Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[kube-prometheus-stack] Default port on which ETCD exposes its metrics #3725

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

[kube-prometheus-stack] Default port on which ETCD exposes its metrics #3725

wants to merge 10 commits into from
+3 −3

Conversation

xogoodnow
Copy link
Contributor

@xogoodnow xogoodnow commented Aug 25, 2023
edited
Loading

By default ETCD exposes its metrics on port 2379 and not 2381

What this PR does / why we need it

By default ETCD exposes its metrics on port 2379 and not 2381

Which issue this PR fixes

No service (by default) is listening on port 2381 on the cluster, so after installing the chart, the metrics for etcd would not be monitored unless the port in values.yaml (or ETCD configuration) is changed.
(optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged)

  • fixes #
    Changing eh default port for etcd metrics from 2381 to 2379 in the following path
    kubeEtcd.service. port
    AND
    kubeEtcd.service. targetPort

Special notes for your reviewer

Checklist

  • DCO signed
  • Chart Version bumped
  • Title of the PR starts with chart name (e.g. [prometheus-couchdb-exporter])

@xogoodnow
Default ETCD port
7774b11 
By default ETCD exposes its metrics on port 2379 and not 2381

Signed-off-by: xogoodnow <[email protected]>
@xogoodnow
Merge pull request #1 from xogoodnow/xogoodnow-patch-1
29bb357 
Default ETCD port
QuentinBisson
QuentinBisson requested changes Aug 25, 2023
View reviewed changes
Copy link
Member

@QuentinBisson QuentinBisson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The helm chart prefers to enable secure settings per default and port 2381 is etcd TLS port that is used to fetch metrics. It is possible that your clusters are either old or not providing a secure access to etcd in which case you need to configure the port to 2379 but that should only be the case for your clusters.

@GMartinez-Sisti
Copy link
Member

Hi @xogoodnow, thank you for the contribution. Please check #2264 regarding the ETCD ports.

TLDR: https://github.com/kubernetes/kubernetes/blob/8b132ea40a250e9acf08ab2fadb9a8c2fd811d74/cmd/kubeadm/app/constants/constants.go#L95-L96

@xogoodnow
Persisting Grafana
990269a 
There are no documents or comments on how to persist grafana. Charts must be read to understand how to persist it which is a unnecessary with a few lines of comments

Signed-off-by: xogoodnow <[email protected]>
@xogoodnow
Copy link
Contributor Author

Hi @QuentinBisson,
The version of my cluster at the moment is 1.28 which is the latest.
as for the security concern, by default etcd exposes its metrics on 2379 and in the official docs of etcd itself there are no mentions of any security risk for doing this. https://etcd.io/docs/v3.1/op-guide/monitoring/
There is no mention of security risk of doing this anywhere (since it uses the certificates)
Also I believe the default value must be compatible with default configuration of other services

@xogoodnow
Copy link
Contributor Author

Hi @GMartinez-Sisti , Just deploy the latest version of the cluster and install the chart, it does not work.
I just tested it on our stage and it did not work. (if you have the time I recommend you just test this with the latest version of k8s 1.28 and see if it works by default)
cheers

@xogoodnow xogoodnow changed the title Default port on which ETCD exposes its metrics [charts/kube-prometheus-stack] Default port on which ETCD exposes its metrics Aug 25, 2023
@xogoodnow xogoodnow changed the title [charts/kube-prometheus-stack] Default port on which ETCD exposes its metrics [kube-prometheus-stack] Default port on which ETCD exposes its metrics Aug 25, 2023
@zeritti
Copy link
Member

zeritti commented Aug 30, 2023

My impression is that introducing 2381 as an Etcd metrics port in the chart was based on a specific internal change in kubeadm, judging from the link to its constants above and in the original PR. From Etcd metrics-endpoint

Each etcd server exports metrics under the /metrics path on its client port and optionally on locations given by --listen-metrics-urls.

