 }

 // UnmarshalYAML implements the yaml.Unmarshaler interface.
@ -106,16 +103,12 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	if c.Role == "" {
 		return fmt.Errorf("role missing (one of: pod, service, endpoints, node, ingress)")
 	}
-	if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
-		return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
-	}
-	if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
-		return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
+	err = c.HTTPClientConfig.Validate()
+	if err != nil {
+		return err
 	}
-	if c.APIServer.URL == nil &&
-		(c.BasicAuth != nil || c.BearerToken != "" || c.BearerTokenFile != "" ||
-			c.TLSConfig.CAFile != "" || c.TLSConfig.CertFile != "" || c.TLSConfig.KeyFile != "") {
-		return fmt.Errorf("to use custom authentication please provide the 'api_server' URL explicitly")
+	if c.APIServer.URL == nil && !reflect.DeepEqual(c.HTTPClientConfig, &config_util.HTTPClientConfig{}) {
+		return fmt.Errorf("to use custom HTTP client configuration please provide the 'api_server' URL explicitly")
 	}
 	return nil
 }
@ -195,46 +188,15 @@ func New(l log.Logger, conf *SDConfig) (*Discovery, error) {
 		if err != nil {
 			return nil, err
 		}
-		// Because the handling of configuration parameters changes
-		// we should inform the user when their currently configured values
-		// will be ignored due to precedence of InClusterConfig
 		level.Info(l).Log("msg", "Using pod service account via in-cluster config")
-
-		if conf.TLSConfig.CAFile != "" {
-			level.Warn(l).Log("msg", "Configured TLS CA file is ignored when using pod service account")
-		}
-		if conf.TLSConfig.CertFile != "" || conf.TLSConfig.KeyFile != "" {
-			level.Warn(l).Log("msg", "Configured TLS client certificate is ignored when using pod service account")
-		}
-		if conf.BearerToken != "" {
-			level.Warn(l).Log("msg", "Configured auth token is ignored when using pod service account")
-		}
-		if conf.BasicAuth != nil {
-			level.Warn(l).Log("msg", "Configured basic authentication credentials are ignored when using pod service account")
-		}
 	} else {
-		kcfg = &rest.Config{
-			Host: conf.APIServer.String(),
-			TLSClientConfig: rest.TLSClientConfig{
-				CAFile:   conf.TLSConfig.CAFile,
-				CertFile: conf.TLSConfig.CertFile,
-				KeyFile:  conf.TLSConfig.KeyFile,
-				Insecure: conf.TLSConfig.InsecureSkipVerify,
-			},
-		}
-		token := string(conf.BearerToken)
-		if conf.BearerTokenFile != "" {
-			bf, err := ioutil.ReadFile(conf.BearerTokenFile)
-			if err != nil {
-				return nil, err
-			}
-			token = string(bf)
+		rt, err := config_util.NewRoundTripperFromConfig(conf.HTTPClientConfig, "kubernetes_sd")
+		if err != nil {
+			return nil, err
 		}
-		kcfg.BearerToken = token
-
-		if conf.BasicAuth != nil {
-			kcfg.Username = conf.BasicAuth.Username
-			kcfg.Password = string(conf.BasicAuth.Password)
+		kcfg = &rest.Config{
+			Host:      conf.APIServer.String(),
+			Transport: rt,
 		}
 	}

--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@ -812,6 +812,9 @@ basic_auth:
 # Optional bearer token file authentication information.
 [ bearer_token_file: <filename> ]

+# Optional proxy URL.
+[ proxy_url: <string> ]
+
 # TLS configuration.
 tls_config:
  [ <tls_config> ]