Prometheus: Allow input of TLS client creds in values.yaml

Some scrape targets require the use of TLS client certificates, which are specified as filenames as part of the tls_config. This change allows these client certs and keys to be provided, stores them in a secret, and mounts them in the pod under /tls_configs. Example: tls_configs: kubernetes-etcd: ca.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- crt.pem: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- key.pem: | -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- conf: prometheus: scrape_configs: template: | scrape_configs: - job_name: kubernetes-etcd scheme: https tls_config: ca_file: /tls_configs/kubernetes-etcd.ca.pem cert_file: /tls_configs/kubernetes-etcd.cert.pem key_file: /tls_configs/kubernetes-etcd.key.pem Change-Id: I963c65dc39f1b5110b091296b93e2de9cdd980a4
2020-07-27 20:06:27 +00:00 · 2020-07-27 20:06:27 +00:00 · 5d8cf965c1
commit 5d8cf965c1
parent 8633b93548
3 changed files with 57 additions and 0 deletions
--- a/prometheus/templates/secret-tls-configs.yaml
+++ b/prometheus/templates/secret-tls-configs.yaml
@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.tls_configs }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-tls-configs
+data:
+{{- range $k, $v := .Values.tls_configs }}
+{{- range $f, $c := $v }}
+  {{ $k }}.{{ $f }}: {{ $c | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@ -204,6 +204,10 @@ spec:
              readOnly: true
            - name: storage
              mountPath: /var/lib/prometheus/data
+{{- if .Values.tls_configs }}
+            - name: tls-configs
+              mountPath: /tls_configs
+{{- end }}
 {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -220,6 +224,12 @@ spec:
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "prometheus-bin" | quote }}
            defaultMode: 0555
+{{- if .Values.tls_configs }}
+        - name: tls-configs
+          secret:
+            secretName: {{ printf "%s-%s" $envAll.Release.Name "tls-configs" | quote }}
+            defaultMode: 0444
+{{- end }}
 {{ if $mounts_prometheus.volumes }}{{ toYaml $mounts_prometheus.volumes | indent 8 }}{{ end }}
 {{- if not .Values.storage.enabled }}
        - name: storage
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@ -250,6 +250,26 @@ secrets:
      prometheus:
        public: prometheus-tls-public

+tls_configs:
+  # If client certificates are required to connect to metrics endpoints, they
+  # can be configured here. They will be mounted in the pod under /tls_configs
+  # and can be referenced in scrape configs.
+  # The filenames will be the key and subkey concatenanted with a ".", e.g.:
+  #   /tls_configs/kubernetes-etcd.ca.pem
+  #   /tls_configs/kubernetes-etcd.crt.pem
+  #   /tls_configs/kubernetes-etcd.key.pem
+  # From the following:
+  # kubernetes-etcd:
+  #   ca.pem: |
+  #     -----BEGIN CERTIFICATE-----
+  #     -----END CERTIFICATE-----
+  #   crt.pem: |
+  #     -----BEGIN CERTIFICATE-----
+  #     -----END CERTIFICATE-----
+  #   key.pem: |
+  #     -----BEGIN RSA PRIVATE KEY-----
+  #     -----END RSA PRIVATE KEY-----
+
 storage:
  enabled: true
  pvc: