diff --git a/README.md b/README.md
index ee325cf..8ff042d 100644
--- a/README.md
+++ b/README.md
@@ -756,13 +756,10 @@ Metrics endpoint `/metrics` can be secured by using `Bearer` token authenticatio
 ```yaml
 gitea:
 metrics:
+ token: "secure-token"
 enabled: true
 serviceMonitor:
 enabled: true
-
- config:
- metrics:
- TOKEN: "secure-token"
 ```
 ## Pod annotations
@@ -1036,6 +1033,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
 | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
 | `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
+| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
 | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
 | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
 | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 6057c0d..1a38084 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -278,6 +278,9 @@ https
 {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
 {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
 {{- end -}}
+ {{- if not (hasKey .Values.gitea.config.metrics "TOKEN") -}}
+ {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+ {{- end -}}
 {{- /* redis queue */ -}}
 {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
 {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
diff --git a/templates/gitea/metrics-secret.yaml b/templates/gitea/metrics-secret.yaml
index 9ab282d..fe26596 100644
--- a/templates/gitea/metrics-secret.yaml
+++ b/templates/gitea/metrics-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) -}}
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,5 +8,5 @@ metadata:
 {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 data:
- token: {{ .Values.gitea.config.metrics.TOKEN | b64enc }}
+ token: {{ .Values.gitea.metrics.token | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml
index e108c36..831801b 100644
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@@ -32,7 +32,7 @@ spec:
 tlsConfig:
 {{- . | toYaml | nindent 6 }}
 {{- end }}
- {{- if and (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) }}
+ {{- if .Values.gitea.metrics.token }}
 authorization:
 type: Bearer
 credentials:
diff --git a/unittests/config/metrics-section_metrics-token.yaml b/unittests/config/metrics-section_metrics-token.yaml
new file mode 100644
index 0000000..3cac92a
--- /dev/null
+++ b/unittests/config/metrics-section_metrics-token.yaml
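Review bot: The added guard in templates/_helpers.tpl tests only `hasKey .Values.gitea.config.metrics "TOKEN"`, so with the default `token:` (null) from values.yaml the `set` still writes a `TOKEN` key with a nil value into the metrics config section. How that key is rendered depends on the config template, which is not part of this diff, but an empty or placeholder `TOKEN` entry is avoidable by also requiring a value: `{{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) .Values.gitea.metrics.token -}}`. The new unit test covers only the token-set case; a second case with metrics enabled and no token, asserting that `stringData.metrics` is just `ENABLED=true`, would pin the unauthenticated default. The enclosing define starts and ends outside the hunk.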
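Review bot: The new condition in templates/gitea/metrics-secret.yaml reads only `.Values.gitea.metrics.token`, and the `authorization` guard in templates/gitea/servicemonitor.yaml does the same, while the _helpers.tpl hunk in this commit still lets a user-supplied `gitea.config.metrics.TOKEN` win. A release that keeps setting the token the old way therefore still has Gitea enforcing it, but gets no Secret and a ServiceMonitor without `authorization`, so scrapes would be rejected; if both keys are set to different values, the Secret carries a token Gitea does not accept. Deriving one effective value and using it in both guards and in `b64enc` would keep the three templates in agreement, for example `{{- $token := dig "metrics" "TOKEN" .Values.gitea.metrics.token .Values.gitea.config -}}` (to be checked against how `.Values.gitea.config` is typed here). If dropping the old key is intended, that is a breaking change worth stating in the upgrade notes.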
@@ -0,0 +1,19 @@
+suite: config template | metrics section (metrics token)
+release:
+ name: gitea-unittests
+ namespace: testing
+tests:
+ - it: metrics token is set
+ template: templates/gitea/config.yaml
+ set:
+ gitea:
+ metrics:
+ enabled: true
+ token: "somepassword"
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: stringData.metrics
+ value: |-
+ ENABLED=true
+ TOKEN=somepassword
diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml
index 1908e3e..e3776ca 100644
--- a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml
+++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml
@@ -5,19 +5,19 @@ release:
 templates:
 - templates/gitea/metrics-secret.yaml
 tests:
- - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
+ - it: renders nothing if monitoring disabled and gitea.metrics.token empty
 set:
 gitea.metrics.enabled: false
 gitea.metrics.serviceMonitor.enabled: false
- gitea.config.metrics.TOKEN: ""
+ gitea.metrics.token: ""
 asserts:
 - hasDocuments:
 count: 0
- - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
+ - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
 set:
 gitea.metrics.enabled: false
 gitea.metrics.serviceMonitor.enabled: false
- gitea.config.metrics.TOKEN: "test-token"
+ gitea.metrics.token: "test-token"
 asserts:
 - hasDocuments:
 count: 0
diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml
index da0eb30..78e714a 100644
--- a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml
+++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml
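Review bot: The `gitea.metrics.enabled` clause that this commit adds to the metrics-secret.yaml condition is never exercised on its own by metrics-secret-servicemonitor-disabled.yaml, because both cases there switch `gitea.metrics.enabled` and `gitea.metrics.serviceMonitor.enabled` off together. A case with metrics disabled, the service monitor enabled and a token set would show that no token Secret is rendered when the metrics endpoint itself is off. The suggested case below follows the shape of the existing ones.
```yaml
  - it: renders nothing if gitea.metrics disabled, serviceMonitor enabled and gitea.metrics.token not empty
    set:
      gitea.metrics.enabled: false
      gitea.metrics.serviceMonitor.enabled: true
      gitea.metrics.token: "test-token"
    asserts:
      - hasDocuments:
          count: 0
```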
@@ -5,19 +5,19 @@ release:
 templates:
 - templates/gitea/metrics-secret.yaml
 tests:
- - it: renders nothing if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN empty
+ - it: renders nothing if monitoring enabled and gitea.metrics.token empty
 set:
 gitea.metrics.enabled: true
 gitea.metrics.serviceMonitor.enabled: true
- gitea.config.metrics.TOKEN: ""
+ gitea.metrics.token: ""
 asserts:
 - hasDocuments:
 count: 0
- - it: renders Secret if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN not empty
+ - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
 set:
 gitea.metrics.enabled: true
 gitea.metrics.serviceMonitor.enabled: true
- gitea.config.metrics.TOKEN: "test-token"
+ gitea.metrics.token: "test-token"
 asserts:
 - hasDocuments:
 count: 1
diff --git a/unittests/servicemonitor/servicemonitor-disabled.yaml b/unittests/servicemonitor/servicemonitor-disabled.yaml
index b7b2aec..5b2de44 100644
--- a/unittests/servicemonitor/servicemonitor-disabled.yaml
+++ b/unittests/servicemonitor/servicemonitor-disabled.yaml
@@ -5,19 +5,19 @@ release:
 templates:
 - templates/gitea/servicemonitor.yaml
 tests:
- - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
 set:
 gitea.metrics.enabled: false
+ gitea.metrics.token: ""
 gitea.metrics.serviceMonitor.enabled: false
- gitea.config.metrics.TOKEN: ""
 asserts:
 - hasDocuments:
 count: 0
- - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
 set:
 gitea.metrics.enabled: false
+ gitea.metrics.token: "test-token"
 gitea.metrics.serviceMonitor.enabled: false
- gitea.config.metrics.TOKEN: "test-token"
 asserts:
 - hasDocuments:
 count: 0
diff --git a/unittests/servicemonitor/servicemonitor-enabled.yaml b/unittests/servicemonitor/servicemonitor-enabled.yaml
index 2d858c1..a07a017 100644
--- a/unittests/servicemonitor/servicemonitor-enabled.yaml
+++ b/unittests/servicemonitor/servicemonitor-enabled.yaml
@@ -5,11 +5,11 @@ release:
 templates:
 - templates/gitea/servicemonitor.yaml
 tests:
- - it: renders unsecure ServiceMonitor if gitea.config.metrics.TOKEN empty
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
 set:
 gitea.metrics.enabled: true
+ gitea.metrics.token:
 gitea.metrics.serviceMonitor.enabled: true
- gitea.config.metrics.TOKEN: ""
 asserts:
 - hasDocuments:
 count: 1
@@ -24,11 +24,30 @@ tests:
 path: spec.endpoints
 value:
 - port: http
- - it: renders secure ServiceMonitor if gitea.config.metrics.TOKEN not empty
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
 set:
 gitea.metrics.enabled: true
+ gitea.metrics.token: ""
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - documentIndex: 0
+ containsDocument:
+ kind: ServiceMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: gitea-unittests
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: spec.endpoints
+ value:
+ - port: http
+ - it: renders secure ServiceMonitor if gitea.metrics.token not empty
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.token: "test-token"
 gitea.metrics.serviceMonitor.enabled: true
- gitea.config.metrics.TOKEN: "test-token"
 asserts:
 - hasDocuments:
 count: 1
diff --git a/values.yaml b/values.yaml
index 2b7ad7d..07160db 100644
--- a/values.yaml
+++ b/values.yaml
@@ -365,6 +365,7 @@ gitea:
 passwordMode: keepUpdated
 ## @param gitea.metrics.enabled Enable Gitea metrics
+ ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
 ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
 ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
 ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
@@ -373,6 +374,7 @@ gitea:
 ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
 metrics:
 enabled: false
+ token:
 serviceMonitor:
 enabled: false
 # additionalLabels: