From 5d8cf965c1675fff8d6a71327f738cfd6dc8f95f Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Mon, 27 Jul 2020 20:06:27 +0000
Subject: [PATCH] Prometheus: Allow input of TLS client creds in values.yaml
Some scrape targets require the use of TLS client certificates, which are specified as filenames as part of the tls_config. This change allows these client certs and keys to be provided, stores them in a secret, and mounts them in the pod under /tls_configs. Example: tls_configs: kubernetes-etcd: ca.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- crt.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- key.pem: | -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- conf: prometheus: scrape_configs: template: | scrape_configs: - job_name: kubernetes-etcd scheme: https tls_config: ca_file: /tls_configs/kubernetes-etcd.ca.pem cert_file: /tls_configs/kubernetes-etcd.cert.pem key_file: /tls_configs/kubernetes-etcd.key.pem
Change-Id: I963c65dc39f1b5110b091296b93e2de9cdd980a4
---
 prometheus/templates/secret-tls-configs.yaml | 27 ++++++++++++++++++++
 prometheus/templates/statefulset.yaml | 10 ++++++++
 prometheus/values.yaml | 20 +++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 prometheus/templates/secret-tls-configs.yaml
diff --git a/prometheus/templates/secret-tls-configs.yaml b/prometheus/templates/secret-tls-configs.yaml
new file mode 100644
index 000000000..40a86a840
--- /dev/null
+++ b/prometheus/templates/secret-tls-configs.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.tls_configs }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-tls-configs
+data:
+{{- range $k, $v := .Values.tls_configs }}
+{{- range $f, $c := $v }}
+ {{ $k }}.{{ $f }}: {{ $c | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml
index 5f893bba0..52593f5e0 100644
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@@ -204,6 +204,10 @@ spec:
 readOnly: true
 - name: storage
 mountPath: /var/lib/prometheus/data
+{{- if .Values.tls_configs }}
+ - name: tls-configs
+ mountPath: /tls_configs
+{{- end }}
 {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -220,6 +224,12 @@ spec:
 configMap:
 name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }}
 defaultMode: 0555
+{{- if .Values.tls_configs }}
+ - name: tls-configs
+ secret:
+ secretName: {{ printf "%s-%s" $envAll.Release.Name "tls-configs" | quote }}
+ defaultMode: 0444
+{{- end }}
 {{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }}
 {{- if not .Values.storage.enabled }}
 - name: storage
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 793928313..b32614eb2 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
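Review bot: The Secret data key rendered on the `{{ $k }}.{{ $f }}: {{ $c | b64enc }}` line is built from two operator-supplied names joined with a dot, and nothing checks the result: Kubernetes only accepts Secret keys matching `[-._a-zA-Z0-9]+`, and two different entries can collapse onto the same key (`kubernetes-etcd` + `ca.pem` and `kubernetes` + `etcd.ca.pem` both render as `kubernetes-etcd.ca.pem`), after which either the apply is rejected or one value silently wins depending on the decoder. A `fail` guard on the joined key, or at least a stated contract, would surface this at render time instead of at apply time. I would add above the outer `range`: `{{/* Each tls_configs.<name>.<file> becomes Secret key "<name>.<file>"; keys must be unique after joining and use only [-._a-zA-Z0-9]. Values are raw file contents (strings), anything else makes b64enc fail. */}}`.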
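Review bot: The new `tls-configs` volumeMount in the first statefulset hunk (`@@ -204,6 +204,10 @@`) omits `readOnly: true`, whereas the sibling mount whose `readOnly: true` is the hunk's first context line sets it; nothing in the container should ever write to the certificate or key files, and the mount should say so explicitly. Add `readOnly: true` directly under `mountPath: /tls_configs`, at the same indentation as `mountPath`. The container spec this mount belongs to begins outside the hunk.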
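Review bot: `defaultMode: 0444` on the new `tls-configs` secret volume in the second statefulset hunk (`@@ -220,6 +224,12 @@`) makes the private keys readable by every uid in the pod, not only the Prometheus process. The neighbouring `prometheus-bin` volume uses `0555` because it holds scripts, so copying its world-readable mode for key material is the wrong default. If the pod's securityContext sets `fsGroup` (it is outside the hunk, so I cannot confirm), `defaultMode: 0440` keeps the files readable by the Prometheus uid while dropping other-read; I would change the line to `defaultMode: 0440` and verify the fsGroup in the pod spec.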
@@ -250,6 +250,26 @@ secrets:
 prometheus:
 public: prometheus-tls-public
+tls_configs:
+ # If client certificates are required to connect to metrics endpoints, they
+ # can be configured here. They will be mounted in the pod under /tls_configs
+ # and can be referenced in scrape configs.
+ # The filenames will be the key and subkey concatenanted with a ".", e.g.:
+ # /tls_configs/kubernetes-etcd.ca.pem
+ # /tls_configs/kubernetes-etcd.crt.pem
+ # /tls_configs/kubernetes-etcd.key.pem
+ # From the following:
+ # kubernetes-etcd:
+ # ca.pem: |
+ # -----BEGIN CERTIFICATE-----
+ # -----END CERTIFICATE-----
+ # crt.pem: |
+ # -----BEGIN CERTIFICATE-----
+ # -----END CERTIFICATE-----
+ # key.pem: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # -----END RSA PRIVATE KEY-----
+
 storage:
 enabled: true
 pvc:
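Review bot: The comment line `# The filenames will be the key and subkey concatenanted with a ".", e.g.:` has a typo; it should read `concatenated`. The comment block should also tell operators where the material ends up: the values are rendered into a Kubernetes Secret, which is base64-encoded rather than encrypted unless the cluster configures encryption at rest, so keys belong in a values override or a secrets backend rather than in this committed file. A line such as `# Values are rendered into the <release>-tls-configs Secret; supply them via overrides, do not commit key material here.` would cover it. Separately, the commit message example uses `cert_file: /tls_configs/kubernetes-etcd.cert.pem` while this comment (and the resulting file name) uses `crt.pem`, so one of the two needs aligning.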