From a861c27a34ff9374cb9f2044c1f86a14cbf40a00 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Thu, 26 Jul 2018 13:28:45 -0500 Subject: [PATCH] Prometheus: Update command line flags This updates the default command line flags for Prometheus. It explicitly sets the HTTP administrative settings to false and gives a brief explanation of the security concerns associated with enabling them This also removes the honor_labels setting where set to false, as false is the default setting for honor_labels Change-Id: I69acdbce604864882d642e44c09a5f0b9c454a61 --- prometheus/templates/utils/_command_line_flags.tpl | 10 +++++----- prometheus/values.yaml | 10 +++++++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/prometheus/templates/utils/_command_line_flags.tpl b/prometheus/templates/utils/_command_line_flags.tpl index 549762388..e78d8b42f 100644 --- a/prometheus/templates/utils/_command_line_flags.tpl +++ b/prometheus/templates/utils/_command_line_flags.tpl @@ -34,11 +34,11 @@ limitations under the License. # 'prometheus --help-man' {{- define "prometheus.utils.command_line_flags" -}} -{{- range $flag, $value := . }} -{{- $flag := $flag | replace "_" "-" -}} -{{- if eq $flag "web.enable-admin-api" -}} -{{- if $value -}} -{{- printf "--%s" $flag }} +{{- range $flag, $value := . -}} +{{- $flag := $flag | replace "_" "-" }} +{{- if eq $flag "web.enable-admin-api" "web.enable-lifecycle" -}} +{{- if $value }} +{{- printf " --%s" $flag -}} {{- end -}} {{- else -}} {{- $value := $value | toString }} diff --git a/prometheus/values.yaml b/prometheus/values.yaml index 124c0eaff..61c62da7d 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml 
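Review bot: The `{{- if $value }}` guard around `web.enable-admin-api` and `web.enable-lifecycle` tests template truthiness, so any non-empty string, such as a quoted `"false"` in an override file or a value passed with `--set-string`, would still emit the flag and enable the endpoint. Because these two flags gate administrative and shutdown functionality, the check should fail closed on anything other than an explicit true: `{{- if eq ($value | toString) "true" }}`. The comment added in `values.yaml` could also say that the values must be unquoted booleans. The `define` block continues past the end of this hunk, so the `else` branch is not reviewed here.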
@@ -217,7 +217,16 @@ conf: storage.tsdb.retention: 7d storage.tsdb.min_block_duration: 2h storage.tsdb.max_block_duration: 2h + # NOTE(srwilkers): These settings default to false, but they are + # exposed here to allow enabling if desired. Please note the security + # impacts of enabling these flags. More information regarding the impacts + # can be found here: https://prometheus.io/docs/operating/security/ + # + # If set to true, all administrative functionality is exposed via the http + # /api/*/admin/ path web.enable_admin_api: false + # If set to true, allows for http reloads and shutdown of Prometheus + web.enable_lifecycle: false scrape_configs: global: scrape_interval: 60s @@ -485,7 +494,6 @@ conf: action: replace target_label: kubernetes_pod_name - job_name: calico-etcd - honor_labels: false kubernetes_sd_configs: - role: service scrape_interval: 20s
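Review bot: The new comments above `web.enable_admin_api` and `web.enable_lifecycle` say what each flag exposes, but not what an operator should have in place before turning one on. Both sets of endpoints are served on the same HTTP port as ordinary queries, so anyone who can reach that port can reach them once they are enabled. I would add a line such as `# Restrict access to the Prometheus HTTP port (network policy or an authenticating proxy) before enabling either flag.` next to the existing link. The enclosing mapping starts above this hunk, so how the port is exposed elsewhere in the chart is not visible here.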