ServiceMonitor not working when tls/auth is enabled #74

tbnguyen1407 opened this issue Jan 16, 2024 · 2 comments · Fixed by #76
Labels
bug Something isn't working

tbnguyen1407 commented Jan 16, 2024

Problem

When tls/auth is enabled, ServiceMonitor is not working due to missing scheme: https and basicAuth config for endpoint.

Reproduction

Deploy with custom values file

~ values.yaml ~
http:
  enabled: true
  cert_file: /etc/tls/benthos/cert.pem
  key_file: /etc/tls/benthos/key.pem
  basic_auth:
    username: <username>
    password_hash: <password_hash>

extraVolumes:
  - name: benthos-tls-vol
    secret:
      secretName: benthos-tls-secret

extraVolumeMounts:
  - name: benthos-tls-vol
    mountPath: /etc/tls/benthos

serviceMonitor:
  enabled: true

Notes

ServiceMonitor resource endpoint scheme and basicAuth should be configurable.

@tbnguyen1407 tbnguyen1407 changed the title ServiceMonitor not working when tls is enabled ServiceMonitor not working when tls/auth is enabled Jan 16, 2024
@charlie-haley charlie-haley added the bug Something isn't working label Jan 22, 2024
@tbnguyen1407
Author

Hello, I checked the latest chart. Support for tls/auth in ServiceMonitor still has problems:

BasicAuth

basicAuth should be set at the endpoint level, not in ServiceMonitor.spec. In the latest chart, the .Values.serviceMonitor.basicAuth config is ignored as it is set at the wrong level.

TLS

tlsConfig is also required for the endpoint, as most certs do not include an IP in their SANs and hence cert validation must be skipped.

Error from Prometheus:

Get "https://10.42.0.13:4195/metrics": tls: failed to verify certificate: x509: cannot validate certificate for 10.42.0.13 because it doesn't contain any IP SANs

Proposed fix

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
spec:
- {{- with .Values.serviceMonitor.basicAuth }}
- basicAuth:
-   {{- toYaml . | nindent 4 }}
- {{- end }}
  endpoints:
    - interval: {{ .Values.serviceMonitor.interval}}
      targetPort: http
      path: /metrics
      scheme: {{ .Values.serviceMonitor.scheme }}
+     {{- with .Values.serviceMonitor.basicAuth }}
+     basicAuth:
+       {{- toYaml . | nindent 8 }}
+     {{- end }}
+     {{- with .Values.serviceMonitor.tlsConfig }}
+     tlsConfig:
+       {{- toYaml . | nindent 8 }}
+     {{- end }}
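
Review bot: the `tlsConfig` block added under the endpoint passes `.Values.serviceMonitor.tlsConfig` through verbatim, so the chart's values documentation should point users at `serverName` together with a `ca` reference rather than `insecureSkipVerify: true`. With `serverName` set to a DNS name that is present in the certificate's SANs, Prometheus can keep scraping the pod IP and still validate the certificate, which removes the reason given for skipping validation. The same applies to the `basicAuth` block: the ServiceMonitor endpoint expects `username` and `password` as Secret key references, so the values comment should say that a Secret name and key go here, not the credential itself. In the context line `scheme: {{ .Values.serviceMonitor.scheme }}`, an unset value renders an empty `scheme:`; wrap it in `with` like the two new blocks, or give it a default.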

@charlie-haley
Collaborator

I've released a fix for this as part of 2.1.1. I've also raised an issue to add schema linting so this can be better caught in the future.
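
A small lint check for the two problems this thread describes: `basicAuth`/`tlsConfig` placed on `spec` instead of the endpoint, and HTTPS scraping with verification skipped or no `serverName`. This is an added example, not code from the chart or from the issue; the function name, the sample manifests, the Secret name `metrics-auth`, the `ca.crt` key and the host name are assumptions.

```python
"""Lint a rendered ServiceMonitor (as a dict, e.g. parsed from JSON output)."""

# Fields discussed in the issue that belong under spec.endpoints[], not spec.
ENDPOINT_ONLY = ("basicAuth", "tlsConfig")


def lint_servicemonitor(manifest):
    """Return a list of finding strings for one ServiceMonitor manifest."""
    findings = []
    spec = manifest.get("spec", {})
    for field in ENDPOINT_ONLY:
        if field in spec:
            findings.append(f"spec.{field}: wrong level, move under spec.endpoints[]")
    for i, ep in enumerate(spec.get("endpoints", [])):
        where = f"spec.endpoints[{i}]"
        scheme = ep.get("scheme") or "http"
        tls = ep.get("tlsConfig") or {}
        if "basicAuth" in ep and scheme != "https":
            findings.append(f"{where}: basicAuth sent over plain http")
        if scheme == "https":
            if tls.get("insecureSkipVerify"):
                findings.append(f"{where}.tlsConfig: insecureSkipVerify disables validation")
            elif "serverName" not in tls:
                # Targets are scraped by pod IP, so the certificate is checked
                # against the IP unless serverName names a SAN to verify instead.
                findings.append(f"{where}.tlsConfig: no serverName for pod-IP scrape")
    return findings


# Constructed sample manifests (Secret, key and host names are hypothetical).
AUTH = {"username": {"name": "metrics-auth", "key": "username"},
        "password": {"name": "metrics-auth", "key": "password"}}
AS_REPORTED = {"kind": "ServiceMonitor", "spec": {
    "basicAuth": AUTH,
    "endpoints": [{"targetPort": "http", "path": "/metrics", "scheme": "https"}]}}
VERIFIED = {"kind": "ServiceMonitor", "spec": {"endpoints": [{
    "targetPort": "http", "path": "/metrics", "scheme": "https", "basicAuth": AUTH,
    "tlsConfig": {"serverName": "benthos.example.internal",
                  "ca": {"secret": {"name": "benthos-tls-secret", "key": "ca.crt"}}}}]}}

if __name__ == "__main__":
    for name, m in (("as reported", AS_REPORTED), ("verified", VERIFIED)):
        print(name, lint_servicemonitor(m) or "ok")
```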
