fix: adjust node exporter tls to match what was default behavior in extension #8156
Merged
Pull request overview
Adjusts Linux node-exporter startup behavior so TLS is disabled by default (matching legacy VM extension behavior) and can be optionally enabled via /etc/default/node-exporter.
Changes:
- Disable node-exporter TLS by default; add env-var driven opt-in (`NODE_EXPORTER_TLS_ENABLED`) and configurable client auth (`NODE_EXPORTER_TLS_CLIENT_AUTH`).
- Simplify TLS cert selection logic to prefer the kubelet rotation cert when present, otherwise fall back to static certs.
- Replace the baseline `web-config.yml` content with guidance comments since the startup script now generates it when TLS is enabled.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| parts/linux/cloud-init/artifacts/node-exporter/node-exporter-startup.sh | Switches TLS to opt-in and generates exporter-toolkit web config only when enabled/certs found. |
| parts/linux/cloud-init/artifacts/node-exporter/baseline/etc/node-exporter.d/web-config.yml | Removes default TLS config and replaces it with comments describing opt-in TLS behavior. |
cameronmeissner approved these changes Mar 23, 2026
… allowlist and defaulting back when failing
cameronmeissner approved these changes Mar 24, 2026
pdamianov-dev pushed a commit that referenced this pull request Mar 26, 2026
cameronmeissner pushed a commit that referenced this pull request Mar 26, 2026
r2k1 pushed a commit that referenced this pull request Apr 8, 2026
saewoni added a commit that referenced this pull request Apr 14, 2026
PR #8156 changed node-exporter to TLS-off by default, making web-config.yml a comment-only placeholder. The old grep checks for tls_server_config/client_auth_type/client_ca_file always fail on current VHDs. This was already fixed on main but missed during rebase.
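The commit message above describes grep checks for the TLS keys failing once `web-config.yml` is a comment-only placeholder. The following is an added example, not code from this PR or its repository, of a check that treats the placeholder as a valid TLS-off state and only fails on a partially written TLS config. The function names, state labels and sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): classify a node-exporter web-config.yml.

# True if KEY ($2) appears in FILE ($1) as an uncommented YAML key.
has_key() {
    grep -Eq "^[[:space:]]*$2:" "$1"
}

# Prints tls-off, tls-server-only, tls-client-auth, tls-incomplete or missing.
# Returns non-zero only for states a validation run should fail on.
web_config_state() {
    [ -f "$1" ] || { echo missing; return 1; }
    # Comment-only placeholder: no active tls_server_config means plain HTTP.
    has_key "$1" tls_server_config || { echo tls-off; return 0; }
    for key in cert_file key_file; do
        has_key "$1" "$key" || { echo tls-incomplete; return 1; }
    done
    if has_key "$1" client_auth_type && has_key "$1" client_ca_file; then
        echo tls-client-auth
    else
        echo tls-server-only
    fi
}

# Constructed sample files; the paths and values are placeholders.
write_samples() {
    printf '# TLS is opt-in.\n# tls_server_config:\n#   cert_file: ...\n' > "$1/off.yml"
    cat > "$1/mtls.yml" <<'EOF'
tls_server_config:
  cert_file: /path/to/server.crt
  key_file: /path/to/server.key
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: /path/to/ca.crt
EOF
    printf 'tls_server_config:\n  cert_file: /path/to/server.crt\n' > "$1/broken.yml"
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in off mtls broken; do
    echo "$f.yml: $(web_config_state "$sample_dir/$f.yml")"
done
rm -rf "$sample_dir"
```

A scan that reports `tls-off` as a state rather than a failure also gives an inventory of nodes serving metrics over plain HTTP.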
saewoni added a commit that referenced this pull request Apr 14, 2026
jingwenw15 pushed a commit that referenced this pull request Apr 19, 2026
jingwenw15 pushed a commit that referenced this pull request Apr 30, 2026
jingwenw15 pushed a commit that referenced this pull request May 2, 2026
What this PR does / why we need it:
fitting into previously used behavior to make things work rather than make things right.
Which issue(s) this PR fixes:
Fixes #