[Close #254] feat: support custom tls config #327
Merged
+21
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Here is an excerpt from my prometheus instance, which now retrieves the metrics using HTTPS authentication and encryption.
|
The following patch adjusts the podMonitor and serviceMonitor resource. The
static configuration `tlsConfig` is replaced so that the TLS configuration can be
configured individually by the user.
The option `insecureSkipVerify: true` has been removed as it is a security risk.
Users also have the option of redefining the `insecureSkipVerify` property
directly via `tlsConfig` if necessary. With regard to the previous rbac auth
option, however, this is superfluous.
Furthermore, the schema, i.e. HTTP or HTTPS, can now be defined to tell
Prometheus which protocol should be used for communication.
The following sample configuration specifies that the x509-certificate-exporter
encrypts requests via HTTPS and the HTTP client must authenticate itself via
HTTPS (client auth).
```yaml
prometheusServiceMonitor:
tlsConfig:
caFile: /etc/prometheus/tls/ca/ca.crt
certFile: /etc/prometheus/tls/app2app/tls.crt
keyFile: /etc/prometheus/tls/app2app/tls.key
insecureSkipVerify: false
serverName: prometheus-x509-certificate-exporter
prometheusPodMonitor:
tlsConfig:
caFile: /etc/prometheus/tls/ca/ca.crt
certFile: /etc/prometheus/tls/app2app/tls.crt
keyFile: /etc/prometheus/tls/app2app/tls.key
insecureSkipVerify: false
serverName: prometheus-x509-certificate-exporter
```
Important Note: The `serverName` attribute must correspond to the CommonName or a
Subject Alternative Name (SAN) of the TLS certificate. If this is not the case,
prometheus will reject the connection trying to match the IP address of the pod
with the CommonName / SAN.
The client certificate and private key as well as the certificate of the
certificate authorithy must be mounted additionally via the `extraVolumes` and
`extraVolumeMounts` option. This configuration is not standard and must also be
implemented by the user if TLS client authentication is required.
Signed-off-by: Markus Pesch <[email protected]>
|
Hi @volker-raschek |
|
🎉 This PR is included in version 3.16.0-beta.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The following patch adjusts the podMonitor and serviceMonitor resource. The static configuration
tlsConfigis replaced so that the TLS configuration can be configured individually by the user.The option
insecureSkipVerify: truehas been removed as it is a security risk. Users also have the option of redefining theinsecureSkipVerifyproperty directly viatlsConfigif necessary. With regard to the previous rbac auth option, however, this is superfluous.Furthermore, the schema, i.e. HTTP or HTTPS, can now be defined to tell Prometheus which protocol should be used for communication.
The following sample configuration specifies that the x509-certificate-exporter encrypts requests via HTTPS and the HTTP client must authenticate itself via HTTPS (client auth).
Important Note: The
serverNameattribute must correspond to the CommonName or a Subject Alternative Name (SAN) of the TLS certificate. If this is not the case, prometheus will reject the connection trying to match the IP address of the pod with the CommonName / SAN.The client certificate and private key as well as the certificate of the certificate authorithy must be mounted additionally via the
extraVolumesandextraVolumeMountsoption. This configuration is not standard and must also be implemented by the user if TLS client authentication is required.