Router should expose metrics via service serving cert

smarterclayton · smarterclayton · commit 50084e4ba15a · 2018-01-23T17:52:48.000-05:00
When router stats are on, use the service serving cert always
diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go
@@ -388,6 +388,27 @@ func generateSecretsConfig(cfg *RouterConfig, namespace string, defaultCert []by
 		secrets = append(secrets, secret)
 	}
 
+	if cfg.Type == "haproxy-router" && cfg.StatsPort != 0 {
+		metricsCertName := "router-metrics-tls"
+		if len(defaultCert) == 0 {
+			// when we are generating a serving cert, we need to reuse the existing cert
+			metricsCertName = certName
+		}
+		volumes = append(volumes, kapi.Volume{
+			Name: "metrics-server-certificate",
+			VolumeSource: kapi.VolumeSource{
+				Secret: &kapi.SecretVolumeSource{
+					SecretName: metricsCertName,
+				},
+			},
+		})
+		mounts = append(mounts, kapi.VolumeMount{
+			Name:      "metrics-server-certificate",
+			ReadOnly:  true,
+			MountPath: "/etc/pki/tls/metrics/",
+		})
+	}
+
 	// The secret in this volume is either the one created for the
 	// user supplied default cert (pem format) or the secret generated
 	// by the service anotation (cert only format).
@@ -685,6 +706,8 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 	if cfg.Type == "haproxy-router" && cfg.StatsPort != 0 {
 		env["ROUTER_LISTEN_ADDR"] = fmt.Sprintf("0.0.0.0:%d", cfg.StatsPort)
 		env["ROUTER_METRICS_TYPE"] = "haproxy"
+		env["ROUTER_METRICS_TLS_CERT_FILE"] = "/etc/pki/tls/metrics/tls.crt"
+		env["ROUTER_METRICS_TLS_KEY_FILE"] = "/etc/pki/tls/metrics/tls.key"
 	}
 	env.Add(secretEnv)
 	if len(defaultCert) > 0 {
@@ -730,13 +753,6 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 		},
 	}
 
-	if cfg.StatsPort > 0 && cfg.ExposeMetrics {
-		pc := generateMetricsExporterContainer(cfg, env)
-		if pc != nil {
-			containers = append(containers, *pc)
-		}
-	}
-
 	objects := []runtime.Object{}
 	for _, s := range secrets {
 		objects = append(objects, s)
@@ -815,6 +831,9 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 				// The secret generated by the service annotaion contains a tls.crt and tls.key
 				// which ultimately need to be combined into a pem
 				t.Annotations["service.alpha.openshift.io/serving-cert-secret-name"] = certName
+			} else if cfg.Type == "haproxy-router" && cfg.StatsPort != 0 {
+				// Generate a serving cert for metrics only
+				t.Annotations["service.alpha.openshift.io/serving-cert-secret-name"] = "router-metrics-tls"
 			}
 		}
 	}
