Add an option to enable Prometheus with real certificates

While the install scripts do not enable Prometheus integration by default, solutions running upstream may want to use and enable it with Prometheus. This addition offers a way for upstream users to understand how to properly configure Prometheus using real certificates. At the very least, it serves as documentation and provides an option for those installing from source who want to implement secure Prometheus integration.
operator-framework · Nov 19, 2024 · aaf8ce9 · aaf8ce9
1 parent b72cd2e
commit aaf8ce9
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/config/base/prometheus/kustomization.yaml b/config/base/prometheus/kustomization.yaml
@@ -1,2 +1,11 @@
 resources:
 - monitor.yaml
+
+# [PROMETHEUS WITH CERTMANAGER] The following patch configures the ServiceMonitor in ../prometheus
+# to securely reference certificates created and managed by cert-manager.
+# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml
+# to mount the "metrics-server-cert" secret in the Manager Deployment.
+patches:
+  - path: patches/monitor_tls_patch.yaml
+    target:
+      kind: ServiceMonitor
diff --git a/config/base/prometheus/paches/monitor_tls_patch.yaml b/config/base/prometheus/paches/monitor_tls_patch.yaml
@@ -0,0 +1,22 @@
+# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
+# using certificates managed by cert-manager
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: controller-manager-metrics-monitor
+  namespace: system
+spec:
+  endpoints:
+    - tlsConfig:
+        insecureSkipVerify: false
+        ca:
+          secret:
+            name: olmv1-ca
+            key: ca.crt
+        cert:
+          secret:
+            name: olmv1-ca
+            key: olm-ca.crt
+        keySecret:
+          name: olmv1-ca
+          key: ca.crt