From c8a1a5a93c2346560cc9032a57534a26467e9157 Mon Sep 17 00:00:00 2001
From: Simon Pasquier
Date: Wed, 20 Feb 2019 11:22:34 +0100
Subject: [PATCH] discovery/kubernetes: fix support for password_file and bearer_token_file (#5211)
* discovery/kubernetes: fix support for password_file
Signed-off-by: Simon Pasquier
* Create and pass custom RoundTripper to Kubernetes client
Signed-off-by: Simon Pasquier
* Use inline HTTPClientConfig
Signed-off-by: Simon Pasquier
---
 cmd/promtool/main.go | 2 +-
 config/config.go | 5 +-
 config/config_test.go | 11 ++-
 ...tes_http_config_without_api_server.bad.yml | 6 ++
 discovery/kubernetes/kubernetes.go | 74 +++++--------------
 docs/configuration/configuration.md | 3 +
 6 files changed, 37 insertions(+), 64 deletions(-)
 create mode 100644 config/testdata/kubernetes_http_config_without_api_server.bad.yml
diff --git a/cmd/promtool/main.go b/cmd/promtool/main.go
index 7a9192ea6..1abcafa8f 100644
--- a/cmd/promtool/main.go
+++ b/cmd/promtool/main.go
@@ -221,7 +221,7 @@ func checkConfig(filename string) ([]string, error) {
 }
 for _, kd := range scfg.ServiceDiscoveryConfig.KubernetesSDConfigs {
- if err := checkTLSConfig(kd.TLSConfig); err != nil {
+ if err := checkTLSConfig(kd.HTTPClientConfig.TLSConfig); err != nil {
 return nil, err
 }
 }
diff --git a/config/config.go b/config/config.go
index 004d58a85..087b24c89 100644
--- a/config/config.go
+++ b/config/config.go
@@ -161,10 +161,7 @@ func resolveFilepaths(baseDir string, cfg *Config) {
 }
 sdPaths := func(cfg *sd_config.ServiceDiscoveryConfig) {
 for _, kcfg := range cfg.KubernetesSDConfigs {
- kcfg.BearerTokenFile = join(kcfg.BearerTokenFile)
- kcfg.TLSConfig.CAFile = join(kcfg.TLSConfig.CAFile)
- kcfg.TLSConfig.CertFile = join(kcfg.TLSConfig.CertFile)
- kcfg.TLSConfig.KeyFile = join(kcfg.TLSConfig.KeyFile)
+ clientPaths(&kcfg.HTTPClientConfig)
 }
 for _, mcfg := range cfg.MarathonSDConfigs {
 mcfg.AuthTokenFile = join(mcfg.AuthTokenFile)
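Review bot: In checkConfig (cmd/promtool/main.go) the Kubernetes SD loop still validates only `kd.HTTPClientConfig.TLSConfig`, while the inlined HTTPClientConfig now also carries `bearer_token_file` and, going by the commit title, `basic_auth.password_file`. A mistyped path in either setting would pass `promtool check config` and only surface once discovery starts, presumably as an authentication failure against the API server. Consider checking those two paths for existence in the same loop, alongside the TLS files. Only the loop body is visible in this hunk, so this assumes no such check exists elsewhere in checkConfig.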
diff --git a/config/config_test.go b/config/config_test.go
index 5aa860c65..dbba29a63 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -341,9 +341,11 @@ var expectedConf = &Config{
 {
 APIServer: kubernetesSDHostURL(),
 Role: kubernetes.RoleEndpoint,
- BasicAuth: &config_util.BasicAuth{
- Username: "myusername",
- Password: "mysecret",
+ HTTPClientConfig: config_util.HTTPClientConfig{
+ BasicAuth: &config_util.BasicAuth{
+ Username: "myusername",
+ Password: "mysecret",
+ },
 },
 NamespaceDiscovery: kubernetes.NamespaceDiscovery{},
 },
@@ -700,6 +702,9 @@ var expectedErrors = []struct {
 }, {
 filename: "bearertoken_basicauth.bad.yml",
 errMsg: "at most one of basic_auth, bearer_token & bearer_token_file must be configured",
+ }, {
+ filename: "kubernetes_http_config_without_api_server.bad.yml",
+ errMsg: "to use custom HTTP client configuration please provide the 'api_server' URL explicitly",
 }, {
 filename: "kubernetes_bearertoken.bad.yml",
 errMsg: "at most one of bearer_token & bearer_token_file must be configured",
diff --git a/config/testdata/kubernetes_http_config_without_api_server.bad.yml b/config/testdata/kubernetes_http_config_without_api_server.bad.yml
new file mode 100644
index 000000000..1779454da
--- /dev/null
+++ b/config/testdata/kubernetes_http_config_without_api_server.bad.yml
@@ -0,0 +1,6 @@
+scrape_configs:
+ - job_name: prometheus
+
+ kubernetes_sd_configs:
+ - role: pod
+ bearer_token: 1234
diff --git a/discovery/kubernetes/kubernetes.go b/discovery/kubernetes/kubernetes.go
index a71d66edd..988817c28 100644
--- a/discovery/kubernetes/kubernetes.go
+++ b/discovery/kubernetes/kubernetes.go
@@ -16,7 +16,7 @@ package kubernetes
 import (
 "context"
 "fmt"
- "io/ioutil"
+ "reflect"
 "sync"
 "time"
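Review bot: The new expectedErrors entry in config/config_test.go covers only the rejection path (an inline `bearer_token` without `api_server`). None of the visible hunks adds a case where a `kubernetes_sd_configs` entry with just `role` and no `api_server` must load successfully, or one where `bearer_token_file` or `password_file` is set together with `api_server`. Because the 'api_server' check is rewritten in this commit, a positive in-cluster case would catch a guard that rejects too much. Both expectedConf and expectedErrors continue outside these hunks, so such cases may already exist there.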
@@ -25,8 +25,6 @@ import (
 "github.com/prometheus/client_golang/prometheus"
 config_util "github.com/prometheus/common/config"
 "github.com/prometheus/common/model"
- "github.com/prometheus/prometheus/discovery/targetgroup"
-
 apiv1 "k8s.io/api/core/v1"
 extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,6 +33,8 @@ import (
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/cache"
+
+ "github.com/prometheus/prometheus/discovery/targetgroup"
 )
 const (
@@ -86,13 +86,10 @@ func (c *Role) UnmarshalYAML(unmarshal func(interface{}) error) error {
 // SDConfig is the configuration for Kubernetes service discovery.
 type SDConfig struct {
- APIServer config_util.URL `yaml:"api_server,omitempty"`
- Role Role `yaml:"role"`
- BasicAuth *config_util.BasicAuth `yaml:"basic_auth,omitempty"`
- BearerToken config_util.Secret `yaml:"bearer_token,omitempty"`
- BearerTokenFile string `yaml:"bearer_token_file,omitempty"`
- TLSConfig config_util.TLSConfig `yaml:"tls_config,omitempty"`
- NamespaceDiscovery NamespaceDiscovery `yaml:"namespaces,omitempty"`
+ APIServer config_util.URL `yaml:"api_server,omitempty"`
+ Role Role `yaml:"role"`
+ HTTPClientConfig config_util.HTTPClientConfig `yaml:",inline"`
+ NamespaceDiscovery NamespaceDiscovery `yaml:"namespaces,omitempty"`
 }
 // UnmarshalYAML implements the yaml.Unmarshaler interface.
@@ -106,16 +103,12 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 if c.Role == "" {
 return fmt.Errorf("role missing (one of: pod, service, endpoints, node, ingress)")
 }
- if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
- return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
- }
- if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
- return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
+ err = c.HTTPClientConfig.Validate()
+ if err != nil {
+ return err
 }
- if c.APIServer.URL == nil &&
- (c.BasicAuth != nil || c.BearerToken != "" || c.BearerTokenFile != "" ||
- c.TLSConfig.CAFile != "" || c.TLSConfig.CertFile != "" || c.TLSConfig.KeyFile != "") {
- return fmt.Errorf("to use custom authentication please provide the 'api_server' URL explicitly")
+ if c.APIServer.URL == nil && !reflect.DeepEqual(c.HTTPClientConfig, &config_util.HTTPClientConfig{}) {
+ return fmt.Errorf("to use custom HTTP client configuration please provide the 'api_server' URL explicitly")
 }
 return nil
 }
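Review bot: The new guard in SDConfig.UnmarshalYAML compares a struct value with a pointer: `reflect.DeepEqual(c.HTTPClientConfig, &config_util.HTTPClientConfig{})` is false for every input because the two arguments have different types, so the negated condition is always true. Any `kubernetes_sd_configs` entry without `api_server` is then rejected with the 'api_server' error, including a plain in-cluster config with no credentials, which pushes operators away from the pod service account and towards static credentials in the config file. Compare against the value instead: `if c.APIServer.URL == nil && !reflect.DeepEqual(c.HTTPClientConfig, config_util.HTTPClientConfig{}) {`. The function starts above the hunk.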
@@ -195,46 +188,15 @@ func New(l log.Logger, conf *SDConfig) (*Discovery, error) {
 if err != nil {
 return nil, err
 }
- // Because the handling of configuration parameters changes
- // we should inform the user when their currently configured values
- // will be ignored due to precedence of InClusterConfig
 level.Info(l).Log("msg", "Using pod service account via in-cluster config")
-
- if conf.TLSConfig.CAFile != "" {
- level.Warn(l).Log("msg", "Configured TLS CA file is ignored when using pod service account")
- }
- if conf.TLSConfig.CertFile != "" || conf.TLSConfig.KeyFile != "" {
- level.Warn(l).Log("msg", "Configured TLS client certificate is ignored when using pod service account")
- }
- if conf.BearerToken != "" {
- level.Warn(l).Log("msg", "Configured auth token is ignored when using pod service account")
- }
- if conf.BasicAuth != nil {
- level.Warn(l).Log("msg", "Configured basic authentication credentials are ignored when using pod service account")
- }
 } else {
- kcfg = &rest.Config{
- Host: conf.APIServer.String(),
- TLSClientConfig: rest.TLSClientConfig{
- CAFile: conf.TLSConfig.CAFile,
- CertFile: conf.TLSConfig.CertFile,
- KeyFile: conf.TLSConfig.KeyFile,
- Insecure: conf.TLSConfig.InsecureSkipVerify,
- },
- }
- token := string(conf.BearerToken)
- if conf.BearerTokenFile != "" {
- bf, err := ioutil.ReadFile(conf.BearerTokenFile)
- if err != nil {
- return nil, err
- }
- token = string(bf)
+ rt, err := config_util.NewRoundTripperFromConfig(conf.HTTPClientConfig, "kubernetes_sd")
+ if err != nil {
+ return nil, err
 }
- kcfg.BearerToken = token
-
- if conf.BasicAuth != nil {
- kcfg.Username = conf.BasicAuth.Username
- kcfg.Password = string(conf.BasicAuth.Password)
+ kcfg = &rest.Config{
+ Host: conf.APIServer.String(),
+ Transport: rt,
 }
 }
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 24779a520..9dfb6f34a 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
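Review bot: With the four `level.Warn` calls removed from the in-cluster branch of New, nothing at runtime reports that TLS, bearer-token or basic-auth settings in `conf.HTTPClientConfig` are being ignored in favour of the pod service account. The only remaining protection is the check in UnmarshalYAML, which a caller that builds SDConfig in code never runs. A single replacement warning would keep that signal: `if !reflect.DeepEqual(conf.HTTPClientConfig, config_util.HTTPClientConfig{}) { level.Warn(l).Log("msg", "Custom HTTP client configuration is ignored when using pod service account") }`. The branch condition and the rest of New lie outside the hunk, so this assumes the first branch is still taken whenever `api_server` is unset.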
@@ -812,6 +812,9 @@ basic_auth:
 # Optional bearer token file authentication information.
 [ bearer_token_file: ]
+# Optional proxy URL.
+[ proxy_url: ]
+
 # TLS configuration.
 tls_config:
 [ ]