From be8aaf9ff88e6a878cc0397d4bc455dfed91f5b3 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Thu, 26 Oct 2017 13:54:21 -0700
Subject: [PATCH] Add prometheus-to-sd-exporter to metadata-proxy addon; bump to proxy to v0.1.4 and e2e to v0.0.2; remove configmag
---
 .../gce/metadata-proxy-configmap.yaml | 88 -------------------
 .../metadata-proxy/gce/metadata-proxy.yaml | 36 ++++----
 .../gce/container-linux/configure-helper.sh | 5 ++
 cluster/gce/gci/configure-helper.sh | 2 +
 test/e2e/auth/metadata_concealment.go | 2 +-
 5 files changed, 29 insertions(+), 104 deletions(-)
 delete mode 100644 cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
deleted file mode 100644
index 2d23f42ad63..00000000000
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: metadata-proxy-config
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-data:
- nginx.conf: |-
- user www-data;
- worker_processes 4;
- pid /run/nginx.pid;
- error_log /dev/stdout;
-
- events {
- worker_connections 20;
- }
-
- http {
- access_log /dev/stdout;
- server {
- listen 127.0.0.1:988;
- # When serving 301s, don't redirect to port 988.
- port_in_redirect off;
-
- # By default, return 403. This protects us from new API versions.
- location / {
- return 403 "This metadata API is not allowed by the metadata proxy.";
- }
-
- # Allow for REST discovery.
- location = / {
- if ($args ~* "^(.+&)?recursive=") {
- return 403 "?recursive calls are not allowed by the metadata proxy.";
- }
- proxy_pass http://169.254.169.254;
- }
- location = /computeMetadata/ {
- if ($args ~* "^(.+&)?recursive=") {
- return 403 "?recursive calls are not allowed by the metadata proxy.";
- }
- proxy_pass http://169.254.169.254;
- }
-
- # By default, allow the v0.1, v1beta1, and v1 APIs.
- location /0.1/ {
- if ($args ~* "^(.+&)?recursive=") {
- return 403 "?recursive calls are not allowed by the metadata proxy.";
- }
- proxy_pass http://169.254.169.254;
- }
- location /computeMetadata/v1beta1/ {
- if ($args ~* "^(.+&)?recursive=") {
- return 403 "?recursive calls are not allowed by the metadata proxy.";
- }
- proxy_pass http://169.254.169.254;
- }
- location /computeMetadata/v1/ {
- if ($args ~* "^(.+&)?recursive=") {
- return 403 "?recursive calls are not allowed by the metadata proxy.";
- }
- proxy_pass http://169.254.169.254;
- }
-
- # Return a 403 for the kube-env attribute in all allowed API versions.
- location /0.1/meta-data/attributes/kube-env {
- return 403 "This metadata endpoint is concealed.";
- }
- location /computeMetadata/v1beta1/instance/attributes/kube-env {
- return 403 "This metadata endpoint is concealed.";
- }
- location /computeMetadata/v1/instance/attributes/kube-env {
- return 403 "This metadata endpoint is concealed.";
- }
-
- # Return a 403 for instance identity in all allowed API versions.
- location ~ /0.1/meta-data/service-accounts/.+/identity {
- return 403 "This metadata endpoint is concealed.";
- }
- location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
- return 403 "This metadata endpoint is concealed.";
- }
- location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
- return 403 "This metadata endpoint is concealed.";
- }
- }
- }
-
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
index 26f31a4c99c..3c082d213b1 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
@@ -38,26 +38,32 @@ spec:
 dnsPolicy: Default
 containers:
 - name: metadata-proxy
- image: gcr.io/google-containers/metadata-proxy:0.1.3
- imagePullPolicy: Always
+ image: gcr.io/google_containers/metadata-proxy:v0.1.4
 securityContext:
 privileged: true
- command:
- - '/start-proxy.sh'
 resources:
 requests:
- memory: "32Mi"
- cpu: "30m"
+ memory: "16Mi"
+ cpu: "15m"
 limits:
- memory: "32Mi"
- cpu: "30m"
- volumeMounts:
- - name: config-volume
- mountPath: /etc/nginx/
+ memory: "16Mi"
+ cpu: "15m"
+ # BEGIN_PROMETHEUS_TO_SD
+ - name: prometheus-to-sd-exporter
+ image: gcr.io/google_containers/prometheus-to-sd:v0.2.2
+ command:
+ - /monitor
+ - --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons
+ - --api-override={{ prometheus_to_sd_endpoint }}
+ - --source=metadata_proxy:http://127.0.0.1:989?whitelisted=request_count
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "15m"
+ limits:
+ memory: "16Mi"
+ cpu: "15m"
+ # END_PROMETHEUS_TO_SD
 nodeSelector:
 beta.kubernetes.io/metadata-proxy-ready: "true"
 terminationGracePeriodSeconds: 30
- volumes:
- - name: config-volume
- configMap:
- name: metadata-proxy-config
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index 88cc68de926..c5e15369cb3 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -1348,6 +1348,11 @@ EOF
 if [[ "${ENABLE_DEFAULT_STORAGE_CLASS:-}" == "true" ]]; then
 setup-addon-manifests "addons" "storage-class/gce"
 fi
+ if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
+ setup-addon-manifests "addons" "metadata-proxy/gce"
+ local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
+ update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
+ fi
 # Place addon manager pod manifest.
 cp "${src_dir}/kube-addon-manager.yaml" /etc/kubernetes/manifests
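Review bot: The concealment policy that metadata-proxy-configmap.yaml used to spell out (403 for kube-env and service-accounts/*/identity, rejection of ?recursive) now exists only inside the metadata-proxy:v0.1.4 image, so this manifest no longer shows what the privileged container enforces; add a comment above the image line, e.g. `# Allow/deny policy (kube-env and service-account identity concealed, ?recursive rejected) is built into the image; re-run the metadata-concealment e2e when bumping this tag.` The same hunk halves the container's memory limit to 16Mi; if the new image is OOM-killed, concealment on the node is lost until it restarts, and whether traffic to 169.254.169.254 fails closed meanwhile is not visible here, so the figure is worth confirming against the new image's footprint. Since the enforced policy now lives in the image, a digest pin (`image: gcr.io/google_containers/metadata-proxy@sha256:<digest>`) would make which policy a node actually runs verifiable from the manifest.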
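Review bot: `update-prometheus-to-sd-parameters ${metadata_proxy_yaml}` passes the path unquoted, unlike every other path in this helper (`"${src_dir}/kube-addon-manager.yaml"` two lines below); quote it as `update-prometheus-to-sd-parameters "${metadata_proxy_yaml}"` so a `dst_dir` containing spaces or glob characters cannot split the argument. The same unquoted call is added to cluster/gce/gci/configure-helper.sh in this commit. `dst_dir` and the function this block sits in are both outside the hunk, so that the variable is set at this point is assumed from the gci copy rather than visible here.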
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ebea8de1635..8861eab17f5 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1897,6 +1897,8 @@ EOF
 fi
 if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
 setup-addon-manifests "addons" "metadata-proxy/gce"
+ local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
+ update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
 fi
 # Place addon manager pod manifest.
diff --git a/test/e2e/auth/metadata_concealment.go b/test/e2e/auth/metadata_concealment.go
index 0fbde63df9b..4c3a97bc162 100644
--- a/test/e2e/auth/metadata_concealment.go
+++ b/test/e2e/auth/metadata_concealment.go
@@ -45,7 +45,7 @@ var _ = SIGDescribe("Metadata Concealment", func() {
 Containers: []v1.Container{
 {
 Name: "check-metadata-concealment",
- Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.1",
+ Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.2",
 },
 },
 RestartPolicy: v1.RestartPolicyOnFailure,