MCO-2018: Move operator metrics into the controller

cmd/machine-config-controller/start.go

@@ -40,6 +40,8 @@ var (
 		templates                string
 		promMetricsListenAddress string
 		resourceLockNamespace    string
+		tlsCipherSuites          []string
+		tlsMinVersion            string
 	}
 )
 
@@ -48,6 +50,8 @@ func init() {
 	startCmd.PersistentFlags().StringVar(&startOpts.kubeconfig, "kubeconfig", "", "Kubeconfig file to access a remote cluster (testing only)")
 	startCmd.PersistentFlags().StringVar(&startOpts.resourceLockNamespace, "resourcelock-namespace", metav1.NamespaceSystem, "Path to the template files used for creating MachineConfig objects")
 	startCmd.PersistentFlags().StringVar(&startOpts.promMetricsListenAddress, "metrics-listen-address", "127.0.0.1:8797", "Listen address for prometheus metrics listener")
+	startCmd.PersistentFlags().StringSliceVar(&startOpts.tlsCipherSuites, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the metrics server")
+	startCmd.PersistentFlags().StringVar(&startOpts.tlsMinVersion, "tls-min-version", "VersionTLS12", "Minimum TLS version supported for the metrics server")
 }
 
 func runStartCmd(_ *cobra.Command, _ []string) {
@@ -73,7 +77,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 
 		ctrlctx := ctrlcommon.CreateControllerContext(ctx, cb)
 
-		go ctrlcommon.StartMetricsListener(startOpts.promMetricsListenAddress, ctrlctx.Stop, ctrlcommon.RegisterMCCMetrics)
+		go ctrlcommon.StartMetricsListener(startOpts.promMetricsListenAddress, ctrlctx.Stop, ctrlcommon.RegisterMCCMetrics, startOpts.tlsMinVersion, startOpts.tlsCipherSuites)
 
 		controllers := createControllers(ctrlctx)
 		draincontroller := drain.New(

cmd/machine-config-daemon/start.go

@@ -43,6 +43,8 @@ var (
 		kubeletHealthzEnabled      bool
 		kubeletHealthzEndpoint     string
 		promMetricsURL             string
+		tlsCipherSuites            []string
+		tlsMinVersion              string
 	}
 )
 
@@ -57,6 +59,8 @@ func init() {
 	startCmd.PersistentFlags().BoolVar(&startOpts.kubeletHealthzEnabled, "kubelet-healthz-enabled", true, "kubelet healthz endpoint monitoring")
 	startCmd.PersistentFlags().StringVar(&startOpts.kubeletHealthzEndpoint, "kubelet-healthz-endpoint", "http://localhost:10248/healthz", "healthz endpoint to check health")
 	startCmd.PersistentFlags().StringVar(&startOpts.promMetricsURL, "metrics-url", "127.0.0.1:8797", "URL for prometheus metrics listener")
+	startCmd.PersistentFlags().StringSliceVar(&startOpts.tlsCipherSuites, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the metrics server")
+	startCmd.PersistentFlags().StringVar(&startOpts.tlsMinVersion, "tls-min-version", "VersionTLS12", "Minimum TLS version supported for the metrics server")
 }
 
 //nolint:gocritic
@@ -177,7 +181,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 	}
 
 	// Start local metrics listener
-	go ctrlcommon.StartMetricsListener(startOpts.promMetricsURL, stopCh, daemon.RegisterMCDMetrics)
+	go ctrlcommon.StartMetricsListener(startOpts.promMetricsURL, stopCh, daemon.RegisterMCDMetrics, startOpts.tlsMinVersion, startOpts.tlsCipherSuites)
 
 	ctrlctx := ctrlcommon.CreateControllerContext(ctx, cb)
 

cmd/machine-config-operator/start.go

@@ -25,17 +25,15 @@ var (
 	}
 
 	startOpts struct {
-		kubeconfig     string
-		imagesFile     string
-		promMetricsURL string
+		kubeconfig string
+		imagesFile string
 	}
 )
 
 func init() {
 	rootCmd.AddCommand(startCmd)
 	startCmd.PersistentFlags().StringVar(&startOpts.kubeconfig, "kubeconfig", "", "Kubeconfig file to access a remote cluster (testing only)")
 	startCmd.PersistentFlags().StringVar(&startOpts.imagesFile, "images-json", "", "images.json file for MCO.")
-	startCmd.PersistentFlags().StringVar(&startOpts.promMetricsURL, "metrics-listen-address", "127.0.0.1:8797", "Listen address for prometheus metrics listener")
 }
 
 func runStartCmd(_ *cobra.Command, _ []string) {
@@ -45,8 +43,6 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 	// This is 'main' context that we thread through the controller context and
 	// the leader elections. Cancelling this is "stop everything, we are shutting down".
 	runContext, runCancel := context.WithCancel(context.Background())
-	stopCh := make(chan struct{})
-	defer close(stopCh)
 
