Allow to not skip the TLS verification in kubelet servicemonitor

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>
prometheus-community · May 9, 2024 · 0973b9c · 0973b9c
1 parent f29a258
commit 0973b9c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml
@@ -23,7 +23,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 58.4.0
+version: 58.4.1
 appVersion: v0.73.2
 kubeVersion: ">=1.19.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus

diff --git a/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml b/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
@@ -35,7 +35,7 @@ spec:
     {{- end }}
     tlsConfig:
       caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-      insecureSkipVerify: true
+      insecureSkipVerify: {{ .Values.kubelet.serviceMonitor.insecureSkipVerify }}
     bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
     honorLabels: {{ .Values.kubelet.serviceMonitor.honorLabels }}
     honorTimestamps: {{ .Values.kubelet.serviceMonitor.honorTimestamps }}

diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
@@ -1290,6 +1290,12 @@ kubelet:
     ##
     https: true
 
+    ## Skip TLS certificate validation when scraping.
+    ## This is enabled by default because kubelet serving certificate deployed by kubeadm is by default self-signed
+    ## ref: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs
+    ##
+    insecureSkipVerify: true
+
     ## Enable scraping /metrics/cadvisor from kubelet's service
     ##
     cAdvisor: true