Commit
feat(prometheus-postgres-exporter): support custom TLS config
The following patch extends the serviceMonitor resource to allow users to apply a custom TLS configuration for TLS authentication and encryption between prometheus and the postgres-exporter. Furthermore, the protocol scheme can now be customized. The default is `http` but needs to be changed to `https`, when TLS authentication/encryption should be applied.

The following configuration example applies a user-specific TLS configuration:

```yaml
serviceMonitor:
  enabled: true
  scheme: https
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-postgres-exporter
```

Important Note: The `serverName` attribute must correspond to the CommonName or a Subject Alternative Name (SAN) of the TLS certificate. If this is not the case, prometheus will reject the connection trying to match the IP address of the pod with the CommonName / SAN.

The client certificate and private key as well as the certificate of the certificate authority must be mounted additionally via the `extraVolumes` and `extraVolumeMounts` option. This configuration is not standard and must also be implemented by the user if TLS client authentication is required. Furthermore, a `web-config.yaml` must be applied to start the web server of the prometheus-postgres-exporter with TLS encryption.

```yaml
config:
  extraArgs:
    - "--web.config.file=/etc/prometheus-postgres-exporter/config/web-config.yaml"
extraVolumeMounts:
  - name: config
    mountPath: /etc/prometheus-postgres-exporter/config
  - name: tls
    mountPath: /etc/prometheus-postgres-exporter/tls
extraVolumes:
  - name: config
    secret:
      secretName: prometheus-postgres-exporter-config
  - name: tls
    secret:
      secretName: prometheus-postgres-exporter-tls
```

The secret `prometheus-postgres-exporter-config` requires the key `web-config.yaml`. All keys are mounted as files to `/etc/prometheus-postgres-exporter/config`. The mounted file `web-config.yaml` is passed as config argument to the exporter.

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations: {}
  labels: {}
  name: prometheus-postgres-exporter-config
stringData:
  web-config.yaml: |
    tls_server_config:
      cert_file: /etc/prometheus-postgres-exporter/tls/tls.crt
      key_file: /etc/prometheus-postgres-exporter/tls/tls.key
      client_auth_type: RequireAndVerifyClientCert
      client_ca_file: /etc/prometheus-postgres-exporter/tls/ca.crt
      min_version: TLS12
      max_version: TLS13
```

Signed-off-by: Markus Pesch <[email protected]>
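The two behaviours the commit message warns about, the `serverName` having to match a SAN (otherwise Prometheus verifies the pod IP against the certificate) and `RequireAndVerifyClientCert` turning away scrapes without a client certificate, can be reproduced offline with Go's standard library. The block below is an added example and is not part of the commit or of the chart: it mints a throwaway CA, server and client certificate in memory, starts an `httptest` server with the same `tls_server_config` settings as the `web-config.yaml` above in place of the real exporter, and then performs three scrapes whose `tls.Config` mirrors the ServiceMonitor `tlsConfig` (RootCAs for `caFile`, Certificates for `certFile`/`keyFile`, ServerName for `serverName`). The function and certificate names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a throwaway certificate (self-signed CA when parent is nil). The name
// appears only as CommonName and DNS SAN, never as an IP SAN. Constructed test PKI only.
func issue(serial int64, name string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// scrape mirrors the ServiceMonitor tlsConfig: RootCAs <- caFile, Certificates <-
// certFile/keyFile, ServerName <- serverName. An empty serverName makes Go verify the URL host, i.e. the pod IP.
func scrape(url string, pool *x509.CertPool, clientCert *tls.Certificate, serverName string) error {
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// Demo runs three scrapes against a stand-in exporter configured like the
// tls_server_config above and reports which of them succeed.
func Demo() (nameMatches, noServerName, noClientCert bool, err error) {
	const san = "prometheus-postgres-exporter"
	ca, caTLS, err := issue(1, "test-ca", x509.ExtKeyUsageAny, nil, nil)
	if err != nil {
		return
	}
	_, serverCert, err := issue(2, san, x509.ExtKeyUsageServerAuth, ca, caTLS.PrivateKey)
	if err != nil {
		return
	}
	_, clientCert, err := issue(3, "prometheus", x509.ExtKeyUsageClientAuth, ca, caTLS.PrivateKey)
	if err != nil {
		return
	}
	pool := x509.NewCertPool() // plays the role of ca.crt on both sides
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "pg_up 1") // constructed metric line
	}))
	srv.TLS = &tls.Config{ // same settings as tls_server_config in web-config.yaml
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS13,
	}
	srv.StartTLS()
	defer srv.Close()
	nameMatches = scrape(srv.URL, pool, &clientCert, san) == nil  // serverName equals the SAN
	noServerName = scrape(srv.URL, pool, &clientCert, "") == nil  // pod IP is checked against the cert
	noClientCert = scrape(srv.URL, pool, nil, san) == nil         // no certFile/keyFile configured
	return
}

func main() {
	fmt.Println(Demo())
}
```

Only the first scrape succeeds: the second fails during certificate verification because the server certificate carries no IP SAN for the loopback address the server listens on, which is the same failure the note about `serverName` describes for a pod IP, and the third is rejected by the server because `RequireAndVerifyClientCert` demands a certificate chaining to `client_ca_file`.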