fix: allow opting-into upstream probes #2505
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rexagod
force-pushed
the
upstream-probes-opt-in
branch
3 times, most recently
from
ed3886f
to
5b9a879
Compare
|
Tested downstream (CMO), on enabling diff --git a/assets/kube-state-metrics/deployment.yaml b/assets/kube-state-metrics/deployment.yaml
index ec651432e..e73091269 100644
--- a/assets/kube-state-metrics/deployment.yaml
+++ b/assets/kube-state-metrics/deployment.yaml
@@ -57,7 +57,19 @@ spec:
^kube_pod_completion_time$,
^kube_pod_status_scheduled$
image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0
+ livenessProbe:
+ httpGet:
+ path: /livez
+ port: 8080
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
name: kube-state-metrics
+ readinessProbe:
+ httpGet:
+ path: /livez
+ port: 8080
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
resources:
requests:
cpu: 2m
diff --git a/jsonnet/main.jsonnet b/jsonnet/main.jsonnet
index 7539fb456..ffabfb4f0 100644
--- a/jsonnet/main.jsonnet
+++ b/jsonnet/main.jsonnet
@@ -216,6 +216,7 @@ local inCluster =
kubeRbacProxyImage: $.values.common.images.kubeRbacProxy,
commonLabels+: $.values.common.commonLabels,
mixin+: { ruleLabels: $.values.common.ruleLabels },
+ upstreamProbesOptIn: true,
},
nodeExporter: {
namespace: $.values.common.namespace,
@@ -439,7 +440,7 @@ local inCluster =
openshiftStateMetrics: openshiftStateMetrics($.values.openshiftStateMetrics),
} +
(import './utils/anti-affinity.libsonnet') +
- (import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/addons/ksm-lite.libsonnet') +
+ (import 'github.com/rexagod/kube-prometheus/jsonnet/kube-prometheus/addons/ksm-lite.libsonnet') +
(import './utils/ibm-cloud-managed-profile.libsonnet') +
(import './components/metrics-server-audit.libsonnet') +
{}; // Including empty object to simplify adding and removing imports during development
|
2 tasks
Comment on lines
171
to
178
| } + if ksm._config.upstreamProbesOptIn then { | ||
| livenessProbe: super.livenessProbe, | ||
| readinessProbe: super.livenessProbe, | ||
| } else { | ||
| livenessProbe:: null, | ||
| readinessProbe:: null, |
There was a problem hiding this comment.
Suggested change
| } + if ksm._config.upstreamProbesOptIn then { | |
| livenessProbe: super.livenessProbe, | |
| readinessProbe: super.livenessProbe, | |
| } else { | |
| livenessProbe:: null, | |
| readinessProbe:: null, | |
| } + if !ksm._config.upstreamProbesOptIn then { | |
| livenessProbe:: null, | |
| readinessProbe:: null, | |
| } else { |
rexagod
force-pushed
the
upstream-probes-opt-in
branch
2 times, most recently
from
5b9a879
to
99328cc
Compare
rexagod
force-pushed
the
upstream-probes-opt-in
branch
4 times, most recently
from
39059e6
to
fd44004
Compare
|
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
fd44004
to
eae7ec4
Compare
| '--tls-cipher-suites=' + std.join(',', krp._config.tlsCipherSuites), | ||
| '--upstream=' + krp._config.upstream, | ||
| ] // Optionals. | ||
| + if std.length(krp._config.ignorePaths) != 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else defaults.ignorePaths, |
There was a problem hiding this comment.
Suggested change
| + if std.length(krp._config.ignorePaths) != 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else defaults.ignorePaths, | |
| + if std.length(krp._config.ignorePaths) != 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else defaults.ignorePaths, |
Suggested change
| + if std.length(krp._config.ignorePaths) != 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else defaults.ignorePaths, | |
| + if std.length(krp._config.ignorePaths) > 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else [], |
| @@ -122,6 +124,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- | |||
| { name: 'https-self', containerPort: 9443 }, | |||
| ], | |||
| image: ksm._config.kubeRbacProxyImage, | |||
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/readyz'] else super.ignorePaths, | |||
There was a problem hiding this comment.
Suggested change
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/readyz'] else super.ignorePaths, | |
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/readyz'] else super.ignorePaths, |
Suggested change
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/readyz'] else super.ignorePaths, | |
| // When enabling probes, kube-rbac-proxy needs to always allow the /readyz endpoint. | |
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/readyz'] else [], |
| @@ -112,6 +113,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- | |||
| { name: 'https-main', containerPort: 8443 }, | |||
| ], | |||
| image: ksm._config.kubeRbacProxyImage, | |||
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/livez'] else super.ignorePaths, | |||
There was a problem hiding this comment.
Suggested change
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/livez'] else super.ignorePaths, | |
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/livez'] else super.ignorePaths, |
Suggested change
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/livez'] else super.ignorePaths, | |
| // When enabling probes, kube-rbac-proxy needs to always allow the /livez endpoint. | |
| ignorePaths: if ksm._config.upstreamProbesOptIn then ['/livez'] else [], |
| @@ -46,6 +46,7 @@ local defaults = { | |||
| runbookURLPattern: 'https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/%s', | |||
| }, | |||
| }, | |||
| upstreamProbesOptIn:: false, | |||
There was a problem hiding this comment.
a comment explaining the purpose + implementation would be useful here.
