listen on metrics port with self-signed cert

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
kubeovn · Jul 16, 2024 · 0001cc4 · 0001cc4
1 parent e322273
commit 0001cc4
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 22 deletions.
diff --git a/charts/kube-ovn/templates/monitor-deploy.yaml b/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -58,6 +58,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
             - name: POD_IPS
               valueFrom:
                 fieldRef:

diff --git a/cmd/ovn_monitor/ovn_monitor.go b/cmd/ovn_monitor/ovn_monitor.go
@@ -2,12 +2,15 @@ package ovn_monitor
 
 import (
 	"fmt"
+	"net"
 	"net/http"
 	"os"
+	"strconv"
 	"strings"
-	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	apiserver "k8s.io/apiserver/pkg/server"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/klog/v2"
 
 	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
@@ -16,6 +19,8 @@ import (
 	"github.com/kubeovn/kube-ovn/versions"
 )
 
+const svcName = "kube-ovn-monitor"
+
 func CmdMain() {
 	defer klog.Flush()
 
@@ -25,21 +30,6 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
-	exporter := ovn.NewExporter(config)
-	if err = exporter.StartConnection(); err != nil {
-		klog.Errorf("%s failed to connect db socket properly: %s", ovn.GetExporterName(), err)
-		go exporter.TryClientConnection()
-	}
-	exporter.StartOvnMetrics()
-	mux := http.NewServeMux()
-	if config.EnableMetrics {
-		mux.Handle(config.MetricsPath, promhttp.Handler())
-		klog.Infoln("Listening on", config.ListenAddress)
-	}
-
-	// conform to Gosec G114
-	// https://github.com/securego/gosec#available-rules
-
 	addr := config.ListenAddress
 	if os.Getenv("ENABLE_BIND_LOCAL_IP") == "true" {
 		podIpsEnv := os.Getenv("POD_IPS")
@@ -54,10 +44,59 @@ func CmdMain() {
 		}
 	}
 
-	server := &http.Server{
-		Addr:              addr,
-		ReadHeaderTimeout: 3 * time.Second,
-		Handler:           mux,
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		util.LogFatalAndExit(err, "invalid listen address: %q", addr)
+	}
+
+	name := os.Getenv("POD_NAME")
+	namespace := os.Getenv("POD_NAMESPACE")
+	podIPs := os.Getenv("POD_IPS")
+	alternateDNS := []string{name, svcName, fmt.Sprintf("%s.%s", svcName, namespace), fmt.Sprintf("%s.%s.svc", svcName, namespace)}
+	alternateIPs := []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback}
+	for _, podIP := range strings.Split(podIPs, ",") {
+		if ip := net.ParseIP(podIP); ip != nil {
+			alternateIPs = append(alternateIPs, ip)
+		}
+	}
+	options := apiserveroptions.NewSecureServingOptions()
+	if host != "" {
+		if ip := net.ParseIP(host); ip == nil {
+			util.LogFatalAndExit(fmt.Errorf("invalid ip address: %q", host), "invalid listen address: %q", addr)
+		} else {
+			p, err := strconv.Atoi(port)
+			if err != nil {
+				util.LogFatalAndExit(err, "invalid listen address: %q", addr)
+			}
+			options.BindPort = p
+		}
+	}
+
+	if err = options.MaybeDefaultWithSelfSignedCerts("localhost", alternateDNS, alternateIPs); err != nil {
+		util.LogFatalAndExit(err, "failed to genarate self signed certificates")
+	}
+
+	var c *apiserver.SecureServingInfo
+	if err = options.ApplyTo(&c); err != nil {
+		util.LogFatalAndExit(err, "failed to apply secure serving options to secure serving info")
+	}
+
+	exporter := ovn.NewExporter(config)
+	if err = exporter.StartConnection(); err != nil {
+		klog.Errorf("%s failed to connect db socket properly: %s", ovn.GetExporterName(), err)
+		go exporter.TryClientConnection()
+	}
+	exporter.StartOvnMetrics()
+	mux := http.NewServeMux()
+	if config.EnableMetrics {
+		mux.Handle(config.MetricsPath, promhttp.Handler())
+		klog.Infoln("Listening on", config.ListenAddress)
+	}
+
+	stopCh := make(chan struct{}, 1)
+	_, listenerStoppedCh, err := c.Serve(mux, 0, stopCh)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to serve on %s", addr)
 	}
-	util.LogFatalAndExit(server.ListenAndServe(), "failed to listen and server on %s", config.ListenAddress)
+	<-listenerStoppedCh
 }
diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -4496,6 +4496,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
             - name: POD_IPS
               valueFrom:
                 fieldRef:

diff --git a/go.mod b/go.mod
@@ -44,6 +44,7 @@ require (
 	gopkg.in/k8snetworkplumbingwg/multus-cni.v4 v4.0.2
 	k8s.io/api v0.30.2
 	k8s.io/apimachinery v0.30.2
+	k8s.io/apiserver v0.30.2
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.30.2
@@ -241,7 +242,6 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.30.2 // indirect
-	k8s.io/apiserver v0.30.2 // indirect
 	k8s.io/cli-runtime v0.30.2 // indirect
 	k8s.io/cloud-provider v0.30.2 // indirect
 	k8s.io/cluster-bootstrap v0.30.2 // indirect