[Close #254] feat: support custom tls config #327
Merged (+21 −5)
The following patch adjusts the podMonitor and serviceMonitor resource. The static configuration `tlsConfig` is replaced so that the TLS configuration can be configured individually by the user. The option `insecureSkipVerify: true` has been removed as it is a security risk. Users also have the option of redefining the `insecureSkipVerify` property directly via `tlsConfig` if necessary. With regard to the previous rbac auth option, however, this is superfluous. Furthermore, the schema, i.e. HTTP or HTTPS, can now be defined to tell Prometheus which protocol should be used for communication.
The following sample configuration specifies that the x509-certificate-exporter encrypts requests via HTTPS and the HTTP client must authenticate itself via HTTPS (client auth).
Important Note: The `serverName` attribute must correspond to the CommonName or a Subject Alternative Name (SAN) of the TLS certificate. If this is not the case, prometheus will reject the connection trying to match the IP address of the pod with the CommonName / SAN. The client certificate and private key as well as the certificate of the certificate authority must be mounted additionally via the `extraVolumes` and `extraVolumeMounts` option. This configuration is not standard and must also be implemented by the user if TLS client authentication is required.
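As an added illustration (not the sample configuration from this pull request and not the project's own chart templates), the following is the kind of Prometheus Operator `ServiceMonitor` that a user-defined `tlsConfig` of the sort described above produces, with `scheme: https`, an explicit `serverName`, and CA, client certificate and key taken from Secrets instead of `insecureSkipVerify: true`. The namespace `monitoring`, the selector label, the Secret names `exporter-ca` and `prometheus-client` and their keys are assumed values chosen for this example:

```yaml
# Added example, not part of PR #327 or the x509-certificate-exporter chart.
# Assumed: namespace "monitoring", selector label below, and two Secrets in the
# same namespace: "exporter-ca" (key ca.crt) and "prometheus-client" (tls.crt, tls.key).
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: x509-certificate-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: x509-certificate-exporter
  endpoints:
    - port: metrics
      # Tell Prometheus to speak TLS to the exporter instead of plain HTTP.
      scheme: https
      tlsConfig:
        # Must match the CN or a SAN of the exporter's serving certificate; if it does
        # not, Prometheus verifies the pod IP against the certificate and rejects it.
        serverName: x509-certificate-exporter.monitoring.svc
        # CA that issued the exporter's serving certificate (chain verification stays on).
        ca:
          secret:
            name: exporter-ca
            key: ca.crt
        # Client certificate and private key presented by Prometheus (client auth).
        cert:
          secret:
            name: prometheus-client
            key: tls.crt
        keySecret:
          name: prometheus-client
          key: tls.key
        # The previously hard-coded, weak setting is intentionally absent; the default
        # (false) keeps certificate verification enabled:
        # insecureSkipVerify: true
```

The Secrets referenced under `ca`, `cert` and `keySecret` have to live in the same namespace as the `ServiceMonitor`, because that is where the Prometheus Operator resolves them from; the `caFile`/`certFile`/`keyFile` alternatives refer instead to paths already mounted inside the Prometheus pod. The serving certificate and CA that the exporter pod itself needs are what the `extraVolumes` and `extraVolumeMounts` options in the description are for and are not shown here.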