Prometheus: Allow input of TLS client creds in values.yaml
Some scrape targets require the use of TLS client certificates, which are specified as filenames as part of the tls_config. This change allows these client certs and keys to be provided, stores them in a secret, and mounts them in the pod under /tls_configs. Example: tls_configs: kubernetes-etcd: ca.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- crt.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- key.pem: | -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- conf: prometheus: scrape_configs: template: | scrape_configs: - job_name: kubernetes-etcd scheme: https tls_config: ca_file: /tls_configs/kubernetes-etcd.ca.pem cert_file: /tls_configs/kubernetes-etcd.cert.pem key_file: /tls_configs/kubernetes-etcd.key.pem Change-Id: I963c65dc39f1b5110b091296b93e2de9cdd980a4
This commit is contained in:
parent
8633b93548
commit
5d8cf965c1
27
prometheus/templates/secret-tls-configs.yaml
Normal file
27
prometheus/templates/secret-tls-configs.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.tls_configs }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ .Release.Name }}-tls-configs
|
||||
data:
|
||||
{{- range $k, $v := .Values.tls_configs }}
|
||||
{{- range $f, $c := $v }}
|
||||
{{ $k }}.{{ $f }}: {{ $c | b64enc }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -204,6 +204,10 @@ spec:
|
||||
readOnly: true
|
||||
- name: storage
|
||||
mountPath: /var/lib/prometheus/data
|
||||
{{- if .Values.tls_configs }}
|
||||
- name: tls-configs
|
||||
mountPath: /tls_configs
|
||||
{{- end }}
|
||||
{{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -220,6 +224,12 @@ spec:
|
||||
configMap:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }}
|
||||
defaultMode: 0555
|
||||
{{- if .Values.tls_configs }}
|
||||
- name: tls-configs
|
||||
secret:
|
||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "tls-configs" | quote }}
|
||||
defaultMode: 0444
|
||||
{{- end }}
|
||||
{{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }}
|
||||
{{- if not .Values.storage.enabled }}
|
||||
- name: storage
|
||||
|
@ -250,6 +250,26 @@ secrets:
|
||||
prometheus:
|
||||
public: prometheus-tls-public
|
||||
|
||||
tls_configs:
|
||||
# If client certificates are required to connect to metrics endpoints, they
|
||||
# can be configured here. They will be mounted in the pod under /tls_configs
|
||||
# and can be referenced in scrape configs.
|
||||
# The filenames will be the key and subkey concatenanted with a ".", e.g.:
|
||||
# /tls_configs/kubernetes-etcd.ca.pem
|
||||
# /tls_configs/kubernetes-etcd.crt.pem
|
||||
# /tls_configs/kubernetes-etcd.key.pem
|
||||
# From the following:
|
||||
# kubernetes-etcd:
|
||||
# ca.pem: |
|
||||
# -----BEGIN CERTIFICATE-----
|
||||
# -----END CERTIFICATE-----
|
||||
# crt.pem: |
|
||||
# -----BEGIN CERTIFICATE-----
|
||||
# -----END CERTIFICATE-----
|
||||
# key.pem: |
|
||||
# -----BEGIN RSA PRIVATE KEY-----
|
||||
# -----END RSA PRIVATE KEY-----
|
||||
|
||||
storage:
|
||||
enabled: true
|
||||
pvc:
|
||||
|
Loading…
Reference in New Issue
Block a user