lunny/helm-chart
1
0
Fork 0
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

feat(service-monitor): support bearer token authentication on metrics endpoint

Browse Source
This commit is contained in:
Hitesh Nayak 2024-10-24 00:18:36 +05:30
parent 5c7e78b467
commit e148ee9931
No known key found for this signature in database
GPG Key ID: D1EE65392CD1E987
8 changed files with 173 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@ -30,6 +30,7 @@
- [OAuth2 Settings](#oauth2-settings)
- [Configure commit signing](#configure-commit-signing)
- [Metrics and profiling](#metrics-and-profiling)
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
- [Pod annotations](#pod-annotations)
- [Themes](#themes)
- [Renovate](#renovate)
@ -746,6 +747,24 @@ gitea:
ENABLE_PPROF: true
```
### Secure Metrics Endpoint
Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
```yaml
gitea:
metrics:
enabled: true
serviceMonitor:
enabled: true
config:
metrics:
TOKEN: "secure-token"
```
## Pod annotations
Annotations can be added to the Gitea pod.

4
templates/_helpers.tpl
View File

@ -426,3 +426,7 @@ https
{{- end -}}
{{- toYaml $probe -}}
{{- end -}}
{{- define "gitea.metrics-secret-name" -}}
{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
{{- end -}}

12
templates/gitea/metrics-secret.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if and (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.metrics-secret-name" . }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
token: {{ .Values.gitea.config.metrics.TOKEN | b64enc }}
{{- end }}

8
templates/gitea/servicemonitor.yaml
View File

@ -32,4 +32,12 @@ spec:
tlsConfig:
{{- . | toYaml | nindent 6 }}
{{- end }}
{{- if and (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) }}
authorization:
type: Bearer
credentials:
name: {{ include "gitea.metrics-secret-name" . }}
key: token
optional: true
{{- end }}
{{- end -}}

23
unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml Normal file
View File

@ -0,0 +1,23 @@
suite: Metrics secret template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.config.metrics.TOKEN: ""
asserts:
- hasDocuments:
count: 0
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.config.metrics.TOKEN: "test-token"
asserts:
- hasDocuments:
count: 0

33
unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml Normal file
View File

@ -0,0 +1,33 @@
suite: Metrics secret template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/metrics-secret.yaml
tests:
- it: renders nothing if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.config.metrics.TOKEN: ""
asserts:
- hasDocuments:
count: 0
- it: renders Secret if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN not empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.config.metrics.TOKEN: "test-token"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-metrics-secret
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: data.token
value: "dGVzdC10b2tlbg=="

23
unittests/servicemonitor/servicemonitor-disabled.yaml Normal file
View File

@ -0,0 +1,23 @@
suite: ServiceMonitor template (monitoring disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.config.metrics.TOKEN: ""
asserts:
- hasDocuments:
count: 0
- it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
set:
gitea.metrics.enabled: false
gitea.metrics.serviceMonitor.enabled: false
gitea.config.metrics.TOKEN: "test-token"
asserts:
- hasDocuments:
count: 0

51
unittests/servicemonitor/servicemonitor-enabled.yaml Normal file
View File

@ -0,0 +1,51 @@
suite: ServiceMonitor template (monitoring enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/servicemonitor.yaml
tests:
- it: renders unsecure ServiceMonitor if gitea.config.metrics.TOKEN empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.config.metrics.TOKEN: ""
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
- it: renders secure ServiceMonitor if gitea.config.metrics.TOKEN not empty
set:
gitea.metrics.enabled: true
gitea.metrics.serviceMonitor.enabled: true
gitea.config.metrics.TOKEN: "test-token"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: ServiceMonitor
apiVersion: monitoring.coreos.com/v1
name: gitea-unittests
- isNotNullOrEmpty:
path: metadata.labels
- equal:
path: spec.endpoints
value:
- port: http
authorization:
type: Bearer
credentials:
name: gitea-unittests-metrics-secret
key: token
optional: true