tls

Author: levkk

templates/prometheus-collector/deployment.yaml

@@ -1,4 +1,7 @@
 {{- if .Values.prometheusCollector.enabled }}
+{{- $tlsEnabled := .Values.prometheusCollector.tls.enabled }}
+{{- $basicAuthEnabled := .Values.prometheusCollector.basicAuth.enabled }}
+{{- $webConfigEnabled := or $tlsEnabled $basicAuthEnabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -33,7 +36,7 @@ spec:
             - "--web.enable-lifecycle"
             - "--storage.tsdb.retention.time={{ .Values.prometheusCollector.retention.time }}"
             - "--storage.tsdb.retention.size={{ .Values.prometheusCollector.retention.size }}"
-            {{- if .Values.prometheusCollector.basicAuth.enabled }}
+            {{- if $webConfigEnabled }}
             - "--web.config.file=/etc/prometheus-web/web.yml"
             {{- end }}
           ports:
@@ -49,21 +52,47 @@ spec:
               mountPath: /etc/prometheus
             - name: storage
               mountPath: /prometheus
-            {{- if .Values.prometheusCollector.basicAuth.enabled }}
+            {{- if $webConfigEnabled }}
             - name: web-config
               mountPath: /etc/prometheus-web
               readOnly: true
             {{- end }}
           livenessProbe:
+            {{- if or $tlsEnabled $basicAuthEnabled }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  {{- if $basicAuthEnabled }}
+                  wget -q --spider {{ if $tlsEnabled }}--no-check-certificate https{{ else }}http{{ end }}://{{ .Values.prometheusCollector.basicAuth.username }}:$(cat /etc/prometheus-web/password)@localhost:{{ .Values.prometheusCollector.port }}/-/healthy
+                  {{- else }}
+                  wget -q --spider --no-check-certificate https://localhost:{{ .Values.prometheusCollector.port }}/-/healthy
+                  {{- end }}
+            {{- else }}
             httpGet:
               path: /-/healthy
               port: prometheus
+            {{- end }}
             initialDelaySeconds: 30
             periodSeconds: 15
           readinessProbe:
+            {{- if or $tlsEnabled $basicAuthEnabled }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  {{- if $basicAuthEnabled }}
+                  wget -q --spider {{ if $tlsEnabled }}--no-check-certificate https{{ else }}http{{ end }}://{{ .Values.prometheusCollector.basicAuth.username }}:$(cat /etc/prometheus-web/password)@localhost:{{ .Values.prometheusCollector.port }}/-/ready
+                  {{- else }}
+                  wget -q --spider --no-check-certificate https://localhost:{{ .Values.prometheusCollector.port }}/-/ready
+                  {{- end }}
+            {{- else }}
             httpGet:
               path: /-/ready
               port: prometheus
+            {{- end }}
             initialDelaySeconds: 5
             periodSeconds: 5
       volumes:
@@ -73,7 +102,7 @@ spec:
         - name: storage
           emptyDir:
             sizeLimit: {{ .Values.prometheusCollector.storage.size }}
-        {{- if .Values.prometheusCollector.basicAuth.enabled }}
+        {{- if $webConfigEnabled }}
         - name: web-config
           secret:
             secretName: {{ include "pgdog.fullname" . }}-prometheus-collector

templates/prometheus-collector/secret.yaml

@@ -1,4 +1,8 @@
-{{- if and .Values.prometheusCollector.enabled .Values.prometheusCollector.basicAuth.enabled }}
+{{- if .Values.prometheusCollector.enabled }}
+{{- $tlsEnabled := .Values.prometheusCollector.tls.enabled }}
+{{- $basicAuthEnabled := .Values.prometheusCollector.basicAuth.enabled }}
+{{- if or $tlsEnabled $basicAuthEnabled }}
+{{- $cert := genSelfSignedCert "prometheus-collector" nil (list "localhost" (printf "%s-prometheus-collector" (include "pgdog.fullname" .))) 3650 }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,6 +12,23 @@ metadata:
 type: Opaque
 stringData:
   web.yml: |
+    {{- if $tlsEnabled }}
+    tls_server_config:
+      cert_file: /etc/prometheus-web/tls.crt
+      key_file: /etc/prometheus-web/tls.key
+    {{- end }}
+    {{- if $basicAuthEnabled }}
     basic_auth_users:
       {{ .Values.prometheusCollector.basicAuth.username }}: {{ .Values.prometheusCollector.basicAuth.passwordHash }}
+    {{- end }}
+  {{- if $basicAuthEnabled }}
+  password: {{ .Values.prometheusCollector.basicAuth.password | quote }}
+  {{- end }}
+  {{- if $tlsEnabled }}
+  tls.crt: |
+{{ $cert.Cert | indent 4 }}
+  tls.key: |
+{{ $cert.Key | indent 4 }}
+  {{- end }}
+{{- end }}
 {{- end }}

values.yaml

@@ -438,12 +438,19 @@ prometheusCollector:
     # size is the maximum size of data to retain (e.g., 5GB, 500MB)
     # Prometheus will delete oldest data first when this limit is exceeded
     size: 5GB
+  # tls configuration for enabling HTTPS on the Prometheus endpoint
+  tls:
+    # enabled controls whether TLS is enabled for Prometheus
+    # When enabled, a self-signed certificate is automatically generated
+    enabled: false
   # basicAuth configuration for protecting the Prometheus endpoint
   basicAuth:
     # enabled controls whether basic auth is required to access Prometheus
     enabled: false
     # username for basic auth
     username: ""
+    # password is the plaintext password (used for health checks)
+    password: ""
     # passwordHash is the bcrypt hash of the password
     # Generate with: htpasswd -nBC 10 "" | tr -d ':\n'
     # Or use Python: python -c "import bcrypt; print(bcrypt.hashpw(b'password', bcrypt.gensalt()).decode())"