(go/v4,ksutomize/v2,helm/v1-alpha): Fix prometheus integration with T…

…LS check Co-Author: Abhisek Dwivedi <[email protected]>
kubernetes-sigs · Feb 11, 2025 · 1b55b12 · 1b55b12
1 parent 1c98e2c
commit 1b55b12
Show file tree

Hide file tree

Showing 26 changed files with 357 additions and 162 deletions.
diff --git a/.github/workflows/test-e2e-samples.yml b/.github/workflows/test-e2e-samples.yml
@@ -43,8 +43,8 @@ jobs:
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '47,49s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections
-          sed -i '59,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -86,10 +86,12 @@ jobs:
           # Uncomment only ValidatingWebhookConfiguration
           # from cert-manager replaces; we are leaving defaulting uncommented
           # since this sample has no defaulting webhooks
-          sed -i '59,164s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,186s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only --conversion webhooks CA injection
-          sed -i '197,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '219,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 
@@ -129,9 +131,10 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections for webhooks only
-          sed -i '59,59s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '98,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-multigroup
           go mod tidy
 

diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml
@@ -75,6 +75,17 @@ replacements:
          delimiter: '.'
          index: 0
          create: true
+     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
 
  - source:
      kind: Service
@@ -94,6 +105,17 @@ replacements:
          delimiter: '.'
          index: 1
          create: true
+     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
 
  - source: # Uncomment the following block if you have any webhook
      kind: Service

diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml
@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml
@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:

diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml
@@ -4276,7 +4276,11 @@ metadata:
   namespace: project-system
 spec:
   endpoints:
-  - tlsConfig:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
       ca:
         secret:
           key: ca.crt
@@ -4289,6 +4293,7 @@ spec:
       keySecret:
         key: tls.key
         name: metrics-server-cert
+      serverName: project-controller-manager-metrics-service.project-system.svc
   selector:
     matchLabels:
       app.kubernetes.io/name: project

diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml
@@ -75,6 +75,17 @@ patches:
 #         delimiter: '.'
 #         index: 0
 #         create: true
+#     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+#         kind: ServiceMonitor
+#         group: monitoring.coreos.com
+#         version: v1
+#         name: controller-manager-metrics-monitor
+#       fieldPaths:
+#         - spec.endpoints.0.tlsConfig.serverName
+#       options:
+#         delimiter: '.'
+#         index: 0
+#         create: true
 #
 # - source:
 #     kind: Service
@@ -94,6 +105,17 @@ patches:
 #         delimiter: '.'
 #         index: 1
 #         create: true
+#     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+#         kind: ServiceMonitor
+#         group: monitoring.coreos.com
+#         version: v1
+#         name: controller-manager-metrics-monitor
+#       fieldPaths:
+#         - spec.endpoints.0.tlsConfig.serverName
+#       options:
+#         delimiter: '.'
+#         index: 1
+#         create: true
 #
 # - source: # Uncomment the following block if you have any webhook
 #     kind: Service

diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml
@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key
diff --git a/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml
@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:

diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml
@@ -75,6 +75,17 @@ replacements:
          delimiter: '.'
          index: 0
          create: true
+     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
 
  - source:
      kind: Service
@@ -94,6 +105,17 @@ replacements:
          delimiter: '.'
          index: 1
          create: true
+     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
 
  - source: # Uncomment the following block if you have any webhook
      kind: Service

diff --git a/.../book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/.../book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml
@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key
diff --git a/...k/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/...k/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml
@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:

diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml
@@ -8122,7 +8122,11 @@ metadata:
   namespace: project-system
 spec:
   endpoints:
-  - tlsConfig:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
       ca:
         secret:
           key: ca.crt
@@ -8135,6 +8139,7 @@ spec:
       keySecret:
         key: tls.key
         name: metrics-server-cert
+      serverName: project-controller-manager-metrics-service.project-system.svc
   selector:
     matchLabels:
       app.kubernetes.io/name: project

diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.6
 	golang.org/x/text v0.22.0
-	golang.org/x/tools v0.29.0
+	golang.org/x/tools v0.30.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -28,10 +28,10 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -54,19 +54,19 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
 golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
-golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
 google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
 google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=