Skip to content

Commit

Permalink
Update integration test, switch to authorization
Browse files Browse the repository at this point in the history
  • Loading branch information
tomhjp committed May 1, 2024
1 parent 71d6325 commit 719ba7e
Show file tree
Hide file tree
Showing 8 changed files with 80 additions and 72 deletions.
8 changes: 5 additions & 3 deletions templates/prometheus-servicemonitor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,6 @@ spec:
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
{{- if .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
bearerTokenFile: {{ .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
{{- end }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
Expand All @@ -52,6 +49,11 @@ spec:
tlsConfig:
insecureSkipVerify: true
{{- end }}
{{- $authz := .Values.serverTelemetry.serviceMonitor.authorization }}
{{- if $authz }}
authorization:
{{- toYaml $authz | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "vault.namespace" . }}
Expand Down
1 change: 0 additions & 1 deletion test/acceptance/_helpers.bash
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,6 @@ wait_for_running() {
for i in $(seq 60); do
if [ -n "$(check ${POD_NAME})" ]; then
echo "${POD_NAME} is ready."
sleep 5
return
fi

Expand Down
41 changes: 12 additions & 29 deletions test/acceptance/server-telemetry.bats
Original file line number Diff line number Diff line change
Expand Up @@ -10,46 +10,29 @@ load _helpers
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance

# Install prometheus-operator and friends.
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install \
helm upgrade --install \
--wait \
--version 39.6.0 \
--version 58.3.1 \
prometheus prometheus-community/kube-prometheus-stack

helm install \
# Install Vault with telemetry config now that the prometheus CRDs are applied.
helm upgrade --install \
--wait \
--values ./test/acceptance/server-test/telemetry.yaml \
--values ./test/acceptance/server-test/vault-server.yaml \
--values ./test/acceptance/server-test/vault-telemetry.yaml \
"$(name_prefix)" .

wait_for_running $(name_prefix)-0

# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0

# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]

# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done

wait_for_ready "$(name_prefix)-0"

# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
echo 'path "sys/metrics" {capabilities = ["read"]}' | kubectl exec -i "$(name_prefix)-0" -- vault policy write metrics -

local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
# Store Vault's dev TLS CA and a token in a secret for prometheus to use.
kubectl create secret generic vault-metrics-client \
--from-literal="ca.crt=$(kubectl exec "$(name_prefix)-0" -- cat /var/run/tls/vault-ca.pem)" \
--from-literal="token=$(kubectl exec "$(name_prefix)-0" -- vault token create -policy=metrics -field=token)"

# unfortunately it can take up to 2 minutes for the vault prometheus job to appear
# TODO: investigate how reduce this.
Expand Down
31 changes: 0 additions & 31 deletions test/acceptance/server-test/telemetry.yaml

This file was deleted.

26 changes: 26 additions & 0 deletions test/acceptance/server-test/vault-server.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

global:
tlsDisable: false
server:
dev:
enabled: true
# >- to convert to a single line with no line breaks.
extraArgs: >-
-dev-tls
-dev-tls-cert-dir=/var/run/tls
-dev-tls-san=vault.default.svc.cluster.local
-dev-tls-san=vault.default.svc
-dev-tls-san=vault.default
-dev-tls-san=vault
-dev-tls-san=$POD_IP
extraEnvironmentVars:
VAULT_CACERT: /var/run/tls/vault-ca.pem
VAULT_LOCAL_CONFIG: '{"telemetry":{"prometheus_retention_time":"30s","disable_hostname":true}}'
volumes:
- name: tls
emptyDir: {}
volumeMounts:
- mountPath: /var/run/tls
name: tls
16 changes: 16 additions & 0 deletions test/acceptance/server-test/vault-telemetry.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

serverTelemetry:
serviceMonitor:
enabled: true
interval: 15s
tlsConfig:
ca:
secret:
name: vault-metrics-client
key: ca.crt
authorization:
credentials:
name: vault-metrics-client
key: token
10 changes: 5 additions & 5 deletions test/unit/prometheus-servicemonitor.bats
Original file line number Diff line number Diff line change
Expand Up @@ -145,23 +145,23 @@ load _helpers
[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.ca')" = "ca.crt" ]
}

@test "prometheus/ServiceMonitor-server: bearerTokenFile default" {
@test "prometheus/ServiceMonitor-server: authorization default" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerTokenFile")')" = "false" ]
[ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization')" = "null" ]
}

@test "prometheus/ServiceMonitor-server: bearerTokenFile set" {
@test "prometheus/ServiceMonitor-server: authorization override" {
cd `chart_dir`
local output=$( (helm template \
--show-only templates/prometheus-servicemonitor.yaml \
--set 'serverTelemetry.serviceMonitor.authorization.credentials.name=a-secret' \
--set 'serverTelemetry.serviceMonitor.enabled=true' \
--set 'serverTelemetry.serviceMonitor.bearerTokenFile=tokenfile' \
. ) | tee /dev/stderr)

[ "$(echo "$output" | yq -r '.spec.endpoints[0].bearerTokenFile')" = "tokenfile" ]
[ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization.credentials.name')" = "a-secret" ]
}
19 changes: 16 additions & 3 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1277,11 +1277,24 @@ serverTelemetry:
# Timeout for Prometheus scrapes
scrapeTimeout: 10s

# tlsConfig used for connecting to the Vault API
# tlsConfig used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.TLSConfig
# example:
# tlsConfig:
# ca:
# secret:
# name: vault-metrics-client
# key: ca.crt
tlsConfig: {}

# bearerTokenfile used for authentication to the Vault metrics API
bearerTokenFile: ""
# authorization used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.SafeAuthorization
# example:
# authorization:
# credentials:
# name: vault-metrics-client
# key: token
authorization: {}

prometheusRules:
# The Prometheus operator *must* be installed before enabling this feature,
Expand Down

0 comments on commit 719ba7e

Please sign in to comment.