This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

Packet etcd: Use http for metrics endpoint
Change the metrics port of etcd from `https` to `http` because:

- When you keep the metrics port on https you need a certificate to scrape
that endpoint. You can't simply skip the TLS check and expect to get the
data, a client cert is needed.

- Providing the apiserver client cert to prometheus operator is
counterproductive to security. So it is not a very viable option.
Because this cert has root permissions on the etcd cluster.

- We can create another user that has permissions to scrape metrics
endpoint only, but it is not trivial. See the upstream issue which
mentions how cert access to etcd is either access to everything or nothing.
Issue: etcd-io/etcd#8458.

Signed-off-by: Suraj Deshmukh <[email protected]>
surajssd committed May 29, 2020
1 parent c5728c2 commit 12d4351
Showing 2 changed files with 3 additions and 3 deletions.
Expand Up @@ -65,7 +65,7 @@ systemd:
EnvironmentFile=/run/metadata/flatcar
Type=oneshot
RemainAfterExit=true
ExecStart=/bin/sh -c 'echo "ETCD_LISTEN_CLIENT_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2379" > /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_PEER_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2380" >> /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_METRICS_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2381" >> /etc/kubernetes/etcd.config'
ExecStart=/bin/sh -c 'echo "ETCD_LISTEN_CLIENT_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2379" > /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_PEER_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2380" >> /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_METRICS_URLS=http://$COREOS_PACKET_IPV4_PRIVATE_0:2381" >> /etc/kubernetes/etcd.config'
[Install]
RequiredBy=etcd-member.service
- name: coreos-metadata.service
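Review bot: The new `ETCD_LISTEN_METRICS_URLS=http://$COREOS_PACKET_IPV4_PRIVATE_0:2381` listener in the changed ExecStart line has no TLS and no client authentication, so any host that can reach the private IPv4 address on port 2381 can read etcd's metrics and health output, while the client (2379) and peer (2380) listeners on the same address stay on https. Nothing in this hunk limits who can connect to 2381; please pair the change with a host firewall or network rule that admits only the Prometheus scraper to that port, or state in the commit where that restriction is enforced. A short comment next to this unit explaining why the metrics URL deliberately differs in scheme from the other two would also keep a later reader from "fixing" it back to https or copying the http scheme to the client URL.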