diff --git a/README.md b/README.md index 2888fc7..ee325cf 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ - [OAuth2 Settings](#oauth2-settings) - [Configure commit signing](#configure-commit-signing) - [Metrics and profiling](#metrics-and-profiling) + - [Secure Metrics Endpoint](#secure-metrics-endpoint) - [Pod annotations](#pod-annotations) - [Themes](#themes) - [Renovate](#renovate) @@ -746,6 +747,24 @@ gitea: ENABLE_PPROF: true ``` +### Secure Metrics Endpoint + +Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. + +**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. + +```yaml +gitea: + metrics: + enabled: true + serviceMonitor: + enabled: true + + config: + metrics: + TOKEN: "secure-token" +``` + ## Pod annotations Annotations can be added to the Gitea pod. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9e9c613..6057c0d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -426,3 +426,7 @@ https {{- end -}} {{- toYaml $probe -}} {{- end -}} + +{{- define "gitea.metrics-secret-name" -}} +{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} +{{- end -}} \ No newline at end of file diff --git a/templates/gitea/metrics-secret.yaml b/templates/gitea/metrics-secret.yaml new file mode 100644 index 0000000..9ab282d --- /dev/null +++ b/templates/gitea/metrics-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.metrics-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + token: {{ .Values.gitea.config.metrics.TOKEN | b64enc }} +{{- end }} \ No newline at end of file 
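Review bot: In the new `gitea.metrics-secret-name` helper, `default` is given a single argument, and Sprig's `default` returns its first argument when no value follows, so the call is a no-op that reads as if a fallback were being applied. The helper resolves to the `printf` result regardless; `{{- printf "%s-metrics-secret" (include "gitea.fullname" .) -}}` states that directly and also trims the surrounding whitespace instead of relying on the `-}}`/`{{-` of the enclosing `define`/`end`. The hunk also drops the file's trailing newline (`\ No newline at end of file`); worth restoring so later appends to `_helpers.tpl` do not produce a spurious diff on this line.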
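Review bot: The new `metrics-secret.yaml` only ever takes the token from `.Values.gitea.config.metrics.TOKEN`, so the bearer token has to be present in plaintext in the release values and is then re-encoded into this Secret; there is no way to point at a pre-existing Secret. A common chart pattern is an `existingSecret`/`existingSecretKey` pair alongside the inline value, with the inline `TOKEN` kept only as the convenience path, so operators can provision the token through their secret store and keep it out of values files and CI logs. Separately, the Secret's namespace is `{{ .Values.namespace | default .Release.Namespace }}`; Prometheus Operator resolves `authorization.credentials` in the ServiceMonitor's own namespace, so if `servicemonitor.yaml` derives its namespace differently (its metadata is outside this diff) the reference will silently fail to resolve, which is worth confirming.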
diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index 1774214..e108c36 100644 --- a/templates/gitea/servicemonitor.yaml +++ b/templates/gitea/servicemonitor.yaml @@ -32,4 +32,12 @@ spec: tlsConfig: {{- . | toYaml | nindent 6 }} {{- end }} + {{- if and (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) }} + authorization: + type: Bearer + credentials: + name: {{ include "gitea.metrics-secret-name" . }} + key: token + optional: true + {{- end }} {{- end -}} \ No newline at end of file diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml new file mode 100644 index 0000000..1908e3e --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: Metrics secret template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.config.metrics.TOKEN: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.config.metrics.TOKEN: "test-token" + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml new file mode 100644 index 0000000..da0eb30 --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml 
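Review bot: `optional: true` on the `credentials` selector tells Prometheus Operator to tolerate a missing Secret or key, so a misconfiguration would degrade to scraping without the bearer token and show up only as 401s at scrape time rather than as a reconcile error. Since the chart renders the Secret under the same `TOKEN` condition in `metrics-secret.yaml`, the Secret is expected to exist whenever this block is emitted, and dropping the line (the field defaults to false) makes the failure loud instead of silent. The assertion in `unittests/servicemonitor/servicemonitor-enabled.yaml` pins `optional: true` and would need the matching change. The enclosing `{{- if }}` for the ServiceMonitor begins outside the hunk.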
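Review bot: Both cases in `metrics-secret-servicemonitor-disabled.yaml` set `gitea.metrics.enabled: false` together with `gitea.metrics.serviceMonitor.enabled: false`, so the suite never exercises the branch the template actually gates on. The case worth adding is `gitea.metrics.enabled: true`, `gitea.metrics.serviceMonitor.enabled: false`, `gitea.config.metrics.TOKEN: "test-token"` asserting `hasDocuments: count: 0`, which pins that a token alone does not create the Secret. A second case that leaves `gitea.config.metrics` unset entirely would cover the nil guard `(.Values.gitea.config.metrics)` that precedes the `.TOKEN` lookup.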
@@ -0,0 +1,33 @@ +suite: Metrics secret template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.config.metrics.TOKEN: "" + asserts: + - hasDocuments: + count: 0 + - it: renders Secret if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.config.metrics.TOKEN: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-metrics-secret + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.token + value: "dGVzdC10b2tlbg==" diff --git a/unittests/servicemonitor/servicemonitor-disabled.yaml b/unittests/servicemonitor/servicemonitor-disabled.yaml new file mode 100644 index 0000000..b7b2aec --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: ServiceMonitor template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.config.metrics.TOKEN: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.config.metrics.TOKEN: "test-token" + asserts: + - hasDocuments: + count: 0 
diff --git a/unittests/servicemonitor/servicemonitor-enabled.yaml b/unittests/servicemonitor/servicemonitor-enabled.yaml new file mode 100644 index 0000000..2d858c1 --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-enabled.yaml @@ -0,0 +1,51 @@ +suite: ServiceMonitor template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders unsecure ServiceMonitor if gitea.config.metrics.TOKEN empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.config.metrics.TOKEN: "" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders secure ServiceMonitor if gitea.config.metrics.TOKEN not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.config.metrics.TOKEN: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + authorization: + type: Bearer + credentials: + name: gitea-unittests-metrics-secret + key: token + optional: true