Merge pull request #31 from VictoriaMetrics/added-tlsassets-load

Added tlsAssets load #26
VictoriaMetrics · Jun 12, 2020 · ad1104b · ad1104b
2 parents 7c67ce3 + 270f0bc
commit ad1104b
Show file tree

Hide file tree

Showing 10 changed files with 556 additions and 122 deletions.
diff --git a/pkg/apis/monitoring/v1/servicemonitor_types.go b/pkg/apis/monitoring/v1/servicemonitor_types.go
@@ -1,6 +1,7 @@
 package v1
 
 import (
+	"fmt"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -252,6 +253,21 @@ func (c *SecretOrConfigMap) Validate() error {
 	return nil
 }
 
+func (c *SecretOrConfigMap) BuildSelectorWithPrefix(prefix string) string {
+	if c.Secret != nil {
+		return fmt.Sprintf("%s%s/%s", prefix, c.Secret.Name, c.Secret.Key)
+
+	}
+	if c.ConfigMap != nil {
+		return fmt.Sprintf("%s%s/%s", prefix, c.ConfigMap.Name, c.ConfigMap.Key)
+	}
+	return ""
+}
+
+func (c *TLSConfig) BuildAssetPath(prefix, name, key string) string {
+	return fmt.Sprintf("%s_%s_%s", prefix, name, key)
+}
+
 // RemoteWriteSpec defines the remote_write configuration for prometheus.
 // +k8s:openapi-gen=true
 type RemoteWriteSpec struct {

diff --git a/pkg/apis/victoriametrics/v1beta1/vmagent_types.go b/pkg/apis/victoriametrics/v1beta1/vmagent_types.go
@@ -306,6 +306,10 @@ func (cr VmAgent) PrefixedName() string {
 	return fmt.Sprintf("vmagent-%s", cr.Name())
 }
 
+func (cr VmAgent) TLSAssetName() string {
+	return fmt.Sprintf("tls-assets-vmagent-%s", cr.Name())
+}
+
 func init() {
 	SchemeBuilder.Register(&VmAgent{}, &VmAgentList{})
 }
diff --git a/pkg/controller/factory/servicemons.go b/pkg/controller/factory/servicemons.go
@@ -347,7 +347,6 @@ func loadBearerTokensFromSecrets(ctx context.Context, rclient client.Client, mon
 				rclient,
 				mon.Namespace,
 				ep.BearerTokenSecret,
-				"bearertoken",
 				mon.Namespace+"/"+ep.BearerTokenSecret.Name,
 				nsSecretCache,
 			)
@@ -373,13 +372,13 @@ func loadBasicAuthSecret(basicAuth *monitoringv1.BasicAuth, s *v1.SecretList) (B
 	for _, secret := range s.Items {
 
 		if secret.Name == basicAuth.Username.Name {
-			if username, err = extractCredKey(&secret, basicAuth.Username, "username"); err != nil {
+			if username, err = extractCredKey(&secret, basicAuth.Username); err != nil {
 				return BasicAuthCredentials{}, err
 			}
 		}
 
 		if secret.Name == basicAuth.Password.Name {
-			if password, err = extractCredKey(&secret, basicAuth.Password, "password"); err != nil {
+			if password, err = extractCredKey(&secret, basicAuth.Password); err != nil {
 				return BasicAuthCredentials{}, err
 			}
 
@@ -397,45 +396,70 @@ func loadBasicAuthSecret(basicAuth *monitoringv1.BasicAuth, s *v1.SecretList) (B
 
 }
 
-func extractCredKey(secret *v1.Secret, sel v1.SecretKeySelector, cred string) (string, error) {
+func extractCredKey(secret *v1.Secret, sel v1.SecretKeySelector) (string, error) {
 	if s, ok := secret.Data[sel.Key]; ok {
 		return string(s), nil
 	}
-	return "", fmt.Errorf("secret %s key %q in secret %q not found", cred, sel.Key, sel.Name)
+	return "", fmt.Errorf("secret key %q in secret %q not found", sel.Key, sel.Name)
 }
 
 func getCredFromSecret(
 	ctx context.Context,
 	rclient client.Client,
 	ns string,
 	sel v1.SecretKeySelector,
-	cred string,
 	cacheKey string,
 	cache map[string]*v1.Secret,
-) (_ string, err error) {
+) (string, error) {
 	var s *v1.Secret
 	var ok bool
 
 	if s, ok = cache[cacheKey]; !ok {
-		s := &v1.Secret{}
-		if err = rclient.Get(ctx, types.NamespacedName{Namespace: ns, Name: sel.Name}, s); err != nil {
-			return "", fmt.Errorf("unable to fetch %s secret %q: %w", cred, sel.Name, err)
+		s = &v1.Secret{}
+		if err := rclient.Get(ctx, types.NamespacedName{Namespace: ns, Name: sel.Name}, s); err != nil {
+			return "", fmt.Errorf("unable to fetch key from secret%s: %w", sel.Name, err)
 		}
 		cache[cacheKey] = s
 	}
-	return extractCredKey(s, sel, cred)
+	return extractCredKey(s, sel)
+}
+
+func getCredFromConfigMap(
+	ctx context.Context,
+	rclient client.Client,
+	ns string,
+	sel v1.ConfigMapKeySelector,
+	cacheKey string,
+	cache map[string]*v1.ConfigMap,
+) (string, error) {
+	var s *v1.ConfigMap
+	var ok bool
+
+	if s, ok = cache[cacheKey]; !ok {
+		s = &v1.ConfigMap{}
+		err := rclient.Get(ctx, types.NamespacedName{Namespace: ns, Name: sel.Name}, s)
+		if err != nil {
+			return "", fmt.Errorf("cannot get configmap: %s at namespace %s, err: %s", sel.Name, ns, err)
+		}
+		cache[cacheKey] = s
+	}
+
+	if a, ok := s.Data[sel.Key]; ok {
+		return a, nil
+	}
+	return "", fmt.Errorf("key not found at configmap, key: %s, configmap %s ", sel.Key, sel.Name)
 }
 
 func loadBasicAuthSecretFromAPI(ctx context.Context, rclient client.Client, basicAuth *monitoringv1.BasicAuth, ns string, cache map[string]*v1.Secret) (BasicAuthCredentials, error) {
 	var username string
 	var password string
 	var err error
 
-	if username, err = getCredFromSecret(ctx, rclient, ns, basicAuth.Username, "username", ns+"/"+basicAuth.Username.Name, cache); err != nil {
+	if username, err = getCredFromSecret(ctx, rclient, ns, basicAuth.Username, ns+"/"+basicAuth.Username.Name, cache); err != nil {
 		return BasicAuthCredentials{}, err
 	}
 
-	if password, err = getCredFromSecret(ctx, rclient, ns, basicAuth.Password, "password", ns+"/"+basicAuth.Password.Name, cache); err != nil {
+	if password, err = getCredFromSecret(ctx, rclient, ns, basicAuth.Password, ns+"/"+basicAuth.Password.Name, cache); err != nil {
 		return BasicAuthCredentials{}, err
 	}
 

diff --git a/pkg/controller/factory/servicemons_build.go b/pkg/controller/factory/servicemons_build.go
@@ -17,9 +17,9 @@ import (
 const (
 	defaultReplicaExternalLabelName = "prometheus_replica"
 	defaultScrapeInterval           = "30s"
-	tlsAssetsDir                    = "/etc/prometheus/certs"
-	configFilename                  = "prometheus.yaml.gz"
-	configEnvsubstFilename          = "prometheus.env.yaml"
+	tlsAssetsDir                    = "/etc/vmagent-tls/certs"
+	configFilename                  = "vmagent.yaml.gz"
+	configEnvsubstFilename          = "vmagent.env.yaml"
 	kubernetesSDRoleEndpoint        = "endpoints"
 	kubernetesSDRolePod             = "pod"
 )
@@ -453,7 +453,7 @@ func generateServiceMonitorConfig(
 		cfg = append(cfg, yaml.MapItem{Key: "scheme", Value: ep.Scheme})
 	}
 
-	cfg = addTLStoYamlWrapp(cfg, m.Namespace, ep.TLSConfig)
+	cfg = addTLStoYaml(cfg, m.Namespace, ep.TLSConfig)
 
 	if ep.BearerTokenFile != "" {
 		cfg = append(cfg, yaml.MapItem{Key: "bearer_token_file", Value: ep.BearerTokenFile})
@@ -669,63 +669,25 @@ func addTLStoYaml(cfg yaml.MapSlice, namespace string, tls *monitoringv1.TLSConf
 			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: tls.CAFile})
 		}
 		if tls.CA.Secret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: pathPrefix + "_" + tls.CA.Secret.Name + "_" + tls.CA.Secret.Key})
+			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: tls.BuildAssetPath(pathPrefix, tls.CA.Secret.Name, tls.CA.Secret.Key)})
 		}
 		if tls.CA.ConfigMap != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: pathPrefix + "_" + tls.CA.ConfigMap.Name + "_" + tls.CA.ConfigMap.Key})
+			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: tls.BuildAssetPath(pathPrefix, tls.CA.ConfigMap.Name, tls.CA.ConfigMap.Key)})
 		}
 		if tls.CertFile != "" {
 			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: tls.CertFile})
 		}
 		if tls.Cert.Secret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: pathPrefix + "_" + tls.Cert.Secret.Name + "_" + tls.Cert.Secret.Key})
+			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: tls.BuildAssetPath(pathPrefix, tls.Cert.Secret.Name, tls.Cert.Secret.Key)})
 		}
 		if tls.Cert.ConfigMap != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: pathPrefix + "_" + tls.Cert.ConfigMap.Name + "_" + tls.Cert.ConfigMap.Key})
+			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: tls.BuildAssetPath(pathPrefix, tls.Cert.ConfigMap.Name, tls.Cert.ConfigMap.Key)})
 		}
 		if tls.KeyFile != "" {
 			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "key_file", Value: tls.KeyFile})
 		}
 		if tls.KeySecret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "key_file", Value: pathPrefix + "_" + tls.KeySecret.Name + "_" + tls.KeySecret.Key})
-		}
-		if tls.ServerName != "" {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "server_name", Value: tls.ServerName})
-		}
-		cfg = append(cfg, yaml.MapItem{Key: "tls_config", Value: tlsConfig})
-	}
-	return cfg
-}
-
-func addTLStoYamlWrapp(cfg yaml.MapSlice, namespace string, tls *monitoringv1.TLSConfig) yaml.MapSlice {
-	if tls != nil {
-		pathPrefix := path.Join(tlsAssetsDir, namespace)
-		tlsConfig := yaml.MapSlice{
-			{Key: "insecure_skip_verify", Value: tls.InsecureSkipVerify},
-		}
-		if tls.CAFile != "" {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: tls.CAFile})
-		}
-		if tls.CA.Secret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: pathPrefix + "_" + tls.CA.Secret.Name + "_" + tls.CA.Secret.Key})
-		}
-		if tls.CA.ConfigMap != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "ca_file", Value: pathPrefix + "_" + tls.CA.ConfigMap.Name + "_" + tls.CA.ConfigMap.Key})
-		}
-		if tls.CertFile != "" {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: tls.CertFile})
-		}
-		if tls.Cert.Secret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: pathPrefix + "_" + tls.Cert.Secret.Name + "_" + tls.Cert.Secret.Key})
-		}
-		if tls.Cert.ConfigMap != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "cert_file", Value: pathPrefix + "_" + tls.Cert.ConfigMap.Name + "_" + tls.Cert.ConfigMap.Key})
-		}
-		if tls.KeyFile != "" {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "key_file", Value: tls.KeyFile})
-		}
-		if tls.KeySecret != nil {
-			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "key_file", Value: pathPrefix + "_" + tls.KeySecret.Name + "_" + tls.KeySecret.Key})
+			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "key_file", Value: tls.BuildAssetPath(pathPrefix, tls.KeySecret.Name, tls.KeySecret.Key)})
 		}
 		if tls.ServerName != "" {
 			tlsConfig = append(tlsConfig, yaml.MapItem{Key: "server_name", Value: tls.ServerName})
@@ -838,7 +800,6 @@ func generateK8SSDConfig(namespaces []string, apiserverConfig *monitoringv1.APIS
 			k8sSDConfig = append(k8sSDConfig, yaml.MapItem{Key: "bearer_token_file", Value: apiserverConfig.BearerTokenFile})
 		}
 
-		// TODO: If we want to support secret refs for k8s service discovery tls
 		// config as well, make sure to path the right namespace here.
 		k8sSDConfig = addTLStoYaml(k8sSDConfig, "", apiserverConfig.TLSConfig)
 	}