prometheus: allow mounting custom secrets

pkg/client/monitoring/v1alpha1/types.go

@@ -84,6 +84,14 @@ type PrometheusSpec struct {
 	// ServiceAccountName is the name of the ServiceAccount to use to run the
 	// Prometheus Pods.
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+	// Secrets is a list of Secrets in the same namespace as the Prometheus
+	// object, which shall be mounted into the Prometheus Pods.
+	// The Secrets are mounted into /etc/prometheus/secrets/<secret-name>.
+	// Secrets changes after initial creation of a Prometheus object are not
+	// reflected in the running Pods. To change the secrets mounted into the
+	// Prometheus Pods, the object must be deleted and recreated with the new list
+	// of secrets.
+	Secrets []string `json:"secrets,omitempty"`
 	// EvaluationInterval string                    `json:"evaluationInterval"`
 	// Remote          RemoteSpec                 `json:"remote"`
 	// Sharding...

pkg/prometheus/statefulset.go

@@ -104,6 +104,13 @@ func makeStatefulSet(p v1alpha1.Prometheus, old *v1beta1.StatefulSet, config *Co
 
 	if old != nil {
 		statefulset.Annotations = old.Annotations
+
+		// mounted volumes are not reconciled as StatefulSets do not allow
+		// modification of the PodTemplate.
+		// TODO(brancz): remove this once StatefulSets allow modification of the
+		// PodTemplate.
+		statefulset.Spec.Template.Spec.Containers[0].VolumeMounts = old.Spec.Template.Spec.Containers[0].VolumeMounts
+		statefulset.Spec.Template.Spec.Volumes = old.Spec.Template.Spec.Volumes
 	}
 	return statefulset
 }
@@ -247,7 +254,7 @@ func makeStatefulSetSpec(p v1alpha1.Prometheus, c *Config, ruleConfigMaps []*v1.
 		Path:   path.Clean(webRoutePrefix + "/-/reload"),
 	}
 
-	volumes := append([]v1.Volume{
+	volumes := []v1.Volume{
 		{
 			Name: "config",
 			VolumeSource: v1.VolumeSource{
@@ -262,9 +269,9 @@ func makeStatefulSetSpec(p v1alpha1.Prometheus, c *Config, ruleConfigMaps []*v1.
 				EmptyDir: &v1.EmptyDirVolumeSource{},
 			},
 		},
-	})
+	}
 
-	promVolumeMounts := append([]v1.VolumeMount{
+	promVolumeMounts := []v1.VolumeMount{
 		{
 			Name:      "config",
 			ReadOnly:  true,
@@ -280,9 +287,25 @@ func makeStatefulSetSpec(p v1alpha1.Prometheus, c *Config, ruleConfigMaps []*v1.
 			MountPath: "/var/prometheus/data",
 			SubPath:   subPathForStorage(p.Spec.Storage),
 		},
-	})
+	}
 
-	configReloadVolumeMounts := append([]v1.VolumeMount{
+	for _, s := range p.Spec.Secrets {
+		volumes = append(volumes, v1.Volume{
+			Name: "secret-" + s,
+			VolumeSource: v1.VolumeSource{
+				Secret: &v1.SecretVolumeSource{
+					SecretName: s,
+				},
+			},
+		})
+		promVolumeMounts = append(promVolumeMounts, v1.VolumeMount{
+			Name:      "secret-" + s,
+			ReadOnly:  true,
+			MountPath: "/etc/prometheus/secrets/" + s,
+		})
+	}
+
+	configReloadVolumeMounts := []v1.VolumeMount{
 		{
 			Name:      "config",
 			ReadOnly:  true,
@@ -292,13 +315,13 @@ func makeStatefulSetSpec(p v1alpha1.Prometheus, c *Config, ruleConfigMaps []*v1.
 			Name:      "rules",
 			MountPath: "/etc/prometheus/rules",
 		},
-	})
+	}
 
-	configReloadArgs := append([]string{
+	configReloadArgs := []string{
 		fmt.Sprintf("-reload-url=%s", localReloadURL),
 		"-config-volume-dir=/etc/prometheus/config",
 		"-rule-volume-dir=/etc/prometheus/rules",
-	})
+	}
 
 	return v1beta1.StatefulSetSpec{
 		ServiceName: governingServiceName,

pkg/prometheus/statefulset_test.go

@@ -19,6 +19,7 @@ import (
 	"testing"
 
