Cleaner separation between ServiceAccount and custom authentication in K8S SD (#2348)

* Canonical usage of cluster service-account in K8S SD * Early validation for opt-in custom auth in K8S SD * Fix typo in condition
2017-01-19 10:52:52 +01:00 · 2017-01-19 10:52:52 +01:00 · b22eb65d0f
parent 7eb849e6a8
commit b22eb65d0f
2 changed files with 37 additions and 14 deletions
--- a/config/config.go
+++ b/config/config.go
@ -997,6 +997,11 @@ func (c *KubernetesSDConfig) UnmarshalYAML(unmarshal func(interface{}) error) er
 	if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
 		return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
 	}
+	if c.APIServer.URL == nil &&
+		(c.BasicAuth != nil || c.BearerToken != "" || c.BearerTokenFile != "" ||
+			c.TLSConfig.CAFile != "" || c.TLSConfig.CertFile != "" || c.TLSConfig.KeyFile != "") {
+		return fmt.Errorf("to use custom authentication please provide the 'api_server' URL explicitly")
+	}
 	return nil
 }

--- a/discovery/kubernetes/kubernetes.go
+++ b/discovery/kubernetes/kubernetes.go
@ -82,11 +82,38 @@ func New(l log.Logger, conf *config.KubernetesSDConfig) (*Kubernetes, error) {
 		err  error
 	)
 	if conf.APIServer.URL == nil {
+		// Use the Kubernetes provided pod service account
+		// as described in https://kubernetes.io/docs/admin/service-accounts-admin/
 		kcfg, err = rest.InClusterConfig()
 		if err != nil {
 			return nil, err
 		}
+		// Because the handling of configuration parameters changes
+		// we should inform the user when their currently configured values
+		// will be ignored due to precedence of InClusterConfig
+		l.Info("Using pod service account via in-cluster config")
+		if conf.TLSConfig.CAFile != "" {
+			l.Warn("Configured TLS CA file is ignored when using pod service account")
+		}
+		if conf.TLSConfig.CertFile != "" || conf.TLSConfig.KeyFile != "" {
+			l.Warn("Configured TLS client certificate is ignored when using pod service account")
+		}
+		if conf.BearerToken != "" {
+			l.Warn("Configured auth token is ignored when using pod service account")
+		}
+		if conf.BasicAuth != nil {
+			l.Warn("Configured basic authentication credentials are ignored when using pod service account")
+		}
 	} else {
+		kcfg = &rest.Config{
+			Host: conf.APIServer.String(),
+			TLSClientConfig: rest.TLSClientConfig{
+				CAFile:   conf.TLSConfig.CAFile,
+				CertFile: conf.TLSConfig.CertFile,
+				KeyFile:  conf.TLSConfig.KeyFile,
+			},
+			Insecure: conf.TLSConfig.InsecureSkipVerify,
+		}
 		token := conf.BearerToken
 		if conf.BearerTokenFile != "" {
 			bf, err := ioutil.ReadFile(conf.BearerTokenFile)
@ -95,24 +122,15 @@ func New(l log.Logger, conf *config.KubernetesSDConfig) (*Kubernetes, error) {
 			}
 			token = string(bf)
 		}
+		kcfg.BearerToken = token

-		kcfg = &rest.Config{
-			Host:        conf.APIServer.String(),
-			BearerToken: token,
-			TLSClientConfig: rest.TLSClientConfig{
-				CAFile: conf.TLSConfig.CAFile,
-			},
+		if conf.BasicAuth != nil {
+			kcfg.Username = conf.BasicAuth.Username
+			kcfg.Password = conf.BasicAuth.Password
 		}
 	}
-	kcfg.UserAgent = "prometheus/discovery"

-	if conf.BasicAuth != nil {
-		kcfg.Username = conf.BasicAuth.Username
-		kcfg.Password = conf.BasicAuth.Password
-	}
-	kcfg.TLSClientConfig.CertFile = conf.TLSConfig.CertFile
-	kcfg.TLSClientConfig.KeyFile = conf.TLSConfig.KeyFile
-	kcfg.Insecure = conf.TLSConfig.InsecureSkipVerify
+	kcfg.UserAgent = "prometheus/discovery"

 	c, err := kubernetes.NewForConfig(kcfg)
 	if err != nil {