Configurable tlsConfig and authorization for Prometheus ServiceMonitor (
#1025)

Co-authored-by: Toni Tauro
tomhjp authored May 10, 2024
1 parent 13ee838 commit 534dddc
Showing 8 changed files with 123 additions and 63 deletions.
9 changes: 9 additions & 0 deletions templates/prometheus-servicemonitor.yaml
Expand Up @@ -41,8 +41,17 @@ spec:
params:
format:
- prometheus
{{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- else }}
tlsConfig:
insecureSkipVerify: true
{{- end }}
{{- with .Values.serverTelemetry.serviceMonitor.authorization }}
authorization:
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "vault.namespace" . }}
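Review bot: The `{{- else }}` branch keeps `insecureSkipVerify: true` as the scrape default whenever `serverTelemetry.serviceMonitor.tlsConfig` is empty, so an operator who configures only `authorization` still gets certificate verification disabled toward the metrics endpoint, and nothing in the template says this is a deliberate backward-compatible fallback. A template comment above the `with` would make the intent visible: `{{/* Default to insecureSkipVerify for backward compatibility; set serviceMonitor.tlsConfig (e.g. a ca secret) to verify Vault's certificate. */}}`. Because `with` treats an empty map as false, the `tlsConfig: {}` default in values.yaml also lands in the else branch, which is what the new "tlsConfig default" unit test relies on. The enclosing `endpoints` entry starts before this hunk.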
1 change: 0 additions & 1 deletion test/acceptance/_helpers.bash
Expand Up @@ -92,7 +92,6 @@ wait_for_running() {
for i in $(seq 60); do
if [ -n "$(check ${POD_NAME})" ]; then
echo "${POD_NAME} is ready."
sleep 5
return
fi

41 changes: 12 additions & 29 deletions test/acceptance/server-telemetry.bats
Expand Up @@ -10,46 +10,29 @@ load _helpers
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance

# Install prometheus-operator and friends.
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install \
helm upgrade --install \
--wait \
--version 39.6.0 \
--version 58.3.1 \
prometheus prometheus-community/kube-prometheus-stack

helm install \
# Install Vault with telemetry config now that the prometheus CRDs are applied.
helm upgrade --install \
--wait \
--values ./test/acceptance/server-test/telemetry.yaml \
--values ./test/acceptance/server-test/vault-server.yaml \
--values ./test/acceptance/server-test/vault-telemetry.yaml \
"$(name_prefix)" .

wait_for_running $(name_prefix)-0

# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0

# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]

# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done

wait_for_ready "$(name_prefix)-0"

# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
echo 'path "sys/metrics" {capabilities = ["read"]}' | kubectl exec -i "$(name_prefix)-0" -- vault policy write metrics -

local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
# Store Vault's dev TLS CA and a token in a secret for prometheus to use.
kubectl create secret generic vault-metrics-client \
--from-literal="ca.crt=$(kubectl exec "$(name_prefix)-0" -- cat /var/run/tls/vault-ca.pem)" \
--from-literal="token=$(kubectl exec "$(name_prefix)-0" -- vault token create -policy=metrics -field=token)"

# unfortunately it can take up to 2 minutes for the vault prometheus job to appear
# TODO: investigate how reduce this.
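Review bot: The `kubectl create secret` call at the end of the hunk substitutes the CA file and the freshly created token straight into `--from-literal`, so if either `kubectl exec` fails the secret is still created with an empty `ca.crt` or `token` and the failure only surfaces later as the prometheus job never appearing (the two-minute wait the TODO above describes). Capturing both values first, as separate assignments so the exec exit status is not masked by `local`, and asserting they are non-empty fails fast at the real cause. The test function begins before this hunk and its final assertions come after it.
```shell
# … unchanged: helm upgrade --install, wait_for_running, vault policy write …

# Store Vault's dev TLS CA and a token in a secret for prometheus to use.
local ca token
ca=$(kubectl exec "$(name_prefix)-0" -- cat /var/run/tls/vault-ca.pem)
token=$(kubectl exec "$(name_prefix)-0" -- vault token create -policy=metrics -field=token)
[ -n "${ca}" ]
[ -n "${token}" ]
kubectl create secret generic vault-metrics-client \
  --from-literal="ca.crt=${ca}" \
  --from-literal="token=${token}"

# … unchanged: wait for the vault prometheus job …
```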
31 changes: 0 additions & 31 deletions test/acceptance/server-test/telemetry.yaml

This file was deleted.

23 changes: 23 additions & 0 deletions test/acceptance/server-test/vault-server.yaml
@@ -0,0 +1,23 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

global:
tlsDisable: false
server:
dev:
enabled: true
# >- to convert to a single line with no line breaks.
extraArgs: >-
-dev-tls
-dev-tls-cert-dir=/var/run/tls
-dev-tls-san=vault
-dev-tls-san=$POD_IP
extraEnvironmentVars:
VAULT_CACERT: /var/run/tls/vault-ca.pem
VAULT_LOCAL_CONFIG: '{"telemetry":{"prometheus_retention_time":"30s","disable_hostname":true}}'
volumes:
- name: tls
emptyDir: {}
volumeMounts:
- mountPath: /var/run/tls
name: tls
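Review bot: The `-dev-tls-san=$POD_IP` argument in `extraArgs` reads as if Helm expands `$POD_IP`, but it is left for the container shell to expand at start-up, presumably relying on the chart exposing the pod IP as an environment variable; a comment stating that would save the next reader from trying to template it. I would put above `extraArgs`: `# $POD_IP is expanded by the container shell at start-up, not by Helm; the pod IP SAN lets prometheus verify the cert when scraping the pod address.` The fixture also turns TLS on via `global.tlsDisable: false` while `dev.enabled: true` plus `-dev-tls` generates a throwaway CA into the `tls` emptyDir, so a one-line header comment saying this file exists to exercise the ServiceMonitor's tlsConfig/authorization against a TLS-enabled dev server would make its purpose clear.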
16 changes: 16 additions & 0 deletions test/acceptance/server-test/vault-telemetry.yaml
@@ -0,0 +1,16 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

serverTelemetry:
serviceMonitor:
enabled: true
interval: 15s
tlsConfig:
ca:
secret:
name: vault-metrics-client
key: ca.crt
authorization:
credentials:
name: vault-metrics-client
key: token
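Review bot: `tlsConfig.ca` pins the CA but sets no `serverName`, so verification depends on the scraped address matching a SAN in Vault's dev certificate — presumably the pod IP added in vault-server.yaml via `-dev-tls-san`; that coupling is worth recording here. Both secret references point at `vault-metrics-client`, which is created by the acceptance test rather than by this chart, and presumably has to live in the ServiceMonitor's namespace for prometheus-operator to resolve it. Suggested header comment: `# Scrapes Vault over TLS: the CA and token come from the vault-metrics-client secret created by server-telemetry.bats; the pod IP SAN in vault-server.yaml is what lets verification pass without serverName.`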
42 changes: 42 additions & 0 deletions test/unit/prometheus-servicemonitor.bats
Expand Up @@ -123,3 +123,45 @@ load _helpers
[ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
[ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
}

@test "prometheus/ServiceMonitor-server: tlsConfig default" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.insecureSkipVerify')" = "true" ]
}

@test "prometheus/ServiceMonitor-server: tlsConfig override" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.tlsConfig.ca=ca.crt' \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.ca')" = "ca.crt" ]
}

@test "prometheus/ServiceMonitor-server: authorization default" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization')" = "null" ]
}

@test "prometheus/ServiceMonitor-server: authorization override" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.authorization.credentials.name=a-secret' \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization.credentials.name')" = "a-secret" ]
}
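Review bot: The "tlsConfig override" test checks that `ca` is passed through but not that the `insecureSkipVerify: true` fallback disappears once `tlsConfig` is set, which is the property the new `{{- with }}`/`{{- else }}` split is meant to guarantee. Adding `[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.insecureSkipVerify')" = "null" ]` to that test pins it. A matching assertion in the "authorization override" test that `insecureSkipVerify` is still `true` would document that setting `authorization` alone does not change TLS verification.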
23 changes: 21 additions & 2 deletions values.yaml
Expand Up @@ -1241,8 +1241,8 @@ csi:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry:
# Enable support for the Prometheus Operator. Currently, this chart does not support
# authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
# Enable support for the Prometheus Operator. If authorization is not set for authenticating
# to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
# in the `listener "tcp"{}` stanza
# telemetry {
# unauthenticated_metrics_access = "true"
Expand Down Expand Up @@ -1284,6 +1284,25 @@ serverTelemetry:
# Timeout for Prometheus scrapes
scrapeTimeout: 10s

# tlsConfig used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.TLSConfig
# example:
# tlsConfig:
# ca:
# secret:
# name: vault-metrics-client
# key: ca.crt
tlsConfig: {}

# authorization used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.SafeAuthorization
# example:
# authorization:
# credentials:
# name: vault-metrics-client
# key: token
authorization: {}

prometheusRules:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
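Review bot: The comment block above `tlsConfig: {}` gives the API reference and an example but not what the chart does when the key is left empty: the template then renders `insecureSkipVerify: true`, so certificate verification of the metrics endpoint is off by default. A line such as `# When left empty the chart sets insecureSkipVerify: true; provide at least a ca (and serverName if scraping by hostname) to verify Vault's certificate.` belongs with this key, since operators read values.yaml rather than the template. The `authorization` example could also note that the referenced secret presumably has to exist in the ServiceMonitor's namespace for prometheus-operator to read it. The second hunk opens inside the `serviceMonitor:` mapping, whose start is outside it.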
