Prometheus: Allow input of TLS client creds in values.yaml

Some scrape targets require the use of TLS client certificates, which
are specified as filenames as part of the tls_config.

This change allows these client certs and keys to be provided, stores
them in a secret, and mounts them in the pod under /tls_configs.

Example:

    tls_configs:
      kubernetes-etcd:
        ca.pem: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        crt.pem: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        key.pem: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----

    conf:
      prometheus:
        scrape_configs:
          template: |
            scrape_configs:
              - job_name: kubernetes-etcd
                scheme: https
                tls_config:
                  ca_file: /tls_configs/kubernetes-etcd.ca.pem
                  cert_file: /tls_configs/kubernetes-etcd.cert.pem
                  key_file: /tls_configs/kubernetes-etcd.key.pem

Change-Id: I963c65dc39f1b5110b091296b93e2de9cdd980a4
Phil Sphicas 2020-07-27 20:06:27 +00:00
parent 8633b93548
commit 5d8cf965c1
3 changed files with 57 additions and 0 deletions


@ -0,0 +1,27 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.tls_configs }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-tls-configs
data:
{{- range $k, $v := .Values.tls_configs }}
{{- range $f, $c := $v }}
{{ $k }}.{{ $f }}: {{ $c | b64enc }}
{{- end }}
{{- end }}
{{- end }}
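Review bot: The Secret's `metadata.name` is rendered as an unquoted `{{ .Release.Name }}-tls-configs`, while the deployment's new volume builds the same name as `printf "%s-%s" $envAll.Release.Name "tls-configs" | quote`; they agree today, but using the same `printf ... | quote` form here (or one shared helper) keeps the two from drifting. The `data` keys are built as `{{ $k }}.{{ $f }}` directly from user values, and Kubernetes only accepts Secret keys matching `[-._a-zA-Z0-9]+`, so a values key with other characters fails at apply time rather than at template time; a comment above the outer `range` stating that constraint, or a `regexMatch`-based `fail` guard, would make the failure clearer. Likewise `$c` goes straight into `b64enc`, so a nested map instead of a PEM string produces a template error; the same comment could state that every subkey under a `tls_configs` entry must be a string.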


@ -204,6 +204,10 @@ spec:
readOnly: true readOnly: true
- name: storage - name: storage
mountPath: /var/lib/prometheus/data mountPath: /var/lib/prometheus/data
{{- if .Values.tls_configs }}
- name: tls-configs
mountPath: /tls_configs
{{- end }}
{{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -220,6 +224,12 @@ spec:
configMap: configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }} name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }}
defaultMode: 0555 defaultMode: 0555
{{- if .Values.tls_configs }}
- name: tls-configs
secret:
secretName: {{ printf "%s-%s" $envAll.Release.Name "tls-configs" | quote }}
defaultMode: 0444
{{- end }}
{{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }} {{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }}
{{- if not .Values.storage.enabled }} {{- if not .Values.storage.enabled }}
- name: storage - name: storage
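Review bot: The new `tls-configs` volumeMount in the first hunk lacks `readOnly: true`, unlike the neighbouring mount a few lines above it; adding `readOnly: true` under `mountPath: /tls_configs` matches the file's style and makes the intent explicit even where the kubelet already mounts secret volumes read-only. In the second hunk the secret volume uses `defaultMode: 0444`, so the private key is readable by every process in the container; `0440` combined with the pod's fsGroup (if one is set), or `0400` where the container runs as the file owner, is the tighter choice if the chart's security context allows it. Both new conditionals test `.Values.tls_configs` while the adjacent lines and the added `secretName` go through `$envAll`; if these blocks sit inside a `with` or `range` scope, `.Values` would not resolve, so `{{- if $envAll.Values.tls_configs }}` is the safer and more consistent spelling. The enclosing `spec:` starts and ends outside both hunks.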


@ -250,6 +250,26 @@ secrets:
prometheus: prometheus:
public: prometheus-tls-public public: prometheus-tls-public
tls_configs:
# If client certificates are required to connect to metrics endpoints, they
# can be configured here. They will be mounted in the pod under /tls_configs
# and can be referenced in scrape configs.
# The filenames will be the key and subkey concatenanted with a ".", e.g.:
# /tls_configs/kubernetes-etcd.ca.pem
# /tls_configs/kubernetes-etcd.crt.pem
# /tls_configs/kubernetes-etcd.key.pem
# From the following:
# kubernetes-etcd:
# ca.pem: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# crt.pem: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# key.pem: |
# -----BEGIN RSA PRIVATE KEY-----
# -----END RSA PRIVATE KEY-----
storage: storage:
enabled: true enabled: true
pvc: pvc:
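Review bot: The comment block under `tls_configs:` has a typo, `concatenanted` → `concatenated`, and its example filenames use `crt.pem` while the scrape-config example in the commit message points `cert_file` at `kubernetes-etcd.cert.pem`; one of the two should change so a user copying the example does not reference a file that is never mounted. `tls_configs:` is left as a bare key, which parses as null; `tls_configs: {}` states the intended empty-mapping default explicitly and still satisfies the `if .Values.tls_configs` checks in the templates. Because this value carries a private key, the comment should also say where the material ends up, e.g. `# Values set here are rendered into a Secret and, like all chart values, retained in the Helm release record; supply them at install time (for example via --set-file or a separate values file) rather than committing them.`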