
Inline SafeTLSConfig CA, Cert, Key in scrape_config ()

* Inline SafeTLSConfig CA,Cert,Key in scrape_config

The existing SafeTLSConfig specifies paths like:

```yaml
- job_name: scrapeConfig/default/testscrapeconfig1
  tls_config:
    ca_file: /etc/prometheus/certs/0_default_tls_ca
    cert_file: /etc/prometheus/certs/0_default_tls_cert
    key_file: /etc/prometheus/certs/0_default_tls_private-key
```

but these paths are not available to the scrapers.

This change will allow scrapers configured with http_sd (namely the OTel
Collector + Target Allocator setup) to be able to scrape endpoints that
require TLS certificates.

The new scrape configuration would look like:

```yaml
- job_name: scrapeConfig/default/testscrapeconfig1
  tls_config:
    ca: "ca-cert-info"
    cert: "cert-info"
    key: "<secret>"
```

Since the values are now inline in the scrape configuration, the
scrapers will be able to use them to scrape the endpoints with the
credentials they need for secure communication.

- Updates test assets store to have secret information
- Updates golden files to recognize new values for tls_config

Fixes: https://github.com/open-telemetry/opentelemetry-operator/issues/3724

Signed-off-by: Charlie Le <charlie_le@apple.com>

* Add option in ConfigGenerator for inlining TLS Config

Signed-off-by: Charlie Le <charlie_le@apple.com>

---------

Signed-off-by: Charlie Le <charlie_le@apple.com>
This commit is contained in:
Charlie Le 2025-02-26 00:57:44 -08:00 committed by GitHub
parent 524131da78
commit c6927a2091
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 127 additions and 8 deletions


@ -74,6 +74,7 @@ type ConfigGenerator struct {
defaultScrapeClassName string
daemonSet bool
prometheusTopologySharding bool
inlineTLSConfig bool
}
type ConfigGeneratorOption func(*ConfigGenerator)
@ -97,6 +98,12 @@ func WithPrometheusTopologySharding() ConfigGeneratorOption {
}
}
func WithInlineTLSConfig() ConfigGeneratorOption {
return func(cg *ConfigGenerator) {
cg.inlineTLSConfig = true
}
}
// NewConfigGenerator creates a ConfigGenerator for the provided Prometheus resource.
func NewConfigGenerator(
logger *slog.Logger,
@ -216,6 +223,7 @@ func (cg *ConfigGenerator) WithKeyVals(keyvals ...interface{}) *ConfigGenerator
scrapeClasses: cg.scrapeClasses,
defaultScrapeClassName: cg.defaultScrapeClassName,
daemonSet: cg.daemonSet,
inlineTLSConfig: cg.inlineTLSConfig,
}
}
@ -236,6 +244,7 @@ func (cg *ConfigGenerator) WithMinimumVersion(version string) *ConfigGenerator {
scrapeClasses: cg.scrapeClasses,
defaultScrapeClassName: cg.defaultScrapeClassName,
daemonSet: cg.daemonSet,
inlineTLSConfig: cg.inlineTLSConfig,
}
}
@ -259,6 +268,7 @@ func (cg *ConfigGenerator) WithMaximumVersion(version string) *ConfigGenerator {
scrapeClasses: cg.scrapeClasses,
defaultScrapeClassName: cg.defaultScrapeClassName,
daemonSet: cg.daemonSet,
inlineTLSConfig: cg.inlineTLSConfig,
}
}
@ -756,15 +766,42 @@ func (cg *ConfigGenerator) addSafeTLStoYaml(
}
if safetls.CA.Secret != nil || safetls.CA.ConfigMap != nil {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "ca_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.CA))})
if cg.inlineTLSConfig {
b, err := store.GetSecretOrConfigMapKey(safetls.CA)
if err != nil {
cg.logger.Error("invalid CA reference", "err", err)
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "ca", Value: b})
}
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "ca_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.CA))})
}
}
if safetls.Cert.Secret != nil || safetls.Cert.ConfigMap != nil {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "cert_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.Cert))})
if cg.inlineTLSConfig {
b, err := store.GetSecretOrConfigMapKey(safetls.Cert)
if err != nil {
cg.logger.Error("invalid cert reference", "err", err)
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "cert", Value: b})
}
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "cert_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.Cert))})
}
}
if safetls.KeySecret != nil {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "key_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.KeySecret))})
if cg.inlineTLSConfig {
b, err := store.GetSecretKey(*safetls.KeySecret)
if err != nil {
cg.logger.Error("invalid key reference", "err", err)
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "key", Value: string(b)})
}
} else {
safetlsConfig = append(safetlsConfig, yaml.MapItem{Key: "key_file", Value: path.Join(tlsAssetsDir, store.TLSAsset(safetls.KeySecret))})
}
}
if ptr.Deref(safetls.ServerName, "") != "" {
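Review bot: In the three new inline branches a failed `store.GetSecretOrConfigMapKey`/`store.GetSecretKey` is only logged and the `ca`, `cert` or `key` entry is silently dropped, so a dangling reference produces a `tls_config` that is missing its CA or carries a `cert` without a `key`, something the file-path branch never did; addSafeTLStoYaml's signature lies above the hunk, so if the function can return an error these failures should propagate rather than be swallowed. The inline fields are emitted without the `WithMinimumVersion` gate that other version-dependent fields in this generator use, so a Prometheus that predates inline `ca`/`cert`/`key` support would presumably reject the generated configuration. Because the private key now lands in plaintext in the generated scrape configuration (the golden file shows `key: private-key`), `WithInlineTLSConfig` in the earlier hunk deserves a doc comment, e.g. `// WithInlineTLSConfig embeds the referenced CA, certificate and private key contents into the generated tls_config instead of referencing files; the resulting configuration contains secret material and must be protected like the Secret it came from.` The three blocks differ only in the YAML key names and the store accessor, so a small helper would remove the duplication.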


@ -5856,11 +5856,12 @@ func TestProbeSpecConfig(t *testing.T) {
func TestScrapeConfigSpecConfig(t *testing.T) {
refreshInterval := monitoringv1.Duration("5m")
for _, tc := range []struct {
name string
version string
patchProm func(*monitoringv1.Prometheus)
scSpec monitoringv1alpha1.ScrapeConfigSpec
golden string
name string
version string
patchProm func(*monitoringv1.Prometheus)
scSpec monitoringv1alpha1.ScrapeConfigSpec
inlineTLSConfig bool
golden string
}{
{
name: "empty_scrape_config",
@ -6106,6 +6107,53 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
},
golden: "ScrapeConfigSpecConfig_Authorization.golden",
},
{
name: "inline_tlsconfig",
scSpec: monitoringv1alpha1.ScrapeConfigSpec{
TLSConfig: &monitoringv1.SafeTLSConfig{
CA: monitoringv1.SecretOrConfigMap{
Secret: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "tls",
},
Key: "ca",
},
},
Cert: monitoringv1.SecretOrConfigMap{
Secret: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "tls",
},
Key: "cert",
},
},
KeySecret: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "tls",
},
Key: "private-key",
},
},
HTTPSDConfigs: []monitoringv1alpha1.HTTPSDConfig{
{
URL: "http://localhost:9100/sd.json",
TLSConfig: &monitoringv1.SafeTLSConfig{
InsecureSkipVerify: ptr.To(false),
CA: monitoringv1.SecretOrConfigMap{
Secret: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "tls",
},
Key: "ca2",
},
},
},
},
},
},
inlineTLSConfig: true,
golden: "ScrapeConfigSpecConfig_Inline_TLSConfig.golden",
},
{
name: "tlsconfig",
scSpec: monitoringv1alpha1.ScrapeConfigSpec{
@ -6529,6 +6577,7 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
}
cg := mustNewConfigGenerator(t, p)
cg.inlineTLSConfig = tc.inlineTLSConfig
store := assets.NewTestStoreBuilder(
&v1.Secret{
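Review bot: The test enables the new behaviour by writing the unexported field directly, `cg.inlineTLSConfig = tc.inlineTLSConfig`, so the public `WithInlineTLSConfig()` option and its propagation through `WithKeyVals`/`WithMinimumVersion`/`WithMaximumVersion` are never exercised; applying the option instead, `if tc.inlineTLSConfig { WithInlineTLSConfig()(cg) }`, covers the path callers actually use. The new `inline_tlsconfig` case only covers the happy path; a case whose `KeySecret` or `CA` points at a key absent from the `tls` Secret would pin what the generator emits when the lookup fails, which is the branch most likely to yield a surprising `tls_config`. TestScrapeConfigSpecConfig begins well above this hunk.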
@ -6583,6 +6632,18 @@ func TestScrapeConfigSpecConfig(t *testing.T) {
"client_secret": []byte("client-secret"),
},
},
&v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "tls",
Namespace: "default",
},
Data: map[string][]byte{
"ca": []byte("ca"),
"ca2": []byte("ca2"),
"cert": []byte("cert"),
"private-key": []byte("private-key"),
},
},
)
cfg, err := cg.GenerateServerConfiguration(


@ -0,0 +1,21 @@
global:
scrape_interval: 30s
external_labels:
prometheus: default/test
prometheus_replica: $(POD_NAME)
evaluation_interval: 30s
scrape_configs:
- job_name: scrapeConfig/default/testscrapeconfig1
tls_config:
ca: ca
cert: cert
key: private-key
http_sd_configs:
- tls_config:
insecure_skip_verify: false
ca: ca2
url: http://localhost:9100/sd.json
relabel_configs:
- source_labels:
- job
target_label: __tmp_prometheus_job_name