feat: TLS support for the Alertmanager web endpoint (#495)
* feat: tls support for alertmanager

* test: test alarm receiving when am TLS enabled

* test: test scraping alertmanager with TLS enabled
vyzigold authored Sep 30, 2024
1 parent 4ce18d9 commit a6f1387
Showing 9 changed files with 502 additions and 7 deletions.
62 changes: 62 additions & 0 deletions bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
Expand Up @@ -50,6 +50,68 @@ spec:
default: false
description: Disables the deployment of Alertmanager.
type: boolean
webTLSConfig:
description: Configure TLS options for the Alertmanager web server.
properties:
certificate:
description: Reference to the TLS public certificate for the
web server.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
certificateAuthority:
description: Reference to the root Certificate Authority used
to verify the web server's certificate.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
privateKey:
description: Reference to the TLS private key for the web
server.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
required:
- certificate
- certificateAuthority
- privateKey
type: object
type: object
logLevel:
default: info
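Review bot: The certificateAuthority description ("used to verify the web server's certificate") does not say who performs the verification, and next to certificate and privateKey it can be read as a client CA for mutual TLS. Suggest wording it as the CA that clients of Alertmanager use to validate the certificate the web server presents, and stating that the field does not turn on client-certificate authentication, since the alertmanager.go change in this commit passes only the key and certificate into the web config.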
Expand Up @@ -42,7 +42,7 @@ metadata:
categories: Monitoring
certified: "false"
containerImage: observability-operator:0.4.0
createdAt: "2024-09-19T09:20:36Z"
createdAt: "2024-09-25T15:30:42Z"
description: A Go based Kubernetes operator to setup and manage highly available
Monitoring Stack using Prometheus, Alertmanager and Thanos Querier.
operators.operatorframework.io/builder: operator-sdk-v1.36.1
62 changes: 62 additions & 0 deletions deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
Expand Up @@ -50,6 +50,68 @@ spec:
default: false
description: Disables the deployment of Alertmanager.
type: boolean
webTLSConfig:
description: Configure TLS options for the Alertmanager web server.
properties:
certificate:
description: Reference to the TLS public certificate for the
web server.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
certificateAuthority:
description: Reference to the root Certificate Authority used
to verify the web server's certificate.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
privateKey:
description: Reference to the TLS private key for the web
server.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
minLength: 1
type: string
name:
description: The name of the secret in the object's namespace
to select from.
minLength: 1
type: string
required:
- key
- name
type: object
required:
- certificate
- certificateAuthority
- privateKey
type: object
type: object
logLevel:
default: info
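Review bot: In the webTLSConfig required list, certificateAuthority is mandatory alongside certificate and privateKey, and each reference is validated only by minLength: 1 on key and name. Worth confirming that requiring a CA secret in every case is intended, and noting somewhere user-facing that a mistyped secret name or key passes this schema and can only be caught when the operator resolves the reference.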
150 changes: 150 additions & 0 deletions docs/api.md
Expand Up @@ -195,6 +195,156 @@ Define Alertmanager config
<i>Default</i>: false<br/>
</td>
<td>false</td>
</tr><tr>
<td><b><a href="#monitoringstackspecalertmanagerconfigwebtlsconfig">webTLSConfig</a></b></td>
<td>object</td>
<td>
Configure TLS options for the Alertmanager web server.<br/>
</td>
<td>false</td>
</tr></tbody>
</table>


### MonitoringStack.spec.alertmanagerConfig.webTLSConfig
<sup><sup>[↩ Parent](#monitoringstackspecalertmanagerconfig)</sup></sup>



Configure TLS options for the Alertmanager web server.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b><a href="#monitoringstackspecalertmanagerconfigwebtlsconfigcertificate">certificate</a></b></td>
<td>object</td>
<td>
Reference to the TLS public certificate for the web server.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b><a href="#monitoringstackspecalertmanagerconfigwebtlsconfigcertificateauthority">certificateAuthority</a></b></td>
<td>object</td>
<td>
Reference to the root Certificate Authority used to verify the web server's certificate.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b><a href="#monitoringstackspecalertmanagerconfigwebtlsconfigprivatekey">privateKey</a></b></td>
<td>object</td>
<td>
Reference to the TLS private key for the web server.<br/>
</td>
<td>true</td>
</tr></tbody>
</table>


### MonitoringStack.spec.alertmanagerConfig.webTLSConfig.certificate
<sup><sup>[↩ Parent](#monitoringstackspecalertmanagerconfigwebtlsconfig)</sup></sup>



Reference to the TLS public certificate for the web server.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>key</b></td>
<td>string</td>
<td>
The key of the secret to select from. Must be a valid secret key.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>name</b></td>
<td>string</td>
<td>
The name of the secret in the object's namespace to select from.<br/>
</td>
<td>true</td>
</tr></tbody>
</table>


### MonitoringStack.spec.alertmanagerConfig.webTLSConfig.certificateAuthority
<sup><sup>[↩ Parent](#monitoringstackspecalertmanagerconfigwebtlsconfig)</sup></sup>



Reference to the root Certificate Authority used to verify the web server's certificate.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>key</b></td>
<td>string</td>
<td>
The key of the secret to select from. Must be a valid secret key.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>name</b></td>
<td>string</td>
<td>
The name of the secret in the object's namespace to select from.<br/>
</td>
<td>true</td>
</tr></tbody>
</table>


### MonitoringStack.spec.alertmanagerConfig.webTLSConfig.privateKey
<sup><sup>[↩ Parent](#monitoringstackspecalertmanagerconfigwebtlsconfig)</sup></sup>



Reference to the TLS private key for the web server.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>key</b></td>
<td>string</td>
<td>
The key of the secret to select from. Must be a valid secret key.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>name</b></td>
<td>string</td>
<td>
The name of the secret in the object's namespace to select from.<br/>
</td>
<td>true</td>
</tr></tbody>
</table>
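Review bot: The sub-tables for certificate, certificateAuthority and privateKey repeat the same key/name descriptions and never state what the selected value must contain. Suggest the descriptions give the expected encoding (for example PEM) and make clear that all three secrets are looked up in the MonitoringStack's own namespace; if docs/api.md is generated, the wording belongs in the Go field comments it is built from.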

3 changes: 3 additions & 0 deletions pkg/apis/monitoring/v1alpha1/types.go
Expand Up @@ -211,6 +211,9 @@ type AlertmanagerConfig struct {
// +optional
// +kubebuilder:default=false
Disabled bool `json:"disabled,omitempty"`
// Configure TLS options for the Alertmanager web server.
// +optional
WebTLSConfig *WebTLSConfig `json:"webTLSConfig,omitempty"`
}

// NamespaceSelector is a selector for selecting either all namespaces or a
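Review bot: The comment on the new WebTLSConfig field says only "Configure TLS options for the Alertmanager web server." and, with +optional and omitempty, gives no hint of the default. Suggest adding that when the field is unset the web endpoint is left without TLS, which is what the nil check added in newAlertmanager implies.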
7 changes: 6 additions & 1 deletion pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

23 changes: 23 additions & 0 deletions pkg/controllers/monitoring/monitoring-stack/alertmanager.go
Expand Up @@ -80,6 +80,29 @@ func newAlertmanager(
if alertmanagerCfg.Image != "" {
am.Spec.Image = ptr.To(alertmanagerCfg.Image)
}
if ms.Spec.AlertmanagerConfig.WebTLSConfig != nil {
tlsConfig := ms.Spec.AlertmanagerConfig.WebTLSConfig
am.Spec.Web = &monv1.AlertmanagerWebSpec{
WebConfigFileFields: monv1.WebConfigFileFields{
TLSConfig: &monv1.WebTLSConfig{
KeySecret: corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: tlsConfig.PrivateKey.Name,
},
Key: tlsConfig.PrivateKey.Key,
},
Cert: monv1.SecretOrConfigMap{
Secret: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: tlsConfig.Certificate.Name,
},
Key: tlsConfig.Certificate.Key,
},
},
},
},
}
}
return am
}
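Review bot: In the new WebTLSConfig block only KeySecret and Cert are populated; tlsConfig.CertificateAuthority is never read here even though the CRD marks it required. If the CA is consumed only by clients of Alertmanager elsewhere in the commit, a short comment saying so would save the next reader a search. It is also worth stating in the comment or docs that no client CA or client-auth setting is passed, so this enables server-side TLS only and the endpoint still accepts any client that can reach it.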