Suggested change
| upstreamProbesOptIn:: false, | |
| enableProbes:: false, |
Comment on lines
173
to
195
| } + if !ksm._config.upstreamProbesOptIn then { | ||
| livenessProbe:: null, | ||
| readinessProbe:: null, | ||
| } else { | ||
| livenessProbe: super.livenessProbe, | ||
| readinessProbe: super.readinessProbe, | ||
| }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf], |
There was a problem hiding this comment.
Suggested change
| } + if !ksm._config.upstreamProbesOptIn then { | |
| livenessProbe:: null, | |
| readinessProbe:: null, | |
| } else { | |
| livenessProbe: super.livenessProbe, | |
| readinessProbe: super.readinessProbe, | |
| }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf], | |
| } + if !ksm._config.upstreamProbesOptIn then { | |
| livenessProbe:: null, | |
| readinessProbe:: null, | |
| } else {}, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf], |
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
eae7ec4
to
a39a45d
Compare
|
@simonpasquier Pushed all the suggested changes but |
|
I generated the manifest with |
rexagod
force-pushed
the
upstream-probes-opt-in
branch
3 times, most recently
from
be93e60
to
54a4817
Compare
|
Tested on a cluster, seems to work now. I've made KRP's ports the single source of truth for KSM's probes and ports for convenience. PTAL below for downstream diff. diff --git a/assets/kube-state-metrics/deployment.yaml b/assets/kube-state-metrics/deployment.yaml
index ec651432e..3b444f081 100644
--- a/assets/kube-state-metrics/deployment.yaml
+++ b/assets/kube-state-metrics/deployment.yaml
@@ -57,7 +57,22 @@ spec:
^kube_pod_completion_time$,
^kube_pod_status_scheduled$
image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0
+ livenessProbe:
+ httpGet:
+ path: /livez
+ port: http-metrics
+ scheme: HTTPS
name: kube-state-metrics
+ ports:
+ - containerPort: 8443
+ name: http-metrics
+ - containerPort: 9443
+ name: telemetry
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: telemetry
+ scheme: HTTPS
resources:
requests:
cpu: 2m
@@ -75,6 +90,7 @@ spec:
- --secure-listen-address=:8443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- --upstream=http://127.0.0.1:8081/
+ - --ignore-paths=/livez
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --client-ca-file=/etc/tls/client/client-ca.crt
@@ -83,7 +99,7 @@ spec:
name: kube-rbac-proxy-main
ports:
- containerPort: 8443
- name: https-main
+ name: http-metrics
resources:
requests:
cpu: 1m
@@ -104,6 +120,7 @@ spec:
- --secure-listen-address=:9443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- --upstream=http://127.0.0.1:8082/
+ - --ignore-paths=/readyz
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --client-ca-file=/etc/tls/client/client-ca.crt
@@ -112,7 +129,7 @@ spec:
name: kube-rbac-proxy-self
ports:
- containerPort: 9443
- name: https-self
+ name: telemetry
resources:
requests:
cpu: 1m |
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
54a4817
to
24c2733
Compare
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
24c2733
to
0774eef
Compare
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
0774eef
to
0e93289
Compare
|
Needs an approval (for workflows). |
|
https://github.com/prometheus-operator/kube-prometheus/actions/runs/11370566998/job/31653537858?pr=2505 fails on kube-state-metrics check for metrics. |
rexagod
force-pushed
the
upstream-probes-opt-in
branch
from
0e93289
to
1bc1116
Compare
Allow users to opt-into upstream probe definitions. Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
force-pushed
the
upstream-probes-opt-in
branch
5 times, most recently
from
a8d3ffc
to
83e0cdb
Compare
|
Fixed, needs workflow approval. |
|
Re-ping, @simonpasquier for another look here. 🙂 |
There was a problem hiding this comment.
I still see warnings when applying the manifests with enableProbes: true.
Warning: spec.template.spec.containers[1].ports[0]: duplicate port definition with spec.template.spec.containers[0].ports[0]
Warning: spec.template.spec.containers[2].ports[0]: duplicate port definition with spec.template.spec.containers[0].ports[1]
```
Also it still feels strange that the probes being defined on the ksm container while the kubelet queries the kube-rbac-proxy containers. I understand that for the liveness probe, it's required so we restart the ksm container if it gets stuck but could we at least define the readiness probe in the ksm container?
| image: ksm._config.kubeRbacProxyImage, | ||
| // When enabling probes, kube-rbac-proxy needs to always allow the /livez endpoint. | ||
| ignorePaths: if ksm._config.enableProbes then ['/livez'] else super.ignorePaths, |
There was a problem hiding this comment.
(nit) it's probably more idiomatic jsonnet.
Suggested change
| ignorePaths: if ksm._config.enableProbes then ['/livez'] else super.ignorePaths, | |
| ignorePaths+: if ksm._config.enableProbes then ['/livez'] else [], |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.
Allow users to opt-into upstream probe definitions.
Type of change
What type of changes does your code introduce to the kube-prometheus? Put an
xin the box that apply.CHANGE(fix or feature that would cause existing functionality to not work as expected)FEATURE(non-breaking change which adds functionality)BUGFIX(non-breaking change which fixes an issue)ENHANCEMENT(non-breaking change which improves existing functionality)NONE(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry
Please put a one-line changelog entry below. Later this will be copied to the changelog file.