diff --git a/.github/workflows/test-e2e-samples.yml b/.github/workflows/test-e2e-samples.yml index 1e170ff60a8..f87f44bad2e 100644 --- a/.github/workflows/test-e2e-samples.yml +++ b/.github/workflows/test-e2e-samples.yml @@ -43,8 +43,8 @@ jobs: sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH sed -i '47,49s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment all cert-manager injections - sed -i '59,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4/ go mod tidy @@ -86,10 +86,12 @@ jobs: # Uncomment only ValidatingWebhookConfiguration # from cert-manager replaces; we are leaving defaulting uncommented # since this sample has no defaulting webhooks - sed -i '59,164s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '120,186s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment only --conversion webhooks CA injection - sed -i '197,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '219,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-with-plugins/ go mod tidy @@ -129,9 +131,10 @@ jobs: KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment all cert-manager injections for webhooks only - sed -i '59,59s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '98,212s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '120,234s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-multigroup go mod tidy 
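Review bot: The second added line of the first hunk drops the `s` command from the sed script — `sed -i '236,251/^#//' $KUSTOMIZATION_FILE_PATH` — so sed rejects the expression (`unknown command`) and, with the default `bash -e` shell for `run:` steps, the project-v4 job fails before `go mod tidy`; it should read `sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH`, matching the equivalent lines in the two later hunks. More generally every range here is a hard-coded line number into `config/default/kustomization.yaml`, which is why this commit has to renumber all three jobs at once; uncommenting between sentinel comment lines instead of by line number would survive future insertions, though that is a follow-up rather than something this change must fix. The `run:` block each hunk belongs to starts outside the hunk.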
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index 3e54d96aea9..8230498cb42 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service @@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml 
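Review bot: The inline comments on both new `select` entries say `# Uncomment the following to set the Service name ...` / `... namespace ...`, but in this file the blocks are live (the hunk context is an active `replacements:` list), so the instruction is stale here; in this copy and in the multiversion-tutorial one the comment should state what the entry does, e.g. `- select: # Set the Service name for TLS config in Prometheus ServiceMonitor` and `- select: # Set the Service namespace for TLS config in Prometheus ServiceMonitor`. The wording is fine where the block is scaffolded commented out (getting-started, the testdata projects, sample.go, kustomization.go and generate_test.go). Both entries also depend on `prometheus/monitor_tls_patch.yaml` having placed the `SERVICE_NAME.SERVICE_NAMESPACE.svc` value at `spec.endpoints.0.tlsConfig.serverName`; with `create: true` the field is still created when that patch is not enabled, and what value it then holds is not obvious from here, so a one-line comment tying the two files together would help. The `source:` each select belongs to is outside the hunk.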
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index a240adc8607..309f43d307c 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml 
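Review bot: `op: replace` on `/spec/endpoints/0/tlsConfig` requires that path to already exist in the base ServiceMonitor; if the base endpoint carries no `tlsConfig` (the base is not in this diff) kustomize fails the build, whereas `op: add` sets the member whether or not it exists and would make the patch robust to either base. Because the file is now a JSON6902 patch with no `metadata` of its own, the `patches:` entry in `config/default/kustomization.yaml` that references it has to carry a `target:` selecting the ServiceMonitor — that entry is outside this diff, worth confirming. The header comment should also say that `serverName` only becomes meaningful once the two ServiceMonitor `replacements` in `config/default/kustomization.yaml` are uncommented; until then the literal `SERVICE_NAME.SERVICE_NAMESPACE.svc` is compared against the certificate and, with `insecureSkipVerify: false`, scraping should fail closed with a hostname mismatch. The same content appears in the getting-started, multiversion-tutorial and testdata copies and in the `serviceMonitorPatchTemplate` constant in monitor_tls_patch.go, which is the one to change.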
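Review bot: The new `serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc` is only effective if the certificate in `metrics-server-cert` carries exactly that name as a DNS SAN; the chart's Certificate resource is not in this diff, so confirm its `dnsNames` is built from the same Service name and `.Release.Namespace` — a mismatch surfaces as a scrape-time TLS error rather than a template error. A comment above the line, `# must match a dnsName on the metrics-server-cert Certificate`, would document the coupling. The same line is added to the getting-started, multiversion-tutorial and project-v4-with-plugins charts and is generated from `{{ .ProjectName }}` in the Helm scaffold's monitor.go.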
@@ -4276,7 +4276,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -4289,6 +4293,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 6cbecf19a15..5a206998350 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service 
diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/dist/chart/templates/prometheus/monitor.yaml 
@@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index f72c5a8890f..0cc2ff2331b 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service @@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml index 2ff384a1435..78d68d06f22 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 0f6e2f94388..6296d65591b 100644 
--- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -8122,7 +8122,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -8135,6 +8139,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/go.mod b/go.mod index 9ff861a1981..75c537fc07e 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.6 golang.org/x/text v0.22.0 - golang.org/x/tools v0.29.0 + golang.org/x/tools v0.30.0 sigs.k8s.io/yaml v1.4.0 ) @@ -28,10 +28,10 @@ require ( github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/stretchr/testify v1.9.0 // indirect - golang.org/x/mod v0.22.0 // indirect - golang.org/x/net v0.34.0 // indirect + golang.org/x/mod v0.23.0 // indirect + golang.org/x/net v0.35.0 // indirect golang.org/x/sync v0.11.0 // indirect - golang.org/x/sys v0.29.0 // indirect + golang.org/x/sys v0.30.0 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 1b8a539de84..1c620a71d0e 100644 --- a/go.sum +++ b/go.sum 
@@ -54,19 +54,19 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= -golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= -golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= -golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= +golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM= +golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= -golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= +golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= -golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE= -golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588= +golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY= +golang.org/x/tools v0.30.0/go.mod 
h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY= google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/hack/docs/internal/cronjob-tutorial/sample.go b/hack/docs/internal/cronjob-tutorial/sample.go index dddea3baacc..2588789e849 100644 --- a/hack/docs/internal/cronjob-tutorial/sample.go +++ b/hack/docs/internal/cronjob-tutorial/sample.go @@ -52,6 +52,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -71,6 +82,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index 1f1c1973397..5d327201ffb 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go 
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -120,6 +120,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -139,6 +150,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go index b134911a7e1..b9de3871d3b 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go 
@@ -44,24 +44,21 @@ func (f *ServiceMonitorPatch) SetTemplateDefaults() error { const serviceMonitorPatchTemplate = `# Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key ` diff --git a/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go b/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go index 8acd4d6ae15..a4e90fb66c9 100644 --- a/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go +++ b/pkg/plugins/optional/helm/v1alpha/scaffolds/internal/templates/chart-templates/prometheus/monitor.go @@ -59,6 +59,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{ "{{- if .Values.certmanager.enable }}" }} + serverName: {{ .ProjectName }}-controller-manager-metrics-service.{{ "{{ .Release.Namespace }}" }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 6051dd3c5be..7975d891667 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go 
@@ -475,6 +475,17 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -493,4 +504,15 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # options: # delimiter: '.' # index: 1 +# create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 # create: true` diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9f57d56c7f3..3fdc4dd6c70 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service 
@@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4-with-plugins/config/default/kustomization.yaml b/testdata/project-v4-with-plugins/config/default/kustomization.yaml index 7d10355c4a2..a9d169cbd76 100644 --- a/testdata/project-v4-with-plugins/config/default/kustomization.yaml 
+++ b/testdata/project-v4-with-plugins/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml b/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml index abb87440c0a..92773eb66b9 100644 --- a/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml +++ b/testdata/project-v4-with-plugins/dist/chart/templates/prometheus/monitor.yaml @@ -15,6 +15,7 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: {{- if .Values.certmanager.enable }} + serverName: project-v4-with-plugins-controller-manager-metrics-service.{{ .Release.Namespace }}.svc # Apply secure TLS configuration with cert-manager insecureSkipVerify: false ca: diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index e288dc06a02..e0fad41c4fc 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml 
@@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key