 	"k8s.io/client-go/pkg/api/v1"
+	"k8s.io/client-go/pkg/apis/apps/v1beta1"
 
 	"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1alpha1"
 )
@@ -48,3 +49,164 @@ func TestStatefulSetLabelingAndAnnotations(t *testing.T) {
 		t.Fatal("Labels or Annotations are not properly being propagated to the StatefulSet")
 	}
 }
+
+func TestStatefulSetVolumeInitial(t *testing.T) {
+	expected := &v1beta1.StatefulSet{
+		Spec: v1beta1.StatefulSetSpec{
+			Template: v1.PodTemplateSpec{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "config",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/config",
+									SubPath:   "",
+								}, {
+									Name:      "rules",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/rules",
+									SubPath:   "",
+								}, {
+									Name:      "prometheus--db",
+									ReadOnly:  false,
+									MountPath: "/var/prometheus/data",
+									SubPath:   "",
+								}, {
+									Name:      "secret-test-secret1",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/secrets/test-secret1",
+									SubPath:   "",
+								},
+							},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "config",
+							VolumeSource: v1.VolumeSource{
+								Secret: &v1.SecretVolumeSource{
+									SecretName: configSecretName(""),
+								},
+							},
+						},
+						{
+							Name: "rules",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+						{
+							Name: "secret-test-secret1",
+							VolumeSource: v1.VolumeSource{
+								Secret: &v1.SecretVolumeSource{
+									SecretName: "test-secret1",
+								},
+							},
+						},
+						{
+							Name: "prometheus--db",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	sset := makeStatefulSet(v1alpha1.Prometheus{
+		Spec: v1alpha1.PrometheusSpec{
+			Secrets: []string{
+				"test-secret1",
+			},
+		},
+	}, nil, defaultTestConfig, []*v1.ConfigMap{})
+
+	if !reflect.DeepEqual(expected.Spec.Template.Spec.Volumes, sset.Spec.Template.Spec.Volumes) || !reflect.DeepEqual(expected.Spec.Template.Spec.Containers[0].VolumeMounts, sset.Spec.Template.Spec.Containers[0].VolumeMounts) {
+		t.Fatal("Volumes mounted in a Pod are not created correctly initially.")
+	}
+}
+
+func TestStatefulSetVolumeSkip(t *testing.T) {
+	old := &v1beta1.StatefulSet{
+		Spec: v1beta1.StatefulSetSpec{
+			Template: v1.PodTemplateSpec{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "config",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/config",
+									SubPath:   "",
+								}, {
+									Name:      "rules",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/rules",
+									SubPath:   "",
+								}, {
+									Name:      "prometheus--db",
+									ReadOnly:  false,
+									MountPath: "/var/prometheus/data",
+									SubPath:   "",
+								}, {
+									Name:      "secret-test-secret1",
+									ReadOnly:  true,
+									MountPath: "/etc/prometheus/secrets/test-secret1",
+									SubPath:   "",
+								},
+							},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "config",
+							VolumeSource: v1.VolumeSource{
+								Secret: &v1.SecretVolumeSource{
+									SecretName: configSecretName(""),
+								},
+							},
+						},
+						{
+							Name: "rules",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+						{
+							Name: "secret-test-secret1",
+							VolumeSource: v1.VolumeSource{
+								Secret: &v1.SecretVolumeSource{
+									SecretName: "test-secret1",
+								},
+							},
+						},
+						{
+							Name: "prometheus--db",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	sset := makeStatefulSet(v1alpha1.Prometheus{
+		Spec: v1alpha1.PrometheusSpec{
+			Secrets: []string{
+				"test-secret1",
+				"test-secret2",
+			},
+		},
+	}, old, defaultTestConfig, []*v1.ConfigMap{})
+
+	if !reflect.DeepEqual(old.Spec.Template.Spec.Volumes, sset.Spec.Template.Spec.Volumes) || !reflect.DeepEqual(old.Spec.Template.Spec.Containers[0].VolumeMounts, sset.Spec.Template.Spec.Containers[0].VolumeMounts) {
+		t.Fatal("Volumes mounted in a Pod should not be reconciled.")
+	}
+}