
enable secure serving for metrics (#5169)

Signed-off-by: Rodrigo Kellermann <kellermann@gmail.com>
Rodrigo Kellermann 9 months ago
parent
commit
e548593097

+ 19 - 5
cmd/controller/root.go

@@ -64,6 +64,10 @@ var (
 	certDir                               string
 	liveAddr                              string
 	metricsAddr                           string
+	metricsSecure                         bool
+	metricsCertDir                        string
+	metricsCertName                       string
+	metricsKeyName                        string
 	healthzAddr                           string
 	controllerClass                       string
 	enableLeaderElection                  bool
@@ -137,12 +141,18 @@ var rootCmd = &cobra.Command{
 			// dont cache any configmaps
 			clientCacheDisableFor = append(clientCacheDisableFor, &v1.ConfigMap{})
 		}
-
-		mgrOpts := ctrl.Options{
+		metricsOpts := server.Options{
+			BindAddress: metricsAddr,
+	 	}
+	 	if metricsSecure {
+			metricsOpts.SecureServing = true
+			metricsOpts.CertDir = metricsCertDir
+			metricsOpts.CertName = metricsCertName
+			metricsOpts.KeyName = metricsKeyName
+		}
+	 	mgrOpts := ctrl.Options{
 			Scheme: scheme,
-			Metrics: server.Options{
-				BindAddress: metricsAddr,
-			},
+			Metrics: metricsOpts,
 			HealthProbeBindAddress: liveAddr,
 			WebhookServer: webhook.NewServer(webhook.Options{
 				Port: 9443,
@@ -316,6 +326,10 @@ func Execute() {
 
 func init() {
 	rootCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	rootCmd.Flags().BoolVar(&metricsSecure, "metrics-secure", false, "Enable HTTPS for the metrics endpoint.")
+	rootCmd.Flags().StringVar(&metricsCertDir, "metrics-cert-dir", "", "Directory containing TLS certificate and key for metrics endpoint.")
+	rootCmd.Flags().StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "TLS certificate filename for metrics endpoint.")
+	rootCmd.Flags().StringVar(&metricsKeyName, "metrics-key-name", "tls.key", "TLS key filename for metrics endpoint.")
 	rootCmd.Flags().StringVar(&controllerClass, "controller-class", "default", "The controller is instantiated with a specific controller name and filters ES based on this property")
 	rootCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
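Review bot: In the second hunk the closing brace of the `metricsOpts` literal, the `if metricsSecure {` line and the `mgrOpts := ctrl.Options{` line are indented with a tab, a space and a tab instead of two tabs, so the file is no longer gofmt-clean; re-indent those three lines with tabs only. The help text for `--metrics-cert-dir` in the third hunk could also say what an empty value means, since values.yaml in this same commit states that unset or invalid paths lead to self-signed certificates, e.g. `"Directory containing TLS certificate and key for metrics endpoint; when empty, a self-signed certificate is generated."` — confirm that against controller-runtime's server.Options before wording it as fact. The Run function of rootCmd that encloses the second hunk starts and ends outside it.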

+ 4 - 0
deploy/charts/external-secrets/README.md

@@ -138,6 +138,10 @@ The command removes all the Kubernetes components associated with the chart and
 | livenessProbe.timeoutSeconds | int | `5` | Specify the maximum amount of time to wait for a probe to respond before considering it fails. |
 | log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the External Secrets Operator |
 | metrics.listen.port | int | `8080` |  |
+| metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path |
+| metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path |
+| metrics.listen.secure.enabled | bool | `false` |  |
+| metrics.listen.secure.keyFile | string | `"/etc/tls/tls.key"` | TLS key file path |
 | metrics.service.annotations | object | `{}` | Additional service annotations |
 | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
 | metrics.service.port | int | `8080` | Metrics service port to scrape |

+ 6 - 0
deploy/charts/external-secrets/templates/deployment.yaml

@@ -105,6 +105,12 @@ spec:
           {{- if .Values.livenessProbe.enabled }}
           - --live-addr={{ .Values.livenessProbe.address }}:{{ .Values.livenessProbe.httpGet.port }}
           {{- end }}
+          {{- if .Values.metrics.listen.secure.enabled }}
+          - --metrics-secure=true
+          - --metrics-cert-dir={{ .Values.metrics.listen.secure.certDir }}
+          - --metrics-cert-name={{ .Values.metrics.listen.secure.certFile }}
+          - --metrics-key-name={{ .Values.metrics.listen.secure.keyFile }}
+          {{- end }}
           ports:
             - containerPort: {{ .Values.metrics.listen.port }}
               protocol: TCP
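Review bot: `--metrics-cert-name={{ .Values.metrics.listen.secure.certFile }}` and `--metrics-key-name={{ .Values.metrics.listen.secure.keyFile }}` pass full paths (`/etc/tls/tls.crt` and `/etc/tls/tls.key` by default in values.yaml) to flags that root.go in this commit documents as filenames relative to `--metrics-cert-dir`, with defaults `tls.crt` and `tls.key`. If controller-runtime joins CertDir and CertName as the flag names suggest, the resulting path does not exist and, per the values.yaml comment in this commit, the server would silently fall back to a generated self-signed certificate, so an operator who mounted a CA-issued certificate would not get it served. Either pass only the file name, `- --metrics-cert-name={{ .Values.metrics.listen.secure.certFile | base }}` and likewise for the key, or change the values to `certName: tls.crt` / `keyName: tls.key` and document them as filenames.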

+ 17 - 0
deploy/charts/external-secrets/values.schema.json

@@ -462,6 +462,23 @@
                     "properties": {
                         "port": {
                             "type": "integer"
+                        },
+                        "secure": {
+                            "type": "object",
+                            "properties": {
+                                "certDir": {
+                                    "type": "string"
+                                },
+                                "certFile": {
+                                    "type": "string"
+                                },
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "keyFile": {
+                                    "type": "string"
+                                }
+                            }
                         }
                     }
                 },

+ 9 - 0
deploy/charts/external-secrets/values.yaml

@@ -252,6 +252,15 @@ metrics:
 
   listen:
     port: 8080
+    secure:
+      enabled: false
+      # -- if those are not set or invalid, self-signed certs will be generated
+      # -- TLS cert directory path
+      certDir: /etc/tls
+      # -- TLS cert file path
+      certFile: /etc/tls/tls.crt
+      # -- TLS key file path
+      keyFile: /etc/tls/tls.key
 
   service:
     # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
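Review bot: The helm-docs marker `# -- if those are not set or invalid, self-signed certs will be generated` sits directly above `# -- TLS cert directory path` on the same key, so only one of them reaches the generated README (the README hunk in this commit shows just "TLS cert directory path" for certDir and an empty description for `enabled`). Move the fallback sentence onto `enabled`, e.g. `# -- Enable HTTPS for the metrics endpoint; if the cert paths below are not set or invalid, self-signed certs will be generated`, so it is documented where users decide to turn the feature on. That fallback is worth surfacing because a misconfigured path degrades to an untrusted certificate instead of failing the rollout.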