diff --git a/prometheus/templates/secret-tls-configs.yaml b/prometheus/templates/secret-tls-configs.yaml
new file mode 100644
index 000000000..40a86a840
--- /dev/null
+++ b/prometheus/templates/secret-tls-configs.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.tls_configs }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-tls-configs
+data:
+{{- range $k, $v := .Values.tls_configs }}
+{{- range $f, $c := $v }}
+ {{ $k }}.{{ $f }}: {{ $c | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml
index 5f893bba0..52593f5e0 100644
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@@ -204,6 +204,10 @@ spec:
 readOnly: true
 - name: storage
 mountPath: /var/lib/prometheus/data
+{{- if .Values.tls_configs }}
+ - name: tls-configs
+ mountPath: /tls_configs
+{{- end }}
 {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
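Review bot: In secret-tls-configs.yaml the `key.pem` entries are copied into the Secret straight from `.Values.tls_configs`, so the private keys also sit in whatever values override is passed to the chart and in Helm's stored release record, which may be less tightly access-controlled than the Secret itself. A header comment such as `{{/* key material under tls_configs must come from a protected override, never a committed values file */}}` would make that visible to operators. Separately, the data line is safer quoted, `{{ $k }}.{{ $f }}: {{ $c | b64enc | quote }}`, so that an empty value renders as an empty string rather than null.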
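Review bot: In the first statefulset.yaml hunk the new `tls-configs` volumeMount omits `readOnly: true`, which a preceding mount in this hunk's context sets. The directory holds client private keys, so the intent is worth stating explicitly and consistently with the neighbouring entries: add `readOnly: true` under `mountPath: /tls_configs`. The volumeMounts list starts outside the hunk, so the other mounts could not be compared.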
@@ -220,6 +224,12 @@ spec:
 configMap:
 name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }}
 defaultMode: 0555
+{{- if .Values.tls_configs }}
+ - name: tls-configs
+ secret:
+ secretName: {{ printf "%s-%s" $envAll.Release.Name "tls-configs" | quote }}
+ defaultMode: 0444
+{{- end }}
 {{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }}
 {{- if not .Values.storage.enabled }}
 - name: storage
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 793928313..b32614eb2 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -250,6 +250,26 @@ secrets:
 prometheus:
 public: prometheus-tls-public
+tls_configs:
+ # If client certificates are required to connect to metrics endpoints, they
+ # can be configured here. They will be mounted in the pod under /tls_configs
+ # and can be referenced in scrape configs.
+ # The filenames will be the key and subkey concatenanted with a ".", e.g.:
+ # /tls_configs/kubernetes-etcd.ca.pem
+ # /tls_configs/kubernetes-etcd.crt.pem
+ # /tls_configs/kubernetes-etcd.key.pem
+ # From the following:
+ # kubernetes-etcd:
+ # ca.pem: |
+ # -----BEGIN CERTIFICATE-----
+ # -----END CERTIFICATE-----
+ # crt.pem: |
+ # -----BEGIN CERTIFICATE-----
+ # -----END CERTIFICATE-----
+ # key.pem: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # -----END RSA PRIVATE KEY-----
+
 storage:
 enabled: true
 pvc:
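Review bot: In the second statefulset.yaml hunk, `defaultMode: 0444` on the `tls-configs` secret volume makes every projected file, including each `key.pem`, readable by any UID in any container that mounts it. The CA and client certificates are public material, but the private keys warrant a tighter mode, for example `defaultMode: 0440` together with a pod-level `fsGroup` matching the Prometheus process. The pod securityContext is outside the hunk, so confirm which UID and GID the container runs as before choosing between 0440 and 0400.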
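Review bot: In values.yaml, `tls_configs:` is left as a bare key followed only by comments, which parses as null rather than as an empty mapping. The templates guard it with `if`, so it renders correctly, but `tls_configs: {}` states the expected type and survives tooling that rejects empty values. The comment block also has a typo, "concatenanted", which should read "concatenated".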