feat(helm): support for "web configuration" (HTTP auth and TLS)

deploy/charts/x509-certificate-exporter/README.md

@@ -360,6 +360,8 @@ in the container namespace.
 | hostPathsExporter.daemonSets | object | `{}` | [SEE README] Map to define one or many DaemonSets running hostPath exporters. Key is used as a name ; value is a map to override all default settings set by `hostPathsExporter.*`. |
 | podListenPort | int | `9793` | TCP port to expose Pods on (whether kube-rbac-proxy is enabled or not) |
 | hostNetwork | bool | `false` | Enable hostNetwork mode. Useful when Prometheus is deployed outside of the Kubernetes cluster |
+| webConfiguration | string | `""` | HTTP server configuration for enabling TLS and authentication (password, mTLS) ; see [documentation at Exporter Toolkit](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md) |
+| webConfigurationExistingSecret | string | `""` | Load the HTTP server configuration from an existing Secret instead of `webConfiguration`. Key must `webconfig.yaml`. |
 | service.create | bool | `true` | Should a headless Service be installed, targets all instances Deployment and DaemonSets (required for ServiceMonitor) |
 | service.port | int | `9793` | TCP port to expose the Service on |
 | service.annotations | object | `{}` | Annotations to add to the Service |

deploy/charts/x509-certificate-exporter/templates/_helpers.tpl

@@ -155,3 +155,10 @@ Secrets exporter Deployment
 {{- define "x509-certificate-exporter.secretsExporterName" -}}
 {{ include "x509-certificate-exporter.fullname" . }}
 {{- end -}}
+
+{{/*
+Web configuration Secret name
+*/}}
+{{- define "x509-certificate-exporter.webConfigurationSecretName" -}}
+{{ include "x509-certificate-exporter.fullname" . }}-webconf
+{{- end -}}

deploy/charts/x509-certificate-exporter/templates/daemonset.yaml

@@ -99,6 +99,9 @@ spec:
         {{- if $.Values.exposePerCertificateErrorMetrics }}
         - --expose-per-cert-error-metrics
         {{- end }}
+        {{- if or $.Values.webConfiguration $.Values.webConfigurationExistingSecret }}
+        - --web.config.file=/mnt/webconfig.yaml
+        {{- end }}
         volumeMounts:
         {{- range default $.Values.hostPathsExporter.watchDirectories $dsDef.watchDirectories }}
         - name: dir-{{ . | clean | sha1sum }}
@@ -115,6 +118,11 @@ spec:
           mountPath: /mnt/watch/kube-{{ . | clean | sha1sum }}/{{ . | clean | dir }}
           readOnly: true
         {{- end }}
+        {{- if or $.Values.webConfiguration $.Values.webConfigurationExistingSecret }}
+        - name: web-configuration
+          mountPath: /mnt/
+          readOnly: true
+        {{- end }}
         {{- range $extraVolumeMounts }}
         - {{ tpl (. | toYaml) $ | indent 10 | trim }}
         {{- end }}
@@ -168,6 +176,14 @@ spec:
           path: {{ . | clean | dir }}
           type: Directory
       {{- end }}
+      {{- if or $.Values.webConfiguration $.Values.webConfigurationExistingSecret }}
+      - name: web-configuration
+        secret:
+          secretName: "{{ default (include "x509-certificate-exporter.webConfigurationSecretName" $) $.Values.webConfigurationExistingSecret }}"
+          items:
+          - key: webconfig.yaml
+            path: webconfig.yaml
+      {{- end }}
       {{- range $extraVolumes }}
       - {{ tpl (. | toYaml) $ | indent 8 | trim }}
       {{- end }}

