VictoriaMetrics/lib/promscrape/discovery/kubernetes/api.go

package kubernetes

import (
	"fmt"
	"net"
	"os"
	"strings"

	"github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
)

func newAPIConfig(sdc *SDConfig, baseDir string, swcFunc ScrapeWorkConstructorFunc) (*apiConfig, error) {
	role := sdc.role()
	switch role {
	case "node", "pod", "service", "endpoints", "endpointslice", "ingress":
	default:
		return nil, fmt.Errorf("unexpected `role`: %q; must be one of `node`, `pod`, `service`, `endpoints`, `endpointslice` or `ingress`", role)
	}
	cc := &sdc.HTTPClientConfig
	ac, err := cc.NewConfig(baseDir)
	if err != nil {
		return nil, fmt.Errorf("cannot parse auth config: %w", err)
	}
	apiServer := sdc.APIServer

	if len(sdc.KubeConfigFile) > 0 {
		if len(apiServer) > 0 {
			return nil, fmt.Errorf("`api_server: %q` and `kubeconfig_file: %q` options cannot be set simultaneously", apiServer, sdc.KubeConfigFile)
		}
		kc, err := newKubeConfig(sdc.KubeConfigFile)
		if err != nil {
			return nil, fmt.Errorf("cannot build kube config from the specified `kubeconfig_file` config option: %w", err)
		}
		opts := &promauth.Options{
			BaseDir:         baseDir,
			BasicAuth:       kc.basicAuth,
			BearerToken:     kc.token,
			BearerTokenFile: kc.tokenFile,
			OAuth2:          cc.OAuth2,
			TLSConfig:       kc.tlsConfig,
			Headers:         cc.Headers,
		}
		acNew, err := opts.NewConfig()
		if err != nil {
			return nil, fmt.Errorf("cannot initialize auth config from `kubeconfig_file: %q`: %w", sdc.KubeConfigFile, err)
		}
		ac = acNew
		apiServer = kc.server
		sdc.ProxyURL = kc.proxyURL
	}

	if len(apiServer) == 0 {
		// Assume we run at k8s pod.
		// Discover apiServer and auth config according to k8s docs.
		// See https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-admission-controller
		host := os.Getenv("KUBERNETES_SERVICE_HOST")
		port := os.Getenv("KUBERNETES_SERVICE_PORT")
		if len(host) == 0 {
			return nil, fmt.Errorf("cannot find KUBERNETES_SERVICE_HOST env var; it must be defined when running in k8s; " +
				"probably, `kubernetes_sd_config->api_server` is missing in Prometheus configs?")
		}
		if len(port) == 0 {
			return nil, fmt.Errorf("cannot find KUBERNETES_SERVICE_PORT env var; it must be defined when running in k8s; "+
				"KUBERNETES_SERVICE_HOST=%q", host)
		}
		apiServer = "https://" + net.JoinHostPort(host, port)
		tlsConfig := promauth.TLSConfig{
			CAFile: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
		}
		opts := &promauth.Options{
			BaseDir:         baseDir,
			BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
			OAuth2:          cc.OAuth2,
			TLSConfig:       &tlsConfig,
			Headers:         cc.Headers,
		}
		acNew, err := opts.NewConfig()
		if err != nil {
			return nil, fmt.Errorf("cannot initialize service account auth: %w; probably, `kubernetes_sd_config->api_server` is missing in Prometheus configs?", err)
		}
		ac = acNew
	}
	if !strings.Contains(apiServer, "://") {
		proto := "http"
		if sdc.HTTPClientConfig.TLSConfig != nil {
			proto = "https"
		}
		apiServer = proto + "://" + apiServer
	}
	for strings.HasSuffix(apiServer, "/") {
		apiServer = apiServer[:len(apiServer)-1]
	}
	// pre-check tls config
	if _, err := ac.NewTLSConfig(); err != nil {
		return nil, fmt.Errorf("cannot initialize tls config: %w", err)
	}
	aw := newAPIWatcher(apiServer, ac, sdc, swcFunc)
	cfg := &apiConfig{
		aw: aw,
	}
	return cfg, nil
}
lib/promscrape: add initial support for `kubernetes_sd_config` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/334 2020-04-13 18:02:27 +00:00			`package kubernetes`

