opensearch-project / opensearch-k8s-operator

OpenSearch Kubernetes Operator
Apache License 2.0
402 stars 218 forks

Unable to specify ca and cert info for tlsConfig for service monitor #659

Open jonathon2nd opened 1 year ago

jonathon2nd commented 1 year ago

I would like to set the following in my opensearch yaml

    monitoring:
      enable: true # Enable or disable the monitoring plugin
      scrapeInterval: 30s # The scrape interval for Prometheus
      tlsConfig: # Optional, use this to override the tlsConfig of the generated ServiceMonitor
        ca:
          secret:
            name: opensearch-certs-pki
            key: ca.crt
        cert:
          secret:
            name: opensearch-certs-pki
            key: tls.crt
        keySecret:
          name: opensearch-certs-pki
          key: tls.key
        serverName: mycluster.opensearch

To use the certs I have set up. But the operator does not seem to support it, as it only deploys the following to the opensearch cluster after I apply the yaml:

    monitoring:
      enable: true
      scrapeInterval: 30s
      tlsConfig:
        serverName: mycluster.opensearch


So what I am doing for now is manually creating the service monitor, and just installing the plugin as pluginsList: ["repository-s3","https://github.com/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.10.0.0/prometheus-exporter-2.10.0.0.zip"]

Then apply the service monitor yaml

    ---
    apiVersion: monitoring.coreos.com/v1
    kind: ServiceMonitor
    metadata:
      name: opensearch-service-monitor
      namespace: opensearch
    spec:
      endpoints:
        - basicAuth:
            password:
              key: password
              name: mycluster-admin-password
            username:
              key: username
              name: mycluster-admin-password
          bearerTokenSecret:
            key: ''
          interval: 30s
          path: /_prometheus/metrics
          port: http
          scheme: https
          tlsConfig:
            ca:
              secret:
                key: ca.crt
                name: opensearch-certs-pki
            cert:
              secret:
                key: tls.crt
                name: opensearch-certs-pki
            keySecret:
              key: tls.key
              name: opensearch-certs-pki
            serverName: mycluster.opensearch
      jobLabel: mycluster-monitor
      namespaceSelector:
        matchNames:
          - opensearch
      podTargetLabels:
        - opster.io/opensearch-cluster
      selector:
        matchLabels:
          opster.io/opensearch-cluster: mycluster
      targetLabels:
        - opster.io/opensearch-cluster

swoehrl-mw commented 1 year ago

Hi @jonathon2nd. The operator does not currently support specifying certs for the ServiceMonitor. You can only set monitoring.tlsConfig.insecureSkipVerify=true to handle this.

I'll mark this issue as a feature request, but I don't see this as a priority, so it will have to wait for someone to contribute a PR.

jonathon2nd commented 12 months ago

NPNP, maybe a reference to this in the doc for monitoring setup for those using PKI would be nice.
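
For the gap discussed in this thread, an added example (not part of the thread and not the operator's code): a Python check over the JSON from kubectl get servicemonitors -A -o json that flags HTTPS scrape endpoints which disable certificate verification or carry no CA reference. The sample objects are constructed, and the name mycluster-monitor is a hypothetical stand-in for an operator-generated ServiceMonitor using the insecureSkipVerify workaround.

```python
import json

# Constructed sample, shaped like `kubectl get servicemonitors -A -o json` output.
# "mycluster-monitor" is a hypothetical name for an operator-generated object.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "opensearch", "name": "opensearch-service-monitor"},
   "spec": {"endpoints": [{"port": "http", "scheme": "https", "tlsConfig": {
     "ca": {"secret": {"name": "opensearch-certs-pki", "key": "ca.crt"}},
     "cert": {"secret": {"name": "opensearch-certs-pki", "key": "tls.crt"}},
     "keySecret": {"name": "opensearch-certs-pki", "key": "tls.key"},
     "serverName": "mycluster.opensearch"}}]}},
  {"metadata": {"namespace": "opensearch", "name": "mycluster-monitor"},
   "spec": {"endpoints": [{"port": "http", "scheme": "https", "tlsConfig": {
     "insecureSkipVerify": true, "serverName": "mycluster.opensearch"}}]}}
]}
""")

def has_ref(tls, field):
    """True if tlsConfig.<field> points at a Secret or ConfigMap key."""
    src = tls.get(field) or {}
    return any((src.get(kind) or {}).get("name") for kind in ("secret", "configMap"))

def audit(doc):
    """Return (namespace/name, endpoint index, finding) for weak HTTPS scrape TLS."""
    items = doc.get("items", [doc])  # accept a List or a single object
    findings = []
    for sm in items:
        ident = "{namespace}/{name}".format(**sm["metadata"])
        for i, ep in enumerate(sm.get("spec", {}).get("endpoints", [])):
            if ep.get("scheme", "http").lower() != "https":
                continue  # plain HTTP endpoints have no TLS settings to check
            tls = ep.get("tlsConfig") or {}
            if tls.get("insecureSkipVerify"):
                findings.append((ident, i, "insecureSkipVerify=true: server certificate is not verified"))
            elif not (has_ref(tls, "ca") or tls.get("caFile")):
                findings.append((ident, i, "no ca reference: a private CA will not be trusted"))
            has_cert = has_ref(tls, "cert") or bool(tls.get("certFile"))
            has_key = bool((tls.get("keySecret") or {}).get("name")) or bool(tls.get("keyFile"))
            if has_cert != has_key:
                findings.append((ident, i, "client cert and key must be set together"))
    return findings

if __name__ == "__main__":
    for ident, idx, msg in audit(SAMPLE):
        print(f"{ident} endpoint[{idx}]: {msg}")
```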