
Commit 8de9db2d authored by Ryan Garcia's avatar Ryan Garcia :dizzy:

Merge branch 'mtls-prom-scraping' into 'master'

Monitoring mTLS / Prometheus mTLS Scraping

Closes platform-one/big-bang/apps/core/monitoring#71

See merge request platform-one/big-bang/bigbang!1900
parents 43d35393 78f9fa69
...@@ -81,6 +81,7 @@ alertmanager: ...@@ -81,6 +81,7 @@ alertmanager:
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
prometheus: prometheus:
prometheusSpec: prometheusSpec:
# The operator performs a strategic merge to add our imagePullPolicy definition to the default containers # The operator performs a strategic merge to add our imagePullPolicy definition to the default containers
...@@ -107,15 +108,31 @@ prometheus: ...@@ -107,15 +108,31 @@ prometheus:
annotations: annotations:
{{- if $istioInjection }} {{- if $istioInjection }}
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
traffic.sidecar.istio.io/includeOutboundIPRanges: ""
proxy.istio.io/config: |
proxyMetadata:
OUTPUT_CERTS: /etc/istio-output-certs
sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]'
{{- end }} {{- end }}
{{- if .Values.addons.vault.enabled }} {{- if .Values.addons.vault.enabled }}
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-init-first: "true" vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject-token: "true" vault.hashicorp.com/agent-inject-token: "true"
vault.hashicorp.com/role: "prometheus" vault.hashicorp.com/role: "prometheus"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if $istioInjection }}
# Add volume/mount for Istio certs for mTLS scraping
volumes:
- emptyDir:
medium: Memory
name: istio-certs
volumeMounts:
- mountPath: /etc/prom-certs/
name: istio-certs
{{- end }}
anchore: anchore:
enabled: {{ .Values.addons.anchore.enabled }} enabled: {{ .Values.addons.anchore.enabled }}
...@@ -129,7 +146,7 @@ loki: ...@@ -129,7 +146,7 @@ loki:
{{- if or $gitlabRedis $authserviceRedisEnabled $redisDatasource }} {{- if or $gitlabRedis $authserviceRedisEnabled $redisDatasource }}
redis: redis:
enabled: true enabled: true
{{- end }} {{- end }}
vault: vault:
enabled: {{ .Values.addons.vault.enabled }} enabled: {{ .Values.addons.vault.enabled }}
...@@ -146,7 +163,7 @@ grafana: ...@@ -146,7 +163,7 @@ grafana:
{{- if $gitlabRedis }} {{- if $gitlabRedis }}
envFromSecret: grafana-env-secret envFromSecret: grafana-env-secret
{{- end }} {{- end }}
image: image:
pullPolicy: {{ .Values.imagePullPolicy }} pullPolicy: {{ .Values.imagePullPolicy }}
...@@ -160,7 +177,7 @@ grafana: ...@@ -160,7 +177,7 @@ grafana:
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
{{- if $gitlabRedis }} {{- if $gitlabRedis }}
checksum/gitlabRedisPassword: {{ sha256sum .Values.addons.gitlab.redis.password }} checksum/gitlabRedisPassword: {{ sha256sum .Values.addons.gitlab.redis.password }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if or .Values.loki.enabled .Values.tempo.enabled $gitlabRedis $authserviceRedisEnabled .Values.addons.argocd.enabled }} {{- if or .Values.loki.enabled .Values.tempo.enabled $gitlabRedis $authserviceRedisEnabled .Values.addons.argocd.enabled }}
...@@ -171,19 +188,19 @@ grafana: ...@@ -171,19 +188,19 @@ grafana:
access: proxy access: proxy
url: argocd-argocd-redis-bb-master.argocd.svc.cluster.local:6379 url: argocd-argocd-redis-bb-master.argocd.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
- name: Argo Headless - name: Argo Headless
type: redis-datasource type: redis-datasource
access: proxy access: proxy
url: argocd-argocd-redis-bb-headless.argocd.svc.cluster.local:6379 url: argocd-argocd-redis-bb-headless.argocd.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
- name: Argo Replicas - name: Argo Replicas
type: redis-datasource type: redis-datasource
access: proxy access: proxy
url: argocd-argocd-redis-bb-replicas.argocd.svc.cluster.local:6379 url: argocd-argocd-redis-bb-replicas.argocd.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
{{- end }} {{- end }}
{{- if $authserviceRedisEnabled }} {{- if $authserviceRedisEnabled }}
- name: AuthService Master - name: AuthService Master
...@@ -191,19 +208,19 @@ grafana: ...@@ -191,19 +208,19 @@ grafana:
access: proxy access: proxy
url: authservice-authservice-redis-bb-master.authservice.svc.cluster.local:6379 url: authservice-authservice-redis-bb-master.authservice.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
- name: AuthService Headless - name: AuthService Headless
type: redis-datasource type: redis-datasource
access: proxy access: proxy
url: authservice-authservice-redis-bb-headless.authservice.svc.cluster.local:6379 url: authservice-authservice-redis-bb-headless.authservice.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
- name: AuthService Replicas - name: AuthService Replicas
type: redis-datasource type: redis-datasource
access: proxy access: proxy
url: authservice-authservice-redis-bb-replicas.authservice.svc.cluster.local:6379 url: authservice-authservice-redis-bb-replicas.authservice.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
{{- end }} {{- end }}
{{- if $gitlabRedis }} {{- if $gitlabRedis }}
- name: GitLab - name: GitLab
...@@ -211,7 +228,7 @@ grafana: ...@@ -211,7 +228,7 @@ grafana:
access: proxy access: proxy
url: gitlab-redis-master.gitlab.svc.cluster.local:6379 url: gitlab-redis-master.gitlab.svc.cluster.local:6379
jsonData: jsonData:
client: standalone client: standalone
secureJsonData: secureJsonData:
password: $GITLAB_REDIS_PASSWORD password: $GITLAB_REDIS_PASSWORD
{{- end }} {{- end }}
...@@ -292,6 +309,16 @@ grafana: ...@@ -292,6 +309,16 @@ grafana:
{{- list "tls_client_key" .tls_client_key | include "bigbang.addValueIfSet" | indent 6 }} {{- list "tls_client_key" .tls_client_key | include "bigbang.addValueIfSet" | indent 6 }}
{{- end }} {{- end }}
{{- if $istioInjection }}
serviceMonitor:
scheme: https
tlsConfig:
caFile: /etc/prom-certs/root-cert.pem
certFile: /etc/prom-certs/cert-chain.pem
keyFile: /etc/prom-certs/key.pem
insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
{{- end }}
prometheus-node-exporter: prometheus-node-exporter:
image: image:
pullPolicy: {{ .Values.imagePullPolicy }} pullPolicy: {{ .Values.imagePullPolicy }}
...@@ -302,6 +329,14 @@ prometheus-node-exporter: ...@@ -302,6 +329,14 @@ prometheus-node-exporter:
{{- if $istioInjection }} {{- if $istioInjection }}
podAnnotations: podAnnotations:
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
prometheus:
monitor:
scheme: https
tlsConfig:
caFile: /etc/prom-certs/root-cert.pem
certFile: /etc/prom-certs/cert-chain.pem
keyFile: /etc/prom-certs/key.pem
insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
{{- end }} {{- end }}
{{- if .Values.openshift }} {{- if .Values.openshift }}
...@@ -319,6 +354,14 @@ kube-state-metrics: ...@@ -319,6 +354,14 @@ kube-state-metrics:
{{- if $istioInjection }} {{- if $istioInjection }}
podAnnotations: podAnnotations:
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
prometheus:
monitor:
scheme: https
tlsConfig:
caFile: /etc/prom-certs/root-cert.pem
certFile: /etc/prom-certs/cert-chain.pem
keyFile: /etc/prom-certs/key.pem
insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
{{- end }} {{- end }}
prometheusOperator: prometheusOperator:
...@@ -331,9 +374,8 @@ prometheusOperator: ...@@ -331,9 +374,8 @@ prometheusOperator:
patch: patch:
image: image:
pullPolicy: {{ .Values.imagePullPolicy }} pullPolicy: {{ .Values.imagePullPolicy }}
{{- if $istioInjection }} {{- if $istioInjection }}
podAnnotations: podAnnotations:
{{ include "istioAnnotation" . }} {{ include "istioAnnotation" . }}
{{- end }} {{- end }}
{{- end -}} {{- end }}
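Review bot: The `insecureSkipVerify: true` lines in the new grafana serviceMonitor, prometheus-node-exporter and kube-state-metrics monitor blocks disable verification of the scrape target's certificate, so the `caFile` listed beside them is not actually used to validate the chain and the mTLS configured here authenticates Prometheus to the target's sidecar rather than the target to Prometheus; the inline comment should say that plainly, e.g. `# Prometheus cannot check Istio SPIFFE SAN naming, so the target's certificate is NOT verified here; only the client cert is presented`, rather than the abbreviated "thus skip verifying" note. The identical tlsConfig stanza (scheme, caFile, certFile, keyFile, insecureSkipVerify) is repeated three times in this file, so a named template would keep the cert paths and that caveat in one place. The new `traffic.sidecar.istio.io/includeOutboundIPRanges: ""` annotation on the prometheus pod is undocumented — presumably it routes outbound scrapes around the sidecar so Prometheus can originate TLS with the mounted istio-certs volume, and a comment such as `# Bypass the sidecar for outbound traffic; Prometheus terminates mTLS itself using the istio-certs volume` would make that intent explicit. The enclosing `{{- if $istioInjection }}` blocks and the top of this template begin outside the visible hunks.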
...@@ -612,7 +612,7 @@ monitoring: ...@@ -612,7 +612,7 @@ monitoring:
git: git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
path: "./chart" path: "./chart"
tag: "39.2.1-bb.2" tag: "39.2.1-bb.5"
# -- Flux reconciliation overrides specifically for the Monitoring Package # -- Flux reconciliation overrides specifically for the Monitoring Package
flux: flux: