diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml
index 25d30a468..02630fcd5 100644
--- a/templates/prometheus-servicemonitor.yaml
+++ b/templates/prometheus-servicemonitor.yaml
@@ -36,13 +36,22 @@ spec:
 - port: {{ include "vault.scheme" . }}
 interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
 scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+ {{- if .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
+ bearerTokenFile: {{ .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
+ {{- end }}
 scheme: {{ include "vault.scheme" . | lower }}
 path: /v1/sys/metrics
 params:
 format:
 - prometheus
+ {{- $tlsConfig := .Values.serverTelemetry.serviceMonitor.tlsConfig }}
+ {{- if $tlsConfig }}
+ tlsConfig:
+ {{- toYaml $tlsConfig | nindent 6 }}
+ {{- else }}
 tlsConfig:
 insecureSkipVerify: true
+ {{- end }}
 namespaceSelector:
 matchNames:
 - {{ include "vault.namespace" . }}
diff --git a/test/unit/prometheus-servicemonitor.bats b/test/unit/prometheus-servicemonitor.bats
index 5d92c89d2..290733eb7 100755
--- a/test/unit/prometheus-servicemonitor.bats
+++ b/test/unit/prometheus-servicemonitor.bats
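Review bot: The `{{- else }}` branch still renders `insecureSkipVerify: true` whenever `serverTelemetry.serviceMonitor.tlsConfig` is left empty, so the default scrape keeps skipping verification of Vault's server certificate even on installs that have a trusted CA; that is unchanged behaviour, but now that an override exists the fallback deserves a comment in the template, e.g. `{{/* no tlsConfig supplied: keep the historical insecure default so existing installs keep scraping */}}`. Because the new branch replaces the default map rather than merging into it, an operator who sets only `caFile` gets certificate verification back, which is the safer outcome and should be stated wherever `tlsConfig` is documented. `bearerTokenFile` is interpolated as a plain scalar; `bearerTokenFile: {{ .Values.serverTelemetry.serviceMonitor.bearerTokenFile | quote }}` keeps an unusual path from being retyped by the YAML parser. If I recall the prometheus-operator API correctly, `Endpoint.bearerTokenFile` is marked deprecated in favour of `authorization`, which is worth confirming against the operator version the chart targets before committing to this field name. The enclosing `spec:` mapping starts before the hunk.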
@@ -123,3 +123,45 @@ load _helpers
 [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
 [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
 }
+
+@test "prometheus/ServiceMonitor-server: tlsConfig default" {
+ cd `chart_dir`
+ local output=$( (helm template \
+ --show-only templates/prometheus-servicemonitor.yaml \
+ --set 'serverTelemetry.serviceMonitor.enabled=true' \
+ . ) | tee /dev/stderr)
+
+ [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.insecureSkipVerify')" = "true" ]
+}
+
+@test "prometheus/ServiceMonitor-server: tlsConfig override" {
+ cd `chart_dir`
+ local output=$( (helm template \
+ --show-only templates/prometheus-servicemonitor.yaml \
+ --set 'serverTelemetry.serviceMonitor.tlsConfig.ca=ca.crt' \
+ --set 'serverTelemetry.serviceMonitor.enabled=true' \
+ . ) | tee /dev/stderr)
+
+ [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.ca')" = "ca.crt" ]
+}
+
+@test "prometheus/ServiceMonitor-server: bearerTokenFile default" {
+ cd `chart_dir`
+ local output=$( (helm template \
+ --show-only templates/prometheus-servicemonitor.yaml \
+ --set 'serverTelemetry.serviceMonitor.enabled=true' \
+ . ) | tee /dev/stderr)
+
+ [ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerTokenFile")')" = "false" ]
+}
+
+@test "prometheus/ServiceMonitor-server: bearerTokenFile set" {
+ cd `chart_dir`
+ local output=$( (helm template \
+ --show-only templates/prometheus-servicemonitor.yaml \
+ --set 'serverTelemetry.serviceMonitor.enabled=true' \
+ --set 'serverTelemetry.serviceMonitor.bearerTokenFile=tokenfile' \
+ . ) | tee /dev/stderr)
+
+ [ "$(echo "$output" | yq -r '.spec.endpoints[0].bearerTokenFile')" = "tokenfile" ]
+}
diff --git a/values.yaml b/values.yaml
index 17f5ca572..cd900315f 100644
--- a/values.yaml
+++ b/values.yaml
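Review bot: The `tlsConfig override` test only asserts that `ca` is rendered and never checks that the default `insecureSkipVerify: true` has disappeared, so a later change that merges the override onto the default instead of replacing it would still pass; add `[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig | has("insecureSkipVerify")')" = "false" ]` after the existing assertion. The fixture also uses `tlsConfig.ca=ca.crt`, but in the operator's TLSConfig `ca` is an object (`ca.secret` / `ca.configMap`) while the file-path form is `caFile`; switching to `caFile=ca.crt`, or to a nested `ca.secret.name=...` key, keeps the rendered object schema-valid and the nested form additionally exercises the depth produced by `nindent 6`, which a single flat key does not. The `bearerTokenFile set` case could likewise pin that the key is rendered as a string rather than retyped, e.g. by asserting on `.spec.endpoints[0].bearerTokenFile | type` being `"string"`.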
@@ -1234,8 +1234,8 @@ csi:
 # https://developer.hashicorp.com/vault/docs/configuration/telemetry
 # https://developer.hashicorp.com/vault/docs/internals/telemetry
 serverTelemetry:
- # Enable support for the Prometheus Operator. Currently, this chart does not support
- # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
+ # Enable support for the Prometheus Operator. If bearerTokenFile is not set for authenticating
+ # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
 # in the `listener "tcp"{}` stanza
 # telemetry {
 # unauthenticated_metrics_access = "true"
@@ -1277,6 +1277,12 @@ serverTelemetry:
 # Timeout for Prometheus scrapes
 scrapeTimeout: 10s
+ # tlsConfig used for connecting to the Vault API
+ tlsConfig: {}
+
+ # bearerTokenfile used for authentication to the Vault metrics API
+ bearerTokenFile: ""
+
 prometheusRules:
 # The Prometheus operator *must* be installed before enabling this feature,
 # if not the chart will fail to install due to missing CustomResourceDefinitions
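Review bot: The comment on the new `tlsConfig` key does not say what the empty default means in practice, namely that the template then falls back to `insecureSkipVerify: true`, and that any non-empty map replaces that fallback wholesale rather than merging with it; suggest `# tlsConfig for the ServiceMonitor endpoint, rendered verbatim. When empty the chart falls back to insecureSkipVerify: true; a non-empty value replaces that default entirely, so set caFile/ca (and serverName if needed) to verify Vault's certificate.` The second comment spells the key `bearerTokenfile` while the key below is `bearerTokenFile`; matching the spelling keeps grep and documentation tooling consistent. It would also help to say that the path is read by the Prometheus pod (for example a projected service account token mounted there), not by Vault, so operators know which side has to mount the file; the first hunk's reworded comment could point at this key for the same reason.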