Add support for insecure TLS scraping and example app

cmd/operator/deploy/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml

@@ -143,6 +143,16 @@ spec:
                     timeout:
                       type: string
                       description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+                    tls:
+                      type: object
+                      description: Configures the scrape request's TLS settings.
+                      properties:
+                        insecureSkipVerify:
+                          type: boolean
+                          description: Disable target certificate validation.
+                        serverName:
+                          type: string
+                          description: Used to verify the hostname for the targets.
                   required:
                   - port
               limits:

cmd/operator/deploy/crds/monitoring.googleapis.com_podmonitorings.yaml

@@ -143,6 +143,16 @@ spec:
                     timeout:
                       type: string
                       description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+                    tls:
+                      type: object
+                      description: Configures the scrape request's TLS settings.
+                      properties:
+                        insecureSkipVerify:
+                          type: boolean
+                          description: Disable target certificate validation.
+                        serverName:
+                          type: string
+                          description: Used to verify the hostname for the targets.
                   required:
                   - port
               limits:

doc/api.md

@@ -30,6 +30,7 @@ This Document documents the types introduced by the GMP CRDs to be consumed by u
 * [ExportFilters](#exportfilters)
 * [GlobalRules](#globalrules)
 * [GlobalRulesList](#globalruleslist)
+* [HTTPClientConfig](#httpclientconfig)
 * [KubeletScraping](#kubeletscraping)
 * [LabelMapping](#labelmapping)
 * [ManagedAlertmanagerSpec](#managedalertmanagerspec)
@@ -54,6 +55,7 @@ This Document documents the types introduced by the GMP CRDs to be consumed by u
 * [ScrapeEndpointStatus](#scrapeendpointstatus)
 * [ScrapeLimits](#scrapelimits)
 * [SecretOrConfigMap](#secretorconfigmap)
+* [TLS](#tls)
 * [TLSConfig](#tlsconfig)
 * [TargetLabels](#targetlabels)
 * [TargetStatusSpec](#targetstatusspec)
@@ -243,6 +245,19 @@ GlobalRulesList is a list of GlobalRules.
 
 [Back to TOC](#table-of-contents)
 
+## HTTPClientConfig
+
+HTTPClientConfig stores HTTP-client configurations.
+
+
+<em>appears in: [ScrapeEndpoint](#scrapeendpoint)</em>
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| tls | Configures the scrape request's TLS settings. | *[TLS](#tls) | false |
+
+[Back to TOC](#table-of-contents)
+
 ## KubeletScraping
 
 KubeletScraping allows enabling scraping of the Kubelets' metric endpoints.
@@ -555,6 +570,7 @@ ScrapeEndpoint specifies a Prometheus metrics endpoint to scrape.
 | interval | Interval at which to scrape metrics. Must be a valid Prometheus duration. | string | false |
 | timeout | Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval. | string | false |
 | metricRelabeling | Relabeling rules for metrics scraped from this endpoint. Relabeling rules that override protected target labels (project_id, location, cluster, namespace, job, instance, or __address__) are not permitted. The labelmap action is not permitted in general. | [][RelabelingRule](#relabelingrule) | false |
+| tls | Configures the scrape request's TLS settings. | *TLS | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -606,9 +622,23 @@ SecretOrConfigMap allows to specify data as a Secret or ConfigMap. Fields are mu
 
 [Back to TOC](#table-of-contents)
 
+## TLS
+
+TLS specifies TLS configuration parameters from Kubernetes resources.
+
+
+<em>appears in: [HTTPClientConfig](#httpclientconfig)</em>
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| serverName | Used to verify the hostname for the targets. | string | false |
+| insecureSkipVerify | Disable target certificate validation. | bool | false |
+
+[Back to TOC](#table-of-contents)
+
 ## TLSConfig
 
-SafeTLSConfig specifies TLS configuration parameters from Kubernetes resources.
+TLSConfig specifies TLS configuration parameters from Kubernetes resources.
 
