Having no explicit MinVersion is reported by [gosec] as G402 (CWE-295):
`TLS MinVersion too low`
Using MinVersion: tls.VersionTLS12 because it's what client-go uses:
cf 1ac8d45935/transport/transport.go (L92)
That way, the Kubernetes API client and the Prometheus client in
prometheus-adapter use the same TLS config MinVersion.
[gosec]: https://github.com/securego/gosec
Prior to this fix, openapi spec for prometheus-adapter apiextension was based on the type "k8s.io/sample-apiserver/pkg/apiserver" which is incorrect. Due to the incorrect type, `kubectl explain podmetrics` (or nodemetrics) wasn't showing any doc for any resources from metrics.k8s.io/v1beta1.
This changeset fixes the problem by using the right type (sigs.k8s.io/metrics-server/pkg/api) for the openapi generation.
This also helped to remove the sample-apiserver dependency from
prometheus-adapter.
Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
Create the pod lister based on a filtered informer factory that will
filter non-running pods so that prometheus-adapter doesn't expect metrics
from them.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Add a signal handler stopping the adapter if it receives a SIGINT or
SIGTERM signal. This prevents the prometheus-adapter pod from being stuck
in "Terminating" state.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Pick up changes to 1.17 to custom-metrics-apiserver and the latest
changes in metrics-server to allow us to show table results for
podmetrics and nodemetrics. Fix import and interface changes as
necessary.
The localvendor directory is an artifact of a change in sigs.k8s.io:
sigs.k8s.io/metrics-server now requires this dependency in order to
resolve, even though we do not use the scraper package.
go: sigs.k8s.io/metrics-server@v0.3.7 requires
k8s.io/kubernetes/pkg/kubelet/apis/stats/v1alpha1@v0.0.0: reading k8s.io/kubernetes/pkg/kubelet/apis/stats/v1alpha1/pkg/kubelet/apis/stats/v1alpha1/go.mod at revision pkg/kubelet/apis/stats/v1alpha1/v0.0.0: unknown revision pkg/kubelet/apis/stats/v1alpha1/v0.0.0
Often prometheus is gated by some proxy requiring an auth bearer
token. Currently there is no possibility to configure one except for
providing a full-fledged kubeconfig.
This fixes it by adding a new flag pointing to an optional file
containing the auth bearer for prometheus communication.
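
Added example, not code from prometheus-adapter or from these commits: a Go HTTP transport that combines the two client-side changes described above, the explicit `MinVersion: tls.VersionTLS12` from the first message and the bearer token read from a file from the last one. The names `bearerFileRoundTripper` and `newPrometheusTransport`, and the choice to re-read the file on every request, are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// bearerFileRoundTripper (hypothetical name) adds an Authorization header whose
// token is re-read from tokenFile on every request, so a rotated token is
// picked up without restarting the process.
type bearerFileRoundTripper struct {
	tokenFile string
	next      http.RoundTripper
}

func (b *bearerFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	raw, err := os.ReadFile(b.tokenFile)
	if err != nil {
		return nil, fmt.Errorf("reading bearer token file: %w", err)
	}
	token := strings.TrimSpace(string(raw)) // token files often end with a newline
	if token == "" {
		return nil, errors.New("bearer token file is empty")
	}
	out := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	out.Header.Set("Authorization", "Bearer "+token)
	return b.next.RoundTrip(out)
}

// newPrometheusTransport (hypothetical helper) sets an explicit TLS 1.2 floor,
// which is what gosec G402 asks for, and layers bearer authentication on top
// when tokenFile is non-empty.
func newPrometheusTransport(tokenFile string) http.RoundTripper {
	base := &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	if tokenFile == "" {
		return base
	}
	return &bearerFileRoundTripper{tokenFile: tokenFile, next: base}
}

func main() {
	rt := newPrometheusTransport("") // no token file configured: TLS floor only
	fmt.Printf("min TLS version: %#x\n", rt.(*http.Transport).TLSClientConfig.MinVersion)
}
```

Failing the request when the token file is unreadable or empty keeps the client from silently sending unauthenticated queries through the proxy.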