Merge pull request #4558 from camilamacedo86/fix-prometheus

🐛 (go/v4,ksutomize/v2,helm/v1-alpha): Fix prometheus integration with TLS check

Author: k8s-ci-robot

.github/workflows/test-e2e-samples.yml

@@ -43,8 +43,8 @@ jobs:
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '47,49s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections
-          sed -i '59,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -86,10 +86,12 @@ jobs:
           # Uncomment only ValidatingWebhookConfiguration
           # from cert-manager replaces; we are leaving defaulting uncommented
           # since this sample has no defaulting webhooks
-          sed -i '59,164s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,186s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only --conversion webhooks CA injection
-          sed -i '197,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '219,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 
@@ -129,9 +131,10 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections for webhooks only
-          sed -i '59,59s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '98,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-multigroup
           go mod tidy
 

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -75,6 +75,17 @@ replacements:
          delimiter: '.'
          index: 0
          create: true
+     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
 
  - source:
      kind: Service
@@ -94,6 +105,17 @@ replacements:
          delimiter: '.'
          index: 1
          create: true
+     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
 
  - source: # Uncomment the following block if you have any webhook
      kind: Service

docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml

@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml

@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:

docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml

@@ -4276,7 +4276,11 @@ metadata:
   namespace: project-system
 spec:
   endpoints:
-  - tlsConfig:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
       ca:
         secret:
           key: ca.crt
@@ -4289,6 +4293,7 @@ spec:
       keySecret:
         key: tls.key
         name: metrics-server-cert
+      serverName: project-controller-manager-metrics-service.project-system.svc
   selector:
     matchLabels:
       app.kubernetes.io/name: project

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -75,6 +75,17 @@ patches:
 #         delimiter: '.'
 #         index: 0
 #         create: true
+#     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+#         kind: ServiceMonitor
+#         group: monitoring.coreos.com
+#         version: v1
+#         name: controller-manager-metrics-monitor
+#       fieldPaths:
+#         - spec.endpoints.0.tlsConfig.serverName
+#       options:
+#         delimiter: '.'
+#         index: 0
+#         create: true
 #
 # - source:
 #     kind: Service
@@ -94,6 +105,17 @@ patches:
 #         delimiter: '.'
 #         index: 1
 #         create: true
+#     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+#         kind: ServiceMonitor
+#         group: monitoring.coreos.com
+#         version: v1
+#         name: controller-manager-metrics-monitor
+#       fieldPaths:
+#         - spec.endpoints.0.tlsConfig.serverName
+#       options:
+#         delimiter: '.'
+#         index: 1
+#         create: true
 #
 # - source: # Uncomment the following block if you have any webhook
 #     kind: Service

docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml

@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key

docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml

@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:

docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml

@@ -75,6 +75,17 @@ replacements:
          delimiter: '.'
          index: 0
          create: true
+     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
 
  - source:
      kind: Service
@@ -94,6 +105,17 @@ replacements:
          delimiter: '.'
          index: 1
          create: true
+     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
 
  - source: # Uncomment the following block if you have any webhook
      kind: Service

docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml

@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key