feat(prometheus-postgres-exporter): support custom TLS config
The following patch extends the serviceMonitor resource to allow users to apply
a custom TLS configuration for TLS authentication and encryption between
prometheus and the postgres-exporter. Furthermore, the protocol scheme can now
be customized. The default is `http` but needs to be changed to `https` when
TLS authentication/encryption should be applied.

The following configuration example applies a user-specific TLS configuration:

```yaml
serviceMonitor:
  enabled: true
  scheme: https
  tlsConfig:
    caFile: /etc/prometheus/tls/ca/ca.crt
    certFile: /etc/prometheus/tls/app2app/tls.crt
    keyFile: /etc/prometheus/tls/app2app/tls.key
    insecureSkipVerify: false
    serverName: prometheus-postgres-exporter
```

Important Note: The `serverName` attribute must correspond to the CommonName or a
Subject Alternative Name (SAN) of the TLS certificate. If this is not the case,
prometheus will reject the connection trying to match the IP address of the pod
with the CommonName / SAN.

The client certificate and private key as well as the certificate of the
certificate authority must be mounted additionally via the `extraVolumes` and
`extraVolumeMounts` option. This configuration is not standard and must also be
implemented by the user if TLS client authentication is required. Furthermore,
a `web-config.yaml` must be applied to start the web server of the
prometheus-postgres-exporter with TLS encryption.

```yaml
config:
  extraArgs:
    - "--web.config.file=/etc/prometheus-postgres-exporter/config/web-config.yaml"

extraVolumeMounts:
  - name: config
    mountPath: /etc/prometheus-postgres-exporter/config
  - name: tls
    mountPath: /etc/prometheus-postgres-exporter/tls

extraVolumes:
  - name: config
    secret:
      secretName: prometheus-postgres-exporter-config
  - name: tls
    secret:
      secretName: prometheus-postgres-exporter-tls
```

The secret `prometheus-postgres-exporter-config` requires the key `web-config.yaml`.
All keys are mounted as files to `/etc/prometheus-postgres-exporter/config`. The
mounted file `web-config.yaml` is passed as config argument to the exporter.

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations: {}
  labels: {}
  name: prometheus-postgres-exporter-config
stringData:
  web-config.yaml: |
    tls_server_config:
      cert_file: /etc/prometheus-postgres-exporter/tls/tls.crt
      key_file: /etc/prometheus-postgres-exporter/tls/tls.key
      client_auth_type: RequireAndVerifyClientCert
      client_ca_file: /etc/prometheus-postgres-exporter/tls/ca.crt
      min_version: TLS12
      max_version: TLS13
```
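The exchange the two configuration blocks above set up, as an added example that is not part of this commit or the chart: a Go program that builds a throwaway CA, an exporter certificate whose CommonName and SAN are `prometheus-postgres-exporter`, and a client certificate, then starts a loopback `httptest` server configured like the `tls_server_config` block (server cert, `RequireAndVerifyClientCert` against the CA, TLS 1.2 to 1.3) and scrapes it the way a `scheme: https` ServiceMonitor with the shown `tlsConfig` would. It runs the matching case and the two failure modes the note warns about: `serverName` left unset, so the connection's IP is matched against the certificate, and a scrape without a client certificate. The function names (`buildPKI`, `startExporter`, `scrape`, `RunScenarios`), the CA name, and the `pg_up 1` sample metric are constructed for the demo; the in-memory PKI stands in for the `ca.crt`, `tls.crt` and `tls.key` files that the real deployment mounts from the secrets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts the demo on any PKI setup error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a throwaway certificate (self-signed when isCA); this constructed PKI stands in for the mounted ca.crt / tls.crt / tls.key.
func newCert(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { // root: sign with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pki bundles the CA pool with the exporter (server) and Prometheus (client) key pairs.
type pki struct{ pool *x509.CertPool; server, client tls.Certificate }

func buildPKI() *pki {
	ca, caKey := newCert("constructed-test-ca", nil, true, nil, nil)
	// The exporter cert carries the SAN that serviceMonitor.tlsConfig.serverName must name.
	srv, srvKey := newCert("prometheus-postgres-exporter", []string{"prometheus-postgres-exporter"}, false, ca, caKey)
	cli, cliKey := newCert("prometheus", nil, false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &pki{pool, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

// startExporter mirrors the web-config.yaml tls_server_config block: server cert, RequireAndVerifyClientCert against ca.crt, TLS 1.2 to 1.3.
func (p *pki) startExporter() *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "pg_up 1") // constructed sample metric
	}))
	ts.TLS = &tls.Config{Certificates: []tls.Certificate{p.server}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: p.pool, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13}
	ts.StartTLS()
	return ts
}

// scrape dials as Prometheus does with scheme: https; caFile -> RootCAs, certFile/keyFile -> certs, serverName -> ServerName.
func (p *pki) scrape(url, serverName string, certs []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: p.pool, ServerName: serverName, Certificates: certs, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Outcome is one scrape attempt; Err is nil only when handshake and request both succeeded.
type Outcome struct{ Name, Body string; Err error }

// RunScenarios plays the matching case plus the two failure modes the commit message warns about.
func RunScenarios() []Outcome {
	p := buildPKI()
	ts := p.startExporter()
	defer ts.Close()
	var out []Outcome
	for _, c := range []struct{ name, serverName string; certs []tls.Certificate }{
		{"serverName matches SAN, client cert present", "prometheus-postgres-exporter", []tls.Certificate{p.client}},
		{"serverName unset, so the URL's IP is matched against the SAN", "", []tls.Certificate{p.client}},
		{"serverName matches SAN, no client cert", "prometheus-postgres-exporter", nil},
	} {
		body, err := p.scrape(ts.URL, c.serverName, c.certs)
		out = append(out, Outcome{c.name, body, err})
	}
	return out
}

func main() {
	for _, r := range RunScenarios() {
		fmt.Printf("%-62s body=%q err=%v\n", r.Name, r.Body, r.Err)
	}
}
```

Only the first scenario returns the metric body; the second fails inside certificate verification because the loopback address, like a pod IP, is not in the SAN list, and the third is rejected by the server because `RequireAndVerifyClientCert` demands a certificate chained to `ca.crt`. Setting `insecureSkipVerify: true` in `tlsConfig` would make the second case pass by switching off exactly the check the note describes, which is why the example keeps it at `false`.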
volker-raschek committed Oct 26, 2024
1 parent 3cc3dbd commit 7c8c9ca
Showing 2 changed files with 11 additions and 0 deletions.
@@ -20,6 +20,9 @@ spec:
{{- if .Values.serviceMonitor.telemetryPath }}
path: {{ .Values.serviceMonitor.telemetryPath }}
{{- end }}
{{- if .Values.serviceMonitor.scheme }}
scheme: {{ .Values.serviceMonitor.scheme }}
{{- end }}
{{- if .Values.serviceMonitor.timeout }}
scrapeTimeout: {{ .Values.serviceMonitor.timeout }}
{{- end }}
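Review bot: the `scheme` value emitted in the new `{{- if .Values.serviceMonitor.scheme }}` block is passed through unquoted and unvalidated, although the ServiceMonitor endpoint only accepts `http` or `https`; consider failing the render early, for example `{{- if not (has .Values.serviceMonitor.scheme (list "http" "https")) }}{{ fail "serviceMonitor.scheme must be http or https" }}{{- end }}`, so a typo surfaces at `helm template` time instead of as a rejected object. It is also worth a comment here or in values.yaml that setting `tlsConfig` without also setting `scheme: https` leaves the scrape in plaintext against an endpoint that, with the `web-config.yaml` from the commit message, only speaks TLS.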
@@ -30,6 +33,10 @@ spec:
{{- if .Values.serviceMonitor.relabelings }}
relabelings:
{{ toYaml .Values.serviceMonitor.relabelings | nindent 4 }}
{{- end }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- . | toYaml | nindent 6 }}
{{- end }}
jobLabel: {{ template "prometheus-postgres-exporter.fullname" . }}
namespaceSelector:
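Review bot: `{{- with .Values.serviceMonitor.tlsConfig }}` copies the map verbatim, so `insecureSkipVerify: true` is accepted silently and switches off the serverName/SAN check the commit message relies on; a one-line comment next to the block (or in values.yaml) saying that `caFile`, `certFile` and `keyFile` are paths inside the Prometheus server pod, not the exporter pod, and that `insecureSkipVerify` should stay `false`, would prevent the most likely misconfiguration. The `nindent 6` also assumes `tlsConfig:` sits at the endpoint item's indentation; please confirm with `helm template` that the rendered keys land under `endpoints[0]` rather than at the `spec` level.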
4 changes: 4 additions & 0 deletions charts/prometheus-postgres-exporter/values.yaml
@@ -45,6 +45,10 @@ serviceMonitor:
# metricRelabelings: []
# Set relabel_configs as per https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
# relabelings: []
# HTTP scheme to use for scraping. For example `http` or `https`. Default is `http`.
# scheme: http
# TLS configuration to use when scraping the metric endpoint by Prometheus.
# tlsConfig: {}

prometheusRule:
enabled: false
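Review bot: the comment `Default is http` holds only because the Prometheus Operator defaults an unset endpoint `scheme` to `http`; the template renders nothing when the value is empty, so wording it as "falls back to the ServiceMonitor default (`http`)" avoids implying the chart sets it. The `tlsConfig: {}` comment would benefit from the same two pointers the commit message gives: `scheme: https` must be set alongside it, and the referenced certificate files must be mounted into the Prometheus pod.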