 
 <em>appears in: [AlertmanagerEndpoints](#alertmanagerendpoints)</em>

examples/instrumentation/go-synthetic/go-synthetic.yaml

@@ -34,6 +34,12 @@ spec:
         - "--listen-address=:8080"
         - "--cpu-burn-ops=75"
         - "--memory-ballast-mbs=1024"
+        env:
+        # Needed when using --tls-create-self-signed
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
         ports:
         - name: web
           containerPort: 8080

manifests/setup.yaml

@@ -145,6 +145,16 @@ spec:
                     timeout:
                       type: string
                       description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+                    tls:
+                      type: object
+                      description: Configures the scrape request's TLS settings.
+                      properties:
+                        insecureSkipVerify:
+                          type: boolean
+                          description: Disable target certificate validation.
+                        serverName:
+                          type: string
+                          description: Used to verify the hostname for the targets.
                   required:
                   - port
               limits:
@@ -1535,6 +1545,16 @@ spec:
                     timeout:
                       type: string
                       description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+                    tls:
+                      type: object
+                      description: Configures the scrape request's TLS settings.
+                      properties:
+                        insecureSkipVerify:
+                          type: boolean
+                          description: Disable target certificate validation.
+                        serverName:
+                          type: string
+                          description: Used to verify the hostname for the targets.
                   required:
                   - port
               limits:

pkg/operator/apis/monitoring/v1/http.go

@@ -0,0 +1,12 @@
+package v1
+
+import (
+	"github.com/prometheus/common/config"
+)
+
+func (c *TLS) ToPrometheusConfig() *config.TLSConfig {
+	return &config.TLSConfig{
+		InsecureSkipVerify: c.InsecureSkipVerify,
+		ServerName:         c.ServerName,
+	}
+}

pkg/operator/apis/monitoring/v1/types.go

@@ -204,7 +204,15 @@ type Authorization struct {
 	Credentials *v1.SecretKeySelector `json:"credentials,omitempty"`
 }
 
-// SafeTLSConfig specifies TLS configuration parameters from Kubernetes resources.
+// TLS specifies TLS configuration parameters from Kubernetes resources.
+type TLS struct {
+	// Used to verify the hostname for the targets.
+	ServerName string `json:"serverName,omitempty"`
+	// Disable target certificate validation.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+}
+
+// TLSConfig specifies TLS configuration parameters from Kubernetes resources.
 type TLSConfig struct {
 	// Struct containing the CA cert to use for the targets.
 	CA *SecretOrConfigMap `json:"ca,omitempty"`
@@ -708,6 +716,10 @@ func endpointScrapeConfig(id, projectID, location, cluster string, ep ScrapeEndp
 		httpCfg.ProxyURL.URL = proxyURL
 	}
 
+	if ep.HTTPClientConfig.TLS != nil {
+		httpCfg.TLSConfig = *ep.HTTPClientConfig.TLS.ToPrometheusConfig()
+	}
+
 	scrapeCfg := &promconfig.ScrapeConfig{
 		// Generate a job name to make it easy to track what generated the scrape configuration.
 		// The actual job label attached to its metrics is overwritten via relabeling.
@@ -1012,6 +1024,14 @@ type ScrapeEndpoint struct {
 	// instance, or __address__) are not permitted. The labelmap action is not permitted
 	// in general.
 	MetricRelabeling []RelabelingRule `json:"metricRelabeling,omitempty"`
+	// Prometheus HTTP client configuration.
+	HTTPClientConfig `json:",inline"`
+}
+
+// HTTPClientConfig stores HTTP-client configurations.
+type HTTPClientConfig struct {
+	// Configures the scrape request's TLS settings.
+	TLS *TLS `json:"tls,omitempty"`
 }
 
 // TargetLabels configures labels for the discovered Prometheus targets.

pkg/operator/operator_config.go

@@ -522,6 +522,7 @@ func (r *operatorConfigReconciler) makeAlertmanagerConfigs(ctx context.Context,
 				InsecureSkipVerify: am.TLS.InsecureSkipVerify,
 				ServerName:         am.TLS.ServerName,
 			}
+
 			if am.TLS.CA != nil {
 				p := pathForSelector(r.opts.PublicNamespace, am.TLS.CA)
 				b, err := getSecretOrConfigMapBytes(ctx, r.client, r.opts.PublicNamespace, am.TLS.CA)
@@ -634,7 +635,7 @@ func getSecretOrConfigMapBytes(ctx context.Context, kClient client.Reader, names
 	return b, nil
 }
 
-// getSecretKeyBytes processes the given NamespacedSecretKeySelector and returns the referenced data.
+// getSecretKeyBytes processes the given SecretKeySelector and returns the referenced data.
 func getSecretKeyBytes(ctx context.Context, kClient client.Reader, namespace string, sel *corev1.SecretKeySelector) ([]byte, error) {
 	var (
 		secret = &corev1.Secret{}