From 97071c1a5ef08873f29caa7652efbac671295843 Mon Sep 17 00:00:00 2001 From: Abhisek Dwivedi Date: Sun, 2 Feb 2025 23:43:40 +0530 Subject: [PATCH] :bug:(kustomize/v2): fix ServiceMonitor with TLS kustomize scaffolding --- .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../testdata/project/dist/install.yaml | 7 +++- .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../project/config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../testdata/project/dist/install.yaml | 7 +++- hack/docs/internal/cronjob-tutorial/sample.go | 22 +++++++++++ .../config/kdefault/kustomization.go | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.go | 37 +++++++++---------- test/e2e/v4/generate_test.go | 22 +++++++++++ .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- .../config/default/kustomization.yaml | 22 +++++++++++ .../config/prometheus/monitor_tls_patch.yaml | 37 +++++++++---------- 18 files changed, 329 insertions(+), 142 deletions(-) diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index 3e54d96aea9..eeec68bd0a2 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
@@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service @@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml 
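Review bot: The two new `select` entries for `controller-manager-metrics-monitor` (index 0 here and index 1 in the next hunk) carry no comment, yet they only produce a valid name when `monitor_tls_patch.yaml` has first placed `SERVICE_NAME.SERVICE_NAMESPACE.svc` on endpoint 0. With `create: true` a ServiceMonitor that lacks that placeholder does not fail the build; the field is created instead, presumably from the two fragments alone, and the resulting `serverName` may not match the metrics certificate. I would put a line above each entry such as `# Sets tlsConfig.serverName on endpoint 0 of the ServiceMonitor; requires monitor_tls_patch.yaml to be enabled`. The same entries are added without a comment in the other config/default/kustomization.yaml copies and in the kustomization.go, sample.go and generate_test.go constants. Both hunks sit inside the `replacements:` list, which begins and ends outside them.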
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index a240adc8607..309f43d307c 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml @@ -4276,7 +4276,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -4289,6 +4293,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 6cbecf19a15..234fb1bed10 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
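Review bot: In monitor_tls_patch.yaml, the added comment `# SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize` does not say that the substitution only happens when the `replacements` block in config/default/kustomization.yaml is enabled, and in several of the scaffolded projects in this commit that block is still commented out. If this patch is enabled on its own, `serverName` stays the literal `SERVICE_NAME.SERVICE_NAMESPACE.svc` while `insecureSkipVerify: false` is in force, so verification of the metrics endpoint would presumably fail and scraping would stop; that is the safe direction, but nothing points the operator at the cause. I would reword it to `# SERVICE_NAME and SERVICE_NAMESPACE are filled in by the ServiceMonitor replacements in config/default/kustomization.yaml, which must be uncommented together with this patch`. The same comment appears in every monitor_tls_patch.yaml copy and in monitor_tls_patch.go.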
+++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index f72c5a8890f..c59e99b23fe 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -75,6 +75,17 @@ replacements: delimiter: '.' index: 0 create: true + - select: + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 0 + create: true - source: kind: Service 
@@ -94,6 +105,17 @@ replacements: delimiter: '.' index: 1 create: true + - select: + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true - source: # Uncomment the following block if you have any webhook kind: Service diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 0f6e2f94388..6296d65591b 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -8122,7 +8122,11 @@ metadata: namespace: project-system spec: endpoints: - - tlsConfig: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: ca: secret: key: ca.crt @@ -8135,6 +8139,7 @@ spec: keySecret: key: tls.key name: metrics-server-cert + serverName: project-controller-manager-metrics-service.project-system.svc selector: matchLabels: app.kubernetes.io/name: project diff --git a/hack/docs/internal/cronjob-tutorial/sample.go b/hack/docs/internal/cronjob-tutorial/sample.go index dddea3baacc..61205e6994e 100644 --- a/hack/docs/internal/cronjob-tutorial/sample.go +++ b/hack/docs/internal/cronjob-tutorial/sample.go @@ -52,6 +52,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -71,6 +82,17 @@ const certManagerForMetricsAndWebhooks = `#replacements: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index 1f1c1973397..4264457a8a8 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go 
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -120,6 +120,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -139,6 +150,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go index b134911a7e1..b9de3871d3b 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor_tls_patch.go 
@@ -44,24 +44,21 @@ func (f *ServiceMonitorPatch) SetTemplateDefaults() error { const serviceMonitorPatchTemplate = `# Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key ` diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 6051dd3c5be..15b3cd679c1 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go @@ -475,6 +475,17 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -493,4 +504,15 @@ const metricsCertReplaces = `# - source: # Uncomment the following block to enab # options: # delimiter: '.' # index: 1 +# create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 # create: true` 
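Review bot: `op: replace` on `/spec/endpoints/0/tlsConfig` in `serviceMonitorPatchTemplate` (monitor_tls_patch.go) only applies when the base ServiceMonitor already has a `tlsConfig` on its first endpoint, because a JSON Patch replace requires the target location to exist. The base monitor manifest is not part of this diff, so I cannot tell whether that always holds; if a user has removed the default block, the build would fail on this patch. `- op: add` at the same path gives the same result when the member exists and also covers the case where it does not. This applies equally to the generated monitor_tls_patch.yaml copies.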
diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9f57d56c7f3..5f64c6b9525 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor_tls_patch.yaml 
@@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4-with-plugins/config/default/kustomization.yaml b/testdata/project-v4-with-plugins/config/default/kustomization.yaml index 7d10355c4a2..5f22015cf40 100644 --- a/testdata/project-v4-with-plugins/config/default/kustomization.yaml +++ b/testdata/project-v4-with-plugins/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service @@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service 
diff --git a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4-with-plugins/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index e288dc06a02..a5f7c37c892 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml @@ -75,6 +75,17 @@ patches: # delimiter: '.' # index: 0 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true # # - source: # kind: Service 
@@ -94,6 +105,17 @@ patches: # delimiter: '.' # index: 1 # create: true +# - select: +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true # # - source: # Uncomment the following block if you have any webhook # kind: Service diff --git a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml index e824dd0ff86..5bf84ce0d53 100644 --- a/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml +++ b/testdata/project-v4/config/prometheus/monitor_tls_patch.yaml @@ -1,22 +1,19 @@ # Patch for Prometheus ServiceMonitor to enable secure TLS configuration # using certificates managed by cert-manager -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: controller-manager-metrics-monitor - namespace: system -spec: - endpoints: - - tlsConfig: - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key