From e3b9df96bf6e1b39909cb69e244ac9b91f05f28f Mon Sep 17 00:00:00 2001
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>
Date: Tue, 19 Nov 2024 19:00:54 +0000
Subject: [PATCH] Add an option to enable Prometheus with real certificates While the install scripts do not enable Prometheus integration by default, solutions running upstream may want to use and enable it with Prometheus. This addition offers a way for upstream users to understand how to properly configure Prometheus using real certificates. At the very least, it serves as documentation and provides an option for those installing from source who want to implement secure Prometheus integration.
---
 config/base/prometheus/kustomization.yaml | 9 ++++++++
 .../prometheus/paches/monitor_tls_patch.yaml | 22 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 config/base/prometheus/paches/monitor_tls_patch.yaml
diff --git a/config/base/prometheus/kustomization.yaml b/config/base/prometheus/kustomization.yaml
index ed137168a..0edad079c 100644
--- a/config/base/prometheus/kustomization.yaml
+++ b/config/base/prometheus/kustomization.yaml
@@ -1,2 +1,11 @@
 resources:
 - monitor.yaml
+
+# [PROMETHEUS WITH CERTMANAGER] The following patch configures the ServiceMonitor in ../prometheus
+# to securely reference certificates created and managed by cert-manager.
+# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml
+# to mount the "metrics-server-cert" secret in the Manager Deployment.
+patches:
+ - path: patches/monitor_tls_patch.yaml
+ target:
+ kind: ServiceMonitor
diff --git a/config/base/prometheus/paches/monitor_tls_patch.yaml b/config/base/prometheus/paches/monitor_tls_patch.yaml
new file mode 100644
index 000000000..13584a303
--- /dev/null
+++ b/config/base/prometheus/paches/monitor_tls_patch.yaml
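Review bot: The added entry `path: patches/monitor_tls_patch.yaml` in kustomization.yaml does not match where this commit creates the file, `config/base/prometheus/paches/monitor_tls_patch.yaml` (directory spelled `paches`), so the reference will not resolve and building this base should fail. Either rename the directory to `patches/` or point the entry at the path that actually exists. The comment block also names only the "metrics-server-cert" secret, while the patch file references `olmv1-ca`; one more comment line such as `# The ServiceMonitor itself reads the "olmv1-ca" secret.` would tell users which secret Prometheus needs to be able to read.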
@@ -0,0 +1,22 @@
+# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
+# using certificates managed by cert-manager
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - tlsConfig:
+ insecureSkipVerify: false
+ ca:
+ secret:
+ name: olmv1-ca
+ key: ca.crt
+ cert:
+ secret:
+ name: olmv1-ca
+ key: olm-ca.crt
+ keySecret:
+ name: olmv1-ca
+ key: ca.crt
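Review bot: `keySecret` points at key `ca.crt` in the `olmv1-ca` secret, which is a certificate entry rather than a private key, so the client key Prometheus is told to load cannot pair with the `cert` entry (`olm-ca.crt`). All three references also use the CA secret; if that secret holds the cert-manager CA keypair (inferred from its name, not visible in this patch), giving the scraper read access to it exposes far more than a client identity requires. Consider pointing `cert` and `keySecret` at a dedicated client-certificate secret, e.g. `key: tls.crt` and `key: tls.key` under `name: <client-cert-secret>` (placeholder), and keeping `olmv1-ca` for `ca` only. With `insecureSkipVerify: false`, a `serverName` matching a SAN on the metrics serving certificate is probably needed as well, otherwise verification may fail against the endpoint address.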