Helm chart does not support tlsConfig for serviceMonitor/podMonitor #254
volker-raschek added a commit to volker-raschek/x509-certificate-exporter that referenced this issue on Sep 4, 2024:
The following patch adjusts the podMonitor and serviceMonitor resource. The static configuration `tlsConfig` is replaced so that the TLS configuration can be configured individually by the user. The option `insecureSkipVerify: true` has been removed as it is a security risk. Users also have the option of redefining the `insecureSkipVerify` property directly via `tlsConfig` if necessary. With regard to the previous rbac auth option, however, this is superfluous. Furthermore, the schema, i.e. HTTP or HTTPS, can now be defined to tell Prometheus which protocol should be used for communication.

The following sample configuration specifies that the x509-certificate-exporter encrypts requests via HTTPS and the HTTP client must authenticate itself via HTTPS (client auth).

```yaml
prometheusServiceMonitor:
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-x509-certificate-exporter

prometheusPodMonitor:
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-x509-certificate-exporter
```

Important Note: The `serverName` attribute must correspond to the CommonName or a Subject Alternative Name (SAN) of the TLS certificate. If this is not the case, prometheus will reject the connection trying to match the IP address of the pod with the CommonName / SAN.

The client certificate and private key as well as the certificate of the certificate authority must be mounted additionally via the `extraVolumes` and `extraVolumeMounts` option. This configuration is not standard and must also be implemented by the user if TLS client authentication is required.

Signed-off-by: Markus Pesch <[email protected]>
Summary

As the title of the bug already describes, the helm chart does not support a custom `tlsConfig` for the serviceMonitor and podMonitor resource. I need to specify properties like `ca`, `caFile`, `cert`, `certFile`, `insecureSkipVerify`, `key`, `keyFile`, `keySecret` and `serverName`.

More details

I've deployed an internal certificate authority via cert-manager. Each namespace gets its own intermediate CA. Based on this intermediate CA, I issued a custom certificate so that the web server of the certificate-exporter listens on HTTPS. To achieve this, I've created the following `web-config.yaml` and referenced the secret in the helm chart:

Based on the fact that I switched to HTTPS, the serviceMonitor created by the helm chart always listens on HTTP. I've inspected the helm chart and found the reason for listening on HTTP. The scheme will only be switched when turning `rbacProxy` to `true`, but my intention is not to turn on the rbacProxy option. I would like to use the full tlsConfig spec which is supported by the api resource `monitoring.coreos.com/v1`. This includes more than predefined values.

Long term goal

Instead of using basic-auth or token auth, I would like to implement tls client authentication - mutual TLS. The spec of the api resource `monitoring.coreos.com/v1` already contains the required values and the property `client_auth_type` of the `webconfig.yaml` also supports it, but the helm chart does not provide tls configuration options for the serviceMonitor.

Proposal

It would be great if the default values of the `tlsConfig` would be part of the helm chart. Otherwise it is not possible to customize the configuration and to encrypt the communication between prometheus and the certificate exporter.

Excerpt of the tlsConfig spec

The full spec can be found here.

Workaround

Create a patch file for the serviceMonitor resource and apply the patch after the deployment via helm.

Execute the following command to apply the patch:
Volker
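The mutual-TLS setup the issue asks for, as an added example that is not part of the issue, the chart or the referenced commit: the exporter's `web-config.yaml` (exporter-toolkit web config format) on one side and a ServiceMonitor endpoint on the other, with the chart's former static `insecureSkipVerify: true` rendering shown commented out for contrast. Namespace, selector label, port name, Secret names and mount paths are assumptions.

```yaml
# file: web-config.yaml (exporter side; mount paths are assumptions)
tls_server_config:
  cert_file: /etc/x509-certificate-exporter/tls/tls.crt   # serving cert; its SANs must include serverName below
  key_file: /etc/x509-certificate-exporter/tls/tls.key
  # require a client certificate and verify it against this CA: mutual TLS
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: /etc/x509-certificate-exporter/tls/ca.crt
---
# file: servicemonitor.yaml (Prometheus side; names are assumptions)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: x509-certificate-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: x509-certificate-exporter
  endpoints:
    # weak (what the chart rendered with rbacProxy enabled): verification disabled
    # - port: metrics
    #   scheme: https
    #   tlsConfig:
    #     insecureSkipVerify: true   # any certificate is accepted, the exporter is never authenticated
    # hardened: pinned CA, hostname check, client certificate
    - port: metrics
      scheme: https
      tlsConfig:
        # CA that issued the exporter's serving certificate (the cert-manager intermediate);
        # Secrets referenced here are read from the Prometheus object's namespace
        ca:
          secret:
            name: x509-certificate-exporter-serving-ca
            key: ca.crt
        # must be a SAN (or the CN) of the serving certificate; without it Prometheus
        # verifies the certificate against the pod IP and rejects the connection
        serverName: prometheus-x509-certificate-exporter
        insecureSkipVerify: false
        # client certificate and key presented to the exporter (mutual TLS);
        # the operator mounts these Secrets into the Prometheus pod, no extraVolumes needed
        cert:
          secret:
            name: prometheus-client-tls
            key: tls.crt
        keySecret:
          name: prometheus-client-tls
          key: tls.key
```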