The client port is indeed 2379/tcp and supposed to always be protected by TLS.

kubeadm introduced port 2381 in a change to access the Etcd's /health endpoint for health checks/liveness probes without TLS replacing thus the previous health check implementation. It makes use of the Etcd flag above that can enable additional URLs serving /metrics and /health. Furthermore, as the health check is insecure, it opens the port at localhost - it is not supposed to be accessed from outside.

The changes in kubeadm have no effect on how Etcd primarily serves its metrics: through the client port.

@GMartinez-Sisti
Copy link
Member

IMHO if we decide to go ahead and change the port, it should be considered a breaking change to ensure we don't break existing installations.

@stale
Copy link

stale bot commented Oct 15, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@xogoodnow
Copy link
Contributor Author

Hi, considering that this would be a breaking change, do we have any estimation on how and when to make these changes on the chart?

@stale stale bot removed the lifecycle/stale label Oct 16, 2023
@jkroepke
Copy link
Member

jkroepke commented Oct 16, 2023
edited
Loading

Bump the helm major chart version + upgrade notes on the README.md is the way to go for an breaking change and needs to be part of the PR itself.

GMartinez-Sisti
GMartinez-Sisti reviewed Dec 8, 2023
View reviewed changes
charts/kube-prometheus-stack/values.yaml Outdated
Comment on lines 944 to 954
## To make Grafana persistant (Using Statefulset)
##
# persistence:
# enabled: true
# type: sts
# storageClassName: <StorageClassName>
# accessModes:
# - ReadWriteOnce
# size: 20Gi
# finalizers:
# - kubernetes.io/pvc-protection
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These shouldn't be here. Can you please remove them?

GMartinez-Sisti
GMartinez-Sisti requested changes Dec 8, 2023
View reviewed changes
Copy link
Member

@GMartinez-Sisti GMartinez-Sisti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As @jkroepke said, please do:

Bump the helm major chart version + upgrade notes on the README.md is the way to go for an breaking change and needs to be part of the PR itself.

@xogoodnow
Update values.yaml
deeba51 
Omitted the part about persisting Grafana.
p.s: Sent a separate PR for that
Thankyou

Signed-off-by: Ali <[email protected]>
@xogoodnow
Merge branch 'prometheus-community:main' into main
7359d34
@xogoodnow xogoodnow requested a review from jkroepke as a code owner January 23, 2024 17:55
@stale Stale
Copy link

stale bot commented Mar 13, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@xogoodnow
Copy link
Contributor Author

Hi
Should something be done on my end?

@stale stale bot removed the lifecycle/stale label Mar 16, 2024
@jkroepke
Copy link
Member

jkroepke commented Mar 16, 2024
edited
Loading

Hi Should something be done on my end?

Yes, please take note of the review comment from @GMartinez-Sisti + resolve MR conflicts

@xogoodnow
Copy link
Contributor Author

hi @jkroepke,
the changes have been made
Please check and if there is something that I must do , let me know

@jkroepke
Copy link
Member

Hi @xogoodnow

currently, I'm missing everything what is requested.

@stale Stale
Copy link

stale bot commented Apr 22, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@xogoodnow xogoodnow marked this pull request as draft November 16, 2024 14:32
@stale stale bot removed the lifecycle/stale label Nov 16, 2024
@xogoodnow xogoodnow marked this pull request as ready for review November 16, 2024 17:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GMartinez-Sisti GMartinez-Sisti GMartinez-Sisti requested changes

@andrewgkew andrewgkew Awaiting requested review from andrewgkew andrewgkew is a code owner

@gianrubio gianrubio Awaiting requested review from gianrubio gianrubio is a code owner

@gkarthiks gkarthiks Awaiting requested review from gkarthiks gkarthiks is a code owner

@scottrigby scottrigby Awaiting requested review from scottrigby scottrigby is a code owner

@Xtigyro Xtigyro Awaiting requested review from Xtigyro Xtigyro is a code owner

@QuentinBisson QuentinBisson Awaiting requested review from QuentinBisson QuentinBisson is a code owner

@jkroepke jkroepke Awaiting requested review from jkroepke jkroepke is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@xogoodnow @GMartinez-Sisti @zeritti @jkroepke @QuentinBisson