From 2f8bf042cd125fe5cb433d74f308070a3fe06daa Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Fri, 28 Jul 2023 15:45:49 +0200
Subject: [PATCH 1/5] feat(Prometheus/ServiceMonitor): add configurable tlsConfig & bearerTokenFile for authentication

Signed-off-by: Toni Tauro
---
 Chart.yaml                               | 2 +-
 templates/prometheus-servicemonitor.yaml | 9 +++++++++
 values.yaml                              | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Chart.yaml b/Chart.yaml
index 104b05f3f..878f0b1eb 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v2
 name: vault
-version: 0.25.0
+version: 0.26.0
 appVersion: 1.14.0
 kubeVersion: ">= 1.20.0-0"
 description: Official HashiCorp Vault Chart
diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml
index 25d30a468..02630fcd5 100644
--- a/templates/prometheus-servicemonitor.yaml
+++ b/templates/prometheus-servicemonitor.yaml
@@ -36,13 +36,22 @@ spec:
   - port: {{ include "vault.scheme" . }}
     interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
     scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+    {{- if .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
+    bearerTokenFile: {{ .Values.serverTelemetry.serviceMonitor.bearerTokenFile }}
+    {{- end }}
     scheme: {{ include "vault.scheme" . | lower }}
     path: /v1/sys/metrics
     params:
       format:
       - prometheus
+    {{- $tlsConfig := .Values.serverTelemetry.serviceMonitor.tlsConfig }}
+    {{- if $tlsConfig }}
+    tlsConfig:
+      {{- toYaml $tlsConfig | nindent 6 }}
+    {{- else }}
     tlsConfig:
       insecureSkipVerify: true
+    {{- end }}
   namespaceSelector:
     matchNames:
     - {{ include "vault.namespace" . }}
diff --git a/values.yaml b/values.yaml
index 8538cd61c..347dfe605 100644
--- a/values.yaml
+++ b/values.yaml
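Review bot: The new `bearerTokenFile` endpoint setting is rendered alongside an unchanged default of `tlsConfig: insecureSkipVerify: true` in the `else` branch, so unless the operator also sets `serverTelemetry.serviceMonitor.tlsConfig`, Prometheus will present the Vault token to whatever answers at the service address without verifying its certificate, and nothing in the template ties the two settings together. At minimum the rendered path should be quoted so a value that looks like a number or YAML special stays a string: `bearerTokenFile: {{ .Values.serverTelemetry.serviceMonitor.bearerTokenFile | quote }}`. Consider a template-time `fail` when `bearerTokenFile` is set while `tlsConfig` is empty (moving the `$tlsConfig` assignment above the bearer-token block so both can be checked together), or at least a comment on the `else` branch such as `# Default skips certificate verification; supply tlsConfig when a token is configured.` The prometheus-operator API documents endpoint `bearerTokenFile` as deprecated in favour of `authorization`, which reads the credential from a Secret rather than a file path — worth confirming against the operator version this chart targets before adding a new field on the deprecated path.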
@@ -1201,6 +1201,12 @@ serverTelemetry:
     # Timeout for Prometheus scrapes
     scrapeTimeout: 10s
 
+    # tlsConfig used for connecting to the Vault API
+    tlsConfig: {}
+
+    # bearerTokenfile used for authentication to the Vault metrics API
+    bearerTokenFile: ""
+
   prometheusRules:
     # The Prometheus operator *must* be installed before enabling this feature,
     # if not the chart will fail to install due to missing CustomResourceDefinitions

From e0b3589dfdb361b510906fc698da062ba209cf98 Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Fri, 28 Jul 2023 16:04:48 +0200
Subject: [PATCH 2/5] feat(tests): added tests for tlsConfig override & bearerTokenfile setting

Signed-off-by: Toni Tauro
---
 test/unit/prometheus-servicemonitor.bats | 42 ++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/test/unit/prometheus-servicemonitor.bats b/test/unit/prometheus-servicemonitor.bats
index 5d92c89d2..4da555af2 100755
--- a/test/unit/prometheus-servicemonitor.bats
+++ b/test/unit/prometheus-servicemonitor.bats
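Review bot: The comment on the new `bearerTokenFile` key does not say where the file must exist or what the token should be allowed to do: the path is read by Prometheus, not Vault, so the token has to be mounted into the Prometheus pod (for example from a Secret volume), and since it lives in a ServiceMonitor it should be a dedicated token whose policy grants only read on `sys/metrics`. The comment also spells the key `bearerTokenfile` while the key itself is `bearerTokenFile`. Suggested wording: `# Path, inside the Prometheus pod, to a file containing a Vault token used to authenticate to the metrics API.` followed by `# Use a dedicated token whose policy only allows reading sys/metrics.` The `tlsConfig: {}` comment should likewise state that an empty value leaves the template's default of `insecureSkipVerify: true` in place, so a CA (e.g. `ca.crt` via a secret or configmap reference) should be supplied whenever a token is configured.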
@@ -123,3 +123,45 @@ load _helpers
   [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
   [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
 }
+
+@test "prometheus/ServiceMonitor-server: tlsConfig default" {
+  cd `chart_dir`
+  local output=$( (helm template \
+      --show-only templates/prometheus-servicemonitor.yaml \
+      --set 'serverTelemetry.serviceMonitor.enabled=true' \
+      . ) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.insecureSkipVerify')" = "true" ]
+}
+
+@test "prometheus/ServiceMonitor-server: tlsConfig override" {
+  cd `chart_dir`
+  local output=$( (helm template \
+      --show-only templates/prometheus-servicemonitor.yaml \
+      --set 'serverTelemetry.serviceMonitor.tlsConfig.ca=ca.crt' \
+      --set 'serverTelemetry.serviceMonitor.enabled=true' \
+      . ) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.ca')" = "ca.crt" ]
+}
+
+@test "prometheus/ServiceMonitor-server: bearerTokenFile default" {
+  cd `chart_dir`
+  local output=$( (helm template \
+      --show-only templates/prometheus-servicemonitor.yaml \
+      --set 'serverTelemetry.serviceMonitor.enabled=true' \
+      . ) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerToken")')" = "false" ]
+}
+
+@test "prometheus/ServiceMonitor-server: bearerTokenFile set" {
+  cd `chart_dir`
+  local output=$( (helm template \
+      --show-only templates/prometheus-servicemonitor.yaml \
+      --set 'serverTelemetry.serviceMonitor.enabled=true' \
+      --set 'serverTelemetry.serviceMonitor.bearerTokenFile=tokenfile' \
+      . ) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].bearerTokenFile')" = "tokenfile" ]
+}

From 3776ae30c8dd747356e5f11755aa2355c0640bc1 Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Tue, 2 Apr 2024 11:00:06 +0200
Subject: [PATCH 3/5] Update Chart.yaml

Co-authored-by: Tom Proctor
---
 Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

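Review bot: The `tlsConfig override` test only asserts that `.tlsConfig.ca` is rendered; it never checks that the default `insecureSkipVerify: true` is gone once a custom tlsConfig is supplied, which is the security property the override exists for, so a later refactor that merged the user map into the default instead of replacing it would still pass. Add after the existing assertion in that test `[ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig | has("insecureSkipVerify")')" = "false" ]`. It would also be worth a case that sets `tlsConfig.insecureSkipVerify=false` explicitly and asserts the rendered value is `false`, since that is the configuration operators will actually deploy. The hunk opens inside the tail of the preceding `@test` block, whose start is outside this view.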
diff --git a/Chart.yaml b/Chart.yaml
index abc94daf0..2b19aceac 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v2
 name: vault
-version: 0.28.0
+version: 0.27.0
 appVersion: 1.15.2
 kubeVersion: ">= 1.20.0-0"
 description: Official HashiCorp Vault Chart

From 671b27bebf46cb11474992b241921d383eb4525b Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Tue, 2 Apr 2024 11:09:09 +0200
Subject: [PATCH 4/5] fix(test/unit/promsm.bats): suggestion by @tomhjp

Signed-off-by: Toni Tauro
---
 test/unit/prometheus-servicemonitor.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/unit/prometheus-servicemonitor.bats b/test/unit/prometheus-servicemonitor.bats
index 4da555af2..290733eb7 100755
--- a/test/unit/prometheus-servicemonitor.bats
+++ b/test/unit/prometheus-servicemonitor.bats
@@ -152,7 +152,7 @@ load _helpers
       --set 'serverTelemetry.serviceMonitor.enabled=true' \
       . ) | tee /dev/stderr)
 
-  [ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerToken")')" = "false" ]
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerTokenFile")')" = "false" ]
 }
 
 @test "prometheus/ServiceMonitor-server: bearerTokenFile set" {

From 71d6325f4598f69c26af2850154bc83d7e1d07af Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Tue, 2 Apr 2024 11:10:58 +0200
Subject: [PATCH 5/5] doc(values.yaml): suggestion by @tomhjp

Signed-off-by: Toni Tauro
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/values.yaml b/values.yaml
index 1a0bbfa22..cd900315f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1234,8 +1234,8 @@ csi:
 # https://developer.hashicorp.com/vault/docs/configuration/telemetry
 # https://developer.hashicorp.com/vault/docs/internals/telemetry
 serverTelemetry:
-  # Enable support for the Prometheus Operator. Currently, this chart does not support
-  # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
+  # Enable support for the Prometheus Operator. If bearerTokenFile is not set for authenticating
+  # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
   # in the `listener "tcp"{}` stanza
   # telemetry {
   #   unauthenticated_metrics_access = "true"