From f46317d919b3148f40b8a4343cebebedb60917dc Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Thu, 4 Jan 2024 16:28:29 +0000
Subject: [PATCH 1/4] feat: add tls config to metrics docs

Signed-off-by: Adam Talbot
---
 .../docs/devops-tips/prometheus-metrics.md | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md
index 968ce2077db..87c7d4f60ff 100644
--- a/content/docs/devops-tips/prometheus-metrics.md
+++ b/content/docs/devops-tips/prometheus-metrics.md
@@ -64,6 +64,48 @@ spec:
 honorLabels: true
 ```
+### TLS
+
+TLS can be enabled on the metrics endpoint for end-to-end encryption. This is achieved either using pre-signed static certificates, or using the internal dynamic certificate signing.
+
+#### Static certificates
+
+Static certificates can be provided to the cert-manager controller to use when listening on the metric endpoint. If the certificate files are changed then cert-manager will reload the certificates for zero-downtime rotation.
+
+Static certificates can be specified via the flags `--metrics-tls-cert-file` and `--metrics-tls-private-key-file` or the corresponding config file parameters `metricsTLSConfig.filesystem.certFile` and `metricsTLSConfig.filesystem.keyFile`.
+
+An example config file would be:
+
+```yaml
+apiVersion: controller.config.cert-manager.io/v1alpha1
+kind: ControllerConfiguration
+metricsTLSConfig:
+ filesystem:
+ certFile: "/path/to/cert.pem"
+ keyFile: "/path/to/key.pem"
+```
+
+#### Dynamic certificates
+
+In this mode cert-manager will create a CA in a named secret, then use this CA to sign the metrics endpoint certificate. This mode will also take care of rotation, auto rotating the certificate as required.
+
+Dynamic certificates can be specified via the flags `--metrics-dynamic-serving-ca-secret-namespace`, `--metrics-dynamic-serving-ca-secret-name` and `--metrics-dynamic-serving-dns-names` or the corresponding config file parameters `metricsTLSConfig.dynamic.secretNamespace`, `metricsTLSConfig.dynamic.secretName` and `metricsTLSConfig.dynamic.dnsNames`.
+
+An example config file would be:
+
+```yaml
+apiVersion: controller.config.cert-manager.io/v1alpha1
+kind: ControllerConfiguration
+metricsTLSConfig:
+ dynamic:
+ secretNamespace: "cert-manager"
+ secretName: "cert-manager-metrics-ca"
+ dnsNames:
+ - cert-manager-metrics
+ - cert-manager-metrics.cert-manager
+ - cert-manager-metrics.cert-manager.svc
+```
+
 ## Monitoring Mixin
 Monitoring mixins are a way to bundle common alerts, rules, and dashboards for an application in a configurable and extensible way, using the Jsonnet data templating language. A cert-manager monitoring mixin can be found here https://gitlab.com/uneeq-oss/cert-manager-mixin. Documentation on usage can be found with the `cert-manager-mixin` project.

From b1e8c99770a645f6f296072ebf5dfa231f9501d8 Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Tue, 9 Jan 2024 14:33:49 +0000
Subject: [PATCH 2/4] docs: add podmonitor example for tls metrics endpoint

Signed-off-by: Adam Talbot
---
 .../docs/devops-tips/prometheus-metrics.md | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md
index 87c7d4f60ff..7b309076a16 100644
--- a/content/docs/devops-tips/prometheus-metrics.md
+++ b/content/docs/devops-tips/prometheus-metrics.md
@@ -106,6 +106,39 @@ metricsTLSConfig:
 - cert-manager-metrics.cert-manager.svc
 ```
+When using Prometheus the CA generated by the generated certificate authority can be trusted as part of the `PodMonitor` or `ServiceMonitor` spec:
+
+```yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+spec:
+ jobLabel: app.kubernetes.io/name
+ selector:
+ matchLabels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ podMetricsEndpoints:
+ - port: http
+ honorLabels: true
+ # TLS config trusting the CA and specifying the server name
+ tlsConfig:
+ serverName: cert-manager-metrics
+ ca:
+ secret:
+ name: cert-manager-metrics-ca
+ key: "tls.crt"
+```
+
 ## Monitoring Mixin
 Monitoring mixins are a way to bundle common alerts, rules, and dashboards for an application in a configurable and extensible way, using the Jsonnet data templating language. A cert-manager monitoring mixin can be found here https://gitlab.com/uneeq-oss/cert-manager-mixin. Documentation on usage can be found with the `cert-manager-mixin` project.

From f72d3aa9437558c543f8a6695eb42c6c798cda96 Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Tue, 9 Jan 2024 14:36:56 +0000
Subject: [PATCH 3/4] docs: add note that tls metrics certs must be mounted into the pod

Signed-off-by: Adam Talbot
---
 content/docs/devops-tips/prometheus-metrics.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md
index 7b309076a16..362ecfb485a 100644
--- a/content/docs/devops-tips/prometheus-metrics.md
+++ b/content/docs/devops-tips/prometheus-metrics.md
@@ -74,6 +74,8 @@ Static certificates can be provided to the cert-manager controller to use when l
 Static certificates can be specified via the flags `--metrics-tls-cert-file` and `--metrics-tls-private-key-file` or the corresponding config file parameters `metricsTLSConfig.filesystem.certFile` and `metricsTLSConfig.filesystem.keyFile`.
+The certificate and private key must be mounted into the controller pod for this to work, if cert-manager is deployed using helm the `.volumes[]` and `.mounts[]` properties can facilitate this.
+
 An example config file would be:
 ```yaml

From 74017d6e96cfb8070eeb7535034d932624fd0171 Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Wed, 10 Jan 2024 14:41:25 +0000
Subject: [PATCH 4/4] docs: update prometheus example to correct port name

Signed-off-by: Adam Talbot
---
 content/docs/devops-tips/prometheus-metrics.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md
index 362ecfb485a..d3d897798e1 100644
--- a/content/docs/devops-tips/prometheus-metrics.md
+++ b/content/docs/devops-tips/prometheus-metrics.md
@@ -60,7 +60,7 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "controller"
 podMetricsEndpoints:
- - port: http
+ - port: http-metrics
 honorLabels: true
 ```
@@ -130,7 +130,8 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "controller"
 podMetricsEndpoints:
- - port: http
+ - port: http-metrics
+ scheme: https
 honorLabels: true
 # TLS config trusting the CA and specifying the server name
 tlsConfig: