Open baaaaast opened 2 weeks ago
@baaaaast Thanks for writing it up. I think this is a valid issue. IMO ideally we wanna make sure in the tlgConfig it trusts the CA that signs the internal cert. Is that possible?
Yes @reasonerjt I think it's possible by setting something like :
kind: ServiceMonitor
...
spec:
endpoints:
- honorLabels: true
port: https-metrics
tlsConfig:
ca: the_secret_name
It all depends on whether the certificate generation is automatic, manual or based on a secret. I just thought I could configure tlsConfig in a completely free way like :
metrics-svcmon.yaml example
spec:
jobLabel: app.kubernetes.io/name
endpoints:
- port: {{ template "harbor.metricsPortName" . }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
honorLabels: true
...
{{- if .Values.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{ toYaml .Values.metrics.serviceMonitor.tlsConfig | indent 4 }}
{{- end }}
Besides, I've decided to give up enabling internal tls as long as the services aren't able to reload the TLS secret if it's changed. This static aspect is too restrictive for me to use with certmanager. I don't need it anymore for the moment. Thank you
If we activate the auto cert generation with :
My prometheus service fails to scrap the https-metrics port because it doesn't have the ca bundle used to generate the certificate.
I'd like to be able to configure the
tlsConfig
part of the ServiceMonitor's endpoint : https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.TLSConfigCan I do a PR ?