From 1150afbdc2571a676eaf92f68715a560bfe0c95b Mon Sep 17 00:00:00 2001
From: Jaromir Wysoglad
Date: Mon, 27 May 2024 04:15:54 -0400
Subject: [PATCH 1/5] feat: add WebTLSConfig struct

---
 pkg/apis/monitoring/v1alpha1/types.go | 25 ++++++++++++++
 .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++++++++
 2 files changed, 58 insertions(+)

diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go
index 7419dd49e..3ef99d7b4 100644
--- a/pkg/apis/monitoring/v1alpha1/types.go
+++ b/pkg/apis/monitoring/v1alpha1/types.go
@@ -278,3 +278,28 @@ type ThanosQuerierSpec struct {
 // ThanosQuerierStatus defines the observed state of ThanosQuerier.
 // It should always be reconstructable from the state of the cluster and/or outside world.
 type ThanosQuerierStatus struct{}
+
+// SecretKeySelector selects a key of a secret.
+type SecretKeySelector struct {
+ // The name of the secret in the object's namespace to select from.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Required
+ Name string `json:"name"`
+ // The key of the secret to select from. Must be a valid secret key.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Required
+ Key string `json:"key"`
+}
+
+// WebTLSConfig contains configuration to enable TLS on web endpoints.
+type WebTLSConfig struct {
+ // Reference to the TLS private key for the web server.
+ // +kubebuilder:validation:Required
+ PrivateKey SecretKeySelector `json:"privateKey"`
+ // Reference to the TLS public certificate for the web server.
+ // +kubebuilder:validation:Required
+ Certificate SecretKeySelector `json:"certificate"`
+ // Reference to the root Certificate Authority used to verify the web server's certificate.
+ // +kubebuilder:validation:Required
+ CertificateAuthority SecretKeySelector `json:"certificateAuthority"`
+}
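Review bot: `CertificateAuthority` is documented as verifying the web server's certificate, but the comment does not say who performs that verification, and its Required marker means a server certificate issued by a cluster-trusted CA still has to be accompanied by a CA secret; if the operator-generated self-scrape job is its only consumer, say so: `// Reference to the CA certificate the operator-generated self-scrape job uses to verify the web server's certificate; the secret is mounted into the Prometheus pod.` `SecretKeySelector.Name` and `.Key` carry only MinLength validation although Kubernetes restricts secret names to DNS-1123 subdomains and data keys to `[-._a-zA-Z0-9]+`; matching `+kubebuilder:validation:Pattern` markers would reject a bad reference at admission instead of at reconcile time and keep the values safe to splice into generated configuration. The struct also exposes no minimum TLS version or cipher-suite setting, so server-side policy is whatever the underlying prometheus-operator `WebTLSConfig` defaults to; if that is intentional, record it in the `WebTLSConfig` comment. Separately, the companion zz_generated.deepcopy.go hunk in this commit assigns `out.Key`, `out.Cert` and `out.CA`, none of which are fields of this struct, so the commit does not compile on its own; regenerating that file instead of hand-editing it would avoid this.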
diff --git a/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go index 3d661a2eb..334ae3038 100644 --- a/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go @@ -254,6 +254,21 @@ func (in *PrometheusConfig) DeepCopy() *PrometheusConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. +func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { + if in == nil { + return nil + } + out := new(SecretKeySelector) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ThanosQuerier) DeepCopyInto(out *ThanosQuerier) { *out = *in @@ -349,3 +364,21 @@ func (in *ThanosQuerierStatus) DeepCopy() *ThanosQuerierStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebTLSConfig) DeepCopyInto(out *WebTLSConfig) { + *out = *in + out.Key = in.Key + out.Cert = in.Cert + out.CA = in.CA +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebTLSConfig. +func (in *WebTLSConfig) DeepCopy() *WebTLSConfig { + if in == nil { + return nil + } + out := new(WebTLSConfig) + in.DeepCopyInto(out) + return out +} From 0eb6413fc9827f8bd0fbfa11969d565ca152d7c1 Mon Sep 17 00:00:00 2001 From: Jaromir Wysoglad Date: Wed, 29 May 2024 03:56:38 -0400 Subject: [PATCH 2/5] test: add TLS prometheus client --- test/e2e/framework/prometheus_client.go | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) 
diff --git a/test/e2e/framework/prometheus_client.go b/test/e2e/framework/prometheus_client.go
index 5750ec9ad..2cdb3f78a 100644
--- a/test/e2e/framework/prometheus_client.go
+++ b/test/e2e/framework/prometheus_client.go
@@ -1,6 +1,8 @@
 package framework
 
 import (
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "fmt"
 "net/http"
@@ -36,6 +38,28 @@ func NewPrometheusClient(url string) *PrometheusClient {
 }
 }
 
+func NewTLSPrometheusClient(url string, caCert string, serverName string) (*PrometheusClient, error) {
+ ca := x509.NewCertPool()
+ ok := ca.AppendCertsFromPEM([]byte(caCert))
+ if !ok {
+ return nil, fmt.Errorf("failed to parse ca certificate")
+ }
+ tlsConf := tls.Config{
+ RootCAs: ca,
+ ServerName: serverName,
+ }
+ transport := &http.Transport{
+ TLSClientConfig: &tlsConf,
+ }
+ return &PrometheusClient{
+ baseURL: url,
+ client: &http.Client{
+ Transport: transport,
+ Timeout: 10 * time.Second,
+ },
+ }, nil
+}
+
 func (c *PrometheusClient) Query(query string) (*PrometheusResponse, error) {
 url := fmt.Sprintf("%s/api/v1/query?query=%s", c.baseURL, query)
 resp, err := c.client.Get(url)
From 2fb5b9912aaafb15e3333b3d787492cd4e003e3f Mon Sep 17 00:00:00 2001
From: Jaromir Wysoglad
Date: Wed, 22 May 2024 04:09:37 -0400
Subject: [PATCH 3/5] feat: add TLS support for prometheus

---
 .../monitoring.rhobs_monitoringstacks.yaml | 62 ++++++++
 .../monitoring.rhobs_monitoringstacks.yaml | 62 ++++++++
 docs/api.md | 150 ++++++++++++++++++
 pkg/apis/monitoring/v1alpha1/types.go | 3 +
 .../v1alpha1/zz_generated.deepcopy.go | 11 +-
 .../monitoring/monitoring-stack/components.go | 40 +++++
 6 files changed, 325 insertions(+), 3 deletions(-)

diff --git a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
index b03765a46..1c9404f4d 100644
--- a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
+++ b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
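Review bot: `NewTLSPrometheusClient` is exported without a doc comment, and the error it returns, `fmt.Errorf("failed to parse ca certificate")`, has no format verbs; suggest `// NewTLSPrometheusClient returns a client that trusts only the PEM CA in caCert and requires the server certificate to match serverName.` and `return nil, errors.New("no certificate found in CA PEM")` (adding `errors` to the import block). The `tls.Config` leaves `MinVersion` unset; for an e2e client whose purpose is to prove the server's TLS setup, pinning `MinVersion: tls.VersionTLS12` makes the test's expectation explicit rather than inherited from the Go default. The client construction and 10 s timeout appear to duplicate what `NewPrometheusClient` does with a default transport; a shared unexported constructor taking an `*http.Transport` would keep the two from drifting.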
@@ -1163,6 +1163,68 @@ spec: description: Default interval between scrapes. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string + webTLSConfig: + description: Configure TLS options for the Prometheus web server. + properties: + certificate: + description: Reference to the TLS public certificate for the + web server. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + certificateAuthority: + description: Reference to the root Certificate Authority used + to verify the web server's certificate. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + privateKey: + description: Reference to the TLS private key for the web + server. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + required: + - certificate + - certificateAuthority + - privateKey + type: object type: object resourceSelector: description: |- diff --git a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml index 1490ff95b..a934bd7dc 100644 --- a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml +++ b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml 
@@ -1163,6 +1163,68 @@ spec: description: Default interval between scrapes. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string + webTLSConfig: + description: Configure TLS options for the Prometheus web server. + properties: + certificate: + description: Reference to the TLS public certificate for the + web server. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + certificateAuthority: + description: Reference to the root Certificate Authority used + to verify the web server's certificate. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + privateKey: + description: Reference to the TLS private key for the web + server. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + minLength: 1 + type: string + name: + description: The name of the secret in the object's namespace + to select from. + minLength: 1 + type: string + required: + - key + - name + type: object + required: + - certificate + - certificateAuthority + - privateKey + type: object type: object resourceSelector: description: |- diff --git a/docs/api.md b/docs/api.md index 1ff30a3ff..df01c1958 100644 --- a/docs/api.md +++ b/docs/api.md @@ -354,6 +354,13 @@ The resulting endpoint is /api/v1/otlp/v1/metrics.
Default interval between scrapes.
false + + webTLSConfig + object + + Configure TLS options for the Prometheus web server.
+ + false @@ -2455,6 +2462,149 @@ Regex capture groups are available.
+### MonitoringStack.spec.prometheusConfig.webTLSConfig +[↩ Parent](#monitoringstackspecprometheusconfig) + + + +Configure TLS options for the Prometheus web server. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
certificateobject + Reference to the TLS public certificate for the web server.
+
true
certificateAuthorityobject + Reference to the root Certificate Authority used to verify the web server's certificate.
+
true
privateKeyobject + Reference to the TLS private key for the web server.
+
true
+ + +### MonitoringStack.spec.prometheusConfig.webTLSConfig.certificate +[↩ Parent](#monitoringstackspecprometheusconfigwebtlsconfig) + + + +Reference to the TLS public certificate for the web server. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + The key of the secret to select from. Must be a valid secret key.
+
true
namestring + The name of the secret in the object's namespace to select from.
+
true
+ + +### MonitoringStack.spec.prometheusConfig.webTLSConfig.certificateAuthority +[↩ Parent](#monitoringstackspecprometheusconfigwebtlsconfig) + + + +Reference to the root Certificate Authority used to verify the web server's certificate. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + The key of the secret to select from. Must be a valid secret key.
+
true
namestring + The name of the secret in the object's namespace to select from.
+
true
+ + +### MonitoringStack.spec.prometheusConfig.webTLSConfig.privateKey +[↩ Parent](#monitoringstackspecprometheusconfigwebtlsconfig) + + + +Reference to the TLS private key for the web server. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + The key of the secret to select from. Must be a valid secret key.
+
true
namestring + The name of the secret in the object's namespace to select from.
+
true
+ + ### MonitoringStack.spec.resourceSelector [↩ Parent](#monitoringstackspec) diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go index 3ef99d7b4..bf52da002 100644 --- a/pkg/apis/monitoring/v1alpha1/types.go +++ b/pkg/apis/monitoring/v1alpha1/types.go @@ -201,6 +201,9 @@ type PrometheusConfig struct { // Default interval between scrapes. // +optional ScrapeInterval *monv1.Duration `json:"scrapeInterval,omitempty"` + // Configure TLS options for the Prometheus web server. + // +optional + WebTLSConfig *WebTLSConfig `json:"webTLSConfig,omitempty"` } type AlertmanagerConfig struct { diff --git a/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go index 334ae3038..244f9b68c 100644 --- a/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go @@ -242,6 +242,11 @@ func (in *PrometheusConfig) DeepCopyInto(out *PrometheusConfig) { *out = new(monitoringv1.Duration) **out = **in } + if in.WebTLSConfig != nil { + in, out := &in.WebTLSConfig, &out.WebTLSConfig + *out = new(WebTLSConfig) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusConfig. @@ -368,9 +373,9 @@ func (in *ThanosQuerierStatus) DeepCopy() *ThanosQuerierStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebTLSConfig) DeepCopyInto(out *WebTLSConfig) { *out = *in - out.Key = in.Key - out.Cert = in.Cert - out.CA = in.CA + out.PrivateKey = in.PrivateKey + out.Certificate = in.Certificate + out.CertificateAuthority = in.CertificateAuthority } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebTLSConfig. diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go index ac225b0ed..833c4ea45 100644 
--- a/pkg/controllers/monitoring/monitoring-stack/components.go +++ b/pkg/controllers/monitoring/monitoring-stack/components.go @@ -203,6 +203,33 @@ func newPrometheus( }, } + if ms.Spec.PrometheusConfig.WebTLSConfig != nil { + tlsConfig := ms.Spec.PrometheusConfig.WebTLSConfig + + prometheus.Spec.CommonPrometheusFields.Web = &monv1.PrometheusWebSpec{ + WebConfigFileFields: monv1.WebConfigFileFields{ + TLSConfig: &monv1.WebTLSConfig{ + KeySecret: corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: tlsConfig.PrivateKey.Name, + }, + Key: tlsConfig.PrivateKey.Key, + }, + Cert: monv1.SecretOrConfigMap{ + Secret: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: tlsConfig.Certificate.Name, + }, + Key: tlsConfig.Certificate.Key, + }, + }, + }, + }, + } + // Add a CA secret to use later for the self-scraping job + prometheus.Spec.Secrets = append(prometheus.Spec.Secrets, tlsConfig.CertificateAuthority.Name) + } + if prometheusCfg.Image != "" { prometheus.Spec.CommonPrometheusFields.Image = ptr.To(prometheusCfg.Image) } @@ -350,6 +377,18 @@ func newThanosSidecarService(ms *stack.MonitoringStack, instanceSelectorKey stri } func newAdditionalScrapeConfigsSecret(ms *stack.MonitoringStack, name string) *corev1.Secret { + prometheusScheme := "http" + prometheusTLSConfig := "" + + if ms.Spec.PrometheusConfig.WebTLSConfig != nil { + promCASecret := ms.Spec.PrometheusConfig.WebTLSConfig.CertificateAuthority + prometheusScheme = "https" + prometheusTLSConfig = ` + tls_config: + ca_file: /etc/prometheus/secrets/` + promCASecret.Name + `/` + promCASecret.Key + ` + server_name: ` + ms.Name + `-prometheus +` + } return &corev1.Secret{ TypeMeta: metav1.TypeMeta{ APIVersion: corev1.SchemeGroupVersion.String(), 
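Review bot: Only `KeySecret` and `Cert` are populated on the `monv1.WebTLSConfig`; `ClientAuthType`, `MinVersion` and the cipher-suite fields are left at prometheus-operator defaults and nothing records that this is deliberate, so a comment above the assignment such as `// Only key and cert are user-configurable; client auth, TLS version and cipher policy stay at prometheus-operator defaults.` would help the next reader. The `Secrets` append mounts the entire CA secret under /etc/prometheus/secrets/<name>, which is the path the scrape config built in `newAdditionalScrapeConfigsSecret` depends on; extending the existing comment to say so keeps the two in step. If `prometheus` were reused across reconciles rather than rebuilt on every call, the unconditional `append` would accumulate duplicate entries; `newPrometheus` begins before this hunk, so that cannot be confirmed here.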
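Review bot: `promCASecret.Name` and `promCASecret.Key` are spliced straight into YAML by string concatenation, and the CRD enforces only MinLength on them, so a value containing a newline or YAML syntax would change the shape of the generated scrape config; validate both at the API (a `+kubebuilder:validation:Pattern` matching Kubernetes' DNS-1123 secret-name rule and the `[-._a-zA-Z0-9]+` data-key rule) or reject them here before building the string. `server_name` is fixed to `ms.Name + "-prometheus"`, so a certificate whose SANs carry only the FQDN form of the service fails verification and the failure surfaces only as scrape errors far from the API field; document the required name on the API type or derive it from the same source as the scrape target. The leading spaces inside the raw string are significant and must line up with the job entry in `AdditionalScrapeConfigsSelfScrapeKey` that the -363 hunk splices it into; a comment `// indentation must match the job entry this string is inserted into` would guard against an editor reformat.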
@@ -363,6 +402,7 @@ func newAdditionalScrapeConfigsSecret(ms *stack.MonitoringStack, name string) *c AdditionalScrapeConfigsSelfScrapeKey: ` - job_name: prometheus-self honor_labels: true + scheme: ` + prometheusScheme + prometheusTLSConfig + ` relabel_configs: - action: keep source_labels: From 891b53eaf32abdebab54308e9a4c6541ad13eda6 Mon Sep 17 00:00:00 2001 From: Jaromir Wysoglad Date: Wed, 29 May 2024 03:45:39 -0400 Subject: [PATCH 4/5] test: test Prometheus TLS --- test/e2e/monitoring_stack_controller_test.go | 115 +++++++++++++++++++ 1 file changed, 115 insertions(+) diff --git a/test/e2e/monitoring_stack_controller_test.go b/test/e2e/monitoring_stack_controller_test.go index 41c687818..ff54ab3db 100644 --- a/test/e2e/monitoring_stack_controller_test.go +++ b/test/e2e/monitoring_stack_controller_test.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "net" "net/http" "os/exec" "strings" @@ -23,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/util/cert" "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" @@ -114,6 +116,9 @@ func TestMonitoringStackController(t *testing.T) { }, { name: "managed fields in Prometheus object", scenario: assertPrometheusManagedFields, + }, { + name: "Prometheus stacks can scrape themselves behind TLS", + scenario: assertPrometheusScrapesItselfTLS, }} for _, tc := range ts { t.Run(tc.name, tc.scenario) 
@@ -655,6 +660,107 @@ func assertPrometheusManagedFields(t *testing.T) { assert.DeepEqual(t, have, expected) } +func assertPrometheusScrapesItselfTLS(t *testing.T) { + // TODO: Test Alertmanager TLS too once it's available + // how to do this can be partialy seen at: + // https://github.com/vyzigold/observability-operator/commit/adc714f4792654978f02899429e05c4e26a404ef + + monitoringStackName := "self-scrape-tls" + prometheusServiceName := monitoringStackName + "-prometheus" + + certs, key, err := cert.GenerateSelfSignedCertKey(prometheusServiceName, []net.IP{}, []string{}) + assert.NilError(t, err) + + promKey := string(key) + promCerts := strings.SplitAfter(string(certs), "-----END CERTIFICATE-----") + + promTLSSecret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: corev1.SchemeGroupVersion.String(), + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "prom-test-tls-secret", + Namespace: e2eTestNamespace, + }, + StringData: map[string]string{ + "tls.key": promKey, + "tls.crt": promCerts[0], + "ca.crt": promCerts[1], + }, + } + + err = f.K8sClient.Create(context.Background(), &promTLSSecret) + assert.NilError(t, err) + + ms := newMonitoringStack(t, monitoringStackName) + ms.Spec.PrometheusConfig = &stack.PrometheusConfig{ + WebTLSConfig: &stack.WebTLSConfig{ + Certificate: stack.SecretKeySelector{ + Name: "prom-test-tls-secret", + Key: "tls.crt", + }, + PrivateKey: stack.SecretKeySelector{ + Name: "prom-test-tls-secret", + Key: "tls.key", + }, + CertificateAuthority: stack.SecretKeySelector{ + Name: "prom-test-tls-secret", + Key: "ca.crt", + }, + }, + } + err = f.K8sClient.Create(context.Background(), ms) + assert.NilError(t, err) + f.AssertStatefulsetReady("prometheus-self-scrape-tls", e2eTestNamespace, framework.WithTimeout(5*time.Minute))(t) + + stopChan := make(chan struct{}) + defer close(stopChan) + if err = wait.PollUntilContextTimeout(context.Background(), 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) 
{ + err = f.StartServicePortForward(prometheusServiceName, e2eTestNamespace, "9090", stopChan) + return err == nil, nil + }); err != nil { + t.Fatal(fmt.Errorf("Failed to poll for port-forward: %w", err)) + } + + promClient, err := framework.NewTLSPrometheusClient("https://localhost:9090", promCerts[1], prometheusServiceName) + expectedResults := map[string]int{ + "prometheus_build_info": 2, // scrapes from both endpoints + "alertmanager_build_info": 2, + } + if err != nil { + t.Fatal(fmt.Errorf("Failed to create prometheus client: %s", err)) + } + if err = wait.PollUntilContextTimeout(context.Background(), 5*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) { + correct := 0 + for query, value := range expectedResults { + result, err := promClient.Query(query) + if err != nil { + return false, nil + } + + if len(result.Data.Result) == 0 { + return false, nil + } + + if len(result.Data.Result) > value { + resultErr := fmt.Errorf("invalid result for query %s, got %d, want %d", query, len(result.Data.Result), value) + return true, resultErr + } + + if len(result.Data.Result) != value { + return false, nil + } + + correct++ + } + + return correct == len(expectedResults), nil + }); err != nil { + t.Fatal(fmt.Errorf("Could not query prometheus: %w", err)) + } +} + // Update this json when a new Prometheus field is set by MonitoringStack const oboManagedFieldsJson = ` { @@ -699,6 +805,7 @@ const oboManagedFieldsJson = ` "f:scrapeConfigNamespaceSelector": {}, "f:scrapeConfigSelector": {}, "f:scrapeInterval": {}, + "f:secrets": {}, "f:securityContext": { "f:fsGroup": {}, "f:runAsNonRoot": {}, @@ -722,6 +829,14 @@ const oboManagedFieldsJson = ` "f:resources": {} }, "f:tsdb": {} + "f:web": { + "f:tlsConfig": { + "f:cert": { + "f:secret": {} + }, + "f:client_ca": {}, + "f:keySecret": {} + } } ` From cc5e72404b8220383eae5cc07b0b4c491c58a694 Mon Sep 17 00:00:00 2001 
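Review bot: `promCerts[1]` is indexed without checking that the split produced it, and the test relies on `cert.GenerateSelfSignedCertKey` presumably returning the leaf certificate followed by the CA; if that helper's output ever changes, the failure is an index panic rather than a message. Add `assert.Assert(t, len(promCerts) >= 2, "expected leaf and CA certificate")` before the secret is built, with the comment `// GenerateSelfSignedCertKey returns the leaf certificate followed by its CA: [0] is served, [1] is what the client trusts.` `promClient, err := framework.NewTLSPrometheusClient(...)` is followed by the `expectedResults` literal before `err` is checked; move the check directly after the call and use `t.Fatalf("creating prometheus client: %v", err)` instead of wrapping with `%s`. `promTLSSecret` is created without any cleanup; if `newMonitoringStack` registers one for the stack, the secret should get one too, otherwise a rerun in the same namespace fails on AlreadyExists.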
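Review bot: After this hunk `oboManagedFieldsJson` is not valid JSON: `"f:tsdb": {}` is followed by `"f:web": {` with no separating comma, and the `"f:web"` object is opened but never closed, so `assertPrometheusManagedFields` cannot pass at this commit and bisecting through the series breaks. PATCH 5/5 repairs both, so squashing that fix into this commit would be cleaner than carrying a known-red commit. The expected shape here also already includes `f:secrets` and `f:web` while `assertPrometheusManagedFields` in this commit still creates a stack without TLS, which is the same mismatch.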
From: Jaromir Wysoglad Date: Thu, 1 Aug 2024 14:02:43 -0400 Subject: [PATCH 5/5] test: add tls fields to managed fields test --- test/e2e/monitoring_stack_controller_test.go | 50 ++++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/test/e2e/monitoring_stack_controller_test.go b/test/e2e/monitoring_stack_controller_test.go index ff54ab3db..3802dde10 100644 --- a/test/e2e/monitoring_stack_controller_test.go +++ b/test/e2e/monitoring_stack_controller_test.go @@ -604,7 +604,36 @@ func prometheusScaleDown(t *testing.T) { func assertPrometheusManagedFields(t *testing.T) { numOfRep := int32(1) - ms := newMonitoringStack(t, "prometheus-managed-fields-test") + + monitoringStackName := "prometheus-managed-fields-test" + prometheusServiceName := monitoringStackName + "-prometheus" + + certs, key, err := cert.GenerateSelfSignedCertKey(prometheusServiceName, []net.IP{}, []string{}) + assert.NilError(t, err) + + promKey := string(key) + promCerts := strings.SplitAfter(string(certs), "-----END CERTIFICATE-----") + + promTLSSecret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: corev1.SchemeGroupVersion.String(), + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "prom-test-managedfields-tls-secret", + Namespace: e2eTestNamespace, + }, + StringData: map[string]string{ + "tls.key": promKey, + "tls.crt": promCerts[0], + "ca.crt": promCerts[1], + }, + } + + err = f.K8sClient.Create(context.Background(), &promTLSSecret) + assert.NilError(t, err) + + ms := newMonitoringStack(t, monitoringStackName) var scrapeInterval monv1.Duration = "2m" ms.Spec.PrometheusConfig = &stack.PrometheusConfig{ Replicas: &numOfRep, 
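Review bot: The certificate generation and Secret construction added here are a line-for-line copy of the block in `assertPrometheusScrapesItselfTLS`, differing only in the secret name; extracting a helper keeps the leaf/CA split and the secret layout in one place and gives both tests the same bounds check before indexing the split. Since the shared `oboManagedFieldsJson` now expects `f:web` and `f:secrets`, the managed-fields check covers only stacks with TLS enabled, and the default plain-HTTP shape has no managed-fields assertion any more; a second expected constant, or a table over both variants, would restore that coverage. `assertPrometheusManagedFields` continues past the end of the hunk.
```go
// newSelfSignedTLSSecret builds a Secret holding a freshly generated key, leaf
// certificate and CA certificate for serviceName, named secretName in the e2e namespace.
func newSelfSignedTLSSecret(t *testing.T, secretName, serviceName string) corev1.Secret {
	t.Helper()
	certs, key, err := cert.GenerateSelfSignedCertKey(serviceName, []net.IP{}, []string{})
	assert.NilError(t, err)
	// The helper returns the leaf certificate followed by its CA; keep them apart so the
	// server presents only the leaf and the client trusts only the CA.
	pems := strings.SplitAfter(string(certs), "-----END CERTIFICATE-----")
	assert.Assert(t, len(pems) >= 2, "expected leaf and CA certificate")
	return corev1.Secret{
		TypeMeta: metav1.TypeMeta{
			APIVersion: corev1.SchemeGroupVersion.String(),
			Kind:       "Secret",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      secretName,
			Namespace: e2eTestNamespace,
		},
		StringData: map[string]string{
			"tls.key": string(key),
			"tls.crt": pems[0],
			"ca.crt":  pems[1],
		},
	}
}

// in assertPrometheusManagedFields (and likewise in assertPrometheusScrapesItselfTLS):
	promTLSSecret := newSelfSignedTLSSecret(t, "prom-test-managedfields-tls-secret", prometheusServiceName)
	err := f.K8sClient.Create(context.Background(), &promTLSSecret)
	assert.NilError(t, err)
	// … unchanged: MonitoringStack spec and the rest of assertPrometheusManagedFields …
```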
@@ -623,6 +652,20 @@ func assertPrometheusManagedFields(t *testing.T) { }, EnableRemoteWriteReceiver: true, EnableOtlpHttpReceiver: func(b bool) *bool { return &b }(true), + WebTLSConfig: &stack.WebTLSConfig{ + Certificate: stack.SecretKeySelector{ + Name: "prom-test-managedfields-tls-secret", + Key: "tls.crt", + }, + PrivateKey: stack.SecretKeySelector{ + Name: "prom-test-managedfields-tls-secret", + Key: "tls.key", + }, + CertificateAuthority: stack.SecretKeySelector{ + Name: "prom-test-managedfields-tls-secret", + Key: "ca.crt", + }, + }, } ms.Spec.NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -630,7 +673,7 @@ func assertPrometheusManagedFields(t *testing.T) { }, } - err := f.K8sClient.Create(context.Background(), ms) + err = f.K8sClient.Create(context.Background(), ms) assert.NilError(t, err, "failed to create a monitoring stack") prom := monv1.Prometheus{} @@ -828,7 +871,7 @@ const oboManagedFieldsJson = ` "f:image": {}, "f:resources": {} }, - "f:tsdb": {} + "f:tsdb": {}, "f:web": { "f:tlsConfig": { "f:cert": { @@ -836,6 +879,7 @@ const oboManagedFieldsJson = ` }, "f:client_ca": {}, "f:keySecret": {} + } } } `