mirror of https://github.com/prometheus-operator/prometheus-operator.git synced 2025-04-09 02:24:16 +00:00

Merge pull request #7230 from simonpasquier/improve-webtls-doc

chore: improve documentation of web TLS configuration
Simon Pasquier 2024-12-20 23:16:03 +01:00 committed by GitHub
commit 0b7a9746b1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 942 additions and 562 deletions

131
Documentation/api.md generated

@ -18041,20 +18041,24 @@ SecretOrConfigMap
</em>
</td>
<td>
<p>Contains the TLS certificate for the server.</p>
<em>(Optional)</em>
<p>Secret or ConfigMap containing the TLS certificate for the web server.</p>
<p>Either <code>keySecret</code> or <code>keyFile</code> must be defined.</p>
<p>It is mutually exclusive with <code>certFile</code>.</p>
</td>
</tr>
<tr>
<td>
<code>client_ca</code><br/>
<code>certFile</code><br/>
<em>
<a href="#monitoring.coreos.com/v1.SecretOrConfigMap">
SecretOrConfigMap
</a>
string
</em>
</td>
<td>
<p>Contains the CA certificate for client certificate authentication to the server.</p>
<em>(Optional)</em>
<p>Path to the TLS certificate file in the container for the web server.</p>
<p>Either <code>keySecret</code> or <code>keyFile</code> must be defined.</p>
<p>It is mutually exclusive with <code>cert</code>.</p>
</td>
</tr>
<tr>
@ -18067,7 +18071,54 @@ Kubernetes core/v1.SecretKeySelector
</em>
</td>
<td>
<p>Secret containing the TLS key for the server.</p>
<em>(Optional)</em>
<p>Secret containing the TLS private key for the web server.</p>
<p>Either <code>cert</code> or <code>certFile</code> must be defined.</p>
<p>It is mutually exclusive with <code>keyFile</code>.</p>
</td>
</tr>
<tr>
<td>
<code>keyFile</code><br/>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Path to the TLS private key file in the container for the web server.</p>
<p>If defined, either <code>cert</code> or <code>certFile</code> must be defined.</p>
<p>It is mutually exclusive with <code>keySecret</code>.</p>
</td>
</tr>
<tr>
<td>
<code>client_ca</code><br/>
<em>
<a href="#monitoring.coreos.com/v1.SecretOrConfigMap">
SecretOrConfigMap
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.</p>
<p>It is mutually exclusive with <code>clientCAFile</code>.</p>
</td>
</tr>
<tr>
<td>
<code>clientCAFile</code><br/>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Path to the CA certificate file for client certificate authentication to
the server.</p>
<p>It is mutually exclusive with <code>client_ca</code>.</p>
</td>
</tr>
<tr>
@ -18078,8 +18129,9 @@ string
</em>
</td>
<td>
<p>Server policy for client authentication. Maps to ClientAuth Policies.
For more detail on clientAuth options:
<em>(Optional)</em>
<p>The server policy for client TLS authentication.</p>
<p>For more detail on clientAuth options:
<a href="https://golang.org/pkg/crypto/tls/#ClientAuthType">https://golang.org/pkg/crypto/tls/#ClientAuthType</a></p>
</td>
</tr>
@ -18091,7 +18143,8 @@ string
</em>
</td>
<td>
<p>Minimum TLS version that is acceptable. Defaults to TLS12.</p>
<em>(Optional)</em>
<p>Minimum TLS version that is acceptable.</p>
</td>
</tr>
<tr>
@ -18102,7 +18155,8 @@ string
</em>
</td>
<td>
<p>Maximum TLS version that is acceptable. Defaults to TLS13.</p>
<em>(Optional)</em>
<p>Maximum TLS version that is acceptable.</p>
</td>
</tr>
<tr>
@ -18113,9 +18167,11 @@ string
</em>
</td>
<td>
<p>List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: <a href="https://golang.org/pkg/crypto/tls/#pkg-constants">https://golang.org/pkg/crypto/tls/#pkg-constants</a></p>
<em>(Optional)</em>
<p>List of supported cipher suites for TLS versions up to TLS 1.2.</p>
<p>If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
<a href="https://golang.org/pkg/crypto/tls/#pkg-constants">https://golang.org/pkg/crypto/tls/#pkg-constants</a></p>
</td>
</tr>
<tr>
@ -18126,9 +18182,10 @@ bool
</em>
</td>
<td>
<p>Controls whether the server selects the
client&rsquo;s most preferred cipher suite, or the server&rsquo;s most preferred
cipher suite. If true then the server&rsquo;s preference, as expressed in
<em>(Optional)</em>
<p>Controls whether the server selects the client&rsquo;s most preferred cipher
suite, or the server&rsquo;s most preferred cipher suite.</p>
<p>If true then the server&rsquo;s preference, as expressed in
the order of elements in cipherSuites, is used.</p>
</td>
</tr>
@ -18140,47 +18197,13 @@ the order of elements in cipherSuites, is used.</p>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.</p>
<p>Available curves are documented in the Go documentation:
<a href="https://golang.org/pkg/crypto/tls/#CurveID">https://golang.org/pkg/crypto/tls/#CurveID</a></p>
</td>
</tr>
<tr>
<td>
<code>keyFile</code><br/>
<em>
string
</em>
</td>
<td>
<p>Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with <code>keySecret</code>.</p>
</td>
</tr>
<tr>
<td>
<code>certFile</code><br/>
<em>
string
</em>
</td>
<td>
<p>Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with <code>cert</code>.</p>
</td>
</tr>
<tr>
<td>
<code>clientCAFile</code><br/>
<em>
string
</em>
</td>
<td>
<p>Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with <code>client_ca</code>.</p>
</td>
</tr>
</tbody>
</table>
<hr/>

268
bundle.yaml generated

@ -18464,7 +18464,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -18517,20 +18522,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -18583,30 +18596,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -18630,18 +18656,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object
@ -31554,7 +31579,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -31607,20 +31637,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -31673,30 +31711,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -31720,18 +31771,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object
@ -44536,7 +44586,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -44589,20 +44644,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -44655,30 +44718,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -44702,18 +44778,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object
@ -65608,7 +65683,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -65661,20 +65741,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -65727,30 +65815,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -65774,18 +65875,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -8425,7 +8425,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -8478,20 +8483,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -8544,30 +8557,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -8591,18 +8617,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -10421,7 +10421,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -10474,20 +10479,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -10540,30 +10553,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -10587,18 +10613,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -12650,7 +12650,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -12703,20 +12708,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -12769,30 +12782,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -12816,18 +12842,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -7836,7 +7836,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -7889,20 +7894,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -7955,30 +7968,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -8002,18 +8028,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -8426,7 +8426,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -8479,20 +8484,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -8545,30 +8558,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -8592,18 +8618,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -10422,7 +10422,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -10475,20 +10480,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -10541,30 +10554,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -10588,18 +10614,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -12651,7 +12651,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -12704,20 +12709,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -12770,30 +12783,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -12817,18 +12843,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -7837,7 +7837,12 @@ spec:
description: Defines the TLS parameters for HTTPS.
properties:
cert:
description: Contains the TLS certificate for the server.
description: |-
Secret or ConfigMap containing the TLS certificate for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `certFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -7890,20 +7895,28 @@ spec:
type: object
certFile:
description: |-
Path to the TLS certificate file in the Prometheus container for the server.
Mutually exclusive with `cert`.
Path to the TLS certificate file in the container for the web server.
Either `keySecret` or `keyFile` must be defined.
It is mutually exclusive with `cert`.
type: string
cipherSuites:
description: |-
List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
Go default cipher suites are used. Available cipher suites are documented
in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
List of supported cipher suites for TLS versions up to TLS 1.2.
If not defined, the Go default cipher suites are used.
Available cipher suites are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#pkg-constants
items:
type: string
type: array
client_ca:
description: Contains the CA certificate for client certificate
description: |-
Secret or ConfigMap containing the CA certificate for client certificate
authentication to the server.
It is mutually exclusive with `clientCAFile`.
properties:
configMap:
description: ConfigMap containing data to use for the
@ -7956,30 +7969,43 @@ spec:
type: object
clientAuthType:
description: |-
Server policy for client authentication. Maps to ClientAuth Policies.
The server policy for client TLS authentication.
For more detail on clientAuth options:
https://golang.org/pkg/crypto/tls/#ClientAuthType
type: string
clientCAFile:
description: |-
Path to the CA certificate file for client certificate authentication to the server.
Mutually exclusive with `client_ca`.
Path to the CA certificate file for client certificate authentication to
the server.
It is mutually exclusive with `client_ca`.
type: string
curvePreferences:
description: |-
Elliptic curves that will be used in an ECDHE handshake, in preference
order. Available curves are documented in the go documentation:
order.
Available curves are documented in the Go documentation:
https://golang.org/pkg/crypto/tls/#CurveID
items:
type: string
type: array
keyFile:
description: |-
Path to the TLS key file in the Prometheus container for the server.
Mutually exclusive with `keySecret`.
Path to the TLS private key file in the container for the web server.
If defined, either `cert` or `certFile` must be defined.
It is mutually exclusive with `keySecret`.
type: string
keySecret:
description: Secret containing the TLS key for the server.
description: |-
Secret containing the TLS private key for the web server.
Either `cert` or `certFile` must be defined.
It is mutually exclusive with `keyFile`.
properties:
key:
description: The key of the secret to select from. Must
@ -8003,18 +8029,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
maxVersion:
description: Maximum TLS version that is acceptable. Defaults
to TLS13.
description: Maximum TLS version that is acceptable.
type: string
minVersion:
description: Minimum TLS version that is acceptable. Defaults
to TLS12.
description: Minimum TLS version that is acceptable.
type: string
preferServerCipherSuites:
description: |-
Controls whether the server selects the
client's most preferred cipher suite, or the server's most preferred
cipher suite. If true then the server's preference, as expressed in
Controls whether the server selects the client's most preferred cipher
suite, or the server's most preferred cipher suite.
If true then the server's preference, as expressed in
the order of elements in cipherSuites, is used.
type: boolean
type: object


@ -7065,7 +7065,7 @@
"description": "Defines the TLS parameters for HTTPS.",
"properties": {
"cert": {
"description": "Contains the TLS certificate for the server.",
"description": "Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -7117,26 +7117,26 @@
"type": "object"
},
"certFile": {
"description": "Path to the TLS certificate file in the Prometheus container for the server.\nMutually exclusive with `cert`.",
"description": "Path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.",
"type": "string"
},
"cipherSuites": {
"description": "List of supported cipher suites for TLS versions up to TLS 1.2. If empty,\nGo default cipher suites are used. Available cipher suites are documented\nin the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants",
"description": "List of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants",
"items": {
"type": "string"
},
"type": "array"
},
"clientAuthType": {
"description": "Server policy for client authentication. Maps to ClientAuth Policies.\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"description": "The server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"type": "string"
},
"clientCAFile": {
"description": "Path to the CA certificate file for client certificate authentication to the server.\nMutually exclusive with `client_ca`.",
"description": "Path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.",
"type": "string"
},
"client_ca": {
"description": "Contains the CA certificate for client certificate authentication to the server.",
"description": "Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -7188,18 +7188,18 @@
"type": "object"
},
"curvePreferences": {
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder. Available curves are documented in the go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"items": {
"type": "string"
},
"type": "array"
},
"keyFile": {
"description": "Path to the TLS key file in the Prometheus container for the server.\nMutually exclusive with `keySecret`.",
"description": "Path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.",
"type": "string"
},
"keySecret": {
"description": "Secret containing the TLS key for the server.",
"description": "Secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
@ -7222,15 +7222,15 @@
"x-kubernetes-map-type": "atomic"
},
"maxVersion": {
"description": "Maximum TLS version that is acceptable. Defaults to TLS13.",
"description": "Maximum TLS version that is acceptable.",
"type": "string"
},
"minVersion": {
"description": "Minimum TLS version that is acceptable. Defaults to TLS12.",
"description": "Minimum TLS version that is acceptable.",
"type": "string"
},
"preferServerCipherSuites": {
"description": "Controls whether the server selects the\nclient's most preferred cipher suite, or the server's most preferred\ncipher suite. If true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"description": "Controls whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"type": "boolean"
}
},


@ -8609,7 +8609,7 @@
"description": "Defines the TLS parameters for HTTPS.",
"properties": {
"cert": {
"description": "Contains the TLS certificate for the server.",
"description": "Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -8661,26 +8661,26 @@
"type": "object"
},
"certFile": {
"description": "Path to the TLS certificate file in the Prometheus container for the server.\nMutually exclusive with `cert`.",
"description": "Path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.",
"type": "string"
},
"cipherSuites": {
"description": "List of supported cipher suites for TLS versions up to TLS 1.2. If empty,\nGo default cipher suites are used. Available cipher suites are documented\nin the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants",
"description": "List of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants",
"items": {
"type": "string"
},
"type": "array"
},
"clientAuthType": {
"description": "Server policy for client authentication. Maps to ClientAuth Policies.\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"description": "The server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"type": "string"
},
"clientCAFile": {
"description": "Path to the CA certificate file for client certificate authentication to the server.\nMutually exclusive with `client_ca`.",
"description": "Path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.",
"type": "string"
},
"client_ca": {
"description": "Contains the CA certificate for client certificate authentication to the server.",
"description": "Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -8732,18 +8732,18 @@
"type": "object"
},
"curvePreferences": {
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder. Available curves are documented in the go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"items": {
"type": "string"
},
"type": "array"
},
"keyFile": {
"description": "Path to the TLS key file in the Prometheus container for the server.\nMutually exclusive with `keySecret`.",
"description": "Path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.",
"type": "string"
},
"keySecret": {
"description": "Secret containing the TLS key for the server.",
"description": "Secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
@ -8766,15 +8766,15 @@
"x-kubernetes-map-type": "atomic"
},
"maxVersion": {
"description": "Maximum TLS version that is acceptable. Defaults to TLS13.",
"description": "Maximum TLS version that is acceptable.",
"type": "string"
},
"minVersion": {
"description": "Minimum TLS version that is acceptable. Defaults to TLS12.",
"description": "Minimum TLS version that is acceptable.",
"type": "string"
},
"preferServerCipherSuites": {
"description": "Controls whether the server selects the\nclient's most preferred cipher suite, or the server's most preferred\ncipher suite. If true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"description": "Controls whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"type": "boolean"
}
},


@ -10562,7 +10562,7 @@
"description": "Defines the TLS parameters for HTTPS.",
"properties": {
"cert": {
"description": "Contains the TLS certificate for the server.",
"description": "Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -10614,26 +10614,26 @@
"type": "object"
},
"certFile": {
"description": "Path to the TLS certificate file in the Prometheus container for the server.\nMutually exclusive with `cert`.",
"description": "Path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.",
"type": "string"
},
"cipherSuites": {
"description": "List of supported cipher suites for TLS versions up to TLS 1.2. If empty,\nGo default cipher suites are used. Available cipher suites are documented\nin the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants",
"description": "List of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants",
"items": {
"type": "string"
},
"type": "array"
},
"clientAuthType": {
"description": "Server policy for client authentication. Maps to ClientAuth Policies.\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"description": "The server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"type": "string"
},
"clientCAFile": {
"description": "Path to the CA certificate file for client certificate authentication to the server.\nMutually exclusive with `client_ca`.",
"description": "Path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.",
"type": "string"
},
"client_ca": {
"description": "Contains the CA certificate for client certificate authentication to the server.",
"description": "Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -10685,18 +10685,18 @@
"type": "object"
},
"curvePreferences": {
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder. Available curves are documented in the go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"items": {
"type": "string"
},
"type": "array"
},
"keyFile": {
"description": "Path to the TLS key file in the Prometheus container for the server.\nMutually exclusive with `keySecret`.",
"description": "Path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.",
"type": "string"
},
"keySecret": {
"description": "Secret containing the TLS key for the server.",
"description": "Secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
@ -10719,15 +10719,15 @@
"x-kubernetes-map-type": "atomic"
},
"maxVersion": {
"description": "Maximum TLS version that is acceptable. Defaults to TLS13.",
"description": "Maximum TLS version that is acceptable.",
"type": "string"
},
"minVersion": {
"description": "Minimum TLS version that is acceptable. Defaults to TLS12.",
"description": "Minimum TLS version that is acceptable.",
"type": "string"
},
"preferServerCipherSuites": {
"description": "Controls whether the server selects the\nclient's most preferred cipher suite, or the server's most preferred\ncipher suite. If true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"description": "Controls whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"type": "boolean"
}
},


@ -6503,7 +6503,7 @@
"description": "Defines the TLS parameters for HTTPS.",
"properties": {
"cert": {
"description": "Contains the TLS certificate for the server.",
"description": "Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -6555,26 +6555,26 @@
"type": "object"
},
"certFile": {
"description": "Path to the TLS certificate file in the Prometheus container for the server.\nMutually exclusive with `cert`.",
"description": "Path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.",
"type": "string"
},
"cipherSuites": {
"description": "List of supported cipher suites for TLS versions up to TLS 1.2. If empty,\nGo default cipher suites are used. Available cipher suites are documented\nin the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants",
"description": "List of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants",
"items": {
"type": "string"
},
"type": "array"
},
"clientAuthType": {
"description": "Server policy for client authentication. Maps to ClientAuth Policies.\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"description": "The server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType",
"type": "string"
},
"clientCAFile": {
"description": "Path to the CA certificate file for client certificate authentication to the server.\nMutually exclusive with `client_ca`.",
"description": "Path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.",
"type": "string"
},
"client_ca": {
"description": "Contains the CA certificate for client certificate authentication to the server.",
"description": "Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.",
"properties": {
"configMap": {
"description": "ConfigMap containing data to use for the targets.",
@ -6626,18 +6626,18 @@
"type": "object"
},
"curvePreferences": {
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder. Available curves are documented in the go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"description": "Elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID",
"items": {
"type": "string"
},
"type": "array"
},
"keyFile": {
"description": "Path to the TLS key file in the Prometheus container for the server.\nMutually exclusive with `keySecret`.",
"description": "Path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.",
"type": "string"
},
"keySecret": {
"description": "Secret containing the TLS key for the server.",
"description": "Secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
@ -6660,15 +6660,15 @@
"x-kubernetes-map-type": "atomic"
},
"maxVersion": {
"description": "Maximum TLS version that is acceptable. Defaults to TLS13.",
"description": "Maximum TLS version that is acceptable.",
"type": "string"
},
"minVersion": {
"description": "Minimum TLS version that is acceptable. Defaults to TLS12.",
"description": "Minimum TLS version that is acceptable.",
"type": "string"
},
"preferServerCipherSuites": {
"description": "Controls whether the server selects the\nclient's most preferred cipher suite, or the server's most preferred\ncipher suite. If true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"description": "Controls whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.",
"type": "boolean"
}
},


@ -361,42 +361,97 @@ type WebHTTPHeaders struct {
// WebTLSConfig defines the TLS parameters for HTTPS.
// +k8s:openapi-gen=true
type WebTLSConfig struct {
// Contains the TLS certificate for the server.
// Secret or ConfigMap containing the TLS certificate for the web server.
//
// Either `keySecret` or `keyFile` must be defined.
//
// It is mutually exclusive with `certFile`.
//
// +optional
Cert SecretOrConfigMap `json:"cert,omitempty"`
// Contains the CA certificate for client certificate authentication to the server.
ClientCA SecretOrConfigMap `json:"client_ca,omitempty"`
// Secret containing the TLS key for the server.
// Path to the TLS certificate file in the container for the web server.
//
// Either `keySecret` or `keyFile` must be defined.
//
// It is mutually exclusive with `cert`.
//
// +optional
CertFile *string `json:"certFile,omitempty"`
// Secret containing the TLS private key for the web server.
//
// Either `cert` or `certFile` must be defined.
//
// It is mutually exclusive with `keyFile`.
//
// +optional
KeySecret v1.SecretKeySelector `json:"keySecret,omitempty"`
// Server policy for client authentication. Maps to ClientAuth Policies.
// Path to the TLS private key file in the container for the web server.
//
// If defined, either `cert` or `certFile` must be defined.
//
// It is mutually exclusive with `keySecret`.
//
// +optional
KeyFile *string `json:"keyFile,omitempty"`
// Secret or ConfigMap containing the CA certificate for client certificate
// authentication to the server.
//
// It is mutually exclusive with `clientCAFile`.
//
// +optional
ClientCA SecretOrConfigMap `json:"client_ca,omitempty"`
// Path to the CA certificate file for client certificate authentication to
// the server.
//
// It is mutually exclusive with `client_ca`.
//
// +optional
ClientCAFile *string `json:"clientCAFile,omitempty"`
// The server policy for client TLS authentication.
//
// For more detail on clientAuth options:
// https://golang.org/pkg/crypto/tls/#ClientAuthType
ClientAuthType string `json:"clientAuthType,omitempty"`
// Minimum TLS version that is acceptable. Defaults to TLS12.
MinVersion string `json:"minVersion,omitempty"`
// Maximum TLS version that is acceptable. Defaults to TLS13.
MaxVersion string `json:"maxVersion,omitempty"`
// List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
// Go default cipher suites are used. Available cipher suites are documented
// in the go documentation: https://golang.org/pkg/crypto/tls/#pkg-constants
//
// +optional
ClientAuthType *string `json:"clientAuthType,omitempty"`
// Minimum TLS version that is acceptable.
//
// +optional
MinVersion *string `json:"minVersion,omitempty"`
// Maximum TLS version that is acceptable.
//
// +optional
MaxVersion *string `json:"maxVersion,omitempty"`
// List of supported cipher suites for TLS versions up to TLS 1.2.
//
// If not defined, the Go default cipher suites are used.
// Available cipher suites are documented in the Go documentation:
// https://golang.org/pkg/crypto/tls/#pkg-constants
//
// +optional
CipherSuites []string `json:"cipherSuites,omitempty"`
// Controls whether the server selects the
// client's most preferred cipher suite, or the server's most preferred
// cipher suite. If true then the server's preference, as expressed in
// Controls whether the server selects the client's most preferred cipher
// suite, or the server's most preferred cipher suite.
//
// If true then the server's preference, as expressed in
// the order of elements in cipherSuites, is used.
//
// +optional
PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty"`
// Elliptic curves that will be used in an ECDHE handshake, in preference
// order. Available curves are documented in the go documentation:
// order.
//
// Available curves are documented in the Go documentation:
// https://golang.org/pkg/crypto/tls/#CurveID
//
// +optional
CurvePreferences []string `json:"curvePreferences,omitempty"`
// Path to the TLS key file in the Prometheus container for the server.
// Mutually exclusive with `keySecret`.
KeyFile string `json:"keyFile,omitempty"`
// Path to the TLS certificate file in the Prometheus container for the server.
// Mutually exclusive with `cert`.
CertFile string `json:"certFile,omitempty"`
// Path to the CA certificate file for client certificate authentication to the server.
// Mutually exclusive with `client_ca`.
ClientCAFile string `json:"clientCAFile,omitempty"`
}
// Validate returns an error if one of the WebTLSConfig fields is invalid.
@ -408,36 +463,33 @@ func (c *WebTLSConfig) Validate() error {
}
if c.ClientCA != (SecretOrConfigMap{}) {
if c.ClientCAFile != "" {
if c.ClientCAFile != nil && *c.ClientCAFile != "" {
return errors.New("cannot specify both clientCAFile and clientCA")
}
if err := c.ClientCA.Validate(); err != nil {
return fmt.Errorf("invalid web tls config: %s", err.Error())
return fmt.Errorf("invalid client CA: %w", err)
}
}
if c.Cert != (SecretOrConfigMap{}) {
if c.CertFile != "" {
if c.CertFile != nil && *c.CertFile != "" {
return errors.New("cannot specify both cert and certFile")
}
if err := c.Cert.Validate(); err != nil {
return fmt.Errorf("invalid web tls config: %s", err.Error())
return fmt.Errorf("invalid TLS certificate: %w", err)
}
}
if c.KeyFile != "" && c.KeySecret != (v1.SecretKeySelector{}) {
if c.KeyFile != nil && *c.KeyFile != "" && c.KeySecret != (v1.SecretKeySelector{}) {
return errors.New("cannot specify both keyFile and keySecret")
}
hasCert := c.CertFile != "" || c.Cert != (SecretOrConfigMap{})
hasKey := c.KeyFile != "" || c.KeySecret != (v1.SecretKeySelector{})
if !hasKey {
return errors.New("TLS key must be defined")
if (c.KeyFile == nil || *c.KeyFile == "") && c.KeySecret == (v1.SecretKeySelector{}) {
return errors.New("TLS private key must be defined")
}
if !hasCert {
if (c.CertFile == nil || *c.CertFile == "") && c.Cert == (SecretOrConfigMap{}) {
return errors.New("TLS certificate must be defined")
}
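Review bot: The rewritten `minVersion` and `maxVersion` comments drop "Defaults to TLS12" / "Defaults to TLS13" and no longer say what an unset field means, which is the first thing someone hardening the endpoint looks for. Going by `addTLSServerConfigToYaml` in this commit, `min_version` and `max_version` are only written when the pointer is non-empty, so the effective bounds presumably come from the web server of the managed component. I would state that in both comments, e.g. `// If not defined, the option is omitted from the web configuration and the default of the web server applies.` The part of `Validate` visible here does not check the version strings either (the function starts and ends outside the hunk), so the comment could also name the accepted values.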


@ -291,50 +291,47 @@ func TestValidateWebTlsConfig(t *testing.T) {
{
name: "caFile, certFile and keyFile",
config: &WebTLSConfig{
ClientCAFile: "cafile",
CertFile: "certfile",
KeyFile: "keyfile",
ClientCAFile: func(s string) *string { return &s }("cafile"),
CertFile: func(s string) *string { return &s }("certfile"),
KeyFile: func(s string) *string { return &s }("keyfile"),
},
err: false,
},
{
name: "certFile and keyFile",
config: &WebTLSConfig{
CertFile: "certfile",
KeyFile: "keyfile",
CertFile: func(s string) *string { return &s }("certfile"),
KeyFile: func(s string) *string { return &s }("keyfile"),
},
err: false,
},
{
name: "caFile and keyFile",
config: &WebTLSConfig{
ClientCAFile: "cafile",
KeyFile: "keyfile",
ClientCAFile: func(s string) *string { return &s }("cafile"),
KeyFile: func(s string) *string { return &s }("keyfile"),
},
err: true,
},
{
name: "caFile and certFile",
config: &WebTLSConfig{
ClientCAFile: "cafile",
CertFile: "certfile",
ClientCAFile: func(s string) *string { return &s }("cafile"),
CertFile: func(s string) *string { return &s }("certfile"),
},
err: true,
},
{
name: "caFile, cert and keyFile",
config: &WebTLSConfig{
ClientCAFile: "cafile",
KeyFile: "keyfile",
ClientCAFile: func(s string) *string { return &s }("cafile"),
KeyFile: func(s string) *string { return &s }("keyfile"),
Cert: SecretOrConfigMap{Secret: &v1.SecretKeySelector{}},
},
err: false,
},
{
name: "caFile, certFile and keySecret",
config: &WebTLSConfig{
ClientCAFile: "cafile",
CertFile: "certfile",
ClientCAFile: func(s string) *string { return &s }("cafile"),
CertFile: func(s string) *string { return &s }("certfile"),
KeySecret: v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "test-secret",
@ -342,7 +339,6 @@ func TestValidateWebTlsConfig(t *testing.T) {
Key: "tls.key",
},
},
err: false,
},
{
name: "ca, cert and keySecret",
@ -356,7 +352,6 @@ func TestValidateWebTlsConfig(t *testing.T) {
Key: "tls.key",
},
},
err: false,
},
{
name: "cert and keySecret",
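Review bot: None of the cases visible in these hunks covers the new pointer semantics in `Validate`, where a nil pointer and a pointer to `""` are both treated as unset. A case with `KeyFile` pointing to an empty string next to a `keySecret` and a certificate (expected to pass), and one with only empty-string pointers (expected to fail with the missing-key error), would pin that down; the table continues outside the hunks, so such cases may already exist there. The inline `func(s string) *string { return &s }("…")` is repeated in every case and reads better as one small local helper, or as `ptr.To` if importing `k8s.io/utils/ptr` into this package is acceptable, as the webconfig test in this commit does.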


@ -3739,8 +3739,38 @@ func (in *WebHTTPHeaders) DeepCopy() *WebHTTPHeaders {
func (in *WebTLSConfig) DeepCopyInto(out *WebTLSConfig) {
*out = *in
in.Cert.DeepCopyInto(&out.Cert)
in.ClientCA.DeepCopyInto(&out.ClientCA)
if in.CertFile != nil {
in, out := &in.CertFile, &out.CertFile
*out = new(string)
**out = **in
}
in.KeySecret.DeepCopyInto(&out.KeySecret)
if in.KeyFile != nil {
in, out := &in.KeyFile, &out.KeyFile
*out = new(string)
**out = **in
}
in.ClientCA.DeepCopyInto(&out.ClientCA)
if in.ClientCAFile != nil {
in, out := &in.ClientCAFile, &out.ClientCAFile
*out = new(string)
**out = **in
}
if in.ClientAuthType != nil {
in, out := &in.ClientAuthType, &out.ClientAuthType
*out = new(string)
**out = **in
}
if in.MinVersion != nil {
in, out := &in.MinVersion, &out.MinVersion
*out = new(string)
**out = **in
}
if in.MaxVersion != nil {
in, out := &in.MaxVersion, &out.MaxVersion
*out = new(string)
**out = **in
}
if in.CipherSuites != nil {
in, out := &in.CipherSuites, &out.CipherSuites
*out = make([]string, len(*in))


@ -24,17 +24,17 @@ import (
// with apply.
type WebTLSConfigApplyConfiguration struct {
Cert *SecretOrConfigMapApplyConfiguration `json:"cert,omitempty"`
ClientCA *SecretOrConfigMapApplyConfiguration `json:"client_ca,omitempty"`
CertFile *string `json:"certFile,omitempty"`
KeySecret *corev1.SecretKeySelector `json:"keySecret,omitempty"`
KeyFile *string `json:"keyFile,omitempty"`
ClientCA *SecretOrConfigMapApplyConfiguration `json:"client_ca,omitempty"`
ClientCAFile *string `json:"clientCAFile,omitempty"`
ClientAuthType *string `json:"clientAuthType,omitempty"`
MinVersion *string `json:"minVersion,omitempty"`
MaxVersion *string `json:"maxVersion,omitempty"`
CipherSuites []string `json:"cipherSuites,omitempty"`
PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty"`
CurvePreferences []string `json:"curvePreferences,omitempty"`
KeyFile *string `json:"keyFile,omitempty"`
CertFile *string `json:"certFile,omitempty"`
ClientCAFile *string `json:"clientCAFile,omitempty"`
}
// WebTLSConfigApplyConfiguration constructs a declarative configuration of the WebTLSConfig type for use with
@ -51,11 +51,11 @@ func (b *WebTLSConfigApplyConfiguration) WithCert(value *SecretOrConfigMapApplyC
return b
}
// WithClientCA sets the ClientCA field in the declarative configuration to the given value
// WithCertFile sets the CertFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCA field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithClientCA(value *SecretOrConfigMapApplyConfiguration) *WebTLSConfigApplyConfiguration {
b.ClientCA = value
// If called multiple times, the CertFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithCertFile(value string) *WebTLSConfigApplyConfiguration {
b.CertFile = &value
return b
}
@ -67,6 +67,30 @@ func (b *WebTLSConfigApplyConfiguration) WithKeySecret(value corev1.SecretKeySel
return b
}
// WithKeyFile sets the KeyFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the KeyFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithKeyFile(value string) *WebTLSConfigApplyConfiguration {
b.KeyFile = &value
return b
}
// WithClientCA sets the ClientCA field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCA field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithClientCA(value *SecretOrConfigMapApplyConfiguration) *WebTLSConfigApplyConfiguration {
b.ClientCA = value
return b
}
// WithClientCAFile sets the ClientCAFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCAFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithClientCAFile(value string) *WebTLSConfigApplyConfiguration {
b.ClientCAFile = &value
return b
}
// WithClientAuthType sets the ClientAuthType field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientAuthType field is set to the value of the last call.
@ -118,27 +142,3 @@ func (b *WebTLSConfigApplyConfiguration) WithCurvePreferences(values ...string)
}
return b
}
// WithKeyFile sets the KeyFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the KeyFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithKeyFile(value string) *WebTLSConfigApplyConfiguration {
b.KeyFile = &value
return b
}
// WithCertFile sets the CertFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CertFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithCertFile(value string) *WebTLSConfigApplyConfiguration {
b.CertFile = &value
return b
}
// WithClientCAFile sets the ClientCAFile field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCAFile field is set to the value of the last call.
func (b *WebTLSConfigApplyConfiguration) WithClientCAFile(value string) *WebTLSConfigApplyConfiguration {
b.ClientCAFile = &value
return b
}


@ -16,13 +16,14 @@ package webconfig
import (
"context"
"fmt"
"path"
"path/filepath"
"strings"
"gopkg.in/yaml.v2"
v1 "k8s.io/api/core/v1"
clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/utils/ptr"
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
"github.com/prometheus-operator/prometheus-operator/pkg/k8sutil"
@ -37,13 +38,12 @@ var (
//
// Config can make a secret which holds the web config contents, as well as
// volumes and volume mounts for referencing the secret and the
// necessary TLS credentials.
// necessary TLS files.
type Config struct {
tlsConfig *monitoringv1.WebTLSConfig
httpConfig *monitoringv1.WebHTTPConfig
tlsCredentials *tlsCredentials
mountingDir string
secretName string
tlsConfig *monitoringv1.WebTLSConfig
httpConfig *monitoringv1.WebHTTPConfig
mountingDir string
secretName string
}
// New creates a new Config.
@ -54,22 +54,16 @@ func New(mountingDir string, secretName string, configFileFields monitoringv1.We
return nil, err
}
var tlsCreds *tlsCredentials
if tlsConfig != nil {
tlsCreds = newTLSCredentials(mountingDir, tlsConfig.KeySecret, tlsConfig.KeyFile, tlsConfig.Cert, tlsConfig.CertFile, tlsConfig.ClientCA, tlsConfig.ClientCAFile)
}
return &Config{
tlsConfig: tlsConfig,
httpConfig: configFileFields.HTTPConfig,
tlsCredentials: tlsCreds,
mountingDir: mountingDir,
secretName: secretName,
tlsConfig: tlsConfig,
httpConfig: configFileFields.HTTPConfig,
mountingDir: mountingDir,
secretName: secretName,
}, nil
}
// GetMountParameters returns volumes and volume mounts referencing the config file
// and the associated TLS credentials.
// and the associated TLS files.
// In addition, GetMountParameters returns a web.config.file command line option pointing
// to the file in the volume mount.
func (c Config) GetMountParameters() (monitoringv1.Argument, []v1.Volume, []v1.VolumeMount, error) {
@ -85,11 +79,13 @@ func (c Config) GetMountParameters() (monitoringv1.Argument, []v1.Volume, []v1.V
cfgMount := c.makeVolumeMount(destinationPath)
mounts = append(mounts, cfgMount)
if c.tlsCredentials != nil {
tlsVolumes, tlsMounts, err := c.tlsCredentials.getMountParameters()
if c.tlsConfig != nil {
tlsRefs := newTLSReferences(c.mountingDir, *c.tlsConfig)
tlsVolumes, tlsMounts, err := tlsRefs.getMountParameters()
if err != nil {
return monitoringv1.Argument{}, nil, nil, err
}
volumes = append(volumes, tlsVolumes...)
mounts = append(mounts, tlsMounts...)
}
@ -97,7 +93,8 @@ func (c Config) GetMountParameters() (monitoringv1.Argument, []v1.Volume, []v1.V
return arg, volumes, mounts, nil
}
// CreateOrUpdateWebConfigSecret create or update a Kubernetes secret with the data for the web config file.
// CreateOrUpdateWebConfigSecret create or update a Kubernetes secret with the
// data for the web config file.
// The format of the web config file is available in the official prometheus documentation:
// https://prometheus.io/docs/prometheus/latest/configuration/https/#https-and-authentication
func (c Config) CreateOrUpdateWebConfigSecret(ctx context.Context, secretClient clientv1.SecretInterface, s *v1.Secret) error {
@ -119,8 +116,7 @@ func (c Config) generateConfigFileContents() ([]byte, error) {
return []byte{}, nil
}
cfg := yaml.MapSlice{}
var cfg yaml.MapSlice
cfg = c.addTLSServerConfigToYaml(cfg)
cfg = c.addHTTPServerConfigToYaml(cfg)
@ -134,46 +130,47 @@ func (c Config) addTLSServerConfigToYaml(cfg yaml.MapSlice) yaml.MapSlice {
}
tlsServerConfig := yaml.MapSlice{}
tlsRefs := newTLSReferences(c.mountingDir, *c.tlsConfig)
switch {
case c.tlsCredentials.certFile != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "cert_file", Value: c.tlsCredentials.certFile})
case c.tlsCredentials.getCertMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "cert_file", Value: fmt.Sprintf("%s/%s", c.tlsCredentials.getCertMountPath(), c.tlsCredentials.getCertFilename())})
case ptr.Deref(tls.CertFile, "") != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "cert_file", Value: *tls.CertFile})
case tlsRefs.getCertMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "cert_file", Value: filepath.Join(tlsRefs.getCertMountPath(), tlsRefs.getCertFilename())})
}
switch {
case c.tlsCredentials.keyFile != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "key_file", Value: c.tlsCredentials.keyFile})
case c.tlsCredentials.getKeyMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "key_file", Value: fmt.Sprintf("%s/%s", c.tlsCredentials.getKeyMountPath(), c.tlsCredentials.getKeyFilename())})
case ptr.Deref(tls.KeyFile, "") != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "key_file", Value: *tls.KeyFile})
case tlsRefs.getKeyMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "key_file", Value: filepath.Join(tlsRefs.getKeyMountPath(), tlsRefs.getKeyFilename())})
}
if tls.ClientAuthType != "" {
if ptr.Deref(tls.ClientAuthType, "") != "" {
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{
Key: "client_auth_type",
Value: tls.ClientAuthType,
Value: *tls.ClientAuthType,
})
}
switch {
case c.tlsCredentials.clientCAFile != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "client_ca_file", Value: c.tlsCredentials.clientCAFile})
case c.tlsCredentials.getCAMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "client_ca_file", Value: fmt.Sprintf("%s/%s", c.tlsCredentials.getCAMountPath(), c.tlsCredentials.getCAFilename())})
case ptr.Deref(tls.ClientCAFile, "") != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "client_ca_file", Value: *tls.ClientCAFile})
case tlsRefs.getCAMountPath() != "":
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{Key: "client_ca_file", Value: filepath.Join(tlsRefs.getCAMountPath(), tlsRefs.getCAFilename())})
}
if tls.MinVersion != "" {
if ptr.Deref(tls.MinVersion, "") != "" {
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{
Key: "min_version",
Value: tls.MinVersion,
Value: *tls.MinVersion,
})
}
if tls.MaxVersion != "" {
if ptr.Deref(tls.MaxVersion, "") != "" {
tlsServerConfig = append(tlsServerConfig, yaml.MapItem{
Key: "max_version",
Value: tls.MaxVersion,
Value: *tls.MaxVersion,
})
}
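Review bot: The `cert_file`, `key_file` and `client_ca_file` values are now built with `filepath.Join`, which uses the separator of the operating system the operator was compiled for, while these strings are paths inside the container and are written into the web configuration file. `path.Join` always joins with `/` and is the better fit, e.g. `Value: path.Join(tlsRefs.getCertMountPath(), tlsRefs.getCertFilename())`, and likewise for the key and client CA cases. Both joins also clean the result, unlike the previous `fmt.Sprintf("%s/%s", …)`, so a Secret or ConfigMap key containing `..` segments now ends up as a normalized path; if keys are not validated elsewhere, it is worth rejecting keys with path separators before they reach this function. `addTLSServerConfigToYaml` starts and ends outside the hunk.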


@ -140,9 +140,9 @@ func TestCreateOrUpdateWebConfigSecret(t *testing.T) {
},
Key: "tls.keySecret",
},
ClientAuthType: "RequireAnyClientCert",
MinVersion: "TLS11",
MaxVersion: "TLS13",
ClientAuthType: ptr.To("RequireAnyClientCert"),
MinVersion: ptr.To("TLS11"),
MaxVersion: ptr.To("TLS13"),
CipherSuites: []string{"cipher-1", "cipher-2"},
PreferServerCipherSuites: ptr.To(false),
CurvePreferences: []string{"curve-1", "curve-2"},
@ -154,9 +154,9 @@ func TestCreateOrUpdateWebConfigSecret(t *testing.T) {
name: "TLS config with client CA, cert and key files",
webConfigFileFields: monitoringv1.WebConfigFileFields{
TLSConfig: &monitoringv1.WebTLSConfig{
ClientCAFile: "/etc/ssl/certs/tls.client_ca",
CertFile: "/etc/ssl/certs/tls.crt",
KeyFile: "/etc/ssl/secrets/tls.key",
ClientCAFile: ptr.To("/etc/ssl/certs/tls.client_ca"),
CertFile: ptr.To("/etc/ssl/certs/tls.crt"),
KeyFile: ptr.To("/etc/ssl/secrets/tls.key"),
},
},
golden: "TLS_config_with_client_CA_cert_and_key_files.golden",


@ -17,6 +17,7 @@ package webconfig
import (
"fmt"
"path"
"path/filepath"
corev1 "k8s.io/api/core/v1"
@ -28,48 +29,30 @@ const (
volumePrefix = "web-config-tls-"
)
// tlsCredentials are the credentials used for web TLS.
type tlsCredentials struct {
// mountPath is the directory where TLS credentials are intended to be mounted.
// tlsReferences represent TLS material referenced from secrets/configmaps.
type tlsReferences struct {
// mountPath is the directory where the TLS files are intended to be mounted.
mountPath string
// keySecret is the Kubernetes secret containing the TLS key.
// keySecret is the Kubernetes Secret containing the TLS private key.
keySecret corev1.SecretKeySelector
// keyFile is file path containing the TLS key
keyFile string
// cert is the kubernetes secret or configmap containing the TLS certificate
// cert is the Kubernetes Secret or ConfigMap containing the TLS certificate.
cert monitoringv1.SecretOrConfigMap
// certFile is file path containing the TLS certificate
certFile string
// clientCA is the kubernetes secret or configmap containing the client CA certificate
// clientCA is the Kubernetes Secret or ConfigMap containing the client CA certificate.
clientCA monitoringv1.SecretOrConfigMap
// clientCAFile is file path containing the client CA certificate
clientCAFile string
}
// newTLSCredentials creates new tlsCredentials from secrets of configmaps.
func newTLSCredentials(
mountPath string,
keySecret corev1.SecretKeySelector,
keyFile string,
cert monitoringv1.SecretOrConfigMap,
certFile string,
clientCA monitoringv1.SecretOrConfigMap,
clientCAFile string,
) *tlsCredentials {
return &tlsCredentials{
mountPath: mountPath,
keySecret: keySecret,
keyFile: keyFile,
cert: cert,
certFile: certFile,
clientCA: clientCA,
clientCAFile: clientCAFile,
func newTLSReferences(mountPath string, cfg monitoringv1.WebTLSConfig) *tlsReferences {
return &tlsReferences{
mountPath: mountPath,
keySecret: cfg.KeySecret,
cert: cfg.Cert,
clientCA: cfg.ClientCA,
}
}
// getMountParameters creates volumes and volume mounts referencing the TLS credentials.
func (a *tlsCredentials) getMountParameters() ([]corev1.Volume, []corev1.VolumeMount, error) {
func (tr *tlsReferences) getMountParameters() ([]corev1.Volume, []corev1.VolumeMount, error) {
var (
volumes []corev1.Volume
mounts []corev1.VolumeMount
@ -77,36 +60,36 @@ func (a *tlsCredentials) getMountParameters() ([]corev1.Volume, []corev1.VolumeM
)
prefix := volumePrefix + "secret-key-"
volumes, mounts, err = a.mountParamsForSecret(volumes, mounts, a.keySecret, prefix, a.getKeyMountPath())
volumes, mounts, err = tr.mountParamsForSecret(volumes, mounts, tr.keySecret, prefix, tr.getKeyMountPath())
if err != nil {
return nil, nil, err
}
switch {
case a.cert.Secret != nil:
case tr.cert.Secret != nil:
prefix := volumePrefix + "secret-cert-"
volumes, mounts, err = a.mountParamsForSecret(volumes, mounts, *a.cert.Secret, prefix, a.getCertMountPath())
volumes, mounts, err = tr.mountParamsForSecret(volumes, mounts, *tr.cert.Secret, prefix, tr.getCertMountPath())
if err != nil {
return nil, nil, err
}
case a.cert.ConfigMap != nil:
case tr.cert.ConfigMap != nil:
prefix := volumePrefix + "configmap-cert-"
volumes, mounts, err = a.mountParamsForConfigmap(volumes, mounts, *a.cert.ConfigMap, prefix, a.getCertMountPath())
volumes, mounts, err = tr.mountParamsForConfigmap(volumes, mounts, *tr.cert.ConfigMap, prefix, tr.getCertMountPath())
if err != nil {
return nil, nil, err
}
}
switch {
case a.clientCA.Secret != nil:
case tr.clientCA.Secret != nil:
prefix := volumePrefix + "secret-client-ca-"
volumes, mounts, err = a.mountParamsForSecret(volumes, mounts, *a.clientCA.Secret, prefix, a.getCAMountPath())
volumes, mounts, err = tr.mountParamsForSecret(volumes, mounts, *tr.clientCA.Secret, prefix, tr.getCAMountPath())
if err != nil {
return nil, nil, err
}
case a.clientCA.ConfigMap != nil:
case tr.clientCA.ConfigMap != nil:
prefix := volumePrefix + "configmap-client-ca-"
volumes, mounts, err = a.mountParamsForConfigmap(volumes, mounts, *a.clientCA.ConfigMap, prefix, a.getCAMountPath())
volumes, mounts, err = tr.mountParamsForConfigmap(volumes, mounts, *tr.clientCA.ConfigMap, prefix, tr.getCAMountPath())
if err != nil {
return nil, nil, err
}
@ -115,7 +98,7 @@ func (a *tlsCredentials) getMountParameters() ([]corev1.Volume, []corev1.VolumeM
return volumes, mounts, nil
}
func (a *tlsCredentials) mountParamsForSecret(
func (tr *tlsReferences) mountParamsForSecret(
volumes []corev1.Volume,
mounts []corev1.VolumeMount,
secret corev1.SecretKeySelector,
@ -154,7 +137,7 @@ func (a *tlsCredentials) mountParamsForSecret(
return volumes, mounts, nil
}
func (a *tlsCredentials) mountParamsForConfigmap(
func (tr *tlsReferences) mountParamsForConfigmap(
volumes []corev1.Volume,
mounts []corev1.VolumeMount,
configMap corev1.ConfigMapKeySelector,
@ -195,64 +178,64 @@ func (a *tlsCredentials) mountParamsForConfigmap(
return volumes, mounts, nil
}
// getKeyMountPath is the mount path of the TLS key inside a prometheus container.
func (a *tlsCredentials) getKeyMountPath() string {
secret := monitoringv1.SecretOrConfigMap{Secret: &a.keySecret}
return a.tlsPathForSelector(secret, "key")
// getKeyMountPath is the mount path of the private key inside a container.
func (tr *tlsReferences) getKeyMountPath() string {
secret := monitoringv1.SecretOrConfigMap{Secret: &tr.keySecret}
return tr.tlsPathForSelector(secret, "key")
}
// getKeyFilename returns the filename (key) of the key.
func (a *tlsCredentials) getKeyFilename() string {
return a.keySecret.Key
// getKeyFilename returns the filename (key) of the private key.
func (tr *tlsReferences) getKeyFilename() string {
return tr.keySecret.Key
}
// getCertMountPath is the mount path of the TLS certificate inside a prometheus container,.
func (a *tlsCredentials) getCertMountPath() string {
if a.cert.ConfigMap != nil || a.cert.Secret != nil {
return a.tlsPathForSelector(a.cert, "cert")
// getCertMountPath is the mount path of the TLS certificate inside a container.
func (tr *tlsReferences) getCertMountPath() string {
if tr.cert.ConfigMap != nil || tr.cert.Secret != nil {
return tr.tlsPathForSelector(tr.cert, "cert")
}
return ""
}
// getCertFilename returns the filename (key) of the certificate.
func (a *tlsCredentials) getCertFilename() string {
if a.cert.Secret != nil {
return a.cert.Secret.Key
} else if a.cert.ConfigMap != nil {
return a.cert.ConfigMap.Key
func (tr *tlsReferences) getCertFilename() string {
if tr.cert.Secret != nil {
return tr.cert.Secret.Key
} else if tr.cert.ConfigMap != nil {
return tr.cert.ConfigMap.Key
}
return ""
}
// getCAMountPath is the mount path of the client CA certificate inside a prometheus container.
func (a *tlsCredentials) getCAMountPath() string {
if a.clientCA.ConfigMap != nil || a.clientCA.Secret != nil {
return a.tlsPathForSelector(a.clientCA, "ca")
// getCAMountPath is the mount path of the client CA certificate inside a container.
func (tr *tlsReferences) getCAMountPath() string {
if tr.clientCA.ConfigMap != nil || tr.clientCA.Secret != nil {
return tr.tlsPathForSelector(tr.clientCA, "ca")
}
return ""
}
// getCAFilename is the mount path of the client CA certificate inside a prometheus container.
func (a *tlsCredentials) getCAFilename() string {
if a.clientCA.Secret != nil {
return a.clientCA.Secret.Key
} else if a.clientCA.ConfigMap != nil {
return a.clientCA.ConfigMap.Key
// getCAFilename retruns the filename (key) of the client CA certificate.
func (tr *tlsReferences) getCAFilename() string {
if tr.clientCA.Secret != nil {
return tr.clientCA.Secret.Key
} else if tr.clientCA.ConfigMap != nil {
return tr.clientCA.ConfigMap.Key
}
return ""
}
func (a *tlsCredentials) tlsPathForSelector(sel monitoringv1.SecretOrConfigMap, mountType string) string {
func (tr *tlsReferences) tlsPathForSelector(sel monitoringv1.SecretOrConfigMap, mountType string) string {
var filename string
if sel.Secret != nil {
filename = fmt.Sprintf("secret/%s-%s", sel.Secret.Name, mountType)
filename = filepath.Join("secret", fmt.Sprintf("%s-%s", sel.Secret.Name, mountType))
} else {
filename = fmt.Sprintf("configmap/%s-%s", sel.ConfigMap.Name, mountType)
filename = filepath.Join("configmap", fmt.Sprintf("%s-%s", sel.ConfigMap.Name, mountType))
}
return path.Join(a.mountPath, filename)
return path.Join(tr.mountPath, filename)
}


@ -317,7 +317,7 @@ func (f *Framework) EnableRemoteWriteReceiverWithTLS(p *monitoringv1.Prometheus)
Key: PrivateKey,
},
// Liveness/readiness probes don't work when using "RequireAndVerifyClientCert".
ClientAuthType: "VerifyClientCertIfGiven",
ClientAuthType: ptr.To("VerifyClientCertIfGiven"),
},
},
}
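Review bot: The comment above `ClientAuthType` in `EnableRemoteWriteReceiverWithTLS` says why `RequireAndVerifyClientCert` is avoided, but not what the chosen mode gives up. With `VerifyClientCertIfGiven`, a client that presents no certificate is still accepted, so tests built on this helper do not show that client-certificate authentication is enforced on the receiver. I would add a second comment line, e.g. `// "VerifyClientCertIfGiven" still accepts clients without a certificate, so this setup does not test enforced mTLS.` The enclosing function starts outside the hunk, so any stricter check elsewhere in it is not visible here.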