Expose prometheus service type

[feiniao0308]

Expose prometheus service type to values.yaml

Expected Behaviour

User should be able to specify the service type of prometheus to LoadBalancer, so that all users can access the metrics via LoadBalancer http url

Current Behaviour

It's hardcode to ClusterIP

Possible Solution

Extract the service type to values.yaml

Steps to Reproduce (for bugs)

1. Deploy OpenFaaS in kubernetes 2.kubectl get svc and find prometheus is ClusterIP which can only be accessed via port forwarding.

Context

Your Environment

• FaaS-CLI version ( Full output from: faas-cli version ): CLI: commit: 750add9e2a6d1d1f1bfb788a6a85341b4b4140e8 version: 0.8.22

• Docker version docker version (e.g. Docker 17.0.05 ): Engine: Version: 19.03.8 API version: 1.40 (minimum version 1.12) Go version: go1.12.17 Git commit: afacb8b Built: Wed Mar 11 01:29:16 2020 OS/Arch: linux/amd64 Experimental: false containerd: Version: v1.2.13 GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429 runc: Version: 1.0.0-rc10 GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd docker-init: Version: 0.18.0 GitCommit: fec3683

• What version and distriubtion of Kubernetes are you using? kubectl version Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:44:30Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}

• Operating System and version (e.g. Linux, Windows, MacOS): MacOS

• Link to your project or a code example to reproduce issue:

• What network driver are you using and what CIDR? i.e. Weave net / Flannel

[alexellis]

Thanks for your interest.

Given that Prometheus has no auth, exposing it to the internet directly sounds like a bad idea.

You should be using Ingress so that you can also obtain a TLS certificate.

If you really want to view Prometheus, people usually use kubectl port-forward or Grafana.

Closing as this issue as it encourages unsafe practices.

Alex

[feiniao0308]

@alexellis I think the user will take the risk to expose the URL. Here's the scenario why user need to access the prometheus URL. Some users may have another global Grafana not in same cluster with prometheus, or user may need to pull the prometheus metrics and use other monitoring tools(such as Wavefront) to monitor the health of openfaas.

OpenFaaS should provide flexible configuration for end user. I can see most helm charts has provided service as configurable.

[feiniao0308]

@alexellis can we support it?

[alexellis]

Just to reiterate what I said, because it doesn't seem to be clear: exposing Prometheus as a LoadBalancer on the Internet is insecure, I don't want to enable that use-case.

You can very easily add an Ingress definition and secure the endpoint, adding TLS and basic-auth using nginx-ingress.

Alternatively, you can use kubectl port-forward svc/prometheus -n openfaas 9090:9090.

[alexellis]

If you need technical support with Kubernetes, try the Kubernetes Slack, it's a friendly community. https://slack.k8s.io