Configmap check is enabled by default #368

Closed
fallen-up opened this issue Dec 26, 2024 · 5 comments

@fallen-up

In the latest version, 3.18.0, there is an error.
secretsExporter.configMapKeys is not declared; this option is not passed to the Deployment or the ClusterRole.
Nevertheless, there is an error in the logs:

```text
time=2024-12-25T15:32:22.470Z level=WARN msg="failed to fetch configmaps from namespace \"xxx\": configmaps is forbidden: User \"system:serviceaccount:kube-monitoring:x509-certificate-exporter\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"xxx\""
time=2024-12-25T15:32:22.470Z level=INFO msg="Discovered and parsed certificates" certificates=0 failures=1
```

It looks like the configmap check is enabled by default.


nikatar commented Dec 26, 2024

I have this problem too.

And the ClusterRole from your chart doesn't have permissions for watching ConfigMap resources by default:

```text
time=2024-12-26T10:28:38.862Z level=WARN msg="failed to fetch configmaps from namespace \"vault\": configmaps is forbidden: User \"system:serviceaccount:x509-certificate-exporter:x509-certificate-exporter\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"vault\""
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: x509-certificate-exporter
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: x509-certificate-exporter
    app.kubernetes.io/version: 3.18.0
    helm.sh/chart: x509-certificate-exporter-3.18.0
    helm.toolkit.fluxcd.io/name: x509-certificate-exporter
    helm.toolkit.fluxcd.io/namespace: x509-certificate-exporter
  name: x509-certificate-exporter
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
```

It seems that because of this I only get the x509_read_errors metric.

My values:

```yaml
prometheusRules:
  create: false
```
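The gap between what the exporter tried to do and what its ClusterRole allows can be checked mechanically from the two artifacts posted in this thread. The following Python is an added example, not code from the x509-certificate-exporter project or chart: it parses the RBAC denial text Kubernetes returns (the log lines above are copied in as constructed sample input, with the `\"` escapes the exporter emits inside `msg="..."`), extracts the denied verb, resource and namespace, and compares that against the chart's ClusterRole rules (mirrored here as a Python list). The rule it proposes contains only the verbs actually seen in the denials; it is not the fix the maintainers shipped.

```python
import re

# Pattern for the RBAC denial text Kubernetes returns on a forbidden request.
# The exporter wraps it in msg="...", so the inner quotes may be escaped as \".
FORBIDDEN_RE = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?" in the namespace \\?"(?P<namespace>[^"\\]+)\\?"'
)

# Constructed sample input: the log lines quoted in this issue, as the exporter prints them.
SAMPLE_LOGS = [
    'time=2024-12-25T15:32:22.470Z level=WARN msg="failed to fetch configmaps from namespace '
    '\\"xxx\\": configmaps is forbidden: User \\"system:serviceaccount:kube-monitoring:'
    'x509-certificate-exporter\\" cannot list resource \\"configmaps\\" in API group \\"\\" '
    'in the namespace \\"xxx\\""',
    'time=2024-12-25T15:32:22.470Z level=INFO msg="Discovered and parsed certificates" '
    'certificates=0 failures=1',
    'time=2024-12-26T10:28:38.862Z level=WARN msg="failed to fetch configmaps from namespace '
    '\\"vault\\": configmaps is forbidden: User \\"system:serviceaccount:x509-certificate-exporter:'
    'x509-certificate-exporter\\" cannot list resource \\"configmaps\\" in API group \\"\\" '
    'in the namespace \\"vault\\""',
]

# The rules of the chart's ClusterRole as posted in this issue, mirrored as Python data.
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
]


def parse_forbidden(lines):
    """Extract user, verb, resource, group and namespace from every RBAC denial in `lines`."""
    denials = []
    for line in lines:
        m = FORBIDDEN_RE.search(line)
        if m:
            denials.append(m.groupdict())
    return denials


def role_allows(rules, group, resource, verb):
    """True if any rule grants `verb` on `resource` in `group`; '*' is honoured as a wildcard."""
    for rule in rules:
        if group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


def missing_grants(rules, denials):
    """Set of (group, resource, verb) that the denials asked for and `rules` does not grant."""
    return {
        (d["group"], d["resource"], d["verb"])
        for d in denials
        if not role_allows(rules, d["group"], d["resource"], d["verb"])
    }


def required_rules(missing):
    """Turn missing grants into the smallest extra RBAC rules, one per (group, resource).

    Only verbs seen in the denials are included, so this is a floor: a watch-based
    collector would also need get and watch, as the chart already grants for secrets.
    """
    by_resource = {}
    for group, resource, verb in sorted(missing):
        by_resource.setdefault((group, resource), set()).add(verb)
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(by_resource.items())
    ]


if __name__ == "__main__":
    denials = parse_forbidden(SAMPLE_LOGS)
    for d in denials:
        print(f"{d['user']} denied {d['verb']} {d['resource']} in namespace {d['namespace']}")
    missing = missing_grants(CLUSTER_ROLE_RULES, denials)
    print("missing grants:", sorted(missing))
    print("rules to add:", required_rules(missing))
```

Against a live cluster the same question is one command per namespace, impersonating the exporter's service account: `kubectl auth can-i list configmaps --as=system:serviceaccount:<namespace>:<serviceaccount> -n <namespace>`. Whether to grant that at all is the least-privilege decision the maintainers discuss below: a cluster-wide `list` on ConfigMaps widens what the exporter can read, so it should only be added when ConfigMap scanning is actually wanted.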

@npdgm npdgm self-assigned this Dec 27, 2024
npdgm (Member) commented Dec 27, 2024

Hi,
Thanks for reporting this issue. You are correct, the implementation is flawed.
I'm adding a flag to enable fetching ConfigMaps and granting the ClusterRole only when needed.


nikatar commented Dec 27, 2024

The problem is that if you don't enable configmap watching, secret watching doesn't work.
And the exporter started working correctly only after I set secretsExporter.configMapKeys in values, although I don't have TLS certificates in the ConfigMaps:

```yaml
prometheusRules:
  create: false
secretsExporter:
  configMapKeys: ["tls.crt"]
```

npdgm (Member) commented Dec 27, 2024

Yes, I understand. It hasn't been a good release and we should have made a beta version this time. More than anything, this shows our tests are insufficient; we'll work on that to get back to 100% coverage and do true e2e testing. But rest assured we are very attentive that nothing malicious is introduced by contributors.
There has been a bit of frustration from users wanting features that were not in line with the original vision. To be honest I don't like the idea of parsing ConfigMaps or other resources that are not Secrets, but when PRs are open and efforts made to add features to the project, it's better to go with what users need.

@monkeynator (Member)

🎉 This issue has been resolved in version 3.18.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