deploy/charts/x509-certificate-exporter/templates/deployment.yaml

@@ -28,14 +28,17 @@ spec:
         {{- with .Values.secretsExporter.podExtraLabels }}
         {{- . | toYaml | trim | nindent 8 }}
         {{- end }}
-      {{- if or .Values.podAnnotations .Values.secretsExporter.podAnnotations }}
+      {{- if or (or .Values.podAnnotations .Values.secretsExporter.podAnnotations) .Values.webConfiguration }}
       annotations:
         {{- with .Values.podAnnotations }}
         {{- toYaml . | trim | nindent 8 }}
         {{- end }}
         {{- with .Values.secretsExporter.podAnnotations }}
         {{- toYaml . | trim | nindent 8 }}
         {{- end }}
+        {{- if .Values.webConfiguration }}
+        checksum/config: {{ include (print .Template.BasePath "/webconfig.secret.yaml") . | sha256sum }}
+        {{- end }}
       {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
@@ -72,11 +75,16 @@ spec:
         {{- end }}
         image: {{ include "x509-certificate-exporter.image" . }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        {{- with $extraVolumeMounts }}
+        {{- if or $extraVolumes .Values.webConfiguration .Values.webConfigurationExistingSecret }}
         volumeMounts:
         {{- range $extraVolumeMounts }}
         - {{ tpl (. | toYaml) $ | indent 10 | trim }}
         {{- end }}
+        {{- if or .Values.webConfiguration .Values.webConfigurationExistingSecret }}
+        - name: web-configuration
+          mountPath: /mnt/
+          readOnly: true
+        {{- end }}
         {{- end }}
         args:
         {{- if .Values.secretsExporter.debugMode }}
@@ -112,6 +120,9 @@ spec:
         {{- if .Values.exposePerCertificateErrorMetrics }}
         - --expose-per-cert-error-metrics
         {{- end }}
+        {{- if or .Values.webConfiguration .Values.webConfigurationExistingSecret }}
+        - --web.config.file=/mnt/webconfig.yaml
+        {{- end }}
       {{- if not .Values.rbacProxy.enabled }}
         - --listen-address=:{{ .Values.podListenPort }}
         ports:
@@ -144,10 +155,18 @@ spec:
         {{- . | toYaml | trim | nindent 10 }}
         {{- end }}
       {{- end }}
-      {{- with $extraVolumes }}
+      {{- if or $extraVolumes .Values.webConfiguration .Values.webConfigurationExistingSecret }}
       volumes:
       {{- range $extraVolumes }}
       - {{ tpl (. | toYaml) $ | indent 8 | trim }}
       {{- end }}
+      {{- if or .Values.webConfiguration .Values.webConfigurationExistingSecret }}
+      - name: web-configuration
+        secret:
+          secretName: "{{ default (include "x509-certificate-exporter.webConfigurationSecretName" .) .Values.webConfigurationExistingSecret }}"
+          items:
+          - key: webconfig.yaml
+            path: webconfig.yaml
+      {{- end }}
       {{- end }}
 {{- end }}

deploy/charts/x509-certificate-exporter/templates/webconfig.secret.yaml

@@ -0,0 +1,10 @@
+{{- if and .Values.webConfiguration (not .Values.webConfigurationExistingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "x509-certificate-exporter.webConfigurationSecretName" . }}
+  labels:
+    {{- include "x509-certificate-exporter.labels" . | nindent 4 }}
+data:
+    webconfig.yaml: {{ .Values.webConfiguration | b64enc | quote }}
+{{- end }}

deploy/charts/x509-certificate-exporter/values.yaml

@@ -88,7 +88,6 @@ secretsExporter:
   # -- Additionnal volume mounts added to Pod containers of the TLS Secrets exporter (combined with global `extraVolumeMounts`)
   extraVolumeMounts: []
 
-
   # -- Which type of Secrets should be watched ; "key" is the map key in the secret data
   # @default -- check `values.yaml`
   secretTypes:
@@ -168,6 +167,12 @@ podListenPort: 9793
 # -- Enable hostNetwork mode. Useful when Prometheus is deployed outside of the Kubernetes cluster
 hostNetwork: false
 
+# -- HTTP server configuration for enabling TLS and authentication (password, mTLS) ; see [documentation at Exporter Toolkit](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md)
+webConfiguration: ""
+
+# -- Load the HTTP server configuration from an existing Secret instead of `webConfiguration`. Key must `webconfig.yaml`.
+webConfigurationExistingSecret: ""
+
 service:
   # -- Should a headless Service be installed, targets all instances Deployment and DaemonSets (required for ServiceMonitor)
   create: true
@@ -257,6 +262,7 @@ podAnnotations: {}
 
 # -- Additionnal volumes added to all Pods (see also the `secretsExporter` and `hostPathsExporter` variants)
 extraVolumes: []
+
 # -- Additionnal volume mounts added to all Pod containers (see also the `secretsExporter` and `hostPathsExporter` variants)
 extraVolumeMounts: []