Support custom certificate for the object store (#260)
* Support custom certificate for the object store

Signed-off-by: clyang82 <[email protected]>

* Update changelog

Signed-off-by: clyang82 <[email protected]>

* fix rebase issue

Signed-off-by: clyang82 <[email protected]>
clyang82 authored Jan 5, 2022
1 parent 5752646 commit c8a244f
Showing 10 changed files with 94 additions and 36 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -26,6 +26,7 @@ We use *breaking* word for marking changes that are not backward compatible (rel
- [#237](https://github.com/thanos-io/kube-thanos/pull/237) Add new bucket replicate component.
- [#245](https://github.com/thanos-io/kube-thanos/pull/245) Support scraping config reloader sidecar for ruler.
- [#251](https://github.com/thanos-io/kube-thanos/pull/251) Add support for extraEnv (custom environment variables) to all components.
- [#260](https://github.com/thanos-io/kube-thanos/pull/260) Add support custom certificate for the object store by configuring `tlsSecretName` and `tlsSecretMountPath` in `objectStorageConfig`.

### Fixed

Expand Down
2 changes: 2 additions & 0 deletions all.jsonnet
Expand Up @@ -12,6 +12,8 @@ local commonConfig = {
objectStorageConfig: {
name: 'thanos-objectstorage',
key: 'thanos.yaml',
tlsSecretName: '',
tlsSecretMountPath: '',
},
resources: {
requests: { cpu: 0.123, memory: '123Mi' },
Expand Down
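Review bot: The two keys added here are coupled (a `tlsSecretName` only does something together with a `tlsSecretMountPath`), but the example gives no hint of that, and leaving `tlsSecretMountPath` at `''` while setting a name would render a volume mount with an empty `mountPath` in the libsonnet components. A one-line comment above `tlsSecretName` would save operators a failed rollout: `// Optional: name of the Secret holding the custom object-store certificate and the directory to mount it at; set both or neither.` The `commonConfig` object this hunk sits in starts before the hunk.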
2 changes: 2 additions & 0 deletions examples/all/manifests/thanos-bucket-deployment.yaml
Expand Up @@ -76,10 +76,12 @@ spec:
cpu: 0.123
memory: 123Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: []
nodeSelector:
kubernetes.io/os: linux
securityContext:
fsGroup: 65534
runAsUser: 65534
serviceAccountName: thanos-bucket
terminationGracePeriodSeconds: 120
volumes: []
Expand Up @@ -84,10 +84,12 @@ spec:
cpu: 0.123
memory: 123Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: []
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:
fsGroup: 65534
runAsUser: 65534
serviceAccountName: thanos-bucket-replicate
terminationGracePeriodSeconds: 120
volumes: []
7 changes: 7 additions & 0 deletions jsonnet/kube-thanos/kube-thanos-bucket-replicate.libsonnet
Expand Up @@ -158,6 +158,9 @@ function(params) {
} },
resources: if tbr.config.resources != {} then tbr.config.resources else {},
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: if std.objectHas(tbr.config.objectStorageConfig, 'tlsSecretName') && std.length(tbr.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: tbr.config.objectStorageConfig.tlsSecretMountPath },
] else [],
};

{
Expand All @@ -177,6 +180,10 @@ function(params) {
serviceAccountName: tbr.serviceAccount.metadata.name,
securityContext: tbr.config.securityContext,
containers: [container],
volumes: if std.objectHas(tbr.config.objectStorageConfig, 'tlsSecretName') && std.length(tbr.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: tbr.config.objectStorageConfig.tlsSecretName },
}] else [],
terminationGracePeriodSeconds: 120,
nodeSelector: {
'beta.kubernetes.io/os': 'linux',
Expand Down
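Review bot: The guard on the first added line of the `volumeMounts` hunk only checks `tlsSecretName`, so a config that sets the name but leaves `tlsSecretMountPath` at its `''` default (the value all.jsonnet ships) emits `{ name: 'tls-secret', mountPath: '' }`, and `mountPath` is a required field in Kubernetes validation, so the Deployment is rejected. Extending the `if` with `&& std.length(tbr.config.objectStorageConfig.tlsSecretMountPath) > 0` would avoid the invalid manifest but silently drop the certificate mount, which hides the misconfiguration; an assertion near the top of `function(params)` (outside this hunk) fails loudly instead: `assert !std.objectHas(tbr.config.objectStorageConfig, 'tlsSecretName') || tbr.config.objectStorageConfig.tlsSecretName == '' || tbr.config.objectStorageConfig.tlsSecretMountPath != '' : 'objectStorageConfig.tlsSecretMountPath must be set when tlsSecretName is set';`. The same gap is present in the bucket, compact, receive, rule and store files in this commit. The container object the first hunk extends is declared before the hunk begins.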
7 changes: 7 additions & 0 deletions jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
Expand Up @@ -138,6 +138,9 @@ function(params) {
} },
resources: if tb.config.resources != {} then tb.config.resources else {},
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: if std.objectHas(tb.config.objectStorageConfig, 'tlsSecretName') && std.length(tb.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: tb.config.objectStorageConfig.tlsSecretMountPath },
] else [],
};

{
Expand All @@ -157,6 +160,10 @@ function(params) {
serviceAccountName: tb.serviceAccount.metadata.name,
securityContext: tb.config.securityContext,
containers: [container],
volumes: if std.objectHas(tb.config.objectStorageConfig, 'tlsSecretName') && std.length(tb.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: tb.config.objectStorageConfig.tlsSecretName },
}] else [],
terminationGracePeriodSeconds: 120,
nodeSelector: {
'kubernetes.io/os': 'linux',
Expand Down
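Review bot: The `tls-secret` mount added in the first hunk does not declare `readOnly`, while the `data` mounts in the compact and store files of this same commit spell out `readOnly` explicitly; a certificate mount should never be writable by the container, and saying so documents the intent. The kubelet mounts Secret volumes read-only regardless, so this is about explicitness and consistency rather than a behavioral gap: `{ name: 'tls-secret', mountPath: tb.config.objectStorageConfig.tlsSecretMountPath, readOnly: true },`. The equivalent mounts in the bucket-replicate, compact, receive, rule and store files would get the same line.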
11 changes: 9 additions & 2 deletions jsonnet/kube-thanos/kube-thanos-compact.libsonnet
Expand Up @@ -114,7 +114,11 @@ function(params) {
name: 'data',
mountPath: '/var/thanos/compact',
readOnly: false,
}],
}] + (
if std.objectHas(tc.config.objectStorageConfig, 'tlsSecretName') && std.length(tc.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: tc.config.objectStorageConfig.tlsSecretMountPath },
] else []
),
resources: if tc.config.resources != {} then tc.config.resources else {},
terminationMessagePolicy: 'FallbackToLogsOnError',
};
Expand All @@ -139,7 +143,10 @@ function(params) {
serviceAccountName: tc.serviceAccount.metadata.name,
securityContext: tc.config.securityContext,
containers: [c],
volumes: [],
volumes: if std.objectHas(tc.config.objectStorageConfig, 'tlsSecretName') && std.length(tc.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: tc.config.objectStorageConfig.tlsSecretName },
}] else [],
terminationGracePeriodSeconds: 120,
nodeSelector: {
'kubernetes.io/os': 'linux',
Expand Down
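Review bot: The predicate `std.objectHas(tc.config.objectStorageConfig, 'tlsSecretName') && std.length(tc.config.objectStorageConfig.tlsSecretName) > 0` is written out verbatim in both hunks of this file, once for the `volumeMounts` entry and once for the `volumes` entry, so the two halves of the mount can drift apart the next time one copy is edited, and a mount without its volume (or the reverse) is a pod that never starts. Hoist it once at the top of `function(params)`, outside both hunks, e.g. `local tlsSecretEnabled = std.objectHas(tc.config.objectStorageConfig, 'tlsSecretName') && std.length(tc.config.objectStorageConfig.tlsSecretName) > 0;`, and use `if tlsSecretEnabled then … else []` at both sites. The other component files in this commit repeat the same pair of copies.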
19 changes: 15 additions & 4 deletions jsonnet/kube-thanos/kube-thanos-receive.libsonnet
Expand Up @@ -133,6 +133,10 @@ function(params) {
if tr.config.hashringConfigMapName != '' then [
{ name: 'hashring-config', mountPath: '/var/lib/thanos-receive' },
] else []
) + (
if tr.config.objectStorageConfig != null && std.objectHas(tr.config.objectStorageConfig, 'tlsSecretName') && std.length(tr.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: tr.config.objectStorageConfig.tlsSecretMountPath },
] else []
),
livenessProbe: { failureThreshold: 8, periodSeconds: 30, httpGet: {
scheme: 'HTTP',
Expand Down Expand Up @@ -168,10 +172,17 @@ function(params) {
serviceAccountName: tr.serviceAccount.metadata.name,
securityContext: tr.config.securityContext,
containers: [c],
volumes: if tr.config.hashringConfigMapName != '' then [{
name: 'hashring-config',
configMap: { name: tr.config.hashringConfigMapName },
}] else [],
volumes: (
if tr.config.hashringConfigMapName != '' then [{
name: 'hashring-config',
configMap: { name: tr.config.hashringConfigMapName },
}] else []
) + (
if tr.config.objectStorageConfig != null && std.objectHas(tr.config.objectStorageConfig, 'tlsSecretName') && std.length(tr.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: tr.config.objectStorageConfig.tlsSecretName },
}] else []
),
terminationGracePeriodSeconds: 900,
nodeSelector: {
'kubernetes.io/os': 'linux',
Expand Down
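Review bot: Both hunks here prefix the guard with `tr.config.objectStorageConfig != null`, which the bucket, compact and store files in this commit do not do; presumably object storage is optional for receive (and rule) and mandatory for the others, but nothing in the hunk says so, and a reader of the other files will wonder whether they are missing a null check. A comment on the first occurrence would settle it: `// objectStorageConfig is optional for receive, so guard for null before probing tlsSecretName.` As a matter of style, this file already tests the sibling option with `tr.config.hashringConfigMapName != ''`, and `tr.config.objectStorageConfig.tlsSecretName != ''` would read the same way as the `std.length(...) > 0` form. The `volumeMounts` expression the first hunk extends begins before the hunk.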
68 changes: 40 additions & 28 deletions jsonnet/kube-thanos/kube-thanos-rule.libsonnet
Expand Up @@ -181,6 +181,10 @@ function(params) {
{ name: volumeMount.name, mountPath: volumeMount.mountPath }
for volumeMount in tr.config.extraVolumeMounts
] else []
) + (
if tr.config.objectStorageConfig != null && std.objectHas(tr.config.objectStorageConfig, 'tlsSecretName') && std.length(tr.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: tr.config.objectStorageConfig.tlsSecretMountPath },
] else []
),
livenessProbe: { failureThreshold: 24, periodSeconds: 5, httpGet: {
scheme: 'HTTP',
Expand Down Expand Up @@ -254,34 +258,42 @@ function(params) {
serviceAccountName: tr.serviceAccount.metadata.name,
securityContext: tr.config.securityContext,
containers: [c] +
(if std.length(tr.config.rulesConfig) > 0 || std.length(tr.config.extraVolumeMounts) > 0 || tr.config.alertmanagerConfigFile != {} then [
reloadContainer,
] else []),
volumes: [] +
(
if std.length(tr.config.rulesConfig) > 0 then [
{ name: ruleConfig.name, configMap: { name: ruleConfig.name } }
for ruleConfig in tr.config.rulesConfig
] else []
) + (
if tr.config.alertmanagerConfigFile != {} then [{
name: tr.config.alertmanagerConfigFile.name,
configMap: { name: tr.config.alertmanagerConfigFile.name },
}] else []
) + (
if std.length(tr.config.extraVolumeMounts) > 0 then [
{ name: volumeMount.name } +
(
if volumeMount.type == 'configMap' then {
configMap: { name: volumeMount.name },
}
else {
secret: { name: volumeMount.name },
}
)
for volumeMount in tr.config.extraVolumeMounts
] else []
),
(
if std.length(tr.config.rulesConfig) > 0 || std.length(tr.config.extraVolumeMounts) > 0 || tr.config.alertmanagerConfigFile != {} then [
reloadContainer,
] else []
),
volumes:
[] +
(
if std.length(tr.config.rulesConfig) > 0 then [
{ name: ruleConfig.name, configMap: { name: ruleConfig.name } }
for ruleConfig in tr.config.rulesConfig
] else []
) + (
if tr.config.alertmanagerConfigFile != {} then [{
name: tr.config.alertmanagerConfigFile.name,
configMap: { name: tr.config.alertmanagerConfigFile.name },
}] else []
) + (
if std.length(tr.config.extraVolumeMounts) > 0 then [
{ name: volumeMount.name } +
(
if volumeMount.type == 'configMap' then {
configMap: { name: volumeMount.name },
}
else {
secret: { name: volumeMount.name },
}
)
for volumeMount in tr.config.extraVolumeMounts
] else []
) + (
if tr.config.objectStorageConfig != null && std.objectHas(tr.config.objectStorageConfig, 'tlsSecretName') && std.length(tr.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: tr.config.objectStorageConfig.tlsSecretName },
}] else []
),
nodeSelector: {
'kubernetes.io/os': 'linux',
},
Expand Down
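Review bot: The new `tls-secret` volume in the second hunk is built with `secret: { secretName: … }`, while the re-indented `extraVolumeMounts` entries a few lines above it still emit `secret: { name: volumeMount.name }`; the Kubernetes Secret volume source field is `secretName`, so the older form looks like a pre-existing field-name bug that this rewrite carries over rather than introduces (the removed side shows the same `name` key). Since the block is being touched anyway, `secret: { secretName: volumeMount.name },` would make extra secret volumes and the TLS volume consistent and would surface any existing deployment that relies on the wrong key. The large deletion/addition count in this file appears to be mostly this re-indentation of `containers` and `volumes`; the `volumes:` expression closes at the parenthesis before `nodeSelector`.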
11 changes: 9 additions & 2 deletions jsonnet/kube-thanos/kube-thanos-store.libsonnet
Expand Up @@ -128,7 +128,11 @@ function(params) {
name: 'data',
mountPath: '/var/thanos/store',
readOnly: false,
}],
}] + (
if std.objectHas(ts.config.objectStorageConfig, 'tlsSecretName') && std.length(ts.config.objectStorageConfig.tlsSecretName) > 0 then [
{ name: 'tls-secret', mountPath: ts.config.objectStorageConfig.tlsSecretMountPath },
] else []
),
livenessProbe: { failureThreshold: 8, periodSeconds: 30, httpGet: {
scheme: 'HTTP',
port: ts.config.ports.http,
Expand Down Expand Up @@ -163,7 +167,10 @@ function(params) {
serviceAccountName: ts.serviceAccount.metadata.name,
securityContext: ts.config.securityContext,
containers: [c],
volumes: [],
volumes: if std.objectHas(ts.config.objectStorageConfig, 'tlsSecretName') && std.length(ts.config.objectStorageConfig.tlsSecretName) > 0 then [{
name: 'tls-secret',
secret: { secretName: ts.config.objectStorageConfig.tlsSecretName },
}] else [],
terminationGracePeriodSeconds: 120,
nodeSelector: {
'kubernetes.io/os': 'linux',
Expand Down