			`import (`
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`"fmt"`
			`"net"`
			`"os"`
			`"strings"`
lib/promscrape: add initial support for `kubernetes_sd_config` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/334 2020-04-13 18:02:27 +00:00
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`"github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"`
lib/promscrape: add initial support for `kubernetes_sd_config` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/334 2020-04-13 18:02:27 +00:00			`)`

lib/promscrape/discovery/kubernetes: cache ScrapeWork objects as soon as the corresponding k8s objects are changed This should reduce CPU usage and memory usage when Kubernetes contains tens of thousands of objects 2021-03-02 14:42:48 +00:00			`func newAPIConfig(sdc SDConfig, baseDir string, swcFunc ScrapeWorkConstructorFunc) (apiConfig, error) {`
lib/promscrape/discovery/kubernetes: return back support `role: endpointslices`, since it is used by VictoriaMetrics operator This is a follow up commit after 31b42b30b656cd3a3c3fed768eabbae1a8363ac5 2021-08-29 09:34:55 +00:00			`role := sdc.role()`
			`switch role {`
lib/promscrape/discovery/kubernetes: rename `role: endpointslices` to `role: endpointslice` to be consistent with Prometheus See https://github.com/prometheus/prometheus/blob/2ec6c7dbb82b72834021e01f1773eb90a67a371f/discovery/kubernetes/kubernetes.go#L99 2021-08-29 08:23:06 +00:00			`case "node", "pod", "service", "endpoints", "endpointslice", "ingress":`
lib/promscrape/discovery/kubernetes: use a single watcher per apiURL Previously multiple scrape jobs could create multiple watchers for the same apiURL. Now only a single watcher is used. This should reduce load on Kubernetes API server when many scrape job configs use Kubernetes service discovery. 2021-03-11 14:41:09 +00:00			`default:`
lib/promscrape/discovery/kubernetes: return back support `role: endpointslices`, since it is used by VictoriaMetrics operator This is a follow up commit after 31b42b30b656cd3a3c3fed768eabbae1a8363ac5 2021-08-29 09:34:55 +00:00			return nil, fmt.Errorf("unexpected `role`: %q; must be one of `node`, `pod`, `service`, `endpoints`, `endpointslice` or `ingress`", role)
lib/promscrape/discovery/kubernetes: use a single watcher per apiURL Previously multiple scrape jobs could create multiple watchers for the same apiURL. Now only a single watcher is used. This should reduce load on Kubernetes API server when many scrape job configs use Kubernetes service discovery. 2021-03-11 14:41:09 +00:00			`}`
lib/promauth: add ability to send additional http headers in requests to scrape targets This solves https://stackoverflow.com/questions/66032498/prometheus-scrape-metric-with-custom-header 2022-06-22 17:38:43 +00:00			`cc := &sdc.HTTPClientConfig`
			`ac, err := cc.NewConfig(baseDir)`
lib/promscrape/discovery/kubernetes/: unify apiConfig creation 2020-05-04 12:53:50 +00:00			`if err != nil {`
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`return nil, fmt.Errorf("cannot parse auth config: %w", err)`
			`}`
			`apiServer := sdc.APIServer`
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00
lib/promscrape/discovery/kubernetes: follow-up after 006b8c7534f97cf5379c9cea8292f9ca0c0b32d6 - make more clear error logs - simplify testing for newKubeConfig by passing only the path to kube_config file instead of SDConfig struct 2022-06-06 11:24:52 +00:00			`if len(sdc.KubeConfigFile) > 0 {`
			`if len(apiServer) > 0 {`
			return nil, fmt.Errorf("`api_server: %q` and `kubeconfig_file: %q` options cannot be set simultaneously", apiServer, sdc.KubeConfigFile)
			`}`
			`kc, err := newKubeConfig(sdc.KubeConfigFile)`
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00			`if err != nil {`
lib/promscrape/discovery/kubernetes: follow-up after 006b8c7534f97cf5379c9cea8292f9ca0c0b32d6 - make more clear error logs - simplify testing for newKubeConfig by passing only the path to kube_config file instead of SDConfig struct 2022-06-06 11:24:52 +00:00			return nil, fmt.Errorf("cannot build kube config from the specified `kubeconfig_file` config option: %w", err)
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00			`}`
lib/promauth: refactor NewConfig in order to improve maintainability 1. Split NewConfig into smaller functions 2. Introduce Options struct for simplifying construction of the Config with various options This commit is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/2684 2022-07-04 11:27:48 +00:00			`opts := &promauth.Options{`
			`BaseDir: baseDir,`
			`BasicAuth: kc.basicAuth,`
			`BearerToken: kc.token,`
			`BearerTokenFile: kc.tokenFile,`
			`OAuth2: cc.OAuth2,`
			`TLSConfig: kc.tlsConfig,`
			`Headers: cc.Headers,`
			`}`
			`acNew, err := opts.NewConfig()`
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00			`if err != nil {`
lib/promscrape/discovery/kubernetes: follow-up after 006b8c7534f97cf5379c9cea8292f9ca0c0b32d6 - make more clear error logs - simplify testing for newKubeConfig by passing only the path to kube_config file instead of SDConfig struct 2022-06-06 11:24:52 +00:00			return nil, fmt.Errorf("cannot initialize auth config from `kubeconfig_file: %q`: %w", sdc.KubeConfigFile, err)
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00			`}`
lib/promscrape/discovery/kubernetes: follow-up after 006b8c7534f97cf5379c9cea8292f9ca0c0b32d6 - make more clear error logs - simplify testing for newKubeConfig by passing only the path to kube_config file instead of SDConfig struct 2022-06-06 11:24:52 +00:00			`ac = acNew`
lib/promscrape/discovery/kubernetes: follow-up after 0b5c8749117299645c190840e10712a76f525ed4 (#2672) 2022-06-01 18:44:45 +00:00			`apiServer = kc.server`
			`sdc.ProxyURL = kc.proxyURL`
promscrape/discovery: support kubeconfig (#2533) 2022-06-01 18:34:00 +00:00			`}`

lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`if len(apiServer) == 0 {`
			`// Assume we run at k8s pod.`
			`// Discover apiServer and auth config according to k8s docs.`
			`// See https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-admission-controller`
			`host := os.Getenv("KUBERNETES_SERVICE_HOST")`
			`port := os.Getenv("KUBERNETES_SERVICE_PORT")`
			`if len(host) == 0 {`
			`return nil, fmt.Errorf("cannot find KUBERNETES_SERVICE_HOST env var; it must be defined when running in k8s; " +`
			"probably, `kubernetes_sd_config->api_server` is missing in Prometheus configs?")
			`}`
			`if len(port) == 0 {`
			`return nil, fmt.Errorf("cannot find KUBERNETES_SERVICE_PORT env var; it must be defined when running in k8s; "+`
			`"KUBERNETES_SERVICE_HOST=%q", host)`
			`}`
			`apiServer = "https://" + net.JoinHostPort(host, port)`
			`tlsConfig := promauth.TLSConfig{`
			`CAFile: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",`
			`}`
lib/promauth: refactor NewConfig in order to improve maintainability 1. Split NewConfig into smaller functions 2. Introduce Options struct for simplifying construction of the Config with various options This commit is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/2684 2022-07-04 11:27:48 +00:00			`opts := &promauth.Options{`
			`BaseDir: baseDir,`
			`BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",`
			`OAuth2: cc.OAuth2,`
			`TLSConfig: &tlsConfig,`
			`Headers: cc.Headers,`
			`}`
			`acNew, err := opts.NewConfig()`
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`if err != nil {`
			return nil, fmt.Errorf("cannot initialize service account auth: %w; probably, `kubernetes_sd_config->api_server` is missing in Prometheus configs?", err)
			`}`
			`ac = acNew`
			`}`
			`if !strings.Contains(apiServer, "://") {`
			`proto := "http"`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 18:17:43 +00:00			`if sdc.HTTPClientConfig.TLSConfig != nil {`
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`proto = "https"`
			`}`
			`apiServer = proto + "://" + apiServer`
			`}`
			`for strings.HasSuffix(apiServer, "/") {`
			`apiServer = apiServer[:len(apiServer)-1]`
lib/promscrape: add initial support for `kubernetes_sd_config` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/334 2020-04-13 18:02:27 +00:00			`}`
lib/promscrape/discovery/kubernetes: avoid possible panic if given caFile under kubernetes.SDConfig.HTTPClientConfig is not exist (#5243) follow up https://github.com/VictoriaMetrics/VictoriaMetrics/commit/d5a599badce3ff84c3ef236e1e8c3fb38514f272 2023-10-27 18:20:22 +00:00			`// pre-check tls config`
			`if _, err := ac.NewTLSConfig(); err != nil {`
			`return nil, fmt.Errorf("cannot initialize tls config: %w", err)`
			`}`
lib/promscrape/discovery/kubernetes: use a single watcher per apiURL Previously multiple scrape jobs could create multiple watchers for the same apiURL. Now only a single watcher is used. This should reduce load on Kubernetes API server when many scrape job configs use Kubernetes service discovery. 2021-03-11 14:41:09 +00:00			`aw := newAPIWatcher(apiServer, ac, sdc, swcFunc)`
lib/promscrape: add Prometheus-compatible service discovery for Consul aka `consul_sd_configs` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/330 2020-05-04 17:48:02 +00:00			`cfg := &apiConfig{`
lib/promscrape: cleanup after 9b2246c29b860cd8a838d3e191f453ee8fcb5997 Main points: * Revert changes outside lib/promscrape/discovery/kuberntes . These changes can be applied later in a separate commit * Minimize changes in lib/promscrape/discovery/kubernetes compared to a93e6440016f61565d48ace2ce579759d0b6b51b * Corner case fixes. 2021-02-26 14:54:03 +00:00			`aw: aw,`
lib/promscrape: add initial support for `kubernetes_sd_config` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/334 2020-04-13 18:02:27 +00:00			`}`
lib/promscrape: add Prometheus-compatible service discovery for Consul aka `consul_sd_configs` Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/330 2020-05-04 17:48:02 +00:00			`return cfg, nil`
			`}`