Sort out TLS.

Author: neunhoef

pkg/deployment/deployment.go

@@ -516,21 +516,21 @@ func (d *Deployment) isOwnerOf(obj metav1.Object) bool {
 func (d *Deployment) lookForServiceMonitorCRD() {
 	_, err := d.deps.KubeExtCli.ApiextensionsV1beta1().CustomResourceDefinitions().Get("servicemonitors.monitoring.coreos.com", metav1.GetOptions{})
 	log := d.deps.Log
-	log.Debug().Msgf("looking for ServiceMonitor CRD...")
+	log.Debug().Msgf("Looking for ServiceMonitor CRD...")
 	if err == nil {
 		if !d.haveServiceMonitorCRD {
-			log.Info().Msgf("have discovered ServiceMonitor CRD")
+			log.Info().Msgf("...have discovered ServiceMonitor CRD")
 		}
 		d.haveServiceMonitorCRD = true
 		d.triggerInspection()
 		return
 	} else if k8sutil.IsNotFound(err) {
 		if d.haveServiceMonitorCRD {
-			log.Info().Msgf("ServiceMonitor CRD no longer there")
+			log.Info().Msgf("...ServiceMonitor CRD no longer there")
 		}
 		d.haveServiceMonitorCRD = false
 		return
 	}
-	log.Warn().Err(err).Msgf("error when looking for ServiceMonitor CRD")
+	log.Warn().Err(err).Msgf("Error when looking for ServiceMonitor CRD")
 	return
 }

pkg/deployment/resources/resources.go

@@ -28,6 +28,7 @@ import (
 
 	driver "github.com/arangodb/go-driver"
 	"github.com/arangodb/kube-arangodb/pkg/util/trigger"
+	clientv1 "github.com/coreos/prometheus-operator/pkg/client/versioned/typed/monitoring/v1"
 	"github.com/rs/zerolog"
 )
 
@@ -47,6 +48,7 @@ type Resources struct {
 		mutex                 sync.Mutex
 		triggerSyncInspection trigger.Trigger
 	}
+	monitoringClient *clientv1.MonitoringV1Client
 }
 
 // NewResources creates a new Resources service, used to

pkg/deployment/resources/servicemonitor.go

@@ -34,15 +34,71 @@ import (
 func LabelsForExporterServiceMonitor(deploymentName string) map[string]string {
 	return map[string]string{
 		k8sutil.LabelKeyArangoDeployment: deploymentName,
-		k8sutil.LabelKeyApp:              "arango-exporter",
+		k8sutil.LabelKeyApp:              k8sutil.AppName,
 		"context":                        "metrics",
 	}
 }
 
 func LabelsForExporterServiceMonitorSelector(deploymentName string) map[string]string {
 	return map[string]string{
 		k8sutil.LabelKeyArangoDeployment: deploymentName,
-		k8sutil.LabelKeyApp:              "arangodb",
+		k8sutil.LabelKeyApp:              k8sutil.AppName,
+	}
+}
+
+// EnsureMonitoringClient returns a client for looking at ServiceMonitors
+// and keeps it in the Resources.
+func (r *Resources) EnsureMonitoringClient() (*clientv1.MonitoringV1Client, error) {
+	if r.monitoringClient != nil {
+		return r.monitoringClient, nil
+	}
+
+	// Make a client:
+	var restConfig *rest.Config
+	restConfig, err := k8sutil.InClusterConfig()
+	if err != nil {
+		return nil, maskAny(err)
+	}
+	mClient, err := clientv1.NewForConfig(restConfig)
+	if err != nil {
+		return nil, maskAny(err)
+	}
+	r.monitoringClient = mClient
+	return mClient, nil
+}
+
+func (r *Resources) makeEndpoint(isSecure bool) coreosv1.Endpoint {
+	if isSecure {
+		kubecli := r.context.GetKubeCli()
+		ns := r.context.GetNamespace()
+		secrets := k8sutil.NewSecretCache(kubecli.CoreV1().Secrets(ns))
+		spec := r.context.GetSpec()
+		secretName := spec.TLS.GetCASecretName()
+		cert, _, _, err := k8sutil.GetCASecret(secrets, secretName, nil)
+
+		var tlsconfig *coreosv1.TLSConfig
+		if err == nil {
+			tlsconfig = &coreosv1.TLSConfig{
+				CAFile:             cert,
+				InsecureSkipVerify: false,
+			}
+		} else {
+			tlsconfig = &coreosv1.TLSConfig{
+				InsecureSkipVerify: true,
+			}
+		}
+		return coreosv1.Endpoint{
+			Port:      "exporter",
+			Interval:  "10s",
+			Scheme:    "https",
+			TLSConfig: tlsconfig,
+		}
+	} else {
+		return coreosv1.Endpoint{
+			Port:     "exporter",
+			Interval: "10s",
+			Scheme:   "http",
+		}
 	}
 }
 
@@ -56,17 +112,11 @@ func (r *Resources) EnsureServiceMonitor() error {
 	owner := apiObject.AsOwner()
 	spec := r.context.GetSpec()
 	wantMetrics := spec.Metrics.IsEnabled()
-	serviceMonitorName := deploymentName + "-exporter"
+	serviceMonitorName := k8sutil.CreateExporterClientServiceName(deploymentName)
 
-	// First get a client:
-	var restConfig *rest.Config
-	restConfig, err := k8sutil.InClusterConfig()
-	if err != nil {
-		return maskAny(err)
-	}
-	var mClient *clientv1.MonitoringV1Client
-	mClient, err = clientv1.NewForConfig(restConfig)
+	mClient, err := r.EnsureMonitoringClient()
 	if err != nil {
+		log.Error().Err(err).Msgf("Cannot get a monitoring client.")
 		return maskAny(err)
 	}
 
@@ -88,14 +138,7 @@ func (r *Resources) EnsureServiceMonitor() error {
 				Spec: coreosv1.ServiceMonitorSpec{
 					JobLabel: "k8s-app",
 					Endpoints: []coreosv1.Endpoint{
-						coreosv1.Endpoint{
-							Port:     "exporter",
-							Interval: "10s",
-							Scheme:   "https",
-							TLSConfig: &coreosv1.TLSConfig{
-								InsecureSkipVerify: true,
-							},
-						},
+						r.makeEndpoint(spec.IsSecure()),
 					},
 					Selector: metav1.LabelSelector{
 						MatchLabels: LabelsForExporterServiceMonitorSelector(deploymentName),

pkg/logging/logger.go

@@ -27,6 +27,7 @@ import (
 	"os"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/rs/zerolog"
 )
@@ -62,8 +63,9 @@ type loggingService struct {
 // NewRootLogger creates a new zerolog logger with default settings.
 func NewRootLogger() zerolog.Logger {
 	return zerolog.New(zerolog.ConsoleWriter{
-		Out:     os.Stdout,
-		NoColor: true,
+		Out:        os.Stdout,
+		TimeFormat: time.RFC3339Nano,
+		NoColor:    true,
 	}).With().Timestamp().Logger()
 }