diff --git a/cmd/operator/deploy/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml b/cmd/operator/deploy/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml
index 4a820f93a4..21d6a16389 100644
--- a/cmd/operator/deploy/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml
+++ b/cmd/operator/deploy/crds/monitoring.googleapis.com_clusterpodmonitorings.yaml
@@ -143,6 +143,16 @@ spec:
timeout:
type: string
description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+ tls:
+ type: object
+ description: Configures the scrape request's TLS settings.
+ properties:
+ insecureSkipVerify:
+ type: boolean
+ description: Disable target certificate validation.
+ serverName:
+ type: string
+ description: Used to verify the hostname for the targets.
required:
- port
limits:
diff --git a/cmd/operator/deploy/crds/monitoring.googleapis.com_podmonitorings.yaml b/cmd/operator/deploy/crds/monitoring.googleapis.com_podmonitorings.yaml
index e9fde00813..687c6a6fc5 100644
--- a/cmd/operator/deploy/crds/monitoring.googleapis.com_podmonitorings.yaml
+++ b/cmd/operator/deploy/crds/monitoring.googleapis.com_podmonitorings.yaml
@@ -143,6 +143,16 @@ spec:
timeout:
type: string
description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+ tls:
+ type: object
+ description: Configures the scrape request's TLS settings.
+ properties:
+ insecureSkipVerify:
+ type: boolean
+ description: Disable target certificate validation.
+ serverName:
+ type: string
+ description: Used to verify the hostname for the targets.
required:
- port
limits:
diff --git a/doc/api.md b/doc/api.md
index 7ec987c948..55f3af0c46 100644
--- a/doc/api.md
+++ b/doc/api.md
@@ -30,6 +30,7 @@ This Document documents the types introduced by the GMP CRDs to be consumed by u
* [ExportFilters](#exportfilters)
* [GlobalRules](#globalrules)
* [GlobalRulesList](#globalruleslist)
+* [HTTPClientConfig](#httpclientconfig)
* [KubeletScraping](#kubeletscraping)
* [LabelMapping](#labelmapping)
* [ManagedAlertmanagerSpec](#managedalertmanagerspec)
@@ -54,6 +55,7 @@ This Document documents the types introduced by the GMP CRDs to be consumed by u
* [ScrapeEndpointStatus](#scrapeendpointstatus)
* [ScrapeLimits](#scrapelimits)
* [SecretOrConfigMap](#secretorconfigmap)
+* [TLS](#tls)
* [TLSConfig](#tlsconfig)
* [TargetLabels](#targetlabels)
* [TargetStatusSpec](#targetstatusspec)
@@ -243,6 +245,19 @@ GlobalRulesList is a list of GlobalRules.
[Back to TOC](#table-of-contents)
+## HTTPClientConfig
+
+HTTPClientConfig stores HTTP-client configurations.
+
+
+appears in: [ScrapeEndpoint](#scrapeendpoint)
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| tls | Configures the scrape request's TLS settings. | *[TLS](#tls) | false |
+
+[Back to TOC](#table-of-contents)
+
## KubeletScraping
KubeletScraping allows enabling scraping of the Kubelets' metric endpoints.
@@ -555,6 +570,7 @@ ScrapeEndpoint specifies a Prometheus metrics endpoint to scrape.
| interval | Interval at which to scrape metrics. Must be a valid Prometheus duration. | string | false |
| timeout | Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval. | string | false |
| metricRelabeling | Relabeling rules for metrics scraped from this endpoint. Relabeling rules that override protected target labels (project_id, location, cluster, namespace, job, instance, or __address__) are not permitted. The labelmap action is not permitted in general. | [][RelabelingRule](#relabelingrule) | false |
+| tls | Configures the scrape request's TLS settings. | *TLS | false |
[Back to TOC](#table-of-contents)
@@ -606,9 +622,23 @@ SecretOrConfigMap allows to specify data as a Secret or ConfigMap. Fields are mu
[Back to TOC](#table-of-contents)
+## TLS
+
+TLS specifies TLS configuration parameters from Kubernetes resources.
+
+
+appears in: [HTTPClientConfig](#httpclientconfig)
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| serverName | Used to verify the hostname for the targets. | string | false |
+| insecureSkipVerify | Disable target certificate validation. | bool | false |
+
+[Back to TOC](#table-of-contents)
+
## TLSConfig
-SafeTLSConfig specifies TLS configuration parameters from Kubernetes resources.
+TLSConfig specifies TLS configuration parameters from Kubernetes resources.
appears in: [AlertmanagerEndpoints](#alertmanagerendpoints)
diff --git a/examples/instrumentation/go-synthetic/go-synthetic.yaml b/examples/instrumentation/go-synthetic/go-synthetic.yaml
index 6f85d56a5e..8c48781a4a 100644
--- a/examples/instrumentation/go-synthetic/go-synthetic.yaml
+++ b/examples/instrumentation/go-synthetic/go-synthetic.yaml
@@ -34,6 +34,12 @@ spec:
- "--listen-address=:8080"
- "--cpu-burn-ops=75"
- "--memory-ballast-mbs=1024"
+ env:
+ # Needed when using --tls-create-self-signed
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
ports:
- name: web
containerPort: 8080
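Review bot: The new `POD_IP` env var is commented as "Needed when using --tls-create-self-signed", but that flag does not appear in the container args on the preceding lines, so as written the example adds an env var that nothing consumes. Either pass the flag in `args` so the example actually exercises the TLS scrape path this change introduces, or reword the comment to say the variable is only used once `--tls-create-self-signed` is added, e.g. `# Only consumed when --tls-create-self-signed is added to args below.`. The Pod spec this hunk belongs to continues above and below the hunk, so I cannot see whether the flag is set elsewhere in the manifest.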
diff --git a/manifests/setup.yaml b/manifests/setup.yaml
index 9de2639140..f97edce537 100644
--- a/manifests/setup.yaml
+++ b/manifests/setup.yaml
@@ -145,6 +145,16 @@ spec:
timeout:
type: string
description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+ tls:
+ type: object
+ description: Configures the scrape request's TLS settings.
+ properties:
+ insecureSkipVerify:
+ type: boolean
+ description: Disable target certificate validation.
+ serverName:
+ type: string
+ description: Used to verify the hostname for the targets.
required:
- port
limits:
@@ -1535,6 +1545,16 @@ spec:
timeout:
type: string
description: Timeout for metrics scrapes. Must be a valid Prometheus duration. Must not be larger then the scrape interval.
+ tls:
+ type: object
+ description: Configures the scrape request's TLS settings.
+ properties:
+ insecureSkipVerify:
+ type: boolean
+ description: Disable target certificate validation.
+ serverName:
+ type: string
+ description: Used to verify the hostname for the targets.
required:
- port
limits:
diff --git a/pkg/operator/apis/monitoring/v1/http.go b/pkg/operator/apis/monitoring/v1/http.go
new file mode 100644
index 0000000000..067c74fdf7
--- /dev/null
+++ b/pkg/operator/apis/monitoring/v1/http.go
@@ -0,0 +1,12 @@
+package v1
+
+import (
+ "github.com/prometheus/common/config"
+)
+
+func (c *TLS) ToPrometheusConfig() *config.TLSConfig {
+ return &config.TLSConfig{
+ InsecureSkipVerify: c.InsecureSkipVerify,
+ ServerName: c.ServerName,
+ }
+}
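Review bot: `ToPrometheusConfig` is exported but has no doc comment, and it dereferences `c` unconditionally, so every caller must remember the nil check that `endpointScrapeConfig` does (`if ep.HTTPClientConfig.TLS != nil`). A nil-safe receiver would remove that burden: `if c == nil { return &config.TLSConfig{} }` at the top, documented as `// ToPrometheusConfig converts the CRD TLS settings into the Prometheus client TLS configuration; a nil receiver yields the default, certificate-verifying configuration.`. The comment should also make explicit that `InsecureSkipVerify` is passed through verbatim and disables server certificate validation for the scrape, since this is the only place the CRD field turns into a live TLS setting. If the repository's other Go files carry a license header, this new file should have one too — I cannot see the others from here.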
diff --git a/pkg/operator/apis/monitoring/v1/types.go b/pkg/operator/apis/monitoring/v1/types.go
index 169d1cb446..4e157d9fb8 100644
--- a/pkg/operator/apis/monitoring/v1/types.go
+++ b/pkg/operator/apis/monitoring/v1/types.go
@@ -204,7 +204,15 @@ type Authorization struct {
Credentials *v1.SecretKeySelector `json:"credentials,omitempty"`
}
-// SafeTLSConfig specifies TLS configuration parameters from Kubernetes resources.
+// TLS specifies TLS configuration parameters from Kubernetes resources.
+type TLS struct {
+ // Used to verify the hostname for the targets.
+ ServerName string `json:"serverName,omitempty"`
+ // Disable target certificate validation.
+ InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+}
+
+// TLSConfig specifies TLS configuration parameters from Kubernetes resources.
type TLSConfig struct {
// Struct containing the CA cert to use for the targets.
CA *SecretOrConfigMap `json:"ca,omitempty"`
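Review bot: The doc comment on the new `TLS` type, `// TLS specifies TLS configuration parameters from Kubernetes resources.`, is copied from `TLSConfig` and is inaccurate here: `TLSConfig` references a CA via `SecretOrConfigMap`, whereas `TLS` holds only `ServerName` and `InsecureSkipVerify` and reads nothing from Kubernetes resources. Because this text is generated into the CRD descriptions and `doc/api.md`, it should state what the type actually covers and warn about the one security-sensitive field: e.g. `// TLS specifies TLS settings for scrape requests; it carries no CA or client certificate references.` on the type, and `// Disable target certificate validation. This exposes scrapes to man-in-the-middle attacks and should only be used for testing.` on `InsecureSkipVerify`. With no CA field available, users with self-signed targets have no option except `insecureSkipVerify: true`; the comment should say so explicitly rather than leaving that trade-off implicit.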
@@ -708,6 +716,10 @@ func endpointScrapeConfig(id, projectID, location, cluster string, ep ScrapeEndp
httpCfg.ProxyURL.URL = proxyURL
}
+ if ep.HTTPClientConfig.TLS != nil {
+ httpCfg.TLSConfig = *ep.HTTPClientConfig.TLS.ToPrometheusConfig()
+ }
+
scrapeCfg := &promconfig.ScrapeConfig{
// Generate a job name to make it easy to track what generated the scrape configuration.
// The actual job label attached to its metrics is overwritten via relabeling.
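Review bot: `httpCfg.TLSConfig = *ep.HTTPClientConfig.TLS.ToPrometheusConfig()` replaces the whole `TLSConfig` struct, so any TLS fields populated earlier in `endpointScrapeConfig` (the function starts before this hunk, so I cannot see whether there are any) would be silently discarded; assigning per field, `httpCfg.TLSConfig.ServerName = ep.HTTPClientConfig.TLS.ServerName` and `httpCfg.TLSConfig.InsecureSkipVerify = ep.HTTPClientConfig.TLS.InsecureSkipVerify`, avoids that class of regression as more fields are added. `InsecureSkipVerify` is also passed straight into the scrape config with no validation or logging, so the CRD schema is the only gate on it; if the operator has a validation path for PodMonitoring/ClusterPodMonitoring, it is worth surfacing the flag there. If `ScrapeEndpoint` carries a scheme setting, consider rejecting `tls` on a non-https endpoint, since these settings would then have no effect and the user may believe verification is configured.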
@@ -1012,6 +1024,14 @@ type ScrapeEndpoint struct {
// instance, or __address__) are not permitted. The labelmap action is not permitted
// in general.
MetricRelabeling []RelabelingRule `json:"metricRelabeling,omitempty"`
+ // Prometheus HTTP client configuration.
+ HTTPClientConfig `json:",inline"`
+}
+
+// HTTPClientConfig stores HTTP-client configurations.
+type HTTPClientConfig struct {
+ // Configures the scrape request's TLS settings.
+ TLS *TLS `json:"tls,omitempty"`
}
// TargetLabels configures labels for the discovered Prometheus targets.
diff --git a/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go b/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
index 6ca4c57409..1a162f8cc2 100644
--- a/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
+++ b/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
@@ -380,6 +380,27 @@ func (in *GlobalRulesList) DeepCopyObject() runtime.Object {
return nil
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPClientConfig) DeepCopyInto(out *HTTPClientConfig) {
+ *out = *in
+ if in.TLS != nil {
+ in, out := &in.TLS, &out.TLS
+ *out = new(TLS)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPClientConfig.
+func (in *HTTPClientConfig) DeepCopy() *HTTPClientConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(HTTPClientConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeletScraping) DeepCopyInto(out *KubeletScraping) {
*out = *in
@@ -942,6 +963,7 @@ func (in *ScrapeEndpoint) DeepCopyInto(out *ScrapeEndpoint) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ in.HTTPClientConfig.DeepCopyInto(&out.HTTPClientConfig)
return
}
@@ -1021,6 +1043,22 @@ func (in *SecretOrConfigMap) DeepCopy() *SecretOrConfigMap {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLS) DeepCopyInto(out *TLS) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS.
+func (in *TLS) DeepCopy() *TLS {
+ if in == nil {
+ return nil
+ }
+ out := new(TLS)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
*out = *in
diff --git a/pkg/operator/operator_config.go b/pkg/operator/operator_config.go
index 81bcb52d15..fb7c9f90bc 100644
--- a/pkg/operator/operator_config.go
+++ b/pkg/operator/operator_config.go
@@ -522,6 +522,7 @@ func (r *operatorConfigReconciler) makeAlertmanagerConfigs(ctx context.Context,
InsecureSkipVerify: am.TLS.InsecureSkipVerify,
ServerName: am.TLS.ServerName,
}
+
if am.TLS.CA != nil {
p := pathForSelector(r.opts.PublicNamespace, am.TLS.CA)
b, err := getSecretOrConfigMapBytes(ctx, r.client, r.opts.PublicNamespace, am.TLS.CA)
@@ -634,7 +635,7 @@ func getSecretOrConfigMapBytes(ctx context.Context, kClient client.Reader, names
return b, nil
}
-// getSecretKeyBytes processes the given NamespacedSecretKeySelector and returns the referenced data.
+// getSecretKeyBytes processes the given SecretKeySelector and returns the referenced data.
func getSecretKeyBytes(ctx context.Context, kClient client.Reader, namespace string, sel *corev1.SecretKeySelector) ([]byte, error) {
var (
secret = &corev1.Secret{}