As the title of the bug already describes, the helm chart does not support a custom tlsConfig for the serviceMonitor and podMonitor resources. I need to specify properties like ca, caFile, cert, certFile, insecureSkipVerify, key, keyFile, keySecret and serverName.
More details
I've deployed an internal certificate authority via cert-manager. Each namespace gets its own intermediate CA. Based on this intermediate CA, I issued a custom certificate so that the web server of the certificate-exporter listens on HTTPS. To achieve this, I've created the following web-config.yaml and referenced the secret in the helm chart:
Although I switched to HTTPS, the serviceMonitor created by the helm chart still always listens on HTTP. I've inspected the helm chart and found the reason for listening on HTTP: the scheme is only switched when turning rbacProxy to true, but my intention is not to turn on the rbacProxy option. I would like to use the full tlsConfig spec which is supported by the api resource monitoring.coreos.com/v1. This includes more than the predefined values.
Long term goal
Instead of using basic-auth or token auth, I would like to implement TLS client authentication (mutual TLS). The spec of the api resource monitoring.coreos.com/v1 already contains the required values and the property client_auth_type of the web-config.yaml also supports it, but the helm chart does not provide TLS configuration options for the serviceMonitor.
Proposal
It would be great if the default values of the tlsConfig were part of the helm chart. Otherwise it is not possible to customize the configuration and to encrypt the communication between Prometheus and the certificate exporter.
prometheusServiceMonitor:
# -- Should a ServiceMonitor object be installed to scrape this exporter. For prometheus-operator (kube-prometheus) users.
create: true
# -- Target scrape interval set in the ServiceMonitor
scrapeInterval: 60s
# -- Target scrape timeout set in the ServiceMonitor
scrapeTimeout: 30s
# -- Additional labels to add to ServiceMonitor objects
extraLabels: {}
# -- Relabel config for the ServiceMonitor, see: https://coreos.com/operators/prometheus/docs/latest/api.html#relabelconfig
relabelings: []
+ # -- Custom TLS config options+ tlsConfig: + ca: "" + caFile: ""+ cert: ""+ certFile: "" + key: ""+ keyFile: ""+ insecureSkipVerify: "" + servername: ""
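Review bot: `servername` on the added `+` line should be `serverName`; the monitoring.coreos.com/v1 tlsConfig keys are case-sensitive and the CRD excerpt further down spells it `serverName`, so the lowercase key would never reach Prometheus. The same line seeds `insecureSkipVerify` with `""`, but the CRD types that field as boolean; omit it (it defaults to false) or seed it with `false`. Also, in the CRD `ca` and `cert` are objects holding `configMap`/`secret` references and the client key is a `keySecret` reference, not a plain `key` string, so `ca: ""`, `cert: ""` and `key: ""` don't match the schema, and `keySecret` from the issue's own list of needed properties is missing from the proposal.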
prometheusPodMonitor:
# -- Should a PodMonitor object be installed to scrape this exporter. For prometheus-operator (kube-prometheus) users.
create: false
# -- Target scrape interval set in the PodMonitor
scrapeInterval: 60s
# -- Target scrape timeout set in the PodMonitor
scrapeTimeout: 30s
# -- Additional labels to add to PodMonitor objects
extraLabels: {}
# -- Relabel config for the PodMonitor, see: https://coreos.com/operators/prometheus/docs/latest/api.html#relabelconfig
relabelings: []
+ # -- Custom TLS config options+ tlsConfig: + ca: "" + caFile: ""+ cert: ""+ certFile: "" + key: ""+ keyFile: ""+ insecureSkipVerify: "" + servername: ""
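Review bot: this podMonitor block repeats the serviceMonitor keys verbatim, so it carries the same `servername` casing (the CRD key is `serverName`) and the same `""` placeholder for the boolean `insecureSkipVerify`; both need correcting here as well. Independently of that, a `tlsConfig` alone does not switch the scrape to HTTPS: the issue text notes the chart only sets the scheme when `rbacProxy` is true, so the proposal also needs a scheme value (as the later commit message describes), otherwise Prometheus keeps scraping plain HTTP and the TLS settings are never applied.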
Excerpt of the tlsConfig spec
```yaml
tlsConfig:
  description: TLS configuration to use when scraping the target.
  properties:
    ca:
      description: Certificate authority used when verifying server certificates.
      properties:
        configMap:
          description: ConfigMap containing data to use for the targets.
          properties:
            key:
              description: The key to select.
              type: string
            name:
              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
              type: string
            optional:
              description: Specify whether the ConfigMap or its key must be defined
              type: boolean
          required:
          - key
          type: object
          x-kubernetes-map-type: atomic
        secret:
          description: Secret containing data to use for the targets.
          properties:
            key:
              description: The key of the secret to select from. Must be a valid secret key.
              type: string
            name:
              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
              type: string
            optional:
              description: Specify whether the Secret or its key must be defined
              type: boolean
          required:
          - key
          type: object
          x-kubernetes-map-type: atomic
      type: object
    caFile:
      description: Path to the CA cert in the Prometheus container to use for the targets.
      type: string
    cert:
      description: Client certificate to present when doing client-authentication.
      properties:
        configMap:
          description: ConfigMap containing data to use for the targets.
          properties:
            key:
              description: The key to select.
              type: string
            name:
              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
              type: string
            optional:
              description: Specify whether the ConfigMap or its key must be defined
              type: boolean
          required:
          - key
          type: object
          x-kubernetes-map-type: atomic
        secret:
          description: Secret containing data to use for the targets.
          properties:
            key:
              description: The key of the secret to select from. Must be a valid secret key.
              type: string
            name:
              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
              type: string
            optional:
              description: Specify whether the Secret or its key must be defined
              type: boolean
          required:
          - key
          type: object
          x-kubernetes-map-type: atomic
      type: object
    certFile:
      description: Path to the client cert file in the Prometheus container for the targets.
      type: string
    insecureSkipVerify:
      description: Disable target certificate validation.
      type: boolean
    keyFile:
      description: Path to the client key file in the Prometheus container for the targets.
      type: string
    keySecret:
      description: Secret containing the client key file for the targets.
      properties:
        key:
          description: The key of the secret to select from. Must be a valid secret key.
          type: string
        name:
          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
          type: string
        optional:
          description: Specify whether the Secret or its key must be defined
          type: boolean
      required:
      - key
      type: object
      x-kubernetes-map-type: atomic
    serverName:
      description: Used to verify the hostname for the targets.
      type: string
  type: object
```
Workaround
Create a patch file for the serviceMonitor resource and apply the patch after the deployment via helm.
The following patch adjusts the podMonitor and serviceMonitor resource. The
static configuration `tlsConfig` is replaced so that the TLS configuration can be
configured individually by the user.
The option `insecureSkipVerify: true` has been removed as it is a security risk.
Users also have the option of redefining the `insecureSkipVerify` property
directly via `tlsConfig` if necessary. With regard to the previous rbac auth
option, however, this is superfluous.
Furthermore, the scheme, i.e. HTTP or HTTPS, can now be defined to tell
Prometheus which protocol should be used for communication.
The following sample configuration specifies that the x509-certificate-exporter
encrypts requests via HTTPS and the HTTP client must authenticate itself via
HTTPS (client auth).
```yaml
prometheusServiceMonitor:
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-x509-certificate-exporter
prometheusPodMonitor:
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-x509-certificate-exporter
```
Important Note: The `serverName` attribute must correspond to the CommonName or a
Subject Alternative Name (SAN) of the TLS certificate. If this is not the case,
prometheus will reject the connection trying to match the IP address of the pod
with the CommonName / SAN.
The client certificate and private key as well as the certificate of the
certificate authority must be mounted additionally via the `extraVolumes` and
`extraVolumeMounts` option. This configuration is not standard and must also be
implemented by the user if TLS client authentication is required.
Signed-off-by: Markus Pesch <markus.pesch@cryptic.systems>
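To tie together the server-side web-config.yaml with `client_auth_type` from the long-term goal, the tlsConfig schema excerpt and the workaround patch, here is an added Python example; it is not code from the chart, from the issue author or from the linked commit. It assumes the exporter-toolkit web-config key names (`tls_server_config`, `cert_file`, `key_file`, `client_ca_file`, `client_auth_type`), reuses the file paths and serverName from the sample configuration above, and the function names, the ServiceMonitor name and the namespace in the generated kubectl command are constructed placeholders.

```python
# Added example (not code from the chart, the issue or the linked commit): builds the two
# halves of an mTLS scrape of the x509-certificate-exporter and checks them against each other.
#   * server side: an exporter-toolkit web-config.yaml (tls_server_config / cert_file /
#     key_file / client_ca_file / client_auth_type are the toolkit's own key names)
#   * scrape side: a ServiceMonitor endpoint patch with scheme https and a tlsConfig,
#     validated against the monitoring.coreos.com/v1 tlsConfig excerpt on this page
# All paths, object names and function names are constructed/hypothetical.
import json

# Top-level tlsConfig keys from the CRD excerpt and the type the CRD gives each.
# ca/cert are objects holding configMap/secret refs; keySecret is a secret ref.
TLS_CONFIG_SCHEMA = {
    "ca": dict, "caFile": str, "cert": dict, "certFile": str,
    "insecureSkipVerify": bool, "keyFile": str, "keySecret": dict, "serverName": str,
}


def validate_tls_config(tls):
    """Return a list of problems; an empty list means tls matches the CRD excerpt."""
    problems = []
    for key, value in tls.items():
        expected = TLS_CONFIG_SCHEMA.get(key)
        if expected is None:
            problems.append(f"unknown key {key!r} (CRD keys are case-sensitive)")
        elif not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    # every configMap/secret reference in the CRD lists 'key' as required
    refs = []
    for key in ("ca", "cert"):
        if isinstance(tls.get(key), dict):
            refs += [(f"{key}.{k}", v) for k, v in tls[key].items() if k in ("configMap", "secret")]
    if isinstance(tls.get("keySecret"), dict):
        refs.append(("keySecret", tls["keySecret"]))
    for path, ref in refs:
        if not isinstance(ref, dict) or "key" not in ref:
            problems.append(f"{path}: 'key' is required")
    if tls.get("insecureSkipVerify") is True:
        problems.append("insecureSkipVerify: true disables server certificate validation")
    return problems


def exporter_web_config(cert_file, key_file, client_ca_file=None):
    """exporter-toolkit web-config.yaml as a dict; with a client CA it enforces mTLS."""
    server = {"cert_file": cert_file, "key_file": key_file}
    if client_ca_file:
        server["client_ca_file"] = client_ca_file
        server["client_auth_type"] = "RequireAndVerifyClientCert"
    return {"tls_server_config": server}


def servicemonitor_patch(tls, port="metrics", interval="60s", scrape_timeout="30s"):
    """JSON merge patch for the ServiceMonitor. A merge patch replaces the endpoints list
    wholesale, so the endpoint carries port/interval/timeout again; scheme must be https,
    otherwise the tlsConfig is never used."""
    endpoint = {"port": port, "interval": interval, "scrapeTimeout": scrape_timeout,
                "scheme": "https", "tlsConfig": tls}
    return {"spec": {"endpoints": [endpoint]}}


def check_mtls_pair(web_cfg, tls):
    """Cross-check: if the exporter demands a client cert, the scrape side must present one."""
    problems = validate_tls_config(tls)
    if web_cfg["tls_server_config"].get("client_auth_type") == "RequireAndVerifyClientCert":
        has_client_cert = ({"certFile", "keyFile"} <= tls.keys()) or ({"cert", "keySecret"} <= tls.keys())
        if not has_client_cert:
            problems.append("exporter requires a client cert but tlsConfig presents none")
    return problems


def kubectl_patch_command(name, namespace, tls):
    """The out-of-band workaround: patch the chart-created ServiceMonitor after helm install."""
    patch = json.dumps(servicemonitor_patch(tls), separators=(",", ":"))
    return f"kubectl -n {namespace} patch servicemonitor {name} --type merge -p '{patch}'"


# Constructed sample values, taken from the sample configuration on this page.
SAMPLE_TLS = {
    "caFile": "/etc/prometheus/tls/ca/ca.crt",
    "certFile": "/etc/prometheus/tls/app2app/tls.crt",
    "keyFile": "/etc/prometheus/tls/app2app/tls.key",
    "insecureSkipVerify": False,
    "serverName": "prometheus-x509-certificate-exporter",
}
# The keys as sketched in the values.yaml proposal: lowercase servername and "" for a boolean.
PROPOSED_SKETCH = {"servername": "", "insecureSkipVerify": ""}

if __name__ == "__main__":
    web_cfg = exporter_web_config("/tls/tls.crt", "/tls/tls.key", "/tls/ca.crt")
    print("sketch problems:", validate_tls_config(PROPOSED_SKETCH))
    print("sample problems:", check_mtls_pair(web_cfg, SAMPLE_TLS))
    print(kubectl_patch_command("x509-certificate-exporter", "monitoring", SAMPLE_TLS))
```

Run it with `python3 mtls_check.py` (any file name): the sketch from the proposal is flagged for its key casing and its string-typed boolean, the sample configuration passes, and the printed command is the one-shot workaround. Because the patch is applied outside Helm, a later `helm upgrade` re-renders the endpoints list, so the patch has to be reapplied afterwards until the chart carries the tlsConfig itself.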
Volker