
Commit 7a5fd2a

committed
add metrics service to tls cert
1 parent 8e09c4a commit 7a5fd2a


3 files changed

+17
-23
lines changed


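--- a/docs/modules/hdfs/pages/usage-guide/monitoring.adoc
+++ b/docs/modules/hdfs/pages/usage-guide/monitoring.adoc
@@ -23,12 +23,3 @@ http://<hdfs-stacklet>-namenode-<rolegroup-name>-metrics:9870/prom
 HDFS exposes metrics through the same port as their web UI. Hence, when configuring HDFS with TLS the metrics are also secured by TLS,
 and the clients scraping the metrics endpoint need to authenticate against it. This could for example be accomplished by utilizing mTLS
 between Kubernetes Pods with the xref:home:secret-operator:index.adoc[Secret Operator].
-
-When using the Prometheus `ServiceMonitor` for scraping, the `address` label needs relabeling to use the `headless` Service instead of the
-`metrics` Service. This is because per default Prometheus targets the Pod IPs as endpoints, but since the Pod IPs are not
-part of the certificate, the authentication will fail. Instead, the FQDN of the Pods, which can be added to the certificate, is used, but
-this FQDN is only available through the `headless` Service.
-
-A more detailed explanation can be found in the xref:home:nifi:usage_guide/monitoring.adoc[NiFi Operator Monitoring Docs] with a similar situation
-and an example of a Prometheus `ServiceMonitor` configured for TLS in the
-https://github.com/stackabletech/demos/blob/main/stacks/monitoring/prometheus-service-monitors.yaml[Monitoring Stack{external-link-icon}^].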

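--- a/rust/operator-binary/src/container.rs
+++ b/rust/operator-binary/src/container.rs
@@ -48,6 +48,7 @@ use stackable_operator::{
 CustomContainerLogConfig,
 },
 },
+role_utils::RoleGroupRef,
 utils::{COMMON_BASH_TRAP_FUNCTIONS, cluster_info::KubernetesClusterInfo},
 };
 use strum::{Display, EnumDiscriminants, IntoStaticStr};
@@ -216,24 +217,25 @@ impl ContainerConfig {
 hdfs: &v1alpha1::HdfsCluster,
 cluster_info: &KubernetesClusterInfo,
 role: &HdfsNodeRole,
-role_group: &str,
+rolegroup_ref: &RoleGroupRef<v1alpha1::HdfsCluster>,
 resolved_product_image: &ResolvedProductImage,
 merged_config: &AnyNodeConfig,
 env_overrides: Option<&BTreeMap<String, String>>,
 zk_config_map_name: &str,
-object_name: &str,
 namenode_podrefs: &[HdfsPodRef],
 labels: &Labels,
 ) -> Result<(), Error> {
 // HDFS main container
 let main_container_config = Self::from(*role);
-pb.add_volumes(main_container_config.volumes(merged_config, object_name, labels)?)
+let object_name = &rolegroup_ref.object_name();
+
+pb.add_volumes(main_container_config.volumes(merged_config, &object_name, labels)?)
 .context(AddVolumeSnafu)?;
 pb.add_container(main_container_config.main_container(
 hdfs,
 cluster_info,
 role,
-role_group,
+rolegroup_ref,
 resolved_product_image,
 zk_config_map_name,
 env_overrides,
@@ -277,6 +279,8 @@ impl ContainerConfig {
 )
 .with_pod_scope()
 .with_node_scope()
+// To scrape metrics behind TLS endpoint (without FQDN)
+.with_service_scope(rolegroup_ref.rolegroup_metrics_service_name())
 .with_format(SecretFormat::TlsPkcs12)
 .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
 .with_auto_tls_cert_lifetime(
@@ -327,7 +331,7 @@ impl ContainerConfig {
 hdfs,
 cluster_info,
 role,
-role_group,
+&rolegroup_ref,
 resolved_product_image,
 zk_config_map_name,
 env_overrides,
@@ -348,7 +352,7 @@ impl ContainerConfig {
 hdfs,
 cluster_info,
 role,
-role_group,
+&rolegroup_ref.role_group,
 resolved_product_image,
 zk_config_map_name,
 env_overrides,
@@ -370,7 +374,7 @@ impl ContainerConfig {
 hdfs,
 cluster_info,
 role,
-role_group,
+&rolegroup_ref.role_group,
 resolved_product_image,
 zk_config_map_name,
 env_overrides,
@@ -393,7 +397,7 @@ impl ContainerConfig {
 hdfs,
 cluster_info,
 role,
-role_group,
+&rolegroup_ref.role_group,
 resolved_product_image,
 zk_config_map_name,
 env_overrides,
@@ -462,7 +466,7 @@ impl ContainerConfig {
 hdfs: &v1alpha1::HdfsCluster,
 cluster_info: &KubernetesClusterInfo,
 role: &HdfsNodeRole,
-role_group: &str,
+rolegroup_ref: &RoleGroupRef<v1alpha1::HdfsCluster>,
 resolved_product_image: &ResolvedProductImage,
 zookeeper_config_map_name: &str,
 env_overrides: Option<&BTreeMap<String, String>>,
@@ -481,7 +485,7 @@ impl ContainerConfig {
 .args(self.args(hdfs, cluster_info, role, merged_config, &[])?)
 .add_env_vars(self.env(
 hdfs,
-role_group,
+&rolegroup_ref.role_group,
 zookeeper_config_map_name,
 env_overrides,
 resources.as_ref(),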
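Review bot: The comment added with `.with_service_scope(rolegroup_ref.rolegroup_metrics_service_name())` (new lines 282-283) does not say what changes in the issued certificate or what that costs. Judging from the builder call, the rolegroup's metrics Service name is added as a further scope on each pod's TLS secret, so every pod of the rolegroup holds a certificate valid for the same shared name and a scraper that verifies against it authenticates the rolegroup rather than an individual pod. I would replace the comment with `// Also issue the cert for the rolegroup metrics Service so scrapers can verify TLS against the Service name; this name is shared by all pods of the rolegroup.` As a style point, `&object_name` (new line 232) and `&rolegroup_ref` (new line 334) borrow values that are already references; pass them as on new line 238. The enclosing functions begin and end outside the hunks shown.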

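--- a/rust/operator-binary/src/hdfs_controller.rs
+++ b/rust/operator-binary/src/hdfs_controller.rs
@@ -853,12 +853,11 @@ fn rolegroup_statefulset(
 hdfs,
 cluster_info,
 role,
-&rolegroup_ref.role_group,
+&rolegroup_ref,
 resolved_product_image,
 merged_config,
 env_overrides,
 &hdfs.spec.cluster_config.zookeeper_config_map_name,
-&rolegroup_ref.object_name(),
 namenode_podrefs,
 &rolegroup_selector_labels,
 )
@@ -979,6 +978,7 @@ properties: []
 .unwrap()
 .get("default")
 .unwrap();
+let rolegroup_ref = hdfs.rolegroup_ref(&role.to_string(), "default");
 let env_overrides = rolegroup_config.get(&PropertyNameKind::Env);
 
 let merged_config = role.merged_config(&hdfs, "default").unwrap();
@@ -997,12 +997,11 @@ properties: []
 cluster_domain: DomainName::try_from("cluster.local").unwrap(),
 },
 &role,
-"default",
+&rolegroup_ref,
 &resolved_product_image,
 &merged_config,
 env_overrides,
 &hdfs.spec.cluster_config.zookeeper_config_map_name,
-"todo",
 &[],
 &Labels::new(),
 )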
