From 431f73450922aa126a58241152cd50df1aed049c Mon Sep 17 00:00:00 2001
From: Simon Pasquier
Date: Tue, 30 Sep 2025 09:41:44 +0200
Subject: [PATCH] fix: prevent duplicate authentication settings in PodMonitor

This commit ensures that the operator discards PodMonitor resources with duplicate authentication settings. Otherwise Prometheus fails to load the generated configuration.

Signed-off-by: Simon Pasquier
---
 Documentation/api-reference/api.md | 208 +++++++-------
 bundle.yaml | 36 +--
 .../monitoring.coreos.com_podmonitors.yaml | 36 +--
 .../monitoring.coreos.com_podmonitors.yaml | 36 +--
 .../prometheus-operator/podmonitors-crd.json | 14 +-
 pkg/alertmanager/amcfg.go | 3 +-
 pkg/alertmanager/operator.go | 5 -
 pkg/alertmanager/validation/v1/validation.go | 8 +-
 pkg/apis/monitoring/v1/http_config.go | 54 ++--
 pkg/apis/monitoring/v1/podmonitor_types.go | 56 +---
 .../monitoring/v1/podmonitor_types_test.go | 2 +-
 pkg/apis/monitoring/v1/types.go | 4 +
 .../monitoring/v1/zz_generated.deepcopy.go | 33 +--
 .../monitoring/v1/podmetricsendpoint.go | 143 +++++-----
 pkg/prometheus/promcfg.go | 34 ++-
 pkg/prometheus/promcfg_test.go | 16 +-
 pkg/prometheus/resource_selector.go | 65 +++--
 pkg/prometheus/resource_selector_test.go | 266 ++++++++++++++----
 test/e2e/prometheus_test.go | 112 ++++----
 19 files changed, 624 insertions(+), 507 deletions(-)

diff --git a/Documentation/api-reference/api.md b/Documentation/api-reference/api.md
index 0b224439f..0d6c7cc69 100644
--- a/Documentation/api-reference/api.md
+++ b/Documentation/api-reference/api.md
@@ -7762,7 +7762,7 @@ string

BasicAuth

-(Appears on:APIServerConfig, AlertmanagerEndpoints, Endpoint, HTTPConfig, PodMetricsEndpoint, ProbeSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig) +(Appears on:APIServerConfig, AlertmanagerEndpoints, Endpoint, HTTPConfig, ProbeSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig)

BasicAuth configures HTTP Basic Authentication settings.

@@ -11179,7 +11179,7 @@ Examples: 45ms, 30s, 1m, 1h20m15sHTTPConfig

-(Appears on:AlertmanagerGlobalConfig) +(Appears on:AlertmanagerGlobalConfig, PodMetricsEndpoint)

HTTPConfig defines the configuration for the HTTP client.

@@ -11731,7 +11731,7 @@ Examples: 30s, 1m, 1h20m15s, 15dOAuth2

-(Appears on:Endpoint, HTTPConfig, PodMetricsEndpoint, ProbeSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig) +(Appears on:Endpoint, HTTPConfig, ProbeSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig)

OAuth2 configures OAuth2 settings.

@@ -12295,37 +12295,6 @@ The value cannot be greater than the scrape interval otherwise the operator will -tlsConfig
- - -SafeTLSConfig - - - - -(Optional) -

tlsConfig defines the TLS configuration to use when scraping the target.

- - - - -bearerTokenSecret
- - -Kubernetes core/v1.SecretKeySelector - - - - -(Optional) -

bearerTokenSecret defines a key of a Secret containing the bearer -token for scraping targets. The secret needs to be in the same namespace -as the PodMonitor object and readable by the Prometheus Operator.

-

Deprecated: use authorization instead.

- - - - honorLabels
bool @@ -12367,54 +12336,6 @@ Has no effect if honorTimestamps is false.

-basicAuth
- - -BasicAuth - - - - -(Optional) -

basicAuth defines the Basic Authentication credentials to use when -scraping the target.

-

Cannot be set at the same time as authorization, or oauth2.

- - - - -oauth2
- - -OAuth2 - - - - -(Optional) -

oauth2 defines the OAuth2 settings to use when scraping the target.

-

It requires Prometheus >= 2.27.0.

-

Cannot be set at the same time as authorization, or basicAuth.

- - - - -authorization
- - -SafeAuthorization - - - - -(Optional) -

authorization defines the Authorization header credentials to use when -scraping the target.

-

Cannot be set at the same time as basicAuth, or oauth2.

- - - - metricRelabelings
@@ -12448,6 +12369,102 @@ metadata labels.

+filterRunning
+ +bool + + + +(Optional) +

filterRunning when true, the pods which are not running (e.g. either in Failed or +Succeeded state) are dropped during the target discovery.

+

If unset, the filtering is enabled.

+

More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

+ + + + +authorization
+ + +SafeAuthorization + + + + +(Optional) +

authorization configures the Authorization header credentials used by +the client.

+

Cannot be set at the same time as basicAuth, bearerTokenSecret or oauth2.

+ + + + +basicAuth
+ + +BasicAuth + + + + +(Optional) +

basicAuth defines the Basic Authentication credentials used by the +client.

+

Cannot be set at the same time as authorization, bearerTokenSecret or oauth2.

+ + + + +oauth2
+ + +OAuth2 + + + + +(Optional) +

oauth2 defines the OAuth2 settings used by the client.

+

It requires Prometheus >= 2.27.0.

+

Cannot be set at the same time as authorization, basicAuth or bearerTokenSecret.

+ + + + +bearerTokenSecret
+ + +Kubernetes core/v1.SecretKeySelector + + + + +(Optional) +

bearerTokenSecret defines a key of a Secret containing the bearer token +used by the client for authentication. The secret needs to be in the +same namespace as the custom resource and readable by the Prometheus +Operator.

+

Cannot be set at the same time as authorization, basicAuth or oauth2.

+

Deprecated: use authorization instead.

+ + + + +tlsConfig
+ + +SafeTLSConfig + + + + +(Optional) +

tlsConfig defines the TLS configuration used by the client.

+ + + + proxyUrl
string @@ -12511,8 +12528,8 @@ bool (Optional) -

followRedirects defines whether the scrape requests should follow HTTP -3xx redirects.

+

followRedirects defines whether the client should follow HTTP 3xx +redirects.

@@ -12524,22 +12541,7 @@ bool (Optional) -

enableHttp2 can be used to disable HTTP2 when scraping the target.

- - - - -filterRunning
- -bool - - - -(Optional) -

filterRunning when true, the pods which are not running (e.g. either in Failed or -Succeeded state) are dropped during the target discovery.

-

If unset, the filtering is enabled.

-

More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

+

enableHttp2 can be used to disable HTTP2.

@@ -15996,7 +15998,7 @@ A zero value means that Prometheus doesn’t accept any incoming connection.

ProxyConfig

-(Appears on:APIServerConfig, AlertmanagerEndpoints, Endpoint, HTTPConfig, OAuth2, PodMetricsEndpoint, ProberSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EC2SDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScalewaySDConfig, ScrapeConfigSpec, HTTPConfig) +(Appears on:APIServerConfig, AlertmanagerEndpoints, Endpoint, HTTPConfig, OAuth2, ProberSpec, RemoteReadSpec, RemoteWriteSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EC2SDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScalewaySDConfig, ScrapeConfigSpec, HTTPConfig)

@@ -17484,7 +17486,7 @@ See: https://tip.golang.org/d

SafeAuthorization

-(Appears on:AlertmanagerEndpoints, Authorization, Endpoint, HTTPConfig, PodMetricsEndpoint, ProbeSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig) +(Appears on:AlertmanagerEndpoints, Authorization, Endpoint, HTTPConfig, ProbeSpec, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, PuppetDBSDConfig, ScrapeConfigSpec, HTTPConfig)

SafeAuthorization specifies a subset of the Authorization struct, that is @@ -17532,7 +17534,7 @@ Kubernetes core/v1.SecretKeySelector

SafeTLSConfig

-(Appears on:ClusterTLSConfig, GlobalSMTPConfig, HTTPConfig, OAuth2, PodMetricsEndpoint, ProbeSpec, TLSConfig, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EC2SDConfig, EmailConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, OpenStackSDConfig, PuppetDBSDConfig, ScalewaySDConfig, ScrapeConfigSpec, EmailConfig, HTTPConfig) +(Appears on:ClusterTLSConfig, GlobalSMTPConfig, HTTPConfig, OAuth2, ProbeSpec, TLSConfig, AzureSDConfig, ConsulSDConfig, DigitalOceanSDConfig, DockerSDConfig, DockerSwarmSDConfig, EC2SDConfig, EmailConfig, EurekaSDConfig, HTTPConfig, HTTPSDConfig, HetznerSDConfig, IonosSDConfig, KubernetesSDConfig, KumaSDConfig, LightSailSDConfig, LinodeSDConfig, NomadSDConfig, OpenStackSDConfig, PuppetDBSDConfig, ScalewaySDConfig, ScrapeConfigSpec, EmailConfig, HTTPConfig)

SafeTLSConfig specifies safe TLS configuration parameters.

diff --git a/bundle.yaml b/bundle.yaml index a160651c5..70d467deb 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -22102,10 +22102,10 @@ spec: properties: authorization: description: |- - authorization defines the Authorization header credentials to use when - scraping the target. + authorization configures the Authorization header credentials used by + the client. - Cannot be set at the same time as `basicAuth`, or `oauth2`. + Cannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`. properties: credentials: description: credentials defines a key of a Secret in the @@ -22143,10 +22143,10 @@ spec: type: object basicAuth: description: |- - basicAuth defines the Basic Authentication credentials to use when - scraping the target. + basicAuth defines the Basic Authentication credentials used by the + client. - Cannot be set at the same time as `authorization`, or `oauth2`. + Cannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`. properties: password: description: |- @@ -22203,9 +22203,12 @@ spec: type: object bearerTokenSecret: description: |- - bearerTokenSecret defines a key of a Secret containing the bearer - token for scraping targets. The secret needs to be in the same namespace - as the PodMonitor object and readable by the Prometheus Operator. + bearerTokenSecret defines a key of a Secret containing the bearer token + used by the client for authentication. The secret needs to be in the + same namespace as the custom resource and readable by the Prometheus + Operator. + + Cannot be set at the same time as `authorization`, `basicAuth` or `oauth2`. Deprecated: use `authorization` instead. properties: @@ -22231,8 +22234,7 @@ spec: type: object x-kubernetes-map-type: atomic enableHttp2: - description: enableHttp2 can be used to disable HTTP2 when scraping - the target. + description: enableHttp2 can be used to disable HTTP2. type: boolean filterRunning: description: |- 
@@ -22245,8 +22247,8 @@ spec: type: boolean followRedirects: description: |- - followRedirects defines whether the scrape requests should follow HTTP - 3xx redirects. + followRedirects defines whether the client should follow HTTP 3xx + redirects. type: boolean honorLabels: description: |- @@ -22364,11 +22366,11 @@ spec: type: string oauth2: description: |- - oauth2 defines the OAuth2 settings to use when scraping the target. + oauth2 defines the OAuth2 settings used by the client. It requires Prometheus >= 2.27.0. - Cannot be set at the same time as `authorization`, or `basicAuth`. + Cannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`. properties: clientId: description: |- @@ -22892,8 +22894,8 @@ spec: Deprecated: use 'port' or 'portNumber' instead. x-kubernetes-int-or-string: true tlsConfig: - description: tlsConfig defines the TLS configuration to use - when scraping the target. + description: tlsConfig defines the TLS configuration used by + the client. properties: ca: description: ca defines the Certificate authority used when diff --git a/example/prometheus-operator-crd-full/monitoring.coreos.com_podmonitors.yaml b/example/prometheus-operator-crd-full/monitoring.coreos.com_podmonitors.yaml index 20cf12795..1f61bd7fd 100644 --- a/example/prometheus-operator-crd-full/monitoring.coreos.com_podmonitors.yaml +++ b/example/prometheus-operator-crd-full/monitoring.coreos.com_podmonitors.yaml @@ -179,10 +179,10 @@ spec: properties: authorization: description: |- - authorization defines the Authorization header credentials to use when - scraping the target. + authorization configures the Authorization header credentials used by + the client. - Cannot be set at the same time as `basicAuth`, or `oauth2`. + Cannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`. properties: credentials: description: credentials defines a key of a Secret in the 
@@ -220,10 +220,10 @@ spec: type: object basicAuth: description: |- - basicAuth defines the Basic Authentication credentials to use when - scraping the target. + basicAuth defines the Basic Authentication credentials used by the + client. - Cannot be set at the same time as `authorization`, or `oauth2`. + Cannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`. properties: password: description: |- @@ -280,9 +280,12 @@ spec: type: object bearerTokenSecret: description: |- - bearerTokenSecret defines a key of a Secret containing the bearer - token for scraping targets. The secret needs to be in the same namespace - as the PodMonitor object and readable by the Prometheus Operator. + bearerTokenSecret defines a key of a Secret containing the bearer token + used by the client for authentication. The secret needs to be in the + same namespace as the custom resource and readable by the Prometheus + Operator. + + Cannot be set at the same time as `authorization`, `basicAuth` or `oauth2`. Deprecated: use `authorization` instead. properties: @@ -308,8 +311,7 @@ spec: type: object x-kubernetes-map-type: atomic enableHttp2: - description: enableHttp2 can be used to disable HTTP2 when scraping - the target. + description: enableHttp2 can be used to disable HTTP2. type: boolean filterRunning: description: |- @@ -322,8 +324,8 @@ spec: type: boolean followRedirects: description: |- - followRedirects defines whether the scrape requests should follow HTTP - 3xx redirects. + followRedirects defines whether the client should follow HTTP 3xx + redirects. type: boolean honorLabels: description: |- 
@@ -441,11 +443,11 @@ spec: type: string oauth2: description: |- - oauth2 defines the OAuth2 settings to use when scraping the target. + oauth2 defines the OAuth2 settings used by the client. It requires Prometheus >= 2.27.0. - Cannot be set at the same time as `authorization`, or `basicAuth`. + Cannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`. properties: clientId: description: |- @@ -969,8 +971,8 @@ spec: Deprecated: use 'port' or 'portNumber' instead. x-kubernetes-int-or-string: true tlsConfig: - description: tlsConfig defines the TLS configuration to use - when scraping the target. + description: tlsConfig defines the TLS configuration used by + the client. properties: ca: description: ca defines the Certificate authority used when diff --git a/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml b/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml index 2f6424faf..07c1797e0 100644 --- a/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +++ b/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml @@ -180,10 +180,10 @@ spec: properties: authorization: description: |- - authorization defines the Authorization header credentials to use when - scraping the target. + authorization configures the Authorization header credentials used by + the client. - Cannot be set at the same time as `basicAuth`, or `oauth2`. + Cannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`. properties: credentials: description: credentials defines a key of a Secret in the 
@@ -221,10 +221,10 @@ spec: type: object basicAuth: description: |- - basicAuth defines the Basic Authentication credentials to use when - scraping the target. + basicAuth defines the Basic Authentication credentials used by the + client. - Cannot be set at the same time as `authorization`, or `oauth2`. + Cannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`. properties: password: description: |- @@ -281,9 +281,12 @@ spec: type: object bearerTokenSecret: description: |- - bearerTokenSecret defines a key of a Secret containing the bearer - token for scraping targets. The secret needs to be in the same namespace - as the PodMonitor object and readable by the Prometheus Operator. + bearerTokenSecret defines a key of a Secret containing the bearer token + used by the client for authentication. The secret needs to be in the + same namespace as the custom resource and readable by the Prometheus + Operator. + + Cannot be set at the same time as `authorization`, `basicAuth` or `oauth2`. Deprecated: use `authorization` instead. properties: @@ -309,8 +312,7 @@ spec: type: object x-kubernetes-map-type: atomic enableHttp2: - description: enableHttp2 can be used to disable HTTP2 when scraping - the target. + description: enableHttp2 can be used to disable HTTP2. type: boolean filterRunning: description: |- @@ -323,8 +325,8 @@ spec: type: boolean followRedirects: description: |- - followRedirects defines whether the scrape requests should follow HTTP - 3xx redirects. + followRedirects defines whether the client should follow HTTP 3xx + redirects. type: boolean honorLabels: description: |- 
@@ -442,11 +444,11 @@ spec:
 type: string
 oauth2:
 description: |-
- oauth2 defines the OAuth2 settings to use when scraping the target.
+ oauth2 defines the OAuth2 settings used by the client.
 It requires Prometheus >= 2.27.0.
- Cannot be set at the same time as `authorization`, or `basicAuth`.
+ Cannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.
 properties:
 clientId:
 description: |-
@@ -970,8 +972,8 @@ spec:
 Deprecated: use 'port' or 'portNumber' instead.
 x-kubernetes-int-or-string: true
 tlsConfig:
- description: tlsConfig defines the TLS configuration to use
- when scraping the target.
+ description: tlsConfig defines the TLS configuration used by
+ the client.
 properties:
 ca:
 description: ca defines the Certificate authority used when
diff --git a/jsonnet/prometheus-operator/podmonitors-crd.json b/jsonnet/prometheus-operator/podmonitors-crd.json
index ebb702884..8881e06ca 100644
--- a/jsonnet/prometheus-operator/podmonitors-crd.json
+++ b/jsonnet/prometheus-operator/podmonitors-crd.json
@@ -139,7 +139,7 @@
 "description": "PodMetricsEndpoint defines an endpoint serving Prometheus metrics to be scraped by\nPrometheus.",
 "properties": {
 "authorization": {
- "description": "authorization defines the Authorization header credentials to use when\nscraping the target.\n\nCannot be set at the same time as `basicAuth`, or `oauth2`.",
+ "description": "authorization configures the Authorization header credentials used by\nthe client.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`.",
 "properties": {
 "credentials": {
 "description": "credentials defines a key of a Secret in the namespace that contains the credentials for authentication.",
@@ -172,7 +172,7 @@
 "type": "object"
 },
 "basicAuth": {
- "description": "basicAuth defines the Basic Authentication credentials to use when\nscraping the target.\n\nCannot be set at the same time as `authorization`, or `oauth2`.",
+ "description": "basicAuth defines the Basic Authentication credentials used by the\nclient.\n\nCannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`.",
 "properties": {
 "password": {
 "description": "password defines a key of a Secret containing the password for\nauthentication.",
@@ -224,7 +224,7 @@
 "type": "object"
 },
 "bearerTokenSecret": {
- "description": "bearerTokenSecret defines a key of a Secret containing the bearer\ntoken for scraping targets. The secret needs to be in the same namespace\nas the PodMonitor object and readable by the Prometheus Operator.\n\nDeprecated: use `authorization` instead.",
+ "description": "bearerTokenSecret defines a key of a Secret containing the bearer token\nused by the client for authentication. The secret needs to be in the\nsame namespace as the custom resource and readable by the Prometheus\nOperator.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `oauth2`.\n\nDeprecated: use `authorization` instead.",
 "properties": {
 "key": {
 "description": "The key of the secret to select from. Must be a valid secret key.",
@@ -247,7 +247,7 @@
 "x-kubernetes-map-type": "atomic"
 },
 "enableHttp2": {
- "description": "enableHttp2 can be used to disable HTTP2 when scraping the target.",
+ "description": "enableHttp2 can be used to disable HTTP2.",
 "type": "boolean"
 },
 "filterRunning": {
@@ -255,7 +255,7 @@
 "type": "boolean"
 },
 "followRedirects": {
- "description": "followRedirects defines whether the scrape requests should follow HTTP\n3xx redirects.",
+ "description": "followRedirects defines whether the client should follow HTTP 3xx\nredirects.",
 "type": "boolean"
 },
 "honorLabels": {
@@ -345,7 +345,7 @@
 "type": "string"
 },
 "oauth2": {
- "description": "oauth2 defines the OAuth2 settings to use when scraping the target.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, or `basicAuth`.",
+ "description": "oauth2 defines the OAuth2 settings used by the client.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.",
 "properties": {
 "clientId": {
 "description": "clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.",
@@ -814,7 +814,7 @@
 "x-kubernetes-int-or-string": true
 },
 "tlsConfig": {
- "description": "tlsConfig defines the TLS configuration to use when scraping the target.",
+ "description": "tlsConfig defines the TLS configuration used by the client.",
 "properties": {
 "ca": {
 "description": "ca defines the Certificate authority used when verifying server certificates.",
diff --git a/pkg/alertmanager/amcfg.go b/pkg/alertmanager/amcfg.go
index adbdae94b..c47108b4e 100644
--- a/pkg/alertmanager/amcfg.go
+++ b/pkg/alertmanager/amcfg.go
@@ -36,6 +36,7 @@ import (
 sortutil "github.com/prometheus-operator/prometheus-operator/internal/sortutil"
 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation"
+ validationv1 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation/v1"
 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 monitoringv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1alpha1"
 "github.com/prometheus-operator/prometheus-operator/pkg/assets"
@@ -281,7 +282,7 @@ func (cb *ConfigBuilder) initializeFromAlertmanagerConfig(ctx context.Context, g
 return err
 }
- if err := checkAlertmanagerGlobalConfigResource(globalConfig); err != nil {
+ if err := validationv1.ValidateAlertmanagerGlobalConfig(globalConfig); err != nil {
 return err
 }
diff --git a/pkg/alertmanager/operator.go b/pkg/alertmanager/operator.go
index 6eb11bdd8..db51bb378 100644
--- a/pkg/alertmanager/operator.go
+++ b/pkg/alertmanager/operator.go
@@ -42,7 +42,6 @@ import (
 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/clustertlsconfig"
 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation"
- validationv1 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation/v1"
 validationv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation/v1alpha1"
 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 monitoringv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1alpha1"
@@ -1920,7 +1919,3 @@ func ApplyConfigurationFromAlertmanager(a *monitoringv1.Alertmanager, updateScal
 return monitoringv1ac.Alertmanager(a.Name, a.Namespace).WithStatus(asac)
 }
-
-func checkAlertmanagerGlobalConfigResource(gc *monitoringv1.AlertmanagerGlobalConfig) error {
- return validationv1.ValidateAlertmanagerGlobalConfig(gc)
-}
diff --git a/pkg/alertmanager/validation/v1/validation.go b/pkg/alertmanager/validation/v1/validation.go
index 754dc14b8..c8e64d72f 100644
--- a/pkg/alertmanager/validation/v1/validation.go
+++ b/pkg/alertmanager/validation/v1/validation.go
@@ -15,6 +15,8 @@ package v1
 import (
+ "fmt"
+
 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 )
@@ -23,10 +25,8 @@ func ValidateAlertmanagerGlobalConfig(gc *monitoringv1.AlertmanagerGlobalConfig)
 return nil
 }
- if gc.HTTPConfig != nil {
- if err := gc.HTTPConfig.Validate(); err != nil {
- return err
- }
+ if err := gc.HTTPConfig.Validate(); err != nil {
+ return fmt.Errorf("httpConfig: %w", err)
 }
 return nil
diff --git a/pkg/apis/monitoring/v1/http_config.go b/pkg/apis/monitoring/v1/http_config.go
index 22734abe1..3d7a0b823 100644
--- a/pkg/apis/monitoring/v1/http_config.go
+++ b/pkg/apis/monitoring/v1/http_config.go
@@ -15,6 +15,7 @@ package v1
 import (
+ "errors"
 "fmt"
 v1 "k8s.io/api/core/v1"
@@ -84,38 +85,41 @@ func (hc *HTTPConfig) Validate() error {
 return nil
 }
- if (hc.BasicAuth != nil || hc.OAuth2 != nil) && (hc.BearerTokenSecret != nil) {
- return fmt.Errorf("at most one of basicAuth, oauth2, bearerTokenSecret must be configured")
- }
-
- if hc.Authorization != nil {
- if hc.BearerTokenSecret != nil {
- return fmt.Errorf("authorization is not compatible with bearerTokenSecret")
+ // Check duplicate authentication methods.
+ switch {
+ case hc.Authorization != nil:
+ switch {
+ case hc.BasicAuth != nil:
+ return errors.New("authorization and basicAuth cannot be configured at the same time")
+ case hc.BearerTokenSecret != nil:
+ return errors.New("authorization and bearerTokenSecret cannot be configured at the same time")
+ case hc.OAuth2 != nil:
+ return errors.New("authorization and oauth2 cannot be configured at the same time")
 }
-
- if hc.BasicAuth != nil || hc.OAuth2 != nil {
- return fmt.Errorf("at most one of basicAuth, oauth2 & authorization must be configured")
+ case hc.BasicAuth != nil:
+ switch {
+ case hc.BearerTokenSecret != nil:
+ return errors.New("basicAuth and bearerTokenSecret cannot be configured at the same time")
+ case hc.OAuth2 != nil:
+ return errors.New("basicAuth and oauth2 cannot be configured at the same time")
 }
-
- if err := hc.Authorization.Validate(); err != nil {
- return err
+ case hc.BearerTokenSecret != nil:
+ switch {
+ case hc.OAuth2 != nil:
+ return errors.New("bearerTokenSecret and oauth2 cannot be configured at the same time")
 }
 }
- if hc.OAuth2 != nil {
- if hc.BasicAuth != nil {
- return fmt.Errorf("at most one of basicAuth, oauth2 & authorization must be configured")
- }
-
- if err := hc.OAuth2.Validate(); err != nil {
- return err
- }
+ if err := hc.Authorization.Validate(); err != nil {
+ return fmt.Errorf("authorization: %w", err)
 }
- if hc.TLSConfig != nil {
- if err := hc.TLSConfig.Validate(); err != nil {
- return err
- }
+ if err := hc.OAuth2.Validate(); err != nil {
+ return fmt.Errorf("oauth2: %w", err)
+ }
+
+ if err := hc.TLSConfig.Validate(); err != nil {
+ return fmt.Errorf("tlsConfig: %w", err)
 }
 if err := hc.ProxyConfig.Validate(); err != nil {
diff --git a/pkg/apis/monitoring/v1/podmonitor_types.go b/pkg/apis/monitoring/v1/podmonitor_types.go
index 575748d7a..58783ae82 100644
--- a/pkg/apis/monitoring/v1/podmonitor_types.go
+++ b/pkg/apis/monitoring/v1/podmonitor_types.go
@@ -15,7 +15,6 @@ package v1
 import (
- v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -271,20 +270,6 @@ type PodMetricsEndpoint struct {
 // +optional
 ScrapeTimeout Duration `json:"scrapeTimeout,omitempty"`
- // tlsConfig defines the TLS configuration to use when scraping the target.
- //
- // +optional
- TLSConfig *SafeTLSConfig `json:"tlsConfig,omitempty"`
-
- // bearerTokenSecret defines a key of a Secret containing the bearer
- // token for scraping targets. The secret needs to be in the same namespace
- // as the PodMonitor object and readable by the Prometheus Operator.
- //
- // +optional
- //
- // Deprecated: use `authorization` instead.
- BearerTokenSecret v1.SecretKeySelector `json:"bearerTokenSecret,omitempty"`
-
 // honorLabels when true preserves the metric's labels when they collide
 // with the target's labels.
 // +optional
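Review bot: The new code calls `hc.Authorization.Validate()` and `hc.TLSConfig.Validate()` without the `!= nil` guards the old code had, while this patch adds a nil-receiver guard only to `OAuth2.Validate` (the types.go hunk); whether `SafeAuthorization.Validate` and `SafeTLSConfig.Validate` already tolerate a nil receiver is not visible here, and if either does not, an HTTPConfig that sets neither field now panics inside validation instead of passing. Either keep the old guards or pin the contract above the calls with `// Authorization, OAuth2 and TLSConfig validators must accept a nil receiver.` so a later edit to those methods does not silently break this path. As a point of style, the one-case inner `switch` under `case hc.BearerTokenSecret != nil:` reads heavier than `if hc.BearerTokenSecret != nil && hc.OAuth2 != nil { return errors.New("bearerTokenSecret and oauth2 cannot be configured at the same time") }`. The enclosing Validate starts before and ends after this hunk.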
@@ -305,31 +290,6 @@ type PodMetricsEndpoint struct {
 // +optional
 TrackTimestampsStaleness *bool `json:"trackTimestampsStaleness,omitempty"`
- // basicAuth defines the Basic Authentication credentials to use when
- // scraping the target.
- //
- // Cannot be set at the same time as `authorization`, or `oauth2`.
- //
- // +optional
- BasicAuth *BasicAuth `json:"basicAuth,omitempty"`
-
- // oauth2 defines the OAuth2 settings to use when scraping the target.
- //
- // It requires Prometheus >= 2.27.0.
- //
- // Cannot be set at the same time as `authorization`, or `basicAuth`.
- //
- // +optional
- OAuth2 *OAuth2 `json:"oauth2,omitempty"`
-
- // authorization defines the Authorization header credentials to use when
- // scraping the target.
- //
- // Cannot be set at the same time as `basicAuth`, or `oauth2`.
- //
- // +optional
- Authorization *SafeAuthorization `json:"authorization,omitempty"`
-
 // metricRelabelings defines the relabeling rules to apply to the
 // samples before ingestion.
 //
@@ -348,20 +308,6 @@ type PodMetricsEndpoint struct {
 // +optional
 RelabelConfigs []RelabelConfig `json:"relabelings,omitempty"`
- // +optional
- ProxyConfig `json:",inline"`
-
- // followRedirects defines whether the scrape requests should follow HTTP
- // 3xx redirects.
- //
- // +optional
- FollowRedirects *bool `json:"followRedirects,omitempty"`
-
- // enableHttp2 can be used to disable HTTP2 when scraping the target.
- //
- // +optional
- EnableHttp2 *bool `json:"enableHttp2,omitempty"`
-
 // filterRunning when true, the pods which are not running (e.g. either in Failed or
 // Succeeded state) are dropped during the target discovery.
 //
@@ -371,4 +317,6 @@ type PodMetricsEndpoint struct {
 //
 // +optional
 FilterRunning *bool `json:"filterRunning,omitempty"`
+
+ HTTPConfig `json:",inline"`
 }
diff --git a/pkg/apis/monitoring/v1/podmonitor_types_test.go b/pkg/apis/monitoring/v1/podmonitor_types_test.go
index f109ebdf8..4e0420b56 100644
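Review bot: Embedding `HTTPConfig` here changes `bearerTokenSecret` from the value-typed `v1.SecretKeySelector` removed earlier in this file to a pointer (the http_config.go hunk compares `hc.BearerTokenSecret != nil`), and the old expectation in the podmonitor_types_test.go hunk shows that Go clients used to persist an unset selector as `"bearerTokenSecret":{"key":""}`. Such a stored object now decodes to a non-nil empty selector, so an existing PodMonitor that also sets `authorization`, `basicAuth` or `oauth2` would trip the new duplicate check and be discarded after the upgrade, unless the resource selector (not in this view) clears empty selectors before validation. Treating a selector with empty `Name` and `Key` as unset in the duplicate check, e.g. `hasBearer := hc.BearerTokenSecret != nil && (hc.BearerTokenSecret.Name != "" || hc.BearerTokenSecret.Key != "")`, would keep those objects valid. The embedded field also deserves a doc comment, e.g. `// HTTPConfig holds the scrape client settings (TLS, authentication, proxy, redirects, HTTP/2) that were previously declared inline on this struct.`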
--- a/pkg/apis/monitoring/v1/podmonitor_types_test.go
+++ b/pkg/apis/monitoring/v1/podmonitor_types_test.go
@@ -41,7 +41,7 @@ func TestMarshallPodMonitor(t *testing.T) {
 },
 },
 }
- expected := `{"metadata":{"name":"test","namespace":"default","labels":{"group":"group1"}},"spec":{"podMetricsEndpoints":[{"port":"metric","bearerTokenSecret":{"key":""}}],"selector":{},"namespaceSelector":{"matchNames":["test"]}}}`
+ expected := `{"metadata":{"name":"test","namespace":"default","labels":{"group":"group1"}},"spec":{"podMetricsEndpoints":[{"port":"metric"}],"selector":{},"namespaceSelector":{"matchNames":["test"]}}}`
 r, err := json.Marshal(sm)
 if err != nil {
diff --git a/pkg/apis/monitoring/v1/types.go b/pkg/apis/monitoring/v1/types.go
index 9add91b13..b710ff60b 100644
--- a/pkg/apis/monitoring/v1/types.go
+++ b/pkg/apis/monitoring/v1/types.go
@@ -759,6 +759,10 @@ type OAuth2 struct {
 }
 func (o *OAuth2) Validate() error {
+ if o == nil {
+ return nil
+ }
+
 if o.TokenURL == "" {
 return errors.New("OAuth2 tokenURL must be specified")
 }
diff --git a/pkg/apis/monitoring/v1/zz_generated.deepcopy.go b/pkg/apis/monitoring/v1/zz_generated.deepcopy.go
index 1d1f8f64c..62f3cfea2 100644
--- a/pkg/apis/monitoring/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/monitoring/v1/zz_generated.deepcopy.go
@@ -2015,12 +2015,6 @@ func (in *PodMetricsEndpoint) DeepCopyInto(out *PodMetricsEndpoint) {
 (*out)[key] = outVal
 }
 }
- if in.TLSConfig != nil {
- in, out := &in.TLSConfig, &out.TLSConfig
- *out = new(SafeTLSConfig)
- (*in).DeepCopyInto(*out)
- }
- in.BearerTokenSecret.DeepCopyInto(&out.BearerTokenSecret)
 if in.HonorTimestamps != nil {
 in, out := &in.HonorTimestamps, &out.HonorTimestamps
 *out = new(bool)
@@ -2031,21 +2025,6 @@ func (in *PodMetricsEndpoint) DeepCopyInto(out *PodMetricsEndpoint) { *out = new(bool) **out = **in } - if in.BasicAuth != nil { - in, out := &in.BasicAuth, &out.BasicAuth - *out = new(BasicAuth) - (*in).DeepCopyInto(*out) - } - if in.OAuth2 != nil { - in, out := &in.OAuth2, &out.OAuth2 - *out = new(OAuth2) - (*in).DeepCopyInto(*out) - } - if in.Authorization != nil { - in, out := &in.Authorization, &out.Authorization - *out = new(SafeAuthorization) - (*in).DeepCopyInto(*out) - } if in.MetricRelabelConfigs != nil { in, out := &in.MetricRelabelConfigs, &out.MetricRelabelConfigs *out = make([]RelabelConfig, len(*in)) @@ -2060,22 +2039,12 @@ func (in *PodMetricsEndpoint) DeepCopyInto(out *PodMetricsEndpoint) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - in.ProxyConfig.DeepCopyInto(&out.ProxyConfig) - if in.FollowRedirects != nil { - in, out := &in.FollowRedirects, &out.FollowRedirects - *out = new(bool) - **out = **in - } - if in.EnableHttp2 != nil { - in, out := &in.EnableHttp2, &out.EnableHttp2 - *out = new(bool) - **out = **in - } if in.FilterRunning != nil { in, out := &in.FilterRunning, &out.FilterRunning *out = new(bool) **out = **in } + in.HTTPConfig.DeepCopyInto(&out.HTTPConfig) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodMetricsEndpoint. diff --git a/pkg/client/applyconfiguration/monitoring/v1/podmetricsendpoint.go b/pkg/client/applyconfiguration/monitoring/v1/podmetricsendpoint.go index ac42e66ca..e61f85087 100644 --- a/pkg/client/applyconfiguration/monitoring/v1/podmetricsendpoint.go +++ b/pkg/client/applyconfiguration/monitoring/v1/podmetricsendpoint.go 
@@ -25,28 +25,21 @@ import ( // PodMetricsEndpointApplyConfiguration represents a declarative configuration of the PodMetricsEndpoint type for use // with apply. type PodMetricsEndpointApplyConfiguration struct { - Port *string `json:"port,omitempty"` - PortNumber *int32 `json:"portNumber,omitempty"` - TargetPort *intstr.IntOrString `json:"targetPort,omitempty"` - Path *string `json:"path,omitempty"` - Scheme *string `json:"scheme,omitempty"` - Params map[string][]string `json:"params,omitempty"` - Interval *monitoringv1.Duration `json:"interval,omitempty"` - ScrapeTimeout *monitoringv1.Duration `json:"scrapeTimeout,omitempty"` - TLSConfig *SafeTLSConfigApplyConfiguration `json:"tlsConfig,omitempty"` - BearerTokenSecret *corev1.SecretKeySelector `json:"bearerTokenSecret,omitempty"` - HonorLabels *bool `json:"honorLabels,omitempty"` - HonorTimestamps *bool `json:"honorTimestamps,omitempty"` - TrackTimestampsStaleness *bool `json:"trackTimestampsStaleness,omitempty"` - BasicAuth *BasicAuthApplyConfiguration `json:"basicAuth,omitempty"` - OAuth2 *OAuth2ApplyConfiguration `json:"oauth2,omitempty"` - Authorization *SafeAuthorizationApplyConfiguration `json:"authorization,omitempty"` - MetricRelabelConfigs []RelabelConfigApplyConfiguration `json:"metricRelabelings,omitempty"` - RelabelConfigs []RelabelConfigApplyConfiguration `json:"relabelings,omitempty"` - ProxyConfigApplyConfiguration `json:",inline"` - FollowRedirects *bool `json:"followRedirects,omitempty"` - EnableHttp2 *bool `json:"enableHttp2,omitempty"` - FilterRunning *bool `json:"filterRunning,omitempty"` + Port *string `json:"port,omitempty"` + PortNumber *int32 `json:"portNumber,omitempty"` + TargetPort *intstr.IntOrString `json:"targetPort,omitempty"` + Path *string `json:"path,omitempty"` + Scheme *string `json:"scheme,omitempty"` + Params map[string][]string `json:"params,omitempty"` + Interval *monitoringv1.Duration `json:"interval,omitempty"` + ScrapeTimeout *monitoringv1.Duration 
`json:"scrapeTimeout,omitempty"` + HonorLabels *bool `json:"honorLabels,omitempty"` + HonorTimestamps *bool `json:"honorTimestamps,omitempty"` + TrackTimestampsStaleness *bool `json:"trackTimestampsStaleness,omitempty"` + MetricRelabelConfigs []RelabelConfigApplyConfiguration `json:"metricRelabelings,omitempty"` + RelabelConfigs []RelabelConfigApplyConfiguration `json:"relabelings,omitempty"` + FilterRunning *bool `json:"filterRunning,omitempty"` + HTTPConfigApplyConfiguration `json:",inline"` } // PodMetricsEndpointApplyConfiguration constructs a declarative configuration of the PodMetricsEndpoint type for use with @@ -125,22 +118,6 @@ func (b *PodMetricsEndpointApplyConfiguration) WithScrapeTimeout(value monitorin return b } -// WithTLSConfig sets the TLSConfig field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the TLSConfig field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithTLSConfig(value *SafeTLSConfigApplyConfiguration) *PodMetricsEndpointApplyConfiguration { - b.TLSConfig = value - return b -} - -// WithBearerTokenSecret sets the BearerTokenSecret field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the BearerTokenSecret field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithBearerTokenSecret(value corev1.SecretKeySelector) *PodMetricsEndpointApplyConfiguration { - b.BearerTokenSecret = &value - return b -} - // WithHonorLabels sets the HonorLabels field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the HonorLabels field is set to the value of the last call. 
@@ -165,30 +142,6 @@ func (b *PodMetricsEndpointApplyConfiguration) WithTrackTimestampsStaleness(valu return b } -// WithBasicAuth sets the BasicAuth field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the BasicAuth field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithBasicAuth(value *BasicAuthApplyConfiguration) *PodMetricsEndpointApplyConfiguration { - b.BasicAuth = value - return b -} - -// WithOAuth2 sets the OAuth2 field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the OAuth2 field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithOAuth2(value *OAuth2ApplyConfiguration) *PodMetricsEndpointApplyConfiguration { - b.OAuth2 = value - return b -} - -// WithAuthorization sets the Authorization field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Authorization field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithAuthorization(value *SafeAuthorizationApplyConfiguration) *PodMetricsEndpointApplyConfiguration { - b.Authorization = value - return b -} - // WithMetricRelabelConfigs adds the given value to the MetricRelabelConfigs field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the MetricRelabelConfigs field. 
@@ -215,6 +168,54 @@ func (b *PodMetricsEndpointApplyConfiguration) WithRelabelConfigs(values ...*Rel return b } +// WithFilterRunning sets the FilterRunning field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the FilterRunning field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithFilterRunning(value bool) *PodMetricsEndpointApplyConfiguration { + b.FilterRunning = &value + return b +} + +// WithAuthorization sets the Authorization field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Authorization field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithAuthorization(value *SafeAuthorizationApplyConfiguration) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.Authorization = value + return b +} + +// WithBasicAuth sets the BasicAuth field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the BasicAuth field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithBasicAuth(value *BasicAuthApplyConfiguration) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.BasicAuth = value + return b +} + +// WithOAuth2 sets the OAuth2 field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the OAuth2 field is set to the value of the last call. 
+func (b *PodMetricsEndpointApplyConfiguration) WithOAuth2(value *OAuth2ApplyConfiguration) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.OAuth2 = value + return b +} + +// WithBearerTokenSecret sets the BearerTokenSecret field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the BearerTokenSecret field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithBearerTokenSecret(value corev1.SecretKeySelector) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.BearerTokenSecret = &value + return b +} + +// WithTLSConfig sets the TLSConfig field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLSConfig field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithTLSConfig(value *SafeTLSConfigApplyConfiguration) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.TLSConfig = value + return b +} + // WithProxyURL sets the ProxyURL field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the ProxyURL field is set to the value of the last call. 
@@ -257,22 +258,14 @@ func (b *PodMetricsEndpointApplyConfiguration) WithProxyConnectHeader(entries ma // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FollowRedirects field is set to the value of the last call. func (b *PodMetricsEndpointApplyConfiguration) WithFollowRedirects(value bool) *PodMetricsEndpointApplyConfiguration { - b.FollowRedirects = &value + b.HTTPConfigApplyConfiguration.FollowRedirects = &value return b } -// WithEnableHttp2 sets the EnableHttp2 field in the declarative configuration to the given value +// WithEnableHTTP2 sets the EnableHTTP2 field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the EnableHttp2 field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithEnableHttp2(value bool) *PodMetricsEndpointApplyConfiguration { - b.EnableHttp2 = &value - return b -} - -// WithFilterRunning sets the FilterRunning field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the FilterRunning field is set to the value of the last call. -func (b *PodMetricsEndpointApplyConfiguration) WithFilterRunning(value bool) *PodMetricsEndpointApplyConfiguration { - b.FilterRunning = &value +// If called multiple times, the EnableHTTP2 field is set to the value of the last call. +func (b *PodMetricsEndpointApplyConfiguration) WithEnableHTTP2(value bool) *PodMetricsEndpointApplyConfiguration { + b.HTTPConfigApplyConfiguration.EnableHTTP2 = &value return b } diff --git a/pkg/prometheus/promcfg.go b/pkg/prometheus/promcfg.go index 3d8dbd3a4..c70d6cae3 100644 --- a/pkg/prometheus/promcfg.go +++ b/pkg/prometheus/promcfg.go 
@@ -845,6 +845,28 @@ func (cg *ConfigGenerator) addSafeTLStoYaml( return cg.AppendMapItem(cfg, "tls_config", safetlsConfig) } +func (cg *ConfigGenerator) addHTTPConfigToYAML( + cfg yaml.MapSlice, + store assets.StoreGetter, + httpConfig *monitoringv1.HTTPConfig, + scrapeClass monitoringv1.ScrapeClass, + +) yaml.MapSlice { + if httpConfig == nil { + return cfg + } + + if httpConfig.FollowRedirects != nil { + cfg = cg.WithMinimumVersion("2.26.0").AppendMapItem(cfg, "follow_redirects", *httpConfig.FollowRedirects) + } + + if httpConfig.EnableHTTP2 != nil { + cfg = cg.WithMinimumVersion("2.35.0").AppendMapItem(cfg, "enable_http2", *httpConfig.EnableHTTP2) + } + + return cg.addTLStoYaml(cfg, store, mergeSafeTLSConfigWithScrapeClass(httpConfig.TLSConfig, scrapeClass)) +} + func (cg *ConfigGenerator) addTLStoYaml( cfg yaml.MapSlice, store assets.StoreGetter, @@ -1335,20 +1357,14 @@ func (cg *ConfigGenerator) generatePodMonitorConfig( if ep.Scheme != "" { cfg = append(cfg, yaml.MapItem{Key: "scheme", Value: ep.Scheme}) } - if ep.FollowRedirects != nil { - cfg = cg.WithMinimumVersion("2.26.0").AppendMapItem(cfg, "follow_redirects", *ep.FollowRedirects) - } - if ep.EnableHttp2 != nil { - cfg = cg.WithMinimumVersion("2.35.0").AppendMapItem(cfg, "enable_http2", *ep.EnableHttp2) - } - cfg = cg.addTLStoYaml(cfg, s, mergeSafeTLSConfigWithScrapeClass(ep.TLSConfig, scrapeClass)) + cfg = cg.addHTTPConfigToYAML(cfg, s, &ep.HTTPConfig, scrapeClass) //nolint:staticcheck // Ignore SA1019 this field is marked as deprecated. - if ep.BearerTokenSecret.Name != "" { + if ep.BearerTokenSecret != nil && ep.BearerTokenSecret.Name != "" { cg.logger.Debug("'bearerTokenSecret' is deprecated, use 'authorization' instead.") - b, err := s.GetSecretKey(ep.BearerTokenSecret) + b, err := s.GetSecretKey(*ep.HTTPConfig.BearerTokenSecret) if err != nil { cg.logger.Error("invalid bearer token secret reference", "err", err) } else { 
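Review bot: `addHTTPConfigToYAML` has no doc comment and its name promises more than it emits: it only appends `follow_redirects`, `enable_http2` and `tls_config`, while the authentication and proxy parts of the same `HTTPConfig` appear to be handled by the callers (the bearer-token branch that follows the call in `generatePodMonitorConfig` is one example). A one-line comment such as `// addHTTPConfigToYAML appends the follow_redirects, enable_http2 and tls_config keys from httpConfig; authentication and proxy settings are appended by the caller.` would stop a future maintainer from assuming the auth settings are covered here. The stray empty line between `scrapeClass monitoringv1.ScrapeClass,` and `) yaml.MapSlice {` also looks like a leftover from an earlier parameter. The `httpConfig == nil` guard is dead for the one visible caller, which passes `&ep.HTTPConfig`, but is harmless if other callers are expected.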
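Review bot: The bearer-token branch in `generatePodMonitorConfig` tests the promoted field `ep.BearerTokenSecret` and then dereferences `ep.HTTPConfig.BearerTokenSecret` on the next line; both name the same field, but the mixed spelling reads as if two different values were checked and used. Use one form, e.g. `b, err := s.GetSecretKey(*ep.BearerTokenSecret)`, so the nil check and the dereference visibly guard the same pointer. `generatePodMonitorConfig` begins and ends outside the hunk.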
diff --git a/pkg/prometheus/promcfg_test.go b/pkg/prometheus/promcfg_test.go index b43cc7e97..138ebc371 100644 --- a/pkg/prometheus/promcfg_test.go +++ b/pkg/prometheus/promcfg_test.go @@ -2694,8 +2694,8 @@ func TestEndpointOAuth2(t *testing.T) { Spec: monitoringv1.PodMonitorSpec{ PodMetricsEndpoints: []monitoringv1.PodMetricsEndpoint{ { - Port: ptr.To("web"), - OAuth2: &oauth2, + Port: ptr.To("web"), + HTTPConfig: monitoringv1.HTTPConfig{OAuth2: &oauth2}, }, }, }, @@ -5224,9 +5224,9 @@ func TestPodMonitorEndpointFollowRedirects(t *testing.T) { Spec: monitoringv1.PodMonitorSpec{ PodMetricsEndpoints: []monitoringv1.PodMetricsEndpoint{ { - Port: ptr.To("web"), - Interval: "30s", - FollowRedirects: ptr.To(tc.followRedirects), + Port: ptr.To("web"), + Interval: "30s", + HTTPConfig: monitoringv1.HTTPConfig{FollowRedirects: ptr.To(tc.followRedirects)}, }, }, }, @@ -5405,9 +5405,9 @@ func TestPodMonitorEndpointEnableHttp2(t *testing.T) { Spec: monitoringv1.PodMonitorSpec{ PodMetricsEndpoints: []monitoringv1.PodMetricsEndpoint{ { - Port: ptr.To("web"), - Interval: "30s", - EnableHttp2: ptr.To(tc.enableHTTP2), + Port: ptr.To("web"), + Interval: "30s", + HTTPConfig: monitoringv1.HTTPConfig{EnableHTTP2: ptr.To(tc.enableHTTP2)}, }, }, }, diff --git a/pkg/prometheus/resource_selector.go b/pkg/prometheus/resource_selector.go index 07023c105..8e78f96c2 100644 --- a/pkg/prometheus/resource_selector.go +++ b/pkg/prometheus/resource_selector.go 
@@ -515,29 +515,6 @@ func (rs *ResourceSelector) checkPodMonitor(ctx context.Context, pm *monitoringv for i, endpoint := range pm.Spec.PodMetricsEndpoints { epErr := fmt.Errorf("endpoint[%d]", i) - //nolint:staticcheck // Ignore SA1019 this field is marked as deprecated. - if endpoint.BearerTokenSecret.Name != "" && endpoint.BearerTokenSecret.Key != "" { - if _, err := rs.store.GetSecretKey(ctx, pm.GetNamespace(), endpoint.BearerTokenSecret); err != nil { - return fmt.Errorf("%w: bearerTokenSecret: %w", epErr, err) - } - } - - if err := rs.store.AddBasicAuth(ctx, pm.GetNamespace(), endpoint.BasicAuth); err != nil { - return fmt.Errorf("%w: basicAuth: %w", epErr, err) - } - - if err := rs.store.AddSafeTLSConfig(ctx, pm.GetNamespace(), endpoint.TLSConfig); err != nil { - return fmt.Errorf("%w: tlsConfig: %w", epErr, err) - } - - if err := rs.store.AddOAuth2(ctx, pm.GetNamespace(), endpoint.OAuth2); err != nil { - return fmt.Errorf("%w: oauth2: %w", epErr, err) - } - - if err := rs.store.AddSafeAuthorizationCredentials(ctx, pm.GetNamespace(), endpoint.Authorization); err != nil { - return fmt.Errorf("%w: authorization: %w", epErr, err) - } - if err := validateScrapeIntervalAndTimeout(rs.p, endpoint.Interval, endpoint.ScrapeTimeout); err != nil { return fmt.Errorf("%w: %w", epErr, err) } @@ -550,8 +527,8 @@ func (rs *ResourceSelector) checkPodMonitor(ctx context.Context, pm *monitoringv return fmt.Errorf("%w: metricRelabelConfigs: %w", epErr, err) } - if err := addProxyConfigToStore(ctx, endpoint.ProxyConfig, rs.store, pm.GetNamespace()); err != nil { - return fmt.Errorf("%w: proxyConfig: %w", epErr, err) + if err := rs.addHTTPConfigToStore(ctx, endpoint.HTTPConfig, pm.GetNamespace()); err != nil { + return fmt.Errorf("%w: %w", epErr, err) } } 
@@ -562,6 +539,44 @@ func (rs *ResourceSelector) checkPodMonitor(ctx context.Context, pm *monitoringv
 	return nil
 }
 
+func (rs *ResourceSelector) addHTTPConfigToStore(
+	ctx context.Context,
+	httpConfig monitoringv1.HTTPConfig,
+	namespace string) error {
+	if err := httpConfig.Validate(); err != nil {
+		return err
+	}
+
+	//nolint:staticcheck // Ignore SA1019 this field is marked as deprecated.
+	if httpConfig.BearerTokenSecret != nil && httpConfig.BearerTokenSecret.Name != "" && httpConfig.BearerTokenSecret.Key != "" {
+		if _, err := rs.store.GetSecretKey(ctx, namespace, *httpConfig.BearerTokenSecret); err != nil {
+			return fmt.Errorf("bearerTokenSecret: %w", err)
+		}
+	}
+
+	if err := rs.store.AddBasicAuth(ctx, namespace, httpConfig.BasicAuth); err != nil {
+		return fmt.Errorf("basicAuth: %w", err)
+	}
+
+	if err := rs.store.AddSafeTLSConfig(ctx, namespace, httpConfig.TLSConfig); err != nil {
+		return fmt.Errorf("tlsConfig: %w", err)
+	}
+
+	if err := rs.store.AddOAuth2(ctx, namespace, httpConfig.OAuth2); err != nil {
+		return fmt.Errorf("oauth2: %w", err)
+	}
+
+	if err := rs.store.AddSafeAuthorizationCredentials(ctx, namespace, httpConfig.Authorization); err != nil {
+		return fmt.Errorf("authorization: %w", err)
+	}
+
+	if err := addProxyConfigToStore(ctx, httpConfig.ProxyConfig, rs.store, namespace); err != nil {
+		return fmt.Errorf("proxyConfig: %w", err)
+	}
+
+	return nil
+}
+
 // SelectProbes returns the probes matching the selectors specified in the Prometheus CR.
 // This function also populates authentication stores and performs
 // validations against scrape intervals, relabel configs and Probe URLs.
diff --git a/pkg/prometheus/resource_selector_test.go b/pkg/prometheus/resource_selector_test.go
index 3e2eff183..6aa27e51a 100644
--- a/pkg/prometheus/resource_selector_test.go
+++ b/pkg/prometheus/resource_selector_test.go
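Review bot: The bearerTokenSecret check in `addHTTPConfigToStore` skips the secret lookup when `Key` is empty, but the generator in promcfg.go (earlier in this diff) only tests `Name != ""` before calling `GetSecretKey`, so a selector with a name and no key passes selection here and presumably fails later at config generation, where the error is only logged and the scrape config is emitted without the bearer token. Dropping the last clause — `if httpConfig.BearerTokenSecret != nil && httpConfig.BearerTokenSecret.Name != "" {` — rejects such a PodMonitor at selection time with an explicit `bearerTokenSecret:` error instead of a silent auth-less scrape. The condition predates this commit, but consolidating it into a shared helper is the right moment to make validation and generation agree. A short doc comment stating that the helper both validates the settings and registers every referenced secret in the store would also help, since the name only mentions the store.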
@@ -1466,17 +1466,19 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "valid proxy config", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - ProxyURL: ptr.To("http://no-proxy.com"), - NoProxy: ptr.To("0.0.0.0"), - ProxyFromEnvironment: ptr.To(false), - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + ProxyURL: ptr.To("http://no-proxy.com"), + NoProxy: ptr.To("0.0.0.0"), + ProxyFromEnvironment: ptr.To(false), + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "key1", }, - Key: "key1", }, }, }, @@ -1489,17 +1491,19 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "invalid proxy config with invalid secret key", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - ProxyURL: ptr.To("http://no-proxy.com"), - NoProxy: ptr.To("0.0.0.0"), - ProxyFromEnvironment: ptr.To(false), - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + ProxyURL: ptr.To("http://no-proxy.com"), + NoProxy: ptr.To("0.0.0.0"), + ProxyFromEnvironment: ptr.To(false), + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "invalid_key", }, - Key: "invalid_key", }, }, }, 
@@ -1512,17 +1516,19 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "invalid proxy config due to invalid proxy url", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - ProxyURL: ptr.To("http://xxx-${dev}.svc.cluster.local:80"), - NoProxy: ptr.To("0.0.0.0"), - ProxyFromEnvironment: ptr.To(false), - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + ProxyURL: ptr.To("http://xxx-${dev}.svc.cluster.local:80"), + NoProxy: ptr.To("0.0.0.0"), + ProxyFromEnvironment: ptr.To(false), + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "key1", }, - Key: "key1", }, }, }, @@ -1535,16 +1541,18 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "invalid proxy config with noProxy defined but proxy from environment set to true", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - NoProxy: ptr.To("0.0.0.0"), - ProxyFromEnvironment: ptr.To(true), - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + NoProxy: ptr.To("0.0.0.0"), + ProxyFromEnvironment: ptr.To(true), + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "key1", }, - Key: "key1", }, }, }, 
@@ -1557,16 +1565,18 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "invalid proxy config with proxy url defined but proxy from environment set to true", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - ProxyURL: ptr.To("http://no-proxy.com"), - ProxyFromEnvironment: ptr.To(true), - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + ProxyURL: ptr.To("http://no-proxy.com"), + ProxyFromEnvironment: ptr.To(true), + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "key1", }, - Key: "key1", }, }, }, @@ -1579,14 +1589,16 @@ func TestSelectPodMonitors(t *testing.T) { scenario: "invalid proxy config only with proxy connect header defined", updateSpec: func(pm *monitoringv1.PodMonitorSpec) { pm.PodMetricsEndpoints = append(pm.PodMetricsEndpoints, monitoringv1.PodMetricsEndpoint{ - ProxyConfig: monitoringv1.ProxyConfig{ - ProxyConnectHeader: map[string][]v1.SecretKeySelector{ - "header": { - { - LocalObjectReference: v1.LocalObjectReference{ - Name: "secret", + HTTPConfig: monitoringv1.HTTPConfig{ + ProxyConfig: monitoringv1.ProxyConfig{ + ProxyConnectHeader: map[string][]v1.SecretKeySelector{ + "header": { + { + LocalObjectReference: v1.LocalObjectReference{ + Name: "secret", + }, + Key: "key1", }, - Key: "key1", }, }, }, 
@@ -4675,3 +4687,147 @@ func TestSelectScrapeConfigs(t *testing.T) { }) } } + +func TestSelectPodMonitorsWithInvalidAuthentication(t *testing.T) { + storeBuilder := assets.NewTestStoreBuilder( + &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "default", + }, + Data: map[string][]byte{ + "secret": []byte("xxx"), + }, + }, + ) + secretKey := v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: "foo", + }, + Key: "secret", + } + + for _, tc := range []struct { + name string + updateFunc func(pe *monitoringv1.PodMetricsEndpoint) + }{ + { + name: "duplicate bearerTokenSecret and authorization", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.BearerTokenSecret = &secretKey + pe.Authorization = &monitoringv1.SafeAuthorization{ + Credentials: &secretKey, + } + }, + }, + { + name: "duplicate bearerTokenSecret and basicAuth", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.BearerTokenSecret = &secretKey + pe.BasicAuth = &monitoringv1.BasicAuth{ + Username: secretKey, + Password: secretKey, + } + }, + }, + { + name: "duplicate bearerTokenSecret and oauth2", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.BearerTokenSecret = &secretKey + pe.OAuth2 = &monitoringv1.OAuth2{ + ClientID: monitoringv1.SecretOrConfigMap{ + Secret: &secretKey, + }, + ClientSecret: secretKey, + TokenURL: "http://example.com", + } + }, + }, + { + name: "duplicate authorization and basicAuth", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.Authorization = &monitoringv1.SafeAuthorization{ + Credentials: &secretKey, + } + pe.BasicAuth = &monitoringv1.BasicAuth{ + Username: secretKey, + Password: secretKey, + } + }, + }, + { + name: "duplicate authorization and oauth2", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.Authorization = &monitoringv1.SafeAuthorization{ + Credentials: &secretKey, + } + pe.OAuth2 = &monitoringv1.OAuth2{ + ClientID: monitoringv1.SecretOrConfigMap{ + 
Secret: &secretKey, + }, + ClientSecret: secretKey, + TokenURL: "http://example.com", + } + }, + }, + { + name: "duplicate basicAuth and oauth2", + updateFunc: func(pe *monitoringv1.PodMetricsEndpoint) { + pe.BasicAuth = &monitoringv1.BasicAuth{ + Username: secretKey, + Password: secretKey, + } + pe.OAuth2 = &monitoringv1.OAuth2{ + ClientID: monitoringv1.SecretOrConfigMap{ + Secret: &secretKey, + }, + ClientSecret: secretKey, + TokenURL: "http://example.com", + } + }, + }, + } { + t.Run(tc.name, func(t *testing.T) { + p := defaultPrometheus() + + pme := monitoringv1.PodMetricsEndpoint{ + Port: ptr.To("web"), + Interval: "30s", + } + tc.updateFunc(&pme) + pm := &monitoringv1.PodMonitor{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "default", + Labels: map[string]string{ + "group": "group1", + }, + }, + Spec: monitoringv1.PodMonitorSpec{ + PodMetricsEndpoints: []monitoringv1.PodMetricsEndpoint{pme}, + }, + } + + rs, err := NewResourceSelector( + newLogger(), + p, + storeBuilder, + nil, + operator.NewMetrics(prometheus.NewPedanticRegistry()), + operator.NewFakeRecorder(1, p), + ) + require.NoError(t, err) + + pms, err := rs.SelectPodMonitors(context.Background(), func(_ string, _ labels.Selector, appendFn cache.AppendFunc) error { + appendFn(pm) + return nil + }) + + require.NoError(t, err) + require.Len(t, pms, 1) + + valid := pms.ValidResources() + require.Empty(t, valid) + }) + } +} diff --git a/test/e2e/prometheus_test.go b/test/e2e/prometheus_test.go index 5a55e02dc..03d48cd07 100644 --- a/test/e2e/prometheus_test.go +++ b/test/e2e/prometheus_test.go 
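Review bot: `TestSelectPodMonitorsWithInvalidAuthentication` only asserts that `ValidResources()` is empty, so it also passes if the PodMonitor is rejected for an unrelated reason (a missing secret key, an interval problem, a future change in relabel validation) rather than for the duplicate authentication settings it is named after. If the returned set exposes the rejection reason, assert on it and check that the message names the conflicting fields; otherwise a sibling case with a single authentication method that must end up in `valid` would at least prove the fixture itself is accepted. The six scenarios also share the same `OAuth2` and `BasicAuth` literals three times each; hoisting them next to `secretKey` would shorten the table without changing coverage.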
@@ -3503,18 +3503,20 @@ func testPromSecurePodMonitor(t *testing.T) { name: "basic-auth-secret", endpoint: monitoringv1.PodMetricsEndpoint{ Port: ptr.To("web"), - BasicAuth: &monitoringv1.BasicAuth{ - Username: v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, + HTTPConfig: monitoringv1.HTTPConfig{ + BasicAuth: &monitoringv1.BasicAuth{ + Username: v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "user", }, - Key: "user", - }, - Password: v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, + Password: v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "password", }, - Key: "password", }, }, }, @@ -3526,11 +3528,13 @@ func testPromSecurePodMonitor(t *testing.T) { name: "bearer-secret", endpoint: monitoringv1.PodMetricsEndpoint{ Port: ptr.To("web"), - BearerTokenSecret: v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, + HTTPConfig: monitoringv1.HTTPConfig{ + BearerTokenSecret: &v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "bearer-token", }, - Key: "bearer-token", }, Path: "/bearer-metrics", }, 
@@ -3543,30 +3547,32 @@ func testPromSecurePodMonitor(t *testing.T) { endpoint: monitoringv1.PodMetricsEndpoint{ Port: ptr.To("mtls"), Scheme: "https", - TLSConfig: &monitoringv1.SafeTLSConfig{ - InsecureSkipVerify: ptr.To(true), - CA: monitoringv1.SecretOrConfigMap{ - Secret: &v1.SecretKeySelector{ + HTTPConfig: monitoringv1.HTTPConfig{ + TLSConfig: &monitoringv1.SafeTLSConfig{ + InsecureSkipVerify: ptr.To(true), + CA: monitoringv1.SecretOrConfigMap{ + Secret: &v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "cert.pem", + }, + }, + Cert: monitoringv1.SecretOrConfigMap{ + Secret: &v1.SecretKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "cert.pem", + }, + }, + KeySecret: &v1.SecretKeySelector{ LocalObjectReference: v1.LocalObjectReference{ Name: name, }, - Key: "cert.pem", + Key: "key.pem", }, }, - Cert: monitoringv1.SecretOrConfigMap{ - Secret: &v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, - }, - Key: "cert.pem", - }, - }, - KeySecret: &v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, - }, - Key: "key.pem", - }, }, Path: "/", }, 
@@ -3576,30 +3582,32 @@ func testPromSecurePodMonitor(t *testing.T) { endpoint: monitoringv1.PodMetricsEndpoint{ Port: ptr.To("mtls"), Scheme: "https", - TLSConfig: &monitoringv1.SafeTLSConfig{ - InsecureSkipVerify: ptr.To(true), - CA: monitoringv1.SecretOrConfigMap{ - ConfigMap: &v1.ConfigMapKeySelector{ + HTTPConfig: monitoringv1.HTTPConfig{ + TLSConfig: &monitoringv1.SafeTLSConfig{ + InsecureSkipVerify: ptr.To(true), + CA: monitoringv1.SecretOrConfigMap{ + ConfigMap: &v1.ConfigMapKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "cert.pem", + }, + }, + Cert: monitoringv1.SecretOrConfigMap{ + ConfigMap: &v1.ConfigMapKeySelector{ + LocalObjectReference: v1.LocalObjectReference{ + Name: name, + }, + Key: "cert.pem", + }, + }, + KeySecret: &v1.SecretKeySelector{ LocalObjectReference: v1.LocalObjectReference{ Name: name, }, - Key: "cert.pem", + Key: "key.pem", }, }, - Cert: monitoringv1.SecretOrConfigMap{ - ConfigMap: &v1.ConfigMapKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, - }, - Key: "cert.pem", - }, - }, - KeySecret: &v1.SecretKeySelector{ - LocalObjectReference: v1.LocalObjectReference{ - Name: name, - }, - Key: "key.pem", - }, }, Path: "/", },