How do I get TLS certificates into a pod for use with the Prometheus Helm chart?

Time: 2019-09-07 01:10:24

Tags: kubernetes prometheus kubernetes-helm

Here are the Helm chart values for stable/prometheus: https://github.com/helm/charts/blob/master/stable/prometheus/values.yaml

I was able to get this to work:

helm upgrade --install prometheus stable/prometheus \
--set extraScrapeConfigs="- job_name: 'myjob'
  scrape_interval: 1s
  metrics_path: /metrics
  scheme: https
  static_configs:
    - targets: ['###.##.###.###:#####']
  tls_config:
    ca_file: /prometheus/ca.pem
    key_file: /prometheus/key.pem
    cert_file: /prometheus/cert.pem
    insecure_skip_verify: true"

To do this, I had to do:

kubectl cp localdir/ca.pem prometheus-server-abc:/prometheus -c prometheus-server
kubectl cp localdir/key.pem prometheus-server-abc:/prometheus -c prometheus-server
kubectl cp localdir/cert.pem prometheus-server-abc:/prometheus -c prometheus-server

I believe there is a better, more proper way to do this using a Secret and mountPath. I tried something like the following with no luck:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  ca.pem: base64encodedcapem
  key.pem: base64encodedkeypem
  cert.pem: base64encodedcertpem

kubectl apply -f mysecret

helm upgrade --install prometheus stable/prometheus \
--set extraSecretMounts="- name: mysecret-mount
  mountPath: /somepathinpod/mysecret
  secretName: mysecret" \
--set extraScrapeConfigs="- job_name: 'myjob'
  scrape_interval: 1s
  metrics_path: /metrics
  scheme: https
  static_configs:
    - targets: ['###.##.###.###:#####']
  tls_config:
    ca_file: /somepathinpod/mysecret/ca.pem
    key_file: /somepathinpod/mysecret/key.pem
    cert_file: /somepathinpod/mysecret/cert.pem
    insecure_skip_verify: true"

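I expected the certificates to magically show up at /somepathinpod, but they did not.

I am assuming I don't have to clone the whole repository and manually edit the Helm chart to put a volumeMount into the prometheus-server deployment/container, and can just change my helm command somehow. Any advice on how to get my certificates in there?

1 Answer:

Answer 0: (score: 2)

According to the documentation, the correct key to use is server.extraSecretMounts, not just extraSecretMounts.

Also verify that the YAML generated on Kubernetes contains the correct mount with: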

kubectl get deployment prometheus-server-object-name -o yaml

override.yaml

server:
  extraSecretMounts:
    - name: mysecret-mount
      mountPath: /etc/config/mysecret
      secretName: mysecret

extraScrapeConfigs: |
  - job_name: myjob
    scrape_interval: 15s
    metrics_path: /metrics
    scheme: https
    static_configs:
      - targets:
          - '###.##.###.###:#####'  # quoted so YAML does not treat # as a comment
    tls_config:
      ca_file: /etc/config/mysecret/ca.pem
      key_file: /etc/config/mysecret/key.pem
      cert_file: /etc/config/mysecret/cert.pem
      insecure_skip_verify: true

helm upgrade -f override.yaml prometheus stable/prometheus
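
The mount check the answer recommends, as an added example (not part of the original question or answer): a Python function that takes the Deployment as parsed from `kubectl get deployment ... -o json` and reports whether the Secret is mounted where the `tls_config` paths point. The trimmed Deployment dictionaries are constructed samples; the container name `prometheus-server` is taken from the question's `kubectl cp` commands, while the `config-volume` entry and the helper names are assumptions.

```python
def check_secret_mount(deployment, container, secret_name, cert_paths):
    """Return a list of problems; an empty list means every path is covered."""
    pod = deployment["spec"]["template"]["spec"]
    # Pod-level volumes that are backed by the named Secret.
    vols = {v["name"] for v in pod.get("volumes", [])
            if v.get("secret", {}).get("secretName") == secret_name}
    if not vols:
        return [f"no volume references secret '{secret_name}'"]
    ctr = next((c for c in pod.get("containers", []) if c["name"] == container), None)
    if ctr is None:
        return [f"container '{container}' not found"]
    # Mount points of those volumes inside the target container.
    roots = [m["mountPath"].rstrip("/") + "/" for m in ctr.get("volumeMounts", [])
             if m["name"] in vols]
    if not roots:
        return [f"secret '{secret_name}' is not mounted in '{container}'"]
    # Every file named in tls_config must live under one of the mount points.
    return [f"{p} is outside the secret mount" for p in cert_paths
            if not any(p.startswith(r) for r in roots)]


def make_deployment(with_mount):
    """Constructed sample: a trimmed Deployment, with or without the secret mount."""
    pod = {"containers": [{"name": "prometheus-server", "volumeMounts": [
               {"name": "config-volume", "mountPath": "/etc/config"}]}],
           "volumes": [{"name": "config-volume",
                        "configMap": {"name": "prometheus-server"}}]}
    if with_mount:
        pod["containers"][0]["volumeMounts"].append(
            {"name": "mysecret-mount", "mountPath": "/etc/config/mysecret"})
        pod["volumes"].append(
            {"name": "mysecret-mount", "secret": {"secretName": "mysecret"}})
    return {"kind": "Deployment", "spec": {"template": {"spec": pod}}}


# Paths used in the tls_config block of override.yaml.
CERT_PATHS = ["/etc/config/mysecret/" + f for f in ("ca.pem", "key.pem", "cert.pem")]

if __name__ == "__main__":
    cases = (("top-level extraSecretMounts (ignored)", make_deployment(False)),
             ("server.extraSecretMounts", make_deployment(True)))
    for label, dep in cases:
        result = check_secret_mount(dep, "prometheus-server", "mysecret", CERT_PATHS)
        print(label, "->", result or "OK")
```

With `ca.pem` mounted, `insecure_skip_verify: true` still turns off validation of the target's certificate, so the CA file is only put to use once that setting is removed or set to false.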