 	// To help debugging, immediately log version
 	klog.Infof("Version: %s (Raw: %s, Hash: %s)", version.ReleaseVersion, version.Raw, version.Hash)
@@ -60,9 +56,6 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 		klog.Fatalf("error creating clients: %v", err)
 	}
 
-	// start metrics listener
-	go ctrlcommon.StartMetricsListener(startOpts.promMetricsURL, stopCh, operator.RegisterMCOMetrics)
-
 	run := func(ctx context.Context) {
 		go common.SignalHandler(runCancel)
 		ctrlctx := ctrlcommon.CreateControllerContext(ctx, cb)

install/0000_80_machine-config_00_service.yaml

@@ -1,26 +1,5 @@
 apiVersion: v1
 kind: Service
-metadata:
-  name: machine-config-operator
-  namespace: openshift-machine-config-operator
-  labels:
-    k8s-app: machine-config-operator
-  annotations:
-    include.release.openshift.io/ibm-cloud-managed: "true"
-    include.release.openshift.io/self-managed-high-availability: "true"
-    include.release.openshift.io/single-node-developer: "true"
-    service.beta.openshift.io/serving-cert-secret-name: mco-proxy-tls
-spec:
-  type: ClusterIP
-  selector:
-    k8s-app: machine-config-operator
-  ports:
-  - name: metrics
-    port: 9001
-    protocol: TCP
----
-apiVersion: v1
-kind: Service
 metadata:
   name: machine-config-controller
   namespace: openshift-machine-config-operator

install/0000_80_machine-config_04_deployment.yaml

@@ -43,30 +43,6 @@ spec:
         volumeMounts:
         - name: images
           mountPath: /etc/mco/images
-      - name: kube-rbac-proxy
-        image: placeholder.url.oc.will.replace.this.org/placeholdernamespace:kube-rbac-proxy
-        ports:
-        - containerPort: 9001
-          name: metrics
-          protocol: TCP
-        args:
-        - --secure-listen-address=0.0.0.0:9001
-        - --config-file=/etc/kube-rbac-proxy/config-file.yaml
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - --upstream=http://127.0.0.1:8797
-        - --logtostderr=true
-        - --tls-cert-file=/etc/tls/private/tls.crt
-        - --tls-private-key-file=/etc/tls/private/tls.key
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-        terminationMessagePolicy: FallbackToLogsOnError
-        volumeMounts:
-        - mountPath: /etc/tls/private
-          name: proxy-tls
-        - mountPath: /etc/kube-rbac-proxy
-          name: auth-proxy-config
       serviceAccountName: machine-config-operator
       nodeSelector:
         node-role.kubernetes.io/master: ""
@@ -91,10 +67,4 @@ spec:
       - name: images
         configMap:
           name: machine-config-operator-images
-      - name: proxy-tls
-        secret:
-          secretName: mco-proxy-tls
-      - configMap:
-          name: kube-rbac-proxy
-        name: auth-proxy-config
 

install/0000_90_machine-config_00_servicemonitor.yaml

@@ -1,41 +1,5 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
-metadata:
-  name: machine-config-operator
-  namespace: openshift-machine-config-operator
-  labels:
-    k8s-app: machine-config-operator
-  annotations:
-    include.release.openshift.io/self-managed-high-availability: "true"
-    include.release.openshift.io/single-node-developer: "true"
-spec:
-  endpoints:
-  - interval: 30s
-    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-    port: metrics
-    scheme: https
-    path: /metrics
-    relabelings:
-    - action: replace
-      regex: ;(.*)
-      replacement: $1
-      separator: ";"
-      sourceLabels:
-      - node
-      - __meta_kubernetes_pod_node_name
-      targetLabel: node
-    tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
-      serverName: machine-config-operator.openshift-machine-config-operator.svc
-  namespaceSelector:
-    matchNames:
-    - openshift-machine-config-operator
-  selector:
-    matchLabels:
-      k8s-app: machine-config-operator
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
 metadata:
   name: machine-config-controller
   namespace: openshift-machine-config-operator

manifests/machineconfigcontroller/deployment.yaml

@@ -24,6 +24,8 @@ spec:
         - "--resourcelock-namespace={{.TargetNamespace}}"
         - "--v={{.LogLevel}}"
         - "--payload-version={{.ReleaseVersion}}"
+        - "--tls-cipher-suites={{join .TLSCipherSuites ","}}"
+        - "--tls-min-version={{.TLSMinVersion}}"
         resources:
           requests:
             cpu: 20m

manifests/machineconfigdaemon/daemonset.yaml

@@ -32,6 +32,8 @@ spec:
           - "start"
           - "--payload-version={{.ReleaseVersion}}"
           - "--v={{.LogLevel}}"
+          - "--tls-cipher-suites={{join .TLSCipherSuites ","}}"
+          - "--tls-min-version={{.TLSMinVersion}}"
         resources:
           requests:
             cpu: 20m