From a9d1f34a7b721d7039d76909f85031505c363774 Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Tue, 29 Oct 2024 18:33:05 +0000 Subject: [PATCH] Enable ServiceMonitor to use cert-manager-managed serving-cert with TLS verification Adds a patch to configure ServiceMonitor with to ensure TLS verification using cert-manager certificates. Updates documentation and corrects misaligned comments. --- .../testdata/project/cmd/main.go | 15 +-- .../project/config/default/kustomization.yaml | 9 +- .../project/config/prometheus/monitor.yaml | 12 +-- .../testdata/project/cmd/main.go | 15 +-- .../project/config/default/kustomization.yaml | 9 +- .../project/config/prometheus/monitor.yaml | 12 +-- .../testdata/project/cmd/main.go | 15 +-- .../project/config/default/kustomization.yaml | 9 +- .../project/config/prometheus/monitor.yaml | 12 +-- docs/book/src/reference/metrics.md | 96 +++++++++++-------- .../config/kdefault/kustomization.go | 9 +- .../templates/config/prometheus/monitor.go | 12 +-- .../config/prometheus/monitor_tls_patch.go | 67 +++++++++++++ .../v4/scaffolds/internal/templates/main.go | 13 +-- test/e2e/v4/generate_test.go | 21 ++++ testdata/project-v4-multigroup/cmd/main.go | 15 +-- .../config/default/kustomization.yaml | 9 +- .../config/prometheus/monitor.yaml | 12 +-- testdata/project-v4-with-plugins/cmd/main.go | 15 +-- .../config/default/kustomization.yaml | 9 +- .../config/prometheus/monitor.yaml | 12 +-- testdata/project-v4/cmd/main.go | 15 +-- .../config/default/kustomization.yaml | 9 +- .../project-v4/config/prometheus/monitor.yaml | 12 +-- 24 files changed, 281 insertions(+), 153 deletions(-) create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index 47efc36be87..bd88d0f4979 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go 
+++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go @@ -123,16 +123,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index eda09817f4e..cdad5baac49 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
+++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. - path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml index 1dea5d5fd7b..1c561728ef0 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/docs/book/src/getting-started/testdata/project/cmd/main.go b/docs/book/src/getting-started/testdata/project/cmd/main.go index ee576426ed6..ddd0ac73d00 100644 --- a/docs/book/src/getting-started/testdata/project/cmd/main.go +++ b/docs/book/src/getting-started/testdata/project/cmd/main.go 
@@ -103,16 +103,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index cf350655f86..026865ff3b0 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
@@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. #- path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml index 1dea5d5fd7b..1c561728ef0 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go index 6fcd19f57da..48723fdf810 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go 
@@ -122,16 +122,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index eda09817f4e..cdad5baac49 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. - path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor.yaml index 1dea5d5fd7b..1c561728ef0 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index 535c8bb7959..9958e708115 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md 
@@ -136,40 +136,16 @@ spec: +### By exposing the metrics endpoint using HTTPS and Cert-Manager + +Integrating `cert-manager` with your metrics service enables secure +HTTPS access via TLS encryption. Follow the steps below to configure +your project to expose the metrics endpoint using HTTPS with cert-manager. + +1. **Enable Cert-Manager in `config/default/kustomization.yaml`:** + - Uncomment the cert-manager resource to include it in your project: + + ```yaml + - ../certmanager + ``` + +2. **Enable the Patch for the `ServiceMonitor` to Use the Cert-Manager-Managed Secret:** + - Add or uncomment the `ServiceMonitor` patch to securely reference the cert-manager-managed secret, replacing insecure configurations with secure certificate verification: + + ```yaml + - path: ../prometheus/monitor_tls_patch.yaml + target: + kind: ServiceMonitor + ``` + +3. **Enable the Patch to Mount the Cert-Manager-Managed Secret in the Controller Deployment:** + - Use the `manager_webhook_patch.yaml` (or create a custom metrics patch) to mount the `serving-cert` secret in the Manager Deployment. This makes the cert-manager-managed certificate available for the metrics endpoint without enabling webhooks: + + ```yaml + - path: manager_webhook_patch.yaml + ``` + +4. **Update `cmd/main.go` to Use the Certificate Managed by Cert-Manager:** + - Modify `cmd/main.go` to configure the metrics server to use the cert-manager-managed certificates. + Uncomment the lines for `CertDir`, `CertName`, and `KeyName`: + + ```go + if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomization.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. 
+ // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + } + ``` + +By following these steps, you’ll configure your metrics endpoint to securely expose metrics over HTTPS using cert-manager-managed +certificates, improving security for production environments. ### By using Network Policy (You can optionally enable) @@ -202,16 +224,6 @@ Uncomment the following line in the `config/default/kustomization.yaml`: #- ../network-policy ``` -### By exposing the metrics endpoint using HTTPS and CertManager - -Integrating `cert-manager` with your metrics service can secure the endpoint via TLS encryption. - -To modify your project setup to expose metrics using HTTPS with -the help of cert-manager, you'll need to change the configuration of both -the `Service` under `config/default/metrics_service.yaml` and -the `ServiceMonitor` under `config/prometheus/monitor.yaml` to use a secure HTTPS port -and ensure the necessary certificate is applied. - ## Exporting Metrics for Prometheus Follow the steps below to export the metrics using the Prometheus Operator: diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index ecd24a05b9f..0c97bdc9cfe 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go 
@@ -86,8 +86,15 @@ patches:
 target:
 kind: Deployment
 
+# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus
+# to securely reference certificates created and managed by cert-manager. Also, uncomment the
+# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment.
+#- path: ../prometheus/monitor_tls_patch.yaml
+#target:
+# kind: ServiceMonitor
+
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
+# crd/kustomization.yaml.
 #- path: manager_webhook_patch.yaml
 
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go
index 73ce389aa01..01c0dda5a57 100644
--- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go
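Review bot: The new [CERTMANAGER] comment delegates mounting `serving-cert` to the [WEBHOOK] `manager_webhook_patch.yaml`, but the mountPath that patch uses is not in this diff and has to equal the `CertDir` the scaffolded `cmd/main.go` suggests (`/var/run/secrets/kubernetes.io/certs`); if the two differ the metrics server will not find its key pair. Coupling metrics TLS to the webhook patch also leaves a user who wants verified scraping without webhooks with nothing to uncomment; a dedicated metrics-cert Deployment patch would avoid that. At minimum state the coupling in the comment: `# The Deployment patch must mount the "serving-cert" secret at the CertDir set in cmd/main.go.` Also `bellow` should be `below`, and if the collapsed rendering here has dropped indentation, `target:` must sit two spaces under the `- path:` item once uncommented or kustomize rejects it.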
@@ -59,14 +59,10 @@ spec:
 bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
 tlsConfig:
 # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
-# certificate verification. This poses a significant security risk by making the system vulnerable to
-# man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
-# Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
-# compromising the integrity and confidentiality of the information.
-# Please use the following options for secure configurations:
-# caFile: /etc/metrics-certs/ca.crt
-# certFile: /etc/metrics-certs/tls.crt
-# keyFile: /etc/metrics-certs/tls.key
+# certificate verification, exposing the system to potential man-in-the-middle attacks.
+# For production environments, it is recommended to use cert-manager for automatic TLS certificate management.
+# To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml,
+# which securely references the certificate from the 'serving-cert' secret.
 insecureSkipVerify: true
 selector:
 matchLabels:
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go
new file mode 100644
index 00000000000..7a10bd18d31
--- /dev/null
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go
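Review bot: The new comment sends users to `config/prometheus/servicemonitor_tls_patch.yaml`, but the file this commit scaffolds is `config/prometheus/monitor_tls_patch.yaml` (that is the path `SetTemplateDefaults` sets in the new `monitor_tls_patch.go` and the one the kustomization comment references), so the pointer is dead. The rewrite also loses the reason `insecureSkipVerify: true` is needed at all: with no `CertDir` the manager serves a controller-runtime-generated self-signed certificate, as the comment being removed from `main.go` explained. Suggested replacement for the path line: `# To apply this configuration, enable cert-manager and the patch at config/prometheus/monitor_tls_patch.yaml,` plus one line noting that the default scaffold serves a self-signed certificate that Prometheus cannot verify.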
@@ -0,0 +1,67 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package prometheus
+
+import (
+ "path/filepath"
+
+ "sigs.k8s.io/kubebuilder/v4/pkg/machinery"
+)
+
+var _ machinery.Template = &ServiceMonitorPatch{}
+
+// ServiceMonitorPatch scaffolds a file that defines the patch for the ServiceMonitor
+// to use cert-manager managed certificates for secure TLS configuration.
+type ServiceMonitorPatch struct {
+ machinery.TemplateMixin
+ machinery.ProjectNameMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ServiceMonitorPatch) SetTemplateDefaults() error {
+ if f.Path == "" {
+ f.Path = filepath.Join("config", "prometheus", "monitor_tls_patch.yaml")
+ }
+
+ f.TemplateBody = serviceMonitorPatchTemplate
+
+ return nil
+}
+
+const serviceMonitorPatchTemplate = `# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
+# using certificates managed by cert-manager
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - tlsConfig:
+ insecureSkipVerify: false
+ ca:
+ secret:
+ name: serving-cert
+ key: ca.crt
+ cert:
+ secret:
+ name: serving-cert
+ key: tls.crt
+ keySecret:
+ name: serving-cert
+ key: tls.key
+`
diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go
index 87ae4f131da..80cc83baccd 100644
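Review bot: The scaffolded patch hands the manager's serving private key to Prometheus: `cert`/`keySecret` point at `serving-cert`'s `tls.crt`/`tls.key`, which the Prometheus Operator must read and project into the Prometheus pod, yet the endpoint authenticates scrapers with the bearer token (`bearerTokenFile` is already set on the ServiceMonitor), not with client certificates. Only `ca` is needed to enable verification, so drop the `cert:` and `keySecret:` stanzas and keep the key confined to the manager. Second, with `insecureSkipVerify: false` Prometheus checks the certificate against the address it scrapes, which for a ServiceMonitor is the pod endpoint, so unless the Certificate's `dnsNames` (not in this diff) cover that address the scrape fails on hostname mismatch; add `serverName: <metrics-service>.<namespace>.svc` under `tlsConfig`, matching a name the certificate is issued for, and note in the template header that `ca.crt` is only present in the secret for issuers that populate it. Minor: `ProjectNameMixin` is embedded but the template never references `.ProjectName`.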
--- a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go
+++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go
@@ -305,16 +305,17 @@ func main() {
 metricsServerOptions := metricsserver.Options{
 BindAddress: metricsAddr,
 SecureServing: secureMetrics,
- // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
- // not provided, self-signed certificates will be generated by default. This option is not recommended for
- // production environments as self-signed certificates do not offer the same level of trust and security
- // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
- // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
- // to provide certificates, ensuring the server communicates using trusted and secure certificates.
 TLSOpts: tlsOpts,
 }
 
 if secureMetrics {
+ // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following
+ // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'.
+ // This setup is recommended for production environments to ensure trusted and secure communication.
+ // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs"
+ // metricsServerOptions.CertName = "tls.crt"
+ // metricsServerOptions.KeyName = "tls.key"
+
 // FilterProvider is used to protect the metrics endpoint with authn/authz.
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go
index b0b84c07c78..9f71a716596 100644
--- a/test/e2e/v4/generate_test.go
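Review bot: The suggested `CertDir = "/var/run/secrets/kubernetes.io/certs"` only works if the Deployment patch that mounts `serving-cert` uses that exact mountPath; the kustomization comment delegates the mount to `manager_webhook_patch.yaml`, whose mountPath is not in this diff, so the two need to be checked against each other and the coupling should be named in the comment: `// CertDir must match the mountPath of the "serving-cert" volume in the Deployment patch under config/default.` The deleted comment also carried the fact that without `CertDir` controller-runtime generates a self-signed certificate; keep one line of that so readers know why the scaffolded ServiceMonitor defaults to `insecureSkipVerify: true`. Typo: `kustomizaton.yaml` should be `kustomization.yaml`. The enclosing `main` starts and ends outside the hunk.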
@@ -63,6 +63,13 @@ func GenerateV4(kbc *utils.TestContext) {
 "#- ../prometheus", "#")).To(Succeed())
 ExpectWithOffset(1, pluginutil.UncommentCode(filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
 certManagerTarget, "#")).To(Succeed())
+ ExpectWithOffset(1, pluginutil.UncommentCode(
+ filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
+ monitorTlsPatch, "#")).To(Succeed())
+
+ ExpectWithOffset(1, pluginutil.UncommentCode(
+ filepath.Join(kbc.Dir, "cmd", "main.go"),
+ tlsConfigManager, "//")).To(Succeed())
 
 if kbc.IsRestricted {
 By("uncomment kustomize files to ensure that pods are restricted")
@@ -162,6 +169,12 @@ func GenerateV4WithNetworkPolicies(kbc *utils.TestContext) {
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
 metricsTarget, "#")).To(Succeed())
+ ExpectWithOffset(1, pluginutil.UncommentCode(
+ filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
+ monitorTlsPatch, "#")).To(Succeed())
+ ExpectWithOffset(1, pluginutil.UncommentCode(
+ filepath.Join(kbc.Dir, "cmd", "main.go"),
+ tlsConfigManager, "//")).To(Succeed())
 By("uncomment kustomization.yaml to enable network policy")
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
@@ -368,3 +381,11 @@ func uncommentPodStandards(kbc *utils.TestContext) {
 ExpectWithOffset(1, err).NotTo(HaveOccurred())
 }
 }
+
+const monitorTlsPatch = `#- path: ../prometheus/monitor_tls_patch.yaml
+#target:
+# kind: ServiceMonitor`
+
+const tlsConfigManager = `// metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs"
+ // metricsServerOptions.CertName = "tls.crt"
+ // metricsServerOptions.KeyName = "tls.key"`
diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go
index 7c12566db71..3171f0a253e 100644
--- a/testdata/project-v4-multigroup/cmd/main.go
+++ b/testdata/project-v4-multigroup/cmd/main.go
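Review bot: `GenerateV4` now uncomments the ServiceMonitor patch and the `CertDir` lines in `cmd/main.go`, but nothing in the hunk enables the Deployment patch that mounts `serving-cert`; in the kustomization template that entry (`#- path: manager_webhook_patch.yaml`) is commented out by default, so unless it is uncommented elsewhere in this function the manager points `CertDir` at an empty directory and the e2e run exercises a metrics server that cannot load its key pair rather than verified TLS. Either uncomment the webhook patch next to `monitorTlsPatch` or add an assertion that a scrape of the metrics endpoint succeeds with verification enabled. Style: `monitorTlsPatch` should be `monitorTLSPatch`, keeping the initialism in one case as Go convention requires. Both `GenerateV4` and `GenerateV4WithNetworkPolicies` start outside the hunk.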
@@ -139,16 +139,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 556ccec1c19..01f2e7f468d 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml 
@@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. - path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml index 89d2f351f5b..c4dda955498 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/testdata/project-v4-with-plugins/cmd/main.go b/testdata/project-v4-with-plugins/cmd/main.go index 565ee94cc72..6bb661925aa 100644 --- a/testdata/project-v4-with-plugins/cmd/main.go +++ b/testdata/project-v4-with-plugins/cmd/main.go 
@@ -104,16 +104,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/testdata/project-v4-with-plugins/config/default/kustomization.yaml b/testdata/project-v4-with-plugins/config/default/kustomization.yaml index feac2c91a36..4307cc59d37 100644 --- a/testdata/project-v4-with-plugins/config/default/kustomization.yaml +++ b/testdata/project-v4-with-plugins/config/default/kustomization.yaml 
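Review bot: The replaced TODO drops the one fact the reader needs in order to act on the new commented lines: as the removed comment stated, with no certificate configured the metrics server falls back to a generated self-signed certificate, which is why `CertDir`/`CertName`/`KeyName` matter; the new text only calls the cert-manager setup "recommended". Suggest keeping one sentence, e.g. `// Without CertDir/CertName/KeyName the metrics server uses a self-signed certificate that Prometheus cannot verify.` The directory `/var/run/secrets/kubernetes.io/certs` has to match wherever the Deployment patch mounts the 'serving-cert' secret, which is not visible in this hunk, so a note such as `// CertDir must match the volumeMount path of the 'serving-cert' secret in the manager Deployment.` would save the next reader a wrong guess. `kustomizaton.yaml` should read `kustomization.yaml`. The same block appears in the hunk at L24, and main's body continues outside the hunk.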
@@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. - path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/testdata/project-v4-with-plugins/config/prometheus/monitor.yaml b/testdata/project-v4-with-plugins/config/prometheus/monitor.yaml index 58e9d5440eb..65d094406c7 100644 --- a/testdata/project-v4-with-plugins/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-plugins/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go index 28ddffa5fd6..4a00e9b8a65 100644 --- a/testdata/project-v4/cmd/main.go +++ b/testdata/project-v4/cmd/main.go 
@@ -109,16 +109,17 @@ func main() { metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - // not provided, self-signed certificates will be generated by default. This option is not recommended for - // production environments as self-signed certificates do not offer the same level of trust and security - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - // to provide certificates, ensuring the server communicates using trusted and secure certificates. - TLSOpts: tlsOpts, + TLSOpts: tlsOpts, } if secureMetrics { + // TODO(user): If cert-manager is enabled under config/default/kustomizaton.yaml, you can uncomment the following + // lines to use the certificate managed by cert-manager, mounted as a Kubernetes secret named 'serving-cert'. + // This setup is recommended for production environments to ensure trusted and secure communication. + // metricsServerOptions.CertDir = "/var/run/secrets/kubernetes.io/certs" + // metricsServerOptions.CertName = "tls.crt" + // metricsServerOptions.KeyName = "tls.key" + // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index aa9b5bfe626..a21ab432ac4 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml 
@@ -41,8 +41,15 @@ patches: target: kind: Deployment +# [CERTMANAGER] The following patch configures the ServiceMonitor under ../prometheus +# to securely reference certificates created and managed by cert-manager. Also, uncomment the +# [WEBHOOK] patch bellow to mount the "serving-cert" in the Manager Deployment. +#- path: ../prometheus/monitor_tls_patch.yaml +#target: +# kind: ServiceMonitor + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml +# crd/kustomization.yaml. - path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/testdata/project-v4/config/prometheus/monitor.yaml b/testdata/project-v4/config/prometheus/monitor.yaml index 1e3f1aec14c..2bed1cb0f76 100644 --- a/testdata/project-v4/config/prometheus/monitor.yaml +++ b/testdata/project-v4/config/prometheus/monitor.yaml 
@@ -16,14 +16,10 @@ spec: bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - # certificate verification. This poses a significant security risk by making the system vulnerable to - # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - # compromising the integrity and confidentiality of the information. - # Please use the following options for secure configurations: - # caFile: /etc/metrics-certs/ca.crt - # certFile: /etc/metrics-certs/tls.crt - # keyFile: /etc/metrics-certs/tls.key + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'serving-cert' secret. insecureSkipVerify: true selector: matchLabels: