feat(deployment): support tls config using secrets (#2660)
Signed-off-by: Marcelo Clavel <marcelo.clavel@buda.com>

Signed-off-by: Marcelo Clavel <marcelo.clavel@buda.com>
mclavel authored Nov 8, 2022
1 parent 3e5c963 commit 391bf7e
Showing 3 changed files with 114 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/prometheus-redis-exporter/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
appVersion: v1.44.0
description: Prometheus exporter for Redis metrics
name: prometheus-redis-exporter
version: 5.2.1
version: 5.3.0
home: https://github.com/oliver006/redis_exporter
sources:
- https://github.com/oliver006/redis_exporter
81 changes: 79 additions & 2 deletions charts/prometheus-redis-exporter/templates/deployment.yaml
@@ -53,7 +53,33 @@ spec:
{{- else }}
value: {{ .Values.redisAddress }}
{{- end }}
{{- if .Values.auth.enabled }}
{{- if .Values.redisTlsConfig.enabled }}
{{- if .Values.redisTlsConfig.skipTlsVerification }}
- name: REDIS_EXPORTER_SKIP_TLS_VERIFICATION
value: "true"
{{- end }}
{{- if and (.Values.redisTlsConfig.caCertFile.secret.name) (.Values.redisTlsConfig.caCertFile.secret.key) }}
- name: REDIS_EXPORTER_TLS_CA_CERT_FILE
value: {{ .Values.redisTlsConfig.mountPath }}/tls-ca-cert.crt
{{- end }}
{{- if and (.Values.redisTlsConfig.clientKeyFile.secret.name) (.Values.redisTlsConfig.clientKeyFile.secret.key) }}
- name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE
value: {{ .Values.redisTlsConfig.mountPath }}/tls-client-key.key
{{- end }}
{{- if and (.Values.redisTlsConfig.clientCertFile.secret.name) (.Values.redisTlsConfig.clientCertFile.secret.key) }}
- name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE
value: {{ .Values.redisTlsConfig.mountPath }}/tls-client-cert.crt
{{- end }}
{{- if and (.Values.redisTlsConfig.serverKeyFile.secret.name) (.Values.redisTlsConfig.serverKeyFile.secret.key) }}
- name: REDIS_EXPORTER_TLS_SERVER_KEY_FILE
value: {{ .Values.redisTlsConfig.mountPath }}/tls-server-key.key
{{- end }}
{{- if and (.Values.redisTlsConfig.serverCertFile.secret.name) (.Values.redisTlsConfig.serverCertFile.secret.key) }}
- name: REDIS_EXPORTER_TLS_SERVER_CERT_FILE
value: {{ .Values.redisTlsConfig.mountPath }}/tls-server-cert.crt
{{- end }}
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (.Values.auth.redisPasswordFile.secret.name) (.Values.auth.redisPasswordFile.secret.key) }}
- name: REDIS_PASSWORD_FILE
value: {{ .Values.auth.redisPasswordFile.mountPath }}/{{ .Values.auth.redisPasswordFile.secret.key }}
@@ -89,14 +115,25 @@ spec:
- mountPath: {{ .Values.auth.redisPasswordFile.mountPath }}
name: redis-password-file-mount
{{- end }}
{{- if .Values.redisTlsConfig.enabled }}
- mountPath: {{ .Values.redisTlsConfig.mountPath }}
name: tls
readOnly: true
{{- end}}
livenessProbe:
httpGet:
path: /
port: exporter-port
{{- if and (.Values.redisTlsConfig.enabled) (.Values.redisTlsConfig.serverCertFile.secret.name) (.Values.redisTlsConfig.serverCertFile.secret.key) }}
scheme: HTTPS
{{- end }}
readinessProbe:
httpGet:
path: /
port: exporter-port
{{- if and (.Values.redisTlsConfig.enabled) (.Values.redisTlsConfig.serverCertFile.secret.name) (.Values.redisTlsConfig.serverCertFile.secret.key) }}
scheme: HTTPS
{{- end }}
resources:
{{ toYaml .Values.resources | indent 12 }}
volumes:
@@ -111,7 +148,47 @@ spec:
{{- if and (.Values.auth.enabled) (.Values.auth.redisPasswordFile.secret.name) }}
- name: redis-password-file-mount
secret:
secretName: {{ .Values.auth.redisPasswordFile.secret.name }}
secretName: {{ .Values.auth.redisPasswordFile.secret.name }}
{{- end }}
{{- if .Values.redisTlsConfig.enabled }}
- name: tls
projected:
sources:
{{- if and (.Values.redisTlsConfig.caCertFile.secret.name) (.Values.redisTlsConfig.caCertFile.secret.key) }}
- secret:
name: {{ .Values.redisTlsConfig.caCertFile.secret.name }}
items:
- key: {{ .Values.redisTlsConfig.caCertFile.secret.key }}
path: tls-ca-cert.crt
{{- end }}
{{- if and (.Values.redisTlsConfig.clientKeyFile.secret.name) (.Values.redisTlsConfig.clientKeyFile.secret.key) }}
- secret:
name: {{ .Values.redisTlsConfig.clientKeyFile.secret.name }}
items:
- key: {{ .Values.redisTlsConfig.clientKeyFile.secret.key }}
path: tls-client-key.key
{{- end }}
{{- if and (.Values.redisTlsConfig.clientCertFile.secret.name) (.Values.redisTlsConfig.clientCertFile.secret.key) }}
- secret:
name: {{ .Values.redisTlsConfig.clientCertFile.secret.name }}
items:
- key: {{ .Values.redisTlsConfig.clientCertFile.secret.key }}
path: tls-client-cert.crt
{{- end }}
{{- if and (.Values.redisTlsConfig.serverKeyFile.secret.name) (.Values.redisTlsConfig.serverKeyFile.secret.key) }}
- secret:
name: {{ .Values.redisTlsConfig.serverKeyFile.secret.name }}
items:
- key: {{ .Values.redisTlsConfig.serverKeyFile.secret.key }}
path: tls-server-key.key
{{- end }}
{{- if and (.Values.redisTlsConfig.serverCertFile.secret.name) (.Values.redisTlsConfig.serverCertFile.secret.key) }}
- secret:
name: {{ .Values.redisTlsConfig.serverCertFile.secret.name }}
items:
- key: {{ .Values.redisTlsConfig.serverCertFile.secret.key }}
path: tls-server-cert.crt
{{- end }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
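Review bot: The `scheme: HTTPS` condition on the liveness and readiness probes checks only `serverCertFile`, while the HTTPS listener presumably also needs `REDIS_EXPORTER_TLS_SERVER_KEY_FILE`, so a release with the certificate set and the key left empty would be probed over HTTPS against an endpoint that is not serving TLS, and the pod would fail its probes and be restarted. Adding `.Values.redisTlsConfig.serverKeyFile.secret.name` and `.Values.redisTlsConfig.serverKeyFile.secret.key` to the `and` in both probe conditions keeps them in step with the env block. Separately, the projected `tls` volume sets no `defaultMode`, so the client and server private keys are mounted with the Kubernetes default of 0644; a tighter mode under `projected:` (for example `defaultMode: 0440`, assuming the pod's fsGroup still lets the exporter user read the files) limits who can read them inside the container.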
34 changes: 34 additions & 0 deletions charts/prometheus-redis-exporter/values.yaml
@@ -66,6 +66,40 @@ redisAddressConfig:
name: ""
key: ""

redisTlsConfig:
# Use TLS configuration
enabled: false
# Whether to to skip TLS verification
skipTlsVerification: false
# All secrets key about TLS config will be mounted into this path
mountPath: /tls

# REDIS_EXPORTER_TLS_CA_CERT_FILE will be set to /tls/tls-ca-cert.crt
caCertFile:
secret:
name: ""
key: ""
# REDIS_EXPORTER_TLS_CLIENT_KEY_FILE will be set to /tls/tls-client-key.key
clientKeyFile:
secret:
name: ""
key: ""
# REDIS_EXPORTER_TLS_CLIENT_CERT_FILE will be set to /tls/tls-client-cert.crt
clientCertFile:
secret:
name: ""
key: ""
# REDIS_EXPORTER_TLS_SERVER_KEY_FILE will be set to /tls/tls-server-key.key
serverKeyFile:
secret:
name: ""
key: ""
# REDIS_EXPORTER_TLS_SERVER_CERT_FILE will be set to /tls/tls-server-cert.crt
serverCertFile:
secret:
name: ""
key: ""

serviceMonitor:
# When set true then use a ServiceMonitor to configure scraping
enabled: false
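Review bot: The comment on `skipTlsVerification` has a doubled "to" and does not say what is skipped; something like `# Skip verification of the certificate presented by Redis (insecure: the server is no longer authenticated); keep false outside of testing` would make the risk visible to whoever flips it. The per-file comments hard-code `/tls/...` although `mountPath` is configurable, so they become wrong once it is overridden; `# REDIS_EXPORTER_TLS_CA_CERT_FILE will be set to <mountPath>/tls-ca-cert.crt` is more accurate. It would also help to note that `clientKeyFile`/`clientCertFile` and `serverKeyFile`/`serverCertFile` are meant to be set as pairs, since the template gates each one independently.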
