cert-manager / approver-policy

approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.
https://cert-manager.io/docs/policy/approval/approver-policy/
Apache License 2.0

BUGFIX: Avoid duplicate Prometheus scrape targets by using a named port in the ServiceMonitor #471

Closed wallrj closed 2 months ago

wallrj commented 2 months ago

In https://github.com/cert-manager/approver-policy/pull/229 @leotomas837 reported that:

> The ServiceMonitor targets both the web hook service and the metrics service. Yet, only the metrics service must be scraped (the probe could be scraped too via the blackbox-exporter, but that is a subject for another PR). The webhook service must not be discovered by Prometheus.

In that original PR, we tried to fix this by modifying the labels in the Service and ServiceMonitor, but while testing it we found a simpler solution, which is to specify a port name in the ServiceMonitor.

Before

Screenshot 2024-07-25 094542

After

Screenshot 2024-07-25 100019

Testing

You can test this yourself as follows:

```sh
# Start a Kind cluster and install approver-policy (from source) + cert-manager
make test-smoke-deps

# Deploy Prometheus
helm upgrade default kube-prometheus-stack \
    --repo https://prometheus-community.github.io/helm-charts \
    --install \
    --namespace prometheus \
    --create-namespace \
    --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false \
    --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
    --wait

# Redeploy approver-policy with ServiceMonitor enabled
make test-smoke-deps \
  INSTALL_OPTIONS="--set image.repository=\$(oci_manager_image_name_development) --set app.metrics.service.servicemonitor.enabled=true"

# Connect to prometheus web UI
kubectl port-forward -n prometheus pods/prometheus-default-kube-prometheus-st-prometheus-0 9090
```

Visit: http://localhost:9090/targets
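
The same check can be scripted instead of read off the /targets page. The following is an added example, not part of the PR or the project's code: it groups the active targets returned by Prometheus's `/api/v1/targets` API by scrape URL and reports any URL reached through more than one Service. The service names, namespace, pod address, port and scrape pool name are constructed, and it assumes the `service` target label that prometheus-operator attaches by default.

```python
import json
import urllib.request
from collections import defaultdict


def fetch_targets(base_url="http://localhost:9090"):
    """Fetch active targets from the Prometheus HTTP API (needs the port-forward)."""
    with urllib.request.urlopen(base_url + "/api/v1/targets?state=active") as resp:
        return json.load(resp)


def audit_targets(payload, pool_substring, expected_service):
    """Return (duplicates, unexpected) for scrape pools containing pool_substring.

    duplicates: scrape URL -> Services that each produced a target for that URL.
    unexpected: Services other than expected_service that produced any target.
    """
    services_by_url = defaultdict(set)
    for target in payload["data"]["activeTargets"]:
        if pool_substring not in target.get("scrapePool", ""):
            continue
        service = target.get("labels", {}).get("service", "<no service label>")
        services_by_url[target["scrapeUrl"]].add(service)
    duplicates = {u: sorted(s) for u, s in services_by_url.items() if len(s) > 1}
    seen = set().union(*services_by_url.values())
    return duplicates, sorted(seen - {expected_service})


def sample_target(service):
    """Constructed target entry; names, address and port are hypothetical."""
    return {
        "scrapePool": "serviceMonitor/example-ns/example-app/0",
        "scrapeUrl": "http://10.244.0.12:9402/metrics",
        "health": "up",
        "labels": {"namespace": "example-ns", "service": service},
    }


def sample_payload(*services):
    return {"status": "success",
            "data": {"activeTargets": [sample_target(s) for s in services]}}


# Before: the ServiceMonitor matches both Services. After: only the metrics one.
SAMPLE_BEFORE = sample_payload("example-app-metrics", "example-app-webhook")
SAMPLE_AFTER = sample_payload("example-app-metrics")

if __name__ == "__main__":
    for name, payload in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_targets(payload, "example-app", "example-app-metrics"))
```

With the port-forward running, pass `fetch_targets()` in place of the sample payloads and substitute the real ServiceMonitor and Service names.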

cert-manager-prow[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/cert-manager/approver-policy/blob/main/OWNERS)~~ [SgtCoDFish]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment