Fixing issues using rancher-pushprox to hit authenticated kubernetes endpoints #2851
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Rancher pushprox 102.0.2
add imagepullsecrets and ability to force https scheme
|
This should resolve rancher/rancher#43414 |
joshmeranda
approved these changes
Aug 21, 2023
rohitsakala
requested changes
Sep 8, 2023
There was a problem hiding this comment.
This PR doesn't follow the guidelines of updating a charts.
@joshmeranda Lets connect to make sure this PR follows them and then merge this.
Merged
|
closing in favor of #2962 |
|
Actually closing, based on Josh's comment. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue:
Users cannot use authenticated endpoints directly without modifying the servicemonitors created by this chart if using the upstream kube-prometheus-stack chart.
Additionally, users cannot use imagePullSecrets for private repositories.
Problem
In its current configuration, without using the proxies, which do not work with the upstream chart, users cannot authenticate to kubernetes api endpoints that require authentication to access them. Additionally, since the same endpoints do not expose certificates to any ip but
127.0.0.1, I've added the capability to honor the insecureSkipVerify flag if it is set. While I was there, I also fixed a bug in metricRelabelings where it would generate an empty list if not configured, it would generate an invalid list if not configured.Solution
This adds the ability to use authentication on the clients to the kubernetes components. Added the ability to correctly set the http(s) scheme if not using the proxy feature. Fixed a bug so service monitors will honor the insecureSkipVerify flag if set by the client. Fixed a bug in metricRelabelings where it would generate an empty list if not configured. Added imagepullsecrets as a global field to be used whenever an image is pulled.
Testing
Engineering Testing
Manual Testing
I've tested this using our current configuration yamls and helm templating the changes.
Automated Testing
None.
QA Testing Considerations
Test all the things.
Regressions Considerations
The primary focus of changes here were done to the rancher-pushprox client. The main focus of testing should be there and specifically on the service monitor.
Backporting considerations
Yes, needs to be backported to Rancher 2.6.