From 7c4b6c9b4b093dee2b610dd9bbbbe91527487302 Mon Sep 17 00:00:00 2001 From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Tue, 11 Feb 2025 06:25:28 +0000 Subject: [PATCH] (go/v4,ksutomize/v2,helm/v1-alpha): Fix prometheus integration with TLS check Co-Author: Abhisek Dwivedi --- .github/workflows/test-e2e-samples.yml | 19 ++++++---- .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../chart/templates/prometheus/monitor.yaml | 1 + .../testdata/project/dist/install.yaml | 7 +++- .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../chart/templates/prometheus/monitor.yaml | 1 + .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../chart/templates/prometheus/monitor.yaml | 1 + .../testdata/project/dist/install.yaml | 7 +++- hack/docs/internal/cronjob-tutorial/sample.go | 22 +++++++++++ .../config/kdefault/kustomization.go | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.go | 37 +++++++++---------- .../chart-templates/prometheus/monitor.go | 1 + test/e2e/v4/generate_test.go | 22 +++++++++++ .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../chart/templates/prometheus/monitor.yaml | 1 + .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- 24 files changed, 345 insertions(+), 150 deletions(-) diff --git a/.github/workflows/test-e2e-samples.yml b/.github/workflows/test-e2e-samples.yml index 1e170ff60a8..97be2426b9f 100644 --- a/.github/workflows/test-e2e-samples.yml +++ b/.github/workflows/test-e2e-samples.yml 
@@ -43,8 +43,8 @@ jobs: sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH sed -i '47,49s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment all cert-manager injections - sed -i '59,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4/ go mod tidy @@ -86,10 +86,12 @@ jobs: # Uncomment only ValidatingWebhookConfiguration # from cert-manager replaces; we are leaving defaulting uncommented # since this sample has no defaulting webhooks - sed -i '59,164s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '120,186s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment only --conversion webhooks CA injection - sed -i '197,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '219,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-with-plugins/ go mod tidy @@ -129,9 +131,10 @@ jobs: KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment all cert-manager injections for webhooks only - sed -i '59,59s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '98,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '120,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-multigroup go mod tidy diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index 3e54d96aea9..8230498cb42 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
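Review bot: All three hunks in this workflow uncomment the kustomization by absolute line ranges (`59,234`, `236,251`, `59,77`, `90,107`, `120,186`, `219,234`), which is why every range had to be renumbered in this commit and why the next growth of `config/default/kustomization.yaml` will uncomment the wrong block without any error. Anchoring the sed on the marker comments the template already carries (for example the `# Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor` line) would survive line shifts. Failing that, each range deserves a comment naming the block it covers, in the style of the existing `# Uncomment all cert-manager injections`, e.g. `# <first>-<last>: <block this range covers>`, so a reviewer can check the numbers against the file. The jobs' remaining steps continue outside the hunks.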
+++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service @@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml 
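Review bot: The two new `select` entries targeting `spec.endpoints.0.tlsConfig.serverName` are introduced as optional (`# Uncomment the following to set the Service name for TLS config …`), but they are the only thing that turns the `SERVICE_NAME.SERVICE_NAMESPACE.svc` placeholder written by `config/prometheus/monitor_tls_patch.yaml` into a real hostname; enabling that patch without both replacements leaves Prometheus verifying the certificate against a literal `SERVICE_NAME` and scraping fails. The comment should state that coupling, e.g. `# Required whenever monitor_tls_patch.yaml is enabled: fills the Service name (index 0) and namespace (index 1) into tlsConfig.serverName`. In this copy the lines are already uncommented, so the `Uncomment the following` wording is also stale here. The same block is added, commented or not, in the getting-started, multiversion-tutorial, project-v4, project-v4-multigroup and project-v4-with-plugins kustomizations and in the `certManagerForMetricsAndWebhooks`, `kustomization.go` and `metricsCertReplaces` Go string templates, so the wording should change in the template and flow to the generated copies.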
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index bf18d472577..535cc39b47c 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml 
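Review bot: `op: replace` on `/spec/endpoints/0/tlsConfig` replaces the whole object and, unlike the strategic-merge patch it supersedes, fails the build if the base ServiceMonitor (not in this patch) has no `tlsConfig` under `endpoints[0]`, so the patch now silently depends on the base keeping that field; a one-line comment above the op recording that dependency would help the next person who edits the base. The added `serverName` only makes `insecureSkipVerify: false` effective if `metrics-server-cert` carries the `<service>.<namespace>.svc` name in its SANs; the Certificate resource is not part of this patch, so confirm its dnsNames match. Until the two `serverName` replacements in `config/default/kustomization.yaml` are enabled the literal placeholder is what Prometheus verifies against, so the existing comment should say so: `# SERVICE_NAME and SERVICE_NAMESPACE are substituted by the ServiceMonitor replacements in config/default/kustomization.yaml; without them TLS verification fails`. The same change is made identically in the getting-started, multiversion-tutorial, project-v4, project-v4-multigroup and project-v4-with-plugins copies and in `serviceMonitorPatchTemplate` in `monitor_tls_patch.go`.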
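Review bot: `serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc` hard-codes the metrics Service name a second time instead of deriving it from the Service template, so a later rename of the Service in the chart would break hostname verification without the chart noticing (a hard scrape failure rather than an insecure one, but a confusing one). A named template or a single values key shared by the Service and this monitor would remove the duplication; at minimum a comment such as `# must equal the metrics Service name and a SAN of metrics-server-cert` belongs above it. The certificate the chart issues when `.Values.certmanager.enable` is set is not in this patch, so confirm its dnsNames include this `<service>.<namespace>.svc` form. The same line is added in the getting-started, multiversion-tutorial and project-v4-with-plugins charts and in the `monitor.go` helm template, where it is rendered from `{{ .ProjectName }}-controller-manager-metrics-service`.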
@@ -4276,7 +4276,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -4289,6 +4293,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 6cbecf19a15..5a206998350 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service 
diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml 
@@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index f72c5a8890f..0cc2ff2331b 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service @@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index acf7b937049..0cadd70d49c 100644 
--- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -8122,7 +8122,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -8135,6 +8139,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/hack/docs/internal/cronjob-tutorial/sample.go b/hack/docs/internal/cronjob-tutorial/sample.go index dddea3baacc..2588789e849 100644 --- a/hack/docs/internal/cronjob-tutorial/sample.go +++ b/hack/docs/internal/cronjob-tutorial/sample.go @@ -52,6 +52,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -71,6 +82,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service 
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index 1f1c1973397..5d327201ffb 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -120,6 +120,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -139,6 +150,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go index b134911a7e1..b9de3871d3b 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go 
@@ -44,24 +44,21 @@ func (f *ServiceMonitorPatch) SetTemplateDefaults() error { const serviceMonitorPatchTemplate = `# Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key ` diff --git a/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go b/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go index 8acd4d6ae15..a4e90fb66c9 100644 --- a/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go +++ b/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go @@ -59,6 +59,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{ "{{- if .Values.certmanager.enable }}" }} + serverName: {{ .ProjectName }}-controller-manager-metrics-service.{{ "{{ .Release.Namespace }}" }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 6051dd3c5be..7975d891667 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go 
@@ -475,6 +475,17 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -493,4 +504,15 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # options: # delimiter: '.' # index: 1 +# create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 # create: true` diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9f57d56c7f3..3fdc4dd6c70 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service 
@@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4-with-plugins/config/default/kustomization.yaml b/testdata/project-v4-with-plugins/config/default/kustomization.yaml index 7d10355c4a2..a9d169cbd76 100644 --- a/testdata/project-v4-with-plugins/config/default/kustomization.yaml 
+++ b/testdata/project-v4-with-plugins/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml b/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml index abb87440c0a..92773eb66b9 100644 --- a/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml +++ b/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-v4-with-plugins-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index e288dc06a02..e0fad41c4fc 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml 
@@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key