OCPBUGS-62869: disable metrics auth for hypershift clusters #1242
Conversation
…robot/cherry-pick-1222-to-release-4.18" This reverts commit 92dd0b2.
CVO does not honor client certificates per the OCP metrics standard and HCP does not configure the secret. The combination of these two things means that on HCP, if we enable the CVO's auth handler, we lose the ability to determine if clusteroperators are functioning correctly at scale.
| if disableAuth { | ||
| handler := http.NewServeMux() | ||
| handler.Handle("/metrics", promhttp.Handler()) | ||
| server := &http.Server{ | ||
| Handler: handler, | ||
| } | ||
| return server | ||
| } |
There was a problem hiding this comment.
this is the code prior to #1223
| go func() { | ||
| defer utilruntime.HandleCrash() | ||
| err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, restConfig) | ||
| disableMetricsAuth := o.InjectClusterIdIntoPromQL // this is wired to the "--hypershift" flag, so when hypershfit is no, we disableMetricsAuth |
There was a problem hiding this comment.
You have direct access to o.HyperShift here, so you can just use that instead of creating a local disableMetricsAuth variable, without having to touch o.InjectClusterIdIntoPromQL
There was a problem hiding this comment.
I don't think o.Hypershift exists on 4.18. I found this https://github.com/openshift/cluster-version-operator/blob/release-4.18/cmd/start.go#L48
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/hold hold so we can get all the releases ready and finalize tomorrow. |
openshift-ci
bot
added
the
do-not-merge/hold
|
@deads2k: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/jira cherrypick OCPBUGS-62868 |
|
@wking: Jira Issue OCPBUGS-62868 has been cloned as Jira Issue OCPBUGS-62869. Will retitle bug to link to clone. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
changed the title
openshift-ci-robot
added
jira/valid-reference
|
@deads2k: This pull request references Jira Issue OCPBUGS-62869, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/verified by @sjenning |
openshift-ci-robot
added
the
verified
|
@sjenning: This PR has been marked as verified by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/label backport-risk-assessed |
openshift-ci
bot
added
the
backport-risk-assessed
4 participants
CVO does not honor client certificates per the OCP metrics standard and HCP does not configure the secret. The combination of these two things means that on HCP, if we enable the CVO's auth handler, we lose the ability to determine if clusteroperators are functioning correctly at scale.
/assign @wking