Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ServiceMonitor scrapping failed if internal TLS is activated #1828

Open
baaaaast opened this issue Sep 19, 2024 · 2 comments
Open

ServiceMonitor scrapping failed if internal TLS is activated #1828

baaaaast opened this issue Sep 19, 2024 · 2 comments
Assignees
@reasonerjt
Labels
follow-up help wanted Extra attention is needed

Comments

@baaaaast
Copy link

baaaaast commented Sep 19, 2024
edited
Loading

If we activate the auto cert generation with :

internalTLS:
    enabled: true
    certSource: "auto"

My prometheus service fails to scrap the https-metrics port because it doesn't have the ca bundle used to generate the certificate.

I'd like to be able to configure the tlsConfig part of the ServiceMonitor's endpoint : https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.TLSConfig

Can I do a PR ?
@reasonerjt
Copy link
Contributor

@baaaaast
Thanks for writing it up. I think this is a valid issue.
IMO ideally we wanna make sure in the tlgConfig it trusts the CA that signs the internal cert. Is that possible?

@reasonerjt reasonerjt added help wanted Extra attention is needed follow-up labels Sep 23, 2024
@reasonerjt reasonerjt self-assigned this Sep 23, 2024
@github-staff github-staff deleted a comment from nhatlaso1 Sep 23, 2024
@baaaaast
Copy link
Author

Yes @reasonerjt I think it's possible by setting something like :

kind: ServiceMonitor
...
spec:
  endpoints:
  - honorLabels: true
    port: https-metrics
    tlsConfig:
      ca: the_secret_name

It all depends on whether the certificate generation is automatic, manual or based on a secret.
I just thought I could configure tlsConfig in a completely free way like :

metrics-svcmon.yaml example


spec:
  jobLabel: app.kubernetes.io/name
  endpoints:
  - port:  {{ template "harbor.metricsPortName" . }}
    {{- if .Values.metrics.serviceMonitor.interval }}
    interval: {{ .Values.metrics.serviceMonitor.interval }}
    {{- end }}
    honorLabels: true
...
{{- if .Values.metrics.serviceMonitor.tlsConfig }}
    tlsConfig:
{{ toYaml .Values.metrics.serviceMonitor.tlsConfig | indent 4 }}
{{- end }}

Besides, I've decided to give up enabling internal tls as long as the services aren't able to reload the TLS secret if it's changed. This static aspect is too restrictive for me to use with certmanager.
I don't need it anymore for the moment.
Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reasonerjt reasonerjt

Labels
follow-up help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reasonerjt @baaaaast