
Merge pull request from simonpasquier/refactor-store-pkg-tokens

chore: refactor token management in the assets package
This commit is contained in:
Simon Pasquier 2024-06-04 08:37:38 +02:00 committed by GitHub
commit 77e92ecd4e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 263 additions and 247 deletions


@ -1097,37 +1097,37 @@ func checkReceivers(ctx context.Context, amc *monitoringv1alpha1.AlertmanagerCon
for i, receiver := range amc.Spec.Receivers {
amcKey := fmt.Sprintf("alertmanagerConfig/%s/%s/%d", amc.GetNamespace(), amc.GetName(), i)
err := checkPagerDutyConfigs(ctx, receiver.PagerDutyConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err := checkPagerDutyConfigs(ctx, receiver.PagerDutyConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkOpsGenieConfigs(ctx, receiver.OpsGenieConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkOpsGenieConfigs(ctx, receiver.OpsGenieConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkDiscordConfigs(ctx, receiver.DiscordConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkDiscordConfigs(ctx, receiver.DiscordConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkSlackConfigs(ctx, receiver.SlackConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkSlackConfigs(ctx, receiver.SlackConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkWebhookConfigs(ctx, receiver.WebhookConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkWebhookConfigs(ctx, receiver.WebhookConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkWechatConfigs(ctx, receiver.WeChatConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkWechatConfigs(ctx, receiver.WeChatConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkWebexConfigs(ctx, receiver.WebexConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkWebexConfigs(ctx, receiver.WebexConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
@ -1137,12 +1137,12 @@ func checkReceivers(ctx context.Context, amc *monitoringv1alpha1.AlertmanagerCon
return err
}
err = checkVictorOpsConfigs(ctx, receiver.VictorOpsConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkVictorOpsConfigs(ctx, receiver.VictorOpsConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkPushoverConfigs(ctx, receiver.PushoverConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkPushoverConfigs(ctx, receiver.PushoverConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
@ -1152,12 +1152,12 @@ func checkReceivers(ctx context.Context, amc *monitoringv1alpha1.AlertmanagerCon
return err
}
err = checkTelegramConfigs(ctx, receiver.TelegramConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkTelegramConfigs(ctx, receiver.TelegramConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
err = checkMSTeamsConfigs(ctx, receiver.MSTeamsConfigs, amc.GetNamespace(), amcKey, store, amVersion)
err = checkMSTeamsConfigs(ctx, receiver.MSTeamsConfigs, amc.GetNamespace(), store, amVersion)
if err != nil {
return err
}
@ -1170,17 +1170,14 @@ func checkPagerDutyConfigs(
ctx context.Context,
configs []monitoringv1alpha1.PagerDutyConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
pagerDutyConfigKey := fmt.Sprintf("%s/pagerduty/%d", key, i)
if config.RoutingKey != nil {
if _, err := store.GetSecretKey(ctx, namespace, *config.RoutingKey); err != nil {
return err
@ -1193,7 +1190,7 @@ func checkPagerDutyConfigs(
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, pagerDutyConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1205,18 +1202,16 @@ func checkOpsGenieConfigs(
ctx context.Context,
configs []monitoringv1alpha1.OpsGenieConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
if err := checkOpsGenieResponder(config.Responders, amVersion); err != nil {
return err
}
opsgenieConfigKey := fmt.Sprintf("%s/opsgenie/%d", key, i)
if config.APIKey != nil {
if _, err := store.GetSecretKey(ctx, namespace, *config.APIKey); err != nil {
@ -1224,7 +1219,7 @@ func checkOpsGenieConfigs(
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, opsgenieConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1246,24 +1241,23 @@ func checkDiscordConfigs(
ctx context.Context,
configs []monitoringv1alpha1.DiscordConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
if len(configs) == 0 {
return nil
}
if amVersion.LT(semver.MustParse("0.25.0")) {
return fmt.Errorf(`discordConfigs' is available in Alertmanager >= 0.25.0 only - current %s`, amVersion)
}
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
discordConfigKey := fmt.Sprintf("%s/discord/%d", key, i)
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, discordConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
@ -1279,15 +1273,13 @@ func checkSlackConfigs(
ctx context.Context,
configs []monitoringv1alpha1.SlackConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
slackConfigKey := fmt.Sprintf("%s/slack/%d", key, i)
if config.APIURL != nil {
if _, err := store.GetSecretKey(ctx, namespace, *config.APIURL); err != nil {
@ -1295,7 +1287,7 @@ func checkSlackConfigs(
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, slackConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1307,15 +1299,13 @@ func checkWebhookConfigs(
ctx context.Context,
configs []monitoringv1alpha1.WebhookConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
webhookConfigKey := fmt.Sprintf("%s/webhook/%d", key, i)
if config.URLSecret != nil {
url, err := store.GetSecretKey(ctx, namespace, *config.URLSecret)
@ -1327,7 +1317,7 @@ func checkWebhookConfigs(
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, webhookConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1339,15 +1329,13 @@ func checkWechatConfigs(
ctx context.Context,
configs []monitoringv1alpha1.WeChatConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
wechatConfigKey := fmt.Sprintf("%s/wechat/%d", key, i)
if config.APISecret != nil {
if _, err := store.GetSecretKey(ctx, namespace, *config.APISecret); err != nil {
@ -1355,7 +1343,7 @@ func checkWechatConfigs(
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, wechatConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1367,7 +1355,6 @@ func checkWebexConfigs(
ctx context.Context,
configs []monitoringv1alpha1.WebexConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
@ -1379,13 +1366,12 @@ func checkWebexConfigs(
return fmt.Errorf(`webexConfigs' is available in Alertmanager >= 0.25.0 only - current %s`, amVersion)
}
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
webexConfigKey := fmt.Sprintf("%s/webex/%d", key, i)
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, webexConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1418,11 +1404,10 @@ func checkVictorOpsConfigs(
ctx context.Context,
configs []monitoringv1alpha1.VictorOpsConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
@ -1432,8 +1417,7 @@ func checkVictorOpsConfigs(
}
}
victoropsConfigKey := fmt.Sprintf("%s/victorops/%d", key, i)
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, victoropsConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1445,7 +1429,6 @@ func checkPushoverConfigs(
ctx context.Context,
configs []monitoringv1alpha1.PushoverConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
@ -1463,7 +1446,7 @@ func checkPushoverConfigs(
return nil
}
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
@ -1474,8 +1457,7 @@ func checkPushoverConfigs(
return err
}
pushoverConfigKey := fmt.Sprintf("%s/pushover/%d", key, i)
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, pushoverConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1491,16 +1473,16 @@ func checkSnsConfigs(
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
snsConfigKey := fmt.Sprintf("%s/sns/%d", key, i)
if err := store.AddSigV4(ctx, namespace, config.Sigv4, key); err != nil {
return err
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, snsConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1511,31 +1493,29 @@ func checkTelegramConfigs(
ctx context.Context,
configs []monitoringv1alpha1.TelegramConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
if len(configs) == 0 {
return nil
}
if amVersion.LT(semver.MustParse("0.24.0")) {
return fmt.Errorf(`telegramConfigs' is available in Alertmanager >= 0.24.0 only - current %s`, amVersion)
}
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
telegramConfigKey := fmt.Sprintf("%s/telegram/%d", key, i)
if config.BotToken != nil {
if _, err := store.GetSecretKey(ctx, namespace, *config.BotToken); err != nil {
return err
}
}
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, telegramConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1547,25 +1527,23 @@ func checkMSTeamsConfigs(
ctx context.Context,
configs []monitoringv1alpha1.MSTeamsConfig,
namespace string,
key string,
store *assets.StoreBuilder,
amVersion semver.Version,
) error {
if len(configs) == 0 {
return nil
}
if amVersion.LT(semver.MustParse("0.26.0")) {
return fmt.Errorf(`invalid syntax in receivers config; msteams integration is only available in Alertmanager >= 0.26.0`)
}
for i, config := range configs {
for _, config := range configs {
if err := checkHTTPConfig(config.HTTPConfig, amVersion); err != nil {
return err
}
msteamsConfigKey := fmt.Sprintf("%s/msteams/%d", key, i)
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, msteamsConfigKey, store); err != nil {
if err := configureHTTPConfigInStore(ctx, config.HTTPConfig, namespace, store); err != nil {
return err
}
}
@ -1605,19 +1583,19 @@ func checkInhibitRules(amc *monitoringv1alpha1.AlertmanagerConfig, version semve
}
// configureHTTPConfigInStore configures the asset store for HTTPConfigs.
func configureHTTPConfigInStore(ctx context.Context, httpConfig *monitoringv1alpha1.HTTPConfig, namespace string, key string, store *assets.StoreBuilder) error {
func configureHTTPConfigInStore(ctx context.Context, httpConfig *monitoringv1alpha1.HTTPConfig, namespace string, store *assets.StoreBuilder) error {
if httpConfig == nil {
return nil
}
var err error
if httpConfig.BearerTokenSecret != nil {
if err = store.AddBearerToken(ctx, namespace, httpConfig.BearerTokenSecret, key); err != nil {
if _, err = store.GetSecretKey(ctx, namespace, *httpConfig.BearerTokenSecret); err != nil {
return err
}
}
if err = store.AddSafeAuthorizationCredentials(ctx, namespace, httpConfig.Authorization, key); err != nil {
if err = store.AddSafeAuthorizationCredentials(ctx, namespace, httpConfig.Authorization); err != nil {
return err
}
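Review bot: The bearer-token check in configureHTTPConfigInStore, `_, err = store.GetSecretKey(ctx, namespace, *httpConfig.BearerTokenSecret)`, no longer skips a selector whose Name is empty, whereas the removed addToken returned nil in that case and AddSafeAuthorizationCredentials in the same commit keeps an `auth.Credentials.Name != ""` guard before its lookup; unless GetSecretKey itself tolerates an empty name, a change described as a refactor now rejects AlertmanagerConfig objects that previously passed validation. If the stricter behaviour is intended, record it next to the call, e.g. `// An empty secret name is rejected here on purpose: the reference must resolve at validation time so config generation can read it from the cache.`; otherwise mirror the guard with `if httpConfig.BearerTokenSecret != nil && httpConfig.BearerTokenSecret.Name != "" {`. The `var err error` above is now only shared with the AddSafeAuthorizationCredentials call, so `if _, err := store.GetSecretKey(...); err != nil {` would keep the error scoped to its branch. configureHTTPConfigInStore continues past the end of the hunk.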


@ -1804,9 +1804,11 @@ func (c *SafeAuthorization) Validate() error {
if strings.ToLower(strings.TrimSpace(c.Type)) == "basic" {
return &AuthorizationValidationError{`Authorization type cannot be set to "basic", use "basic_auth" instead`}
}
if c.Credentials == nil {
return &AuthorizationValidationError{"Authorization credentials are required"}
}
return nil
}
@ -1822,9 +1824,11 @@ func (c *Authorization) Validate() error {
if c.Credentials != nil && c.CredentialsFile != "" {
return &AuthorizationValidationError{"Authorization can not specify both Credentials and CredentialsFile"}
}
if strings.ToLower(strings.TrimSpace(c.Type)) == "basic" {
return &AuthorizationValidationError{"Authorization type cannot be set to \"basic\", use \"basic_auth\" instead"}
}
return nil
}
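Review bot: The "basic" rejection appears in both SafeAuthorization.Validate and Authorization.Validate with the same message spelled two ways (a raw-string literal with plain quotes in one, escaped quotes in an interpreted string in the other); the rendered page does not show which of these lines the commit adds, so this may be pre-existing drift, but the commit touching both functions is the moment to pick one spelling. If Authorization.Validate deliberately repeats the check instead of calling the embedded SafeAuthorization.Validate because Authorization also accepts CredentialsFile and must not trip the new credentials-required rule, a comment above the repeated check, `// Not delegated to SafeAuthorization.Validate: Authorization may use CredentialsFile instead of Credentials.`, would explain the duplication to the next reader. Both functions start outside the hunks.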


@ -44,7 +44,6 @@ type StoreBuilder struct {
objStore cache.Store
TLSAssets map[TLSAssetKey]TLSAsset
TokenAssets map[string]Token
SigV4Assets map[string]SigV4Credentials
AzureOAuthAssets map[string]AzureOAuthCredentials
}
@ -71,7 +70,6 @@ func NewStoreBuilder(cmClient corev1client.ConfigMapsGetter, sClient corev1clien
cmClient: cmClient,
sClient: sClient,
TLSAssets: make(map[TLSAssetKey]TLSAsset),
TokenAssets: make(map[string]Token),
SigV4Assets: make(map[string]SigV4Credentials),
AzureOAuthAssets: make(map[string]AzureOAuthCredentials),
objStore: cache.NewStore(assetKeyFunc),
@ -214,35 +212,7 @@ func (s *StoreBuilder) AddOAuth2(ctx context.Context, ns string, oauth2 *monitor
return nil
}
// AddToken processes the given SecretKeySelector and adds the referenced data to the store.
func (s *StoreBuilder) addToken(ctx context.Context, ns string, sel *v1.SecretKeySelector, key string) error {
if sel == nil {
return nil
}
if sel.Name == "" {
return nil
}
token, err := s.GetSecretKey(ctx, ns, *sel)
if err != nil {
return fmt.Errorf("failed to get token from secret: %w", err)
}
s.TokenAssets[key] = Token(token)
return nil
}
func (s *StoreBuilder) AddBearerToken(ctx context.Context, ns string, sel *v1.SecretKeySelector, key string) error {
err := s.addToken(ctx, ns, sel, key)
if err != nil {
return fmt.Errorf("failed to get bearer token: %w", err)
}
return nil
}
func (s *StoreBuilder) AddSafeAuthorizationCredentials(ctx context.Context, namespace string, auth *monitoringv1.SafeAuthorization, key string) error {
func (s *StoreBuilder) AddSafeAuthorizationCredentials(ctx context.Context, namespace string, auth *monitoringv1.SafeAuthorization) error {
if auth == nil || auth.Credentials == nil {
return nil
}
@ -251,14 +221,16 @@ func (s *StoreBuilder) AddSafeAuthorizationCredentials(ctx context.Context, name
return err
}
err := s.addToken(ctx, namespace, auth.Credentials, key)
if err != nil {
return fmt.Errorf("failed to get authorization token of type %q: %w", auth.Type, err)
if auth.Credentials.Name != "" {
if _, err := s.GetSecretKey(ctx, namespace, *auth.Credentials); err != nil {
return fmt.Errorf("failed to get authorization token of type %q: %w", auth.Type, err)
}
}
return nil
}
func (s *StoreBuilder) AddAuthorizationCredentials(ctx context.Context, namespace string, auth *monitoringv1.Authorization, key string) error {
func (s *StoreBuilder) AddAuthorizationCredentials(ctx context.Context, namespace string, auth *monitoringv1.Authorization) error {
if auth == nil || auth.Credentials == nil {
return nil
}
@ -267,10 +239,12 @@ func (s *StoreBuilder) AddAuthorizationCredentials(ctx context.Context, namespac
return err
}
err := s.addToken(ctx, namespace, auth.Credentials, key)
if err != nil {
return fmt.Errorf("failed to get authorization token of type %q: %w", auth.Type, err)
if auth.Credentials != nil && auth.Credentials.Name != "" {
if _, err := s.GetSecretKey(ctx, namespace, *auth.Credentials); err != nil {
return fmt.Errorf("failed to get authorization token of type %q: %w", auth.Type, err)
}
}
return nil
}
@ -473,8 +447,10 @@ func (cos *cacheOnlyStore) GetSecretOrConfigMapKey(key monitoringv1.SecretOrConf
return "", err
}
return string(b), nil
case key.ConfigMap != nil:
return cos.GetConfigMapKey(*key.ConfigMap)
default:
return "", nil
}
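Review bot: In AddAuthorizationCredentials the new guard `if auth.Credentials != nil && auth.Credentials.Name != "" {` re-tests a pointer that the early return at the top of the method already proved non-nil; `if auth.Credentials.Name != "" {`, as written in AddSafeAuthorizationCredentials just above, would make the two methods read the same. Both methods now fetch the secret and discard the value, so their purpose is no longer obvious from the Add prefix; a doc comment such as `// AddSafeAuthorizationCredentials verifies that the secret referenced by auth.Credentials exists and is readable; config generation looks the value up again through ForNamespace.` (and its twin on AddAuthorizationCredentials) would record the contract the test file relies on. Whether the call also populates the cache that ForNamespace reads from is not visible in this hunk and should be confirmed before the comment says so. The lines between the two hunks of each method are not shown.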


@ -65,7 +65,7 @@ hvBlhCknnq89u57O41ID6Mqxz3bRxNxpkqhfMyVWcVU=
-----END RSA PRIVATE KEY-----`
)
func TestAddBearerToken(t *testing.T) {
func TestGetSecretKey(t *testing.T) {
c := fake.NewSimpleClientset(
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
@ -78,7 +78,7 @@ func TestAddBearerToken(t *testing.T) {
},
)
for i, tc := range []struct {
for _, tc := range []struct {
ns string
selectedName string
selectedKey string
@ -128,8 +128,7 @@ func TestAddBearerToken(t *testing.T) {
Key: tc.selectedKey,
}
key := fmt.Sprintf("bearertoken/%d", i)
err := store.AddBearerToken(context.Background(), tc.ns, &sel, key)
s, err := store.GetSecretKey(context.Background(), tc.ns, sel)
if tc.err {
if err == nil {
@ -142,13 +141,7 @@ func TestAddBearerToken(t *testing.T) {
t.Fatalf("expecting no error, got %q", err)
}
s, found := store.TokenAssets[key]
if !found {
t.Fatalf("expecting to find key %q but got nothing", key)
}
if string(s) != tc.expected {
if s != tc.expected {
t.Fatalf("expecting %q, got %q", tc.expected, s)
}
})
@ -802,7 +795,7 @@ func TestAddAuthorization(t *testing.T) {
},
)
for i, tc := range []struct {
for _, tc := range []struct {
ns string
selectedName string
selectedKey string
@ -835,6 +828,14 @@ func TestAddAuthorization(t *testing.T) {
err: true,
},
{
ns: "ns1",
selectedName: "",
selectedKey: "",
authType: "Bearer",
expected: "",
},
} {
t.Run("", func(t *testing.T) {
store := NewStoreBuilder(c.CoreV1(), c.CoreV1())
@ -850,8 +851,7 @@ func TestAddAuthorization(t *testing.T) {
},
}
key := fmt.Sprintf("foo/auth/%d", i)
err := store.AddAuthorizationCredentials(context.Background(), tc.ns, sel, key)
err := store.AddAuthorizationCredentials(context.Background(), tc.ns, sel)
if tc.err {
if err == nil {
@ -864,13 +864,17 @@ func TestAddAuthorization(t *testing.T) {
t.Fatalf("expecting no error, got %q", err)
}
sec, found := store.TokenAssets[key]
if !found {
t.Fatalf("expecting to find key %q but got nothing", key)
if sel.Credentials.Name == "" {
return
}
s := string(sec)
b, err := store.ForNamespace(tc.ns).GetSecretKey(*sel.Credentials)
if err != nil {
t.Fatalf("expecting to find secret key but got %s", err)
}
s := string(b)
if s != tc.expected {
t.Fatalf("expecting %q, got %q", tc.expected, s)
}
@ -901,7 +905,7 @@ func TestAddAuthorizationNoCredentials(t *testing.T) {
CredentialsFile: "/path/to/secret",
}
err := store.AddAuthorizationCredentials(context.Background(), "foo", sel, "foo/bar")
err := store.AddAuthorizationCredentials(context.Background(), "foo", sel)
if err != nil {
t.Fatalf("expecting no error, got %q", err)
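Review bot: The new empty-name case in TestAddAuthorization only asserts that AddAuthorizationCredentials returns no error, because the `if sel.Credentials.Name == "" { return }` guard skips the lookup, so its `expected: ""` field is never compared against anything. Either drop the unused field from that case or state the intended contract in the test, e.g. assert the result of `store.ForNamespace(tc.ns).GetSecretKey(*sel.Credentials)` for the empty name — the hunk does not show whether that lookup is expected to fail or to return an empty string. A short comment on the guard, `// AddAuthorizationCredentials skips an empty secret name, so there is nothing to look up.`, would explain the early return. The test function continues outside the hunk.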


@ -493,8 +493,7 @@ func (cg *ConfigGenerator) addSigv4ToYaml(cfg yaml.MapSlice,
func (cg *ConfigGenerator) addSafeAuthorizationToYaml(
cfg yaml.MapSlice,
assetStoreKey string,
store *assets.StoreBuilder,
store assets.StoreGetter,
auth *monitoringv1.SafeAuthorization,
) yaml.MapSlice {
if auth == nil {
@ -508,20 +507,20 @@ func (cg *ConfigGenerator) addSafeAuthorizationToYaml(
authCfg = append(authCfg, yaml.MapItem{Key: "type", Value: strings.TrimSpace(auth.Type)})
if auth.Credentials != nil {
if s, ok := store.TokenAssets[assetStoreKey]; ok {
authCfg = append(authCfg, yaml.MapItem{Key: "credentials", Value: s})
b, err := store.GetSecretKey(*auth.Credentials)
if err != nil {
level.Error(cg.logger).Log("err", fmt.Sprintf("invalid credentials ref: %s", err))
} else {
authCfg = append(authCfg, yaml.MapItem{Key: "credentials", Value: string(b)})
}
}
// extract current cfg section from assetStoreKey, assuming
// "<component>/something..."
return cg.WithMinimumVersion("2.26.0").WithKeyVals("component", strings.Split(assetStoreKey, "/")[0]).AppendMapItem(cfg, "authorization", authCfg)
return cg.WithMinimumVersion("2.26.0").AppendMapItem(cfg, "authorization", authCfg)
}
func (cg *ConfigGenerator) addAuthorizationToYaml(
cfg yaml.MapSlice,
assetStoreKey string,
store *assets.StoreBuilder,
store assets.StoreGetter,
auth *monitoringv1.Authorization,
) yaml.MapSlice {
if auth == nil {
@ -530,13 +529,13 @@ func (cg *ConfigGenerator) addAuthorizationToYaml(
// reuse addSafeAuthorizationToYaml and unpack the part we're interested
// in, namely the value under the "authorization" key
authCfg := cg.addSafeAuthorizationToYaml(yaml.MapSlice{}, assetStoreKey, store, &auth.SafeAuthorization)[0].Value.(yaml.MapSlice)
authCfg := cg.addSafeAuthorizationToYaml(yaml.MapSlice{}, store, &auth.SafeAuthorization)[0].Value.(yaml.MapSlice)
if auth.CredentialsFile != "" {
authCfg = append(authCfg, yaml.MapItem{Key: "credentials_file", Value: auth.CredentialsFile})
}
return cg.WithMinimumVersion("2.26.0").WithKeyVals("component", strings.Split(assetStoreKey, "/")[0]).AppendMapItem(cfg, "authorization", authCfg)
return cg.WithMinimumVersion("2.26.0").AppendMapItem(cfg, "authorization", authCfg)
}
func (cg *ConfigGenerator) buildExternalLabels() yaml.MapSlice {
@ -893,19 +892,24 @@ func (cg *ConfigGenerator) generatePodMonitorConfig(
cfg = addTLStoYaml(cfg, m.Namespace, mergeSafeTLSConfigWithScrapeClass(ep.TLSConfig, scrapeClass))
s := store.ForNamespace(m.Namespace)
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
if ep.BearerTokenSecret.Name != "" {
level.Debug(cg.logger).Log("msg", "'bearerTokenSecret' is deprecated, use 'authorization' instead.")
if s, ok := store.TokenAssets[fmt.Sprintf("podMonitor/%s/%s/%d", m.Namespace, m.Name, i)]; ok {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: s})
b, err := s.GetSecretKey(ep.BearerTokenSecret)
if err != nil {
level.Error(cg.logger).Log("err", fmt.Sprintf("invalid bearer token secret ref: %s", err))
} else {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: string(b)})
}
}
s := store.ForNamespace(m.Namespace)
cfg = cg.addBasicAuthToYaml(cfg, s, ep.BasicAuth)
cfg = cg.addOAuth2ToYaml(cfg, s, ep.OAuth2)
cfg = cg.addSafeAuthorizationToYaml(cfg, fmt.Sprintf("podMonitor/auth/%s/%s/%d", m.Namespace, m.Name, i), store, ep.Authorization)
cfg = cg.addSafeAuthorizationToYaml(cfg, s, ep.Authorization)
relabelings := initRelabelings()
@ -1296,18 +1300,21 @@ func (cg *ConfigGenerator) generateProbeConfig(
cfg = addTLStoYaml(cfg, m.Namespace, mergeSafeTLSConfigWithScrapeClass(m.Spec.TLSConfig, scrapeClass))
s := store.ForNamespace(m.Namespace)
if m.Spec.BearerTokenSecret.Name != "" {
pnKey := fmt.Sprintf("probe/%s/%s", m.GetNamespace(), m.GetName())
if s, ok := store.TokenAssets[pnKey]; ok {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: s})
b, err := s.GetSecretKey(m.Spec.BearerTokenSecret)
if err != nil {
level.Error(cg.logger).Log("err", fmt.Sprintf("invalid bearer token secret ref: %s", err))
} else {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: string(b)})
}
}
s := store.ForNamespace(m.Namespace)
cfg = cg.addBasicAuthToYaml(cfg, s, m.Spec.BasicAuth)
cfg = cg.addOAuth2ToYaml(cfg, s, m.Spec.OAuth2)
cfg = cg.addSafeAuthorizationToYaml(cfg, fmt.Sprintf("probe/auth/%s/%s", m.Namespace, m.Name), store, m.Spec.Authorization)
cfg = cg.addSafeAuthorizationToYaml(cfg, s, m.Spec.Authorization)
metricRelabelings := []monitoringv1.RelabelConfig{}
metricRelabelings = append(metricRelabelings, scrapeClass.MetricRelabelings...)
@ -1391,14 +1398,19 @@ func (cg *ConfigGenerator) generateServiceMonitorConfig(
if ep.BearerTokenSecret != nil && ep.BearerTokenSecret.Name != "" { //nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
level.Debug(cg.logger).Log("msg", "'bearerTokenSecret' is deprecated, use 'authorization' instead.")
if s, ok := store.TokenAssets[fmt.Sprintf("serviceMonitor/%s/%s/%d", m.Namespace, m.Name, i)]; ok {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: s})
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
b, err := s.GetSecretKey(*ep.BearerTokenSecret)
if err != nil {
level.Error(cg.logger).Log("err", fmt.Sprintf("invalid bearer token secret ref: %s", err))
} else {
cfg = append(cfg, yaml.MapItem{Key: "bearer_token", Value: string(b)})
}
}
cfg = cg.addBasicAuthToYaml(cfg, store.ForNamespace(m.Namespace), ep.BasicAuth)
cfg = cg.addSafeAuthorizationToYaml(cfg, fmt.Sprintf("serviceMonitor/auth/%s/%s/%d", m.Namespace, m.Name, i), store, ep.Authorization)
cfg = cg.addSafeAuthorizationToYaml(cfg, s, ep.Authorization)
relabelings := initRelabelings()
@ -1746,12 +1758,13 @@ func (cg *ConfigGenerator) generateK8SSDConfig(
})
}
s := store.ForNamespace(namespace)
if apiserverConfig != nil {
k8sSDConfig = append(k8sSDConfig, yaml.MapItem{
Key: "api_server", Value: apiserverConfig.Host,
})
k8sSDConfig = cg.addBasicAuthToYaml(k8sSDConfig, store.ForNamespace(namespace), apiserverConfig.BasicAuth)
k8sSDConfig = cg.addBasicAuthToYaml(k8sSDConfig, s, apiserverConfig.BasicAuth)
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
if apiserverConfig.BearerToken != "" {
@ -1765,7 +1778,7 @@ func (cg *ConfigGenerator) generateK8SSDConfig(
k8sSDConfig = append(k8sSDConfig, yaml.MapItem{Key: "bearer_token_file", Value: apiserverConfig.BearerTokenFile})
}
k8sSDConfig = cg.addAuthorizationToYaml(k8sSDConfig, "apiserver/auth", store, apiserverConfig.Authorization)
k8sSDConfig = cg.addAuthorizationToYaml(k8sSDConfig, s, apiserverConfig.Authorization)
// TODO: If we want to support secret refs for k8s service discovery tls
// config as well, make sure to path the right namespace here.
@ -1792,6 +1805,8 @@ func (cg *ConfigGenerator) generateAlertmanagerConfig(alerting *monitoringv1.Ale
alertmanagerConfigs := make([]yaml.MapSlice, 0, len(alerting.Alertmanagers))
for i, am := range alerting.Alertmanagers {
s := store.ForNamespace(am.Namespace)
if am.Scheme == "" {
am.Scheme = "http"
}
@ -1825,9 +1840,9 @@ func (cg *ConfigGenerator) generateAlertmanagerConfig(alerting *monitoringv1.Ale
cfg = append(cfg, yaml.MapItem{Key: "bearer_token_file", Value: am.BearerTokenFile})
}
cfg = cg.WithMinimumVersion("2.26.0").addBasicAuthToYaml(cfg, store.ForNamespace(am.Namespace), am.BasicAuth)
cfg = cg.WithMinimumVersion("2.26.0").addBasicAuthToYaml(cfg, s, am.BasicAuth)
cfg = cg.addSafeAuthorizationToYaml(cfg, fmt.Sprintf("alertmanager/auth/%d", i), store, am.Authorization)
cfg = cg.addSafeAuthorizationToYaml(cfg, s, am.Authorization)
cfg = cg.WithMinimumVersion("2.48.0").addSigv4ToYaml(cfg, fmt.Sprintf("alertmanager/auth/%d", i), store, am.Sigv4)
@ -1922,8 +1937,9 @@ func (cg *ConfigGenerator) generateRemoteReadConfig(
) yaml.MapItem {
cfgs := []yaml.MapSlice{}
objMeta := cg.prom.GetObjectMeta()
s := store.ForNamespace(objMeta.GetNamespace())
for i, spec := range remoteRead {
for _, spec := range remoteRead {
// defaults
if spec.RemoteTimeout == "" {
spec.RemoteTimeout = "30s"
@ -1950,7 +1966,6 @@ func (cg *ConfigGenerator) generateRemoteReadConfig(
cfg = append(cfg, yaml.MapItem{Key: "read_recent", Value: spec.ReadRecent})
}
s := store.ForNamespace(objMeta.GetNamespace())
cfg = cg.addBasicAuthToYaml(cfg, s, spec.BasicAuth)
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
@ -1969,7 +1984,7 @@ func (cg *ConfigGenerator) generateRemoteReadConfig(
cfg = addTLStoYaml(cfg, objMeta.GetNamespace(), spec.TLSConfig)
cfg = cg.addAuthorizationToYaml(cfg, fmt.Sprintf("remoteRead/auth/%d", i), store, spec.Authorization)
cfg = cg.addAuthorizationToYaml(cfg, s, spec.Authorization)
if spec.ProxyURL != "" {
cfg = append(cfg, yaml.MapItem{Key: "proxy_url", Value: spec.ProxyURL})
@ -2122,7 +2137,7 @@ func (cg *ConfigGenerator) generateRemoteWriteConfig(
cfg = addTLStoYaml(cfg, objMeta.GetNamespace(), spec.TLSConfig)
cfg = cg.addAuthorizationToYaml(cfg, fmt.Sprintf("remoteWrite/auth/%d", i), store, spec.Authorization)
cfg = cg.addAuthorizationToYaml(cfg, s, spec.Authorization)
if spec.ProxyURL != "" {
cfg = append(cfg, yaml.MapItem{Key: "proxy_url", Value: spec.ProxyURL})
@ -2525,6 +2540,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
store *assets.StoreBuilder,
shards int32,
) (yaml.MapSlice, error) {
s := store.ForNamespace(sc.Namespace)
scrapeClass := cg.getScrapeClassOrDefault(sc.Spec.ScrapeClassName)
jobName := fmt.Sprintf("scrapeConfig/%s/%s", sc.Namespace, sc.Name)
@ -2592,9 +2608,9 @@ func (cg *ConfigGenerator) generateScrapeConfig(
cfg = cg.addProxyConfigtoYaml(ctx, cfg, sc.GetNamespace(), store, sc.Spec.ProxyConfig)
cfg = cg.addBasicAuthToYaml(cfg, store.ForNamespace(sc.Namespace), sc.Spec.BasicAuth)
cfg = cg.addBasicAuthToYaml(cfg, s, sc.Spec.BasicAuth)
cfg = cg.addSafeAuthorizationToYaml(cfg, fmt.Sprintf("scrapeconfig/auth/%s/%s", sc.Namespace, sc.Name), store, sc.Spec.Authorization)
cfg = cg.addSafeAuthorizationToYaml(cfg, s, sc.Spec.Authorization)
cfg = addTLStoYaml(cfg, sc.Namespace, mergeSafeTLSConfigWithScrapeClass(sc.Spec.TLSConfig, scrapeClass))
@ -2672,9 +2688,9 @@ func (cg *ConfigGenerator) generateScrapeConfig(
})
}
configs[i] = cg.addBasicAuthToYaml(configs[i], store.ForNamespace(sc.Namespace), config.BasicAuth)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/httpsdconfig/%d", sc.Namespace, sc.Name, i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
if config.TLSConfig != nil {
configs[i] = addSafeTLStoYaml(configs[i], sc.Namespace, *config.TLSConfig)
@ -2707,7 +2723,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/kubernetessdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
@ -2798,7 +2814,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
for i, config := range sc.Spec.ConsulSDConfigs {
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/consulsdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.Oauth2)
if config.TLSConfig != nil {
@ -3320,7 +3336,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
if len(sc.Spec.DigitalOceanSDConfigs) > 0 {
configs := make([][]yaml.MapItem, len(sc.Spec.DigitalOceanSDConfigs))
for i, config := range sc.Spec.DigitalOceanSDConfigs {
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/digitaloceansdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], store.ForNamespace(sc.GetNamespace()), config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
@ -3367,7 +3383,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
for i, config := range sc.Spec.KumaSDConfigs {
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/kumasdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
@ -3427,7 +3443,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
for i, config := range sc.Spec.EurekaSDConfigs {
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/eurekasdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
@ -3475,7 +3491,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
for i, config := range sc.Spec.DockerSDConfigs {
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/dockersdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
@ -3558,7 +3574,7 @@ func (cg *ConfigGenerator) generateScrapeConfig(
for i, config := range sc.Spec.HetznerSDConfigs {
s := store.ForNamespace(sc.Namespace)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], fmt.Sprintf("scrapeconfig/auth/%s/%s/hetznersdconfig/%d", sc.GetNamespace(), sc.GetName(), i), store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)
@ -3610,9 +3626,9 @@ func (cg *ConfigGenerator) generateScrapeConfig(
configs := make([][]yaml.MapItem, len(sc.Spec.NomadSDConfigs))
for i, config := range sc.Spec.NomadSDConfigs {
s := store.ForNamespace(sc.Namespace)
assetStoreKey := fmt.Sprintf("scrapeconfig/%s/%s/nomadsdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
configs[i] = cg.addBasicAuthToYaml(configs[i], s, config.BasicAuth)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], assetStoreKey, store, config.Authorization)
configs[i] = cg.addSafeAuthorizationToYaml(configs[i], s, config.Authorization)
configs[i] = cg.addOAuth2ToYaml(configs[i], s, config.OAuth2)
configs[i] = cg.addProxyConfigtoYaml(ctx, configs[i], sc.GetNamespace(), store, config.ProxyConfig)


@ -400,7 +400,7 @@ func TestNamespaceSetCorrectly(t *testing.T) {
}
}
c := cg.generateK8SSDConfig(tc.ServiceMonitor.Spec.NamespaceSelector, tc.ServiceMonitor.Namespace, nil, nil, kubernetesSDRoleEndpoint, attachMetaConfig)
c := cg.generateK8SSDConfig(tc.ServiceMonitor.Spec.NamespaceSelector, tc.ServiceMonitor.Namespace, nil, assets.NewTestStoreBuilder(), kubernetesSDRoleEndpoint, attachMetaConfig)
s, err := yaml.Marshal(yaml.MapSlice{c})
require.NoError(t, err)
golden.Assert(t, string(s), tc.Golden)
@ -441,7 +441,7 @@ func TestNamespaceSetCorrectlyForPodMonitor(t *testing.T) {
MinimumVersion: "2.35.0",
AttachMetadata: pm.Spec.AttachMetadata,
}
c := cg.generateK8SSDConfig(pm.Spec.NamespaceSelector, pm.Namespace, nil, nil, kubernetesSDRolePod, attachMetadataConfig)
c := cg.generateK8SSDConfig(pm.Spec.NamespaceSelector, pm.Namespace, nil, assets.NewTestStoreBuilder(), kubernetesSDRolePod, attachMetadataConfig)
s, err := yaml.Marshal(yaml.MapSlice{c})
require.NoError(t, err)
@ -838,7 +838,7 @@ func TestK8SSDConfigGeneration(t *testing.T) {
}{
{
apiServerConfig: nil,
store: nil,
store: assets.NewTestStoreBuilder(),
golden: "K8SSDConfigGenerationFirst.golden",
},
{
@ -3633,8 +3633,9 @@ func TestRemoteReadConfig(t *testing.T) {
SafeAuthorization: monitoringv1.SafeAuthorization{
Credentials: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "key",
Name: "auth",
},
Key: "bearer",
},
},
},
@ -3666,10 +3667,16 @@ func TestRemoteReadConfig(t *testing.T) {
"client_secret": []byte("client-secret"),
},
},
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "auth",
Namespace: "default",
},
Data: map[string][]byte{
"bearer": []byte("secret"),
},
},
)
s.TokenAssets = map[string]assets.Token{
"remoteRead/auth/0": assets.Token("secret"),
}
cg := mustNewConfigGenerator(t, p)
cfg, err := cg.GenerateServerConfiguration(
@ -3705,7 +3712,7 @@ func TestRemoteReadConfig(t *testing.T) {
func TestRemoteWriteConfig(t *testing.T) {
sendNativeHistograms := true
enableHTTP2 := false
for _, tc := range []struct {
for i, tc := range []struct {
version string
remoteWrite monitoringv1.RemoteWriteSpec
golden string
@ -3907,8 +3914,9 @@ func TestRemoteWriteConfig(t *testing.T) {
SafeAuthorization: monitoringv1.SafeAuthorization{
Credentials: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "key",
Name: "auth",
},
Key: "token",
},
},
},
@ -4071,7 +4079,7 @@ func TestRemoteWriteConfig(t *testing.T) {
golden: "RemoteWriteConfig_v2.50.0.golden",
},
} {
t.Run(fmt.Sprintf("version=%s", tc.version), func(t *testing.T) {
t.Run(fmt.Sprintf("i=%d,version=%s", i, tc.version), func(t *testing.T) {
p := defaultPrometheus()
p.Spec.CommonPrometheusFields.Version = tc.version
p.Spec.CommonPrometheusFields.RemoteWrite = []monitoringv1.RemoteWriteSpec{tc.remoteWrite}
@ -4096,10 +4104,17 @@ func TestRemoteWriteConfig(t *testing.T) {
"client_secret": []byte("client-secret"),
},
},
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "auth",
Namespace: "default",
},
Data: map[string][]byte{
"token": []byte("secret"),
},
},
)
store.TokenAssets = map[string]assets.Token{
"remoteWrite/auth/0": assets.Token("secret"),
}
if tc.remoteWrite.Sigv4 != nil && tc.remoteWrite.Sigv4.AccessKey != nil {
store.SigV4Assets = map[string]assets.SigV4Credentials{
"remoteWrite/0": {
@ -5642,8 +5657,9 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
Authorization: &monitoringv1.SafeAuthorization{
Credentials: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "key",
Name: "auth",
},
Key: "scrape-key",
},
},
HTTPSDConfigs: []monitoringv1alpha1.HTTPSDConfig{
@ -5652,8 +5668,9 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
Authorization: &monitoringv1.SafeAuthorization{
Credentials: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "key",
Name: "auth",
},
Key: "http-sd-key",
},
},
},
@ -5972,13 +5989,18 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
"token": []byte("bar-value"),
},
},
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "auth",
Namespace: "default",
},
Data: map[string][]byte{
"scrape-key": []byte("scrape-secret"),
"http-sd-key": []byte("http-sd-secret"),
},
},
)
store.TokenAssets = map[string]assets.Token{
"scrapeconfig/auth/default/testscrapeconfig1": assets.Token("scrape-secret"),
"scrapeconfig/auth/default/testscrapeconfig1/httpsdconfig/0": assets.Token("http-sd-secret"),
}
cfg, err := cg.GenerateServerConfiguration(
context.Background(),
p.Spec.EvaluationInterval,
@ -6148,7 +6170,7 @@ func TestScrapeConfigSpecConfigWithKubernetesSD(t *testing.T) {
LocalObjectReference: v1.LocalObjectReference{
Name: "secret",
},
Key: "credential",
Key: "token",
},
},
},
@ -6378,9 +6400,9 @@ func TestScrapeConfigSpecConfigWithConsulSD(t *testing.T) {
Authorization: &monitoringv1.SafeAuthorization{
Credentials: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "foo",
Name: "auth",
},
Key: "credential",
Key: "token",
},
},
},
@ -6484,10 +6506,16 @@ func TestScrapeConfigSpecConfigWithConsulSD(t *testing.T) {
"client_secret": []byte("client-secret"),
},
},
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "auth",
Namespace: "default",
},
Data: map[string][]byte{
"token": []byte("secret"),
},
},
)
store.TokenAssets = map[string]assets.Token{
"scrapeconfig/auth/default/testscrapeconfig1/consulsdconfig/0": assets.Token("authorization"),
}
scs := map[string]*monitoringv1alpha1.ScrapeConfig{
"sc": {
@ -6989,7 +7017,7 @@ func TestScrapeConfigSpecConfigWithDigitalOceanSD(t *testing.T) {
LocalObjectReference: v1.LocalObjectReference{
Name: "secret",
},
Key: "credential",
Key: "token",
},
},
ProxyConfig: monitoringv1.ProxyConfig{
@ -7057,7 +7085,7 @@ func TestScrapeConfigSpecConfigWithDigitalOceanSD(t *testing.T) {
LocalObjectReference: v1.LocalObjectReference{
Name: "secret",
},
Key: "credential",
Key: "token",
},
},
TLSConfig: &monitoringv1.SafeTLSConfig{
@ -7174,7 +7202,7 @@ func TestScrapeConfigSpecConfigWithDockerSDConfig(t *testing.T) {
LocalObjectReference: v1.LocalObjectReference{
Name: "secret",
},
Key: "credential",
Key: "token",
},
},
ProxyConfig: monitoringv1.ProxyConfig{
@ -7485,7 +7513,7 @@ func TestScrapeConfigSpecConfigWithHetznerSD(t *testing.T) {
LocalObjectReference: v1.LocalObjectReference{
Name: "secret",
},
Key: "credential",
Key: "token",
},
},
},


@ -133,7 +133,7 @@ func (rs *ResourceSelector) SelectServiceMonitors(ctx context.Context, listFn Li
rs.eventRecorder.Eventf(sm, v1.EventTypeWarning, operator.InvalidConfigurationEvent, "ServiceMonitor %s was rejected due to invalid configuration: %v", sm.GetName(), err)
}
for i, endpoint := range sm.Spec.Endpoints {
for _, endpoint := range sm.Spec.Endpoints {
// If denied by Prometheus spec, filter out all service monitors that access
// the file system.
if cpf.ArbitraryFSAccessThroughSMs.Deny {
@ -143,12 +143,12 @@ func (rs *ResourceSelector) SelectServiceMonitors(ctx context.Context, listFn Li
}
}
smKey := fmt.Sprintf("serviceMonitor/%s/%s/%d", sm.GetNamespace(), sm.GetName(), i)
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
if err = rs.store.AddBearerToken(ctx, sm.GetNamespace(), endpoint.BearerTokenSecret, smKey); err != nil {
rejectFn(sm, err)
break
if endpoint.BearerTokenSecret != nil && endpoint.BearerTokenSecret.Name != "" {
if _, err = rs.store.GetSecretKey(ctx, sm.GetNamespace(), *endpoint.BearerTokenSecret); err != nil {
rejectFn(sm, err)
break
}
}
if err = rs.store.AddBasicAuth(ctx, sm.GetNamespace(), endpoint.BasicAuth); err != nil {
@ -166,8 +166,7 @@ func (rs *ResourceSelector) SelectServiceMonitors(ctx context.Context, listFn Li
break
}
smAuthKey := fmt.Sprintf("serviceMonitor/auth/%s/%s/%d", sm.GetNamespace(), sm.GetName(), i)
if err = rs.store.AddSafeAuthorizationCredentials(ctx, sm.GetNamespace(), endpoint.Authorization, smAuthKey); err != nil {
if err = rs.store.AddSafeAuthorizationCredentials(ctx, sm.GetNamespace(), endpoint.Authorization); err != nil {
rejectFn(sm, err)
break
}
@ -417,13 +416,13 @@ func (rs *ResourceSelector) SelectPodMonitors(ctx context.Context, listFn ListAl
rs.eventRecorder.Eventf(pm, v1.EventTypeWarning, operator.InvalidConfigurationEvent, "PodMonitor %s was rejected due to invalid configuration: %v", pm.GetName(), err)
}
for i, endpoint := range pm.Spec.PodMetricsEndpoints {
pmKey := fmt.Sprintf("podMonitor/%s/%s/%d", pm.GetNamespace(), pm.GetName(), i)
for _, endpoint := range pm.Spec.PodMetricsEndpoints {
//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
if err = rs.store.AddBearerToken(ctx, pm.GetNamespace(), &endpoint.BearerTokenSecret, pmKey); err != nil {
rejectFn(pm, err)
break
if endpoint.BearerTokenSecret.Name != "" && endpoint.BearerTokenSecret.Key != "" {
if _, err = rs.store.GetSecretKey(ctx, pm.GetNamespace(), endpoint.BearerTokenSecret); err != nil {
rejectFn(pm, err)
break
}
}
if err = rs.store.AddBasicAuth(ctx, pm.GetNamespace(), endpoint.BasicAuth); err != nil {
@ -443,8 +442,7 @@ func (rs *ResourceSelector) SelectPodMonitors(ctx context.Context, listFn ListAl
break
}
pmAuthKey := fmt.Sprintf("podMonitor/auth/%s/%s/%d", pm.GetNamespace(), pm.GetName(), i)
if err = rs.store.AddSafeAuthorizationCredentials(ctx, pm.GetNamespace(), endpoint.Authorization, pmAuthKey); err != nil {
if err = rs.store.AddSafeAuthorizationCredentials(ctx, pm.GetNamespace(), endpoint.Authorization); err != nil {
rejectFn(pm, err)
break
}
@ -570,10 +568,11 @@ func (rs *ResourceSelector) SelectProbes(ctx context.Context, listFn ListAllByNa
continue
}
pnKey := fmt.Sprintf("probe/%s/%s", probe.GetNamespace(), probe.GetName())
if err = rs.store.AddBearerToken(ctx, probe.GetNamespace(), &probe.Spec.BearerTokenSecret, pnKey); err != nil {
rejectFn(probe, err)
continue
if probe.Spec.BearerTokenSecret.Name != "" && probe.Spec.BearerTokenSecret.Key != "" {
if _, err = rs.store.GetSecretKey(ctx, probe.GetNamespace(), probe.Spec.BearerTokenSecret); err != nil {
rejectFn(probe, err)
continue
}
}
if err = rs.store.AddBasicAuth(ctx, probe.GetNamespace(), probe.Spec.BasicAuth); err != nil {
@ -587,8 +586,8 @@ func (rs *ResourceSelector) SelectProbes(ctx context.Context, listFn ListAllByNa
continue
}
}
pnAuthKey := fmt.Sprintf("probe/auth/%s/%s", probe.GetNamespace(), probe.GetName())
if err = rs.store.AddSafeAuthorizationCredentials(ctx, probe.GetNamespace(), probe.Spec.Authorization, pnAuthKey); err != nil {
if err = rs.store.AddSafeAuthorizationCredentials(ctx, probe.GetNamespace(), probe.Spec.Authorization); err != nil {
rejectFn(probe, err)
continue
}
@ -769,8 +768,7 @@ func (rs *ResourceSelector) SelectScrapeConfigs(ctx context.Context, listFn List
continue
}
scAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s", sc.GetNamespace(), sc.GetName())
if err = rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), sc.Spec.Authorization, scAuthKey); err != nil {
if err = rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), sc.Spec.Authorization); err != nil {
rejectFn(sc, err)
continue
}
@ -890,8 +888,8 @@ func (rs *ResourceSelector) validateKubernetesSDConfigs(ctx context.Context, sc
if err := rs.store.AddBasicAuth(ctx, sc.GetNamespace(), config.BasicAuth); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/kubernetessdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -960,8 +958,7 @@ func (rs *ResourceSelector) validateConsulSDConfigs(ctx context.Context, sc *mon
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/consulsdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -988,8 +985,7 @@ func (rs *ResourceSelector) validateHTTPSDConfigs(ctx context.Context, sc *monit
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/httpsdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1089,8 +1085,7 @@ func (rs *ResourceSelector) validateOpenStackSDConfigs(ctx context.Context, sc *
func (rs *ResourceSelector) validateDigitalOceanSDConfigs(ctx context.Context, sc *monitoringv1alpha1.ScrapeConfig) error {
for i, config := range sc.Spec.DigitalOceanSDConfigs {
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/digitaloceansdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1116,8 +1111,7 @@ func (rs *ResourceSelector) validateDockerSDConfigs(ctx context.Context, sc *mon
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/dockersdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1148,8 +1142,7 @@ func (rs *ResourceSelector) validateKumaSDConfigs(ctx context.Context, sc *monit
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/kumasdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1174,8 +1167,7 @@ func (rs *ResourceSelector) validateKumaSDConfigs(ctx context.Context, sc *monit
func (rs *ResourceSelector) validateEurekaSDConfigs(ctx context.Context, sc *monitoringv1alpha1.ScrapeConfig) error {
for i, config := range sc.Spec.EurekaSDConfigs {
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/eurekasdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1204,8 +1196,7 @@ func (rs *ResourceSelector) validateHetznerSDConfigs(ctx context.Context, sc *mo
return fmt.Errorf("[%d]: %w", i, err)
}
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/hetznersdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}
@ -1226,8 +1217,7 @@ func (rs *ResourceSelector) validateHetznerSDConfigs(ctx context.Context, sc *mo
func (rs *ResourceSelector) validateNomadSDConfigs(ctx context.Context, sc *monitoringv1alpha1.ScrapeConfig) error {
for i, config := range sc.Spec.NomadSDConfigs {
configAuthKey := fmt.Sprintf("scrapeconfig/auth/%s/%s/nomadsdconfig/%d", sc.GetNamespace(), sc.GetName(), i)
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization, configAuthKey); err != nil {
if err := rs.store.AddSafeAuthorizationCredentials(ctx, sc.GetNamespace(), config.Authorization); err != nil {
return fmt.Errorf("[%d]: %w", i, err)
}


@ -632,6 +632,8 @@ func TestSelectProbes(t *testing.T) {
},
} {
t.Run(tc.scenario, func(t *testing.T) {
cs := fake.NewSimpleClientset()
rs := NewResourceSelector(
newLogger(),
&monitoringv1.Prometheus{
@ -645,7 +647,7 @@ func TestSelectProbes(t *testing.T) {
},
},
},
nil,
assets.NewStoreBuilder(cs.CoreV1(), cs.CoreV1()),
nil,
operator.NewMetrics(prometheus.NewPedanticRegistry()),
record.NewFakeRecorder(1),
@ -1271,6 +1273,7 @@ func TestSelectPodMonitors(t *testing.T) {
},
} {
t.Run(tc.scenario, func(t *testing.T) {
cs := fake.NewSimpleClientset()
rs := NewResourceSelector(
newLogger(),
&monitoringv1.Prometheus{
@ -1284,7 +1287,7 @@ func TestSelectPodMonitors(t *testing.T) {
},
},
},
nil,
assets.NewStoreBuilder(cs.CoreV1(), cs.CoreV1()),
nil,
operator.NewMetrics(prometheus.NewPedanticRegistry()),
record.NewFakeRecorder(1),
@ -1309,11 +1312,13 @@ func TestSelectPodMonitors(t *testing.T) {
})
require.NoError(t, err)
if tc.selected {
require.Len(t, sms, 1)
} else {
require.Empty(t, sms)
return
}
require.Empty(t, sms)
})
}
}


@ -1311,9 +1311,11 @@ func addAlertmanagerEndpointsToStore(ctx context.Context, store *assets.StoreBui
if err := store.AddBasicAuth(ctx, namespace, am.BasicAuth); err != nil {
return fmt.Errorf("alertmanager %d: %w", i, err)
}
if err := store.AddSafeAuthorizationCredentials(ctx, namespace, am.Authorization, fmt.Sprintf("alertmanager/auth/%d", i)); err != nil {
if err := store.AddSafeAuthorizationCredentials(ctx, namespace, am.Authorization); err != nil {
return fmt.Errorf("alertmanager %d: %w", i, err)
}
if err := store.AddSigV4(ctx, namespace, am.Sigv4, fmt.Sprintf("alertmanager/auth/%d", i)); err != nil {
return fmt.Errorf("alertmanager %d: %w", i, err)
}


@ -42,7 +42,7 @@ func AddRemoteWritesToStore(ctx context.Context, store *assets.StoreBuilder, nam
return fmt.Errorf("remote write %d: %w", i, err)
}
if err := store.AddAuthorizationCredentials(ctx, namespace, remote.Authorization, fmt.Sprintf("remoteWrite/auth/%d", i)); err != nil {
if err := store.AddAuthorizationCredentials(ctx, namespace, remote.Authorization); err != nil {
return fmt.Errorf("remote write %d: %w", i, err)
}
@ -72,7 +72,7 @@ func AddRemoteReadsToStore(ctx context.Context, store *assets.StoreBuilder, name
return fmt.Errorf("remote read %d: %w", i, err)
}
if err := store.AddAuthorizationCredentials(ctx, namespace, remote.Authorization, fmt.Sprintf("remoteRead/auth/%d", i)); err != nil {
if err := store.AddAuthorizationCredentials(ctx, namespace, remote.Authorization); err != nil {
return fmt.Errorf("remote read %d: %w", i, err)
}
}
@ -87,9 +87,11 @@ func AddAPIServerConfigToStore(ctx context.Context, store *assets.StoreBuilder,
if err := store.AddBasicAuth(ctx, namespace, config.BasicAuth); err != nil {
return fmt.Errorf("apiserver config: %w", err)
}
if err := store.AddAuthorizationCredentials(ctx, namespace, config.Authorization, "apiserver/auth"); err != nil {
if err := store.AddAuthorizationCredentials(ctx, namespace, config.Authorization); err != nil {
return fmt.Errorf("apiserver config: %w", err)
}
return nil
}


@ -9,7 +9,7 @@ scrape_configs:
consul_sd_configs:
- authorization:
type: Bearer
credentials: authorization
credentials: secret
server: localhost:8500
relabel_configs:
- source_labels:


@ -9,6 +9,7 @@ scrape_configs:
digitalocean_sd_configs:
- authorization:
type: Bearer
credentials: value
proxy_url: http://no-proxy.com
no_proxy: 0.0.0.0
proxy_from_environment: true


@ -9,6 +9,7 @@ scrape_configs:
digitalocean_sd_configs:
- authorization:
type: Bearer
credentials: value
tls_config:
ca_file: /etc/prometheus/certs/secret_default_secret-ca_
cert_file: /etc/prometheus/certs/secret_default_secret-cert_


@ -9,6 +9,7 @@ scrape_configs:
docker_sd_configs:
- authorization:
type: Bearer
credentials: value
proxy_url: http://no-proxy.com
no_proxy: 0.0.0.0
proxy_from_environment: true


@ -9,6 +9,7 @@ scrape_configs:
eureka_sd_configs:
- authorization:
type: Bearer
credentials: value
proxy_url: http://no-proxy.com
no_proxy: 0.0.0.0
proxy_from_environment: true


@ -9,6 +9,7 @@ scrape_configs:
eureka_sd_configs:
- authorization:
type: Bearer
credentials: value
tls_config:
ca_file: /etc/prometheus/certs/secret_default_secret-ca_
cert_file: /etc/prometheus/certs/secret_default_secret-cert_


@ -9,6 +9,7 @@ scrape_configs:
hetzner_sd_configs:
- authorization:
type: Bearer
credentials: value
role: hcloud
relabel_configs:
- source_labels:


@ -10,6 +10,7 @@ scrape_configs:
- role: node
authorization:
type: Bearer
credentials: value
relabel_configs:
- source_labels:
- job


@ -9,6 +9,7 @@ scrape_configs:
kuma_sd_configs:
- authorization:
type: Bearer
credentials: value
proxy_url: http://no-proxy.com
no_proxy: 0.0.0.0
proxy_from_environment: true


@ -9,6 +9,7 @@ scrape_configs:
kuma_sd_configs:
- authorization:
type: Bearer
credentials: value
server: ""
tls_config:
ca_file: /etc/prometheus/certs/secret_default_secret-ca_


@ -9,6 +9,7 @@ scrape_configs:
nomad_sd_configs:
- authorization:
type: Bearer
credentials: value
proxy_url: http://no-proxy.com
no_proxy: 0.0.0.0
proxy_from_environment: true


@ -9,6 +9,7 @@ scrape_configs:
nomad_sd_configs:
- authorization:
type: Bearer
credentials: value
server: ""
tls_config:
ca_file: /etc/prometheus/certs/secret_default_secret-ca_