From 334a8b877b2abed2f31fe305469e6d4276a89680 Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Mon, 29 Sep 2025 22:53:21 +0200 Subject: [PATCH] feat(secret): support annotations and labels for the basic auth secret --- README.md | 66 ++++++----- templates/_deployment.tpl | 4 +- templates/_pod.tpl | 2 +- templates/_secrets.tpl | 38 ++++++- templates/podMonitor.yaml | 4 +- templates/secretPrometheusBasicAuth.yaml | 6 +- templates/serviceMonitor.yaml | 4 +- .../deployment/prometheusPodMonitor.yaml | 70 ++++++++++++ .../deployment/prometheusServiceMonitor.yaml | 107 ++++++++++++++++++ unittests/secrets/basicAuth.yaml | 78 +++++++++++++ unittests/serviceMonitors/serviceMonitor.yaml | 13 +++ values.yaml | 27 ++++- 12 files changed, 372 insertions(+), 47 deletions(-) create mode 100644 unittests/deployment/prometheusServiceMonitor.yaml create mode 100644 unittests/secrets/basicAuth.yaml diff --git a/README.md b/README.md index 761638a..d3e7f48 100644 --- a/README.md +++ b/README.md 
@@ -304,36 +304,42 @@ helm install --version "${CHART_VERSION}" reposilite volker.raschek/reposilite \ ### Prometheus -| Name | Description | Value | -| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `prometheus.metrics.enabled` | Enable of scraping metrics by Prometheus. | `false` | -| `prometheus.metrics.basicAuthUsername` | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string. | `""` | -| `prometheus.metrics.basicAuthPassword` | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string. | `""` | -| `prometheus.metrics.podMonitor.enabled` | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource. | `false` | -| `prometheus.metrics.podMonitor.annotations` | Additional podMonitor annotations. | `{}` | -| `prometheus.metrics.podMonitor.enableHttp2` | Enable HTTP2. | `false` | -| `prometheus.metrics.podMonitor.followRedirects` | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | `false` | -| `prometheus.metrics.podMonitor.honorLabels` | Honor labels. | `false` | -| `prometheus.metrics.podMonitor.labels` | Additional podMonitor labels. | `{}` | -| `prometheus.metrics.podMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `60s` | -| `prometheus.metrics.podMonitor.path` | HTTP path of the Reposilite pod for scraping Prometheus metrics. | `/metrics` | -| `prometheus.metrics.podMonitor.port` | HTTP port of the Reposilite pod for scraping Prometheus metrics. | `http` | -| `prometheus.metrics.podMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. 
Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]` | -| `prometheus.metrics.podMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `30s` | -| `prometheus.metrics.podMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. | `http` | -| `prometheus.metrics.podMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | -| `prometheus.metrics.serviceMonitor.enabled` | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource. | `false` | -| `prometheus.metrics.serviceMonitor.annotations` | Additional serviceMonitor annotations. | `{}` | -| `prometheus.metrics.serviceMonitor.labels` | Additional serviceMonitor labels. | `{}` | -| `prometheus.metrics.serviceMonitor.enableHttp2` | Enable HTTP2. | `false` | -| `prometheus.metrics.serviceMonitor.followRedirects` | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | `false` | -| `prometheus.metrics.serviceMonitor.honorLabels` | Honor labels. | `false` | -| `prometheus.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `60s` | -| `prometheus.metrics.serviceMonitor.path` | HTTP path for scraping Prometheus metrics. | `/metrics` | -| `prometheus.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]` | -| `prometheus.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `30s` | -| `prometheus.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. 
| `http` | -| `prometheus.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | +| Name | Description | Value | +| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `prometheus.metrics.enabled` | Enable of scraping metrics by Prometheus. | `false` | +| `prometheus.metrics.secret.existing.enabled` | Use an existing secret containing the basic auth credentials. | `false` | +| `prometheus.metrics.secret.existing.secretName` | Name of the secret containing the basic auth credentials. | `""` | +| `prometheus.metrics.secret.existing.basicAuthUsernameKey` | Name of the key in the secret that contains the username for basic auth. | `""` | +| `prometheus.metrics.secret.existing.basicAuthPasswordKey` | Name of the key in the secret that contains the password for basic auth. | `""` | +| `prometheus.metrics.secret.new.annotations` | Additional secret annotations. | `{}` | +| `prometheus.metrics.secret.new.labels` | Additional secret labels. | `{}` | +| `prometheus.metrics.secret.new.basicAuthUsername` | Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string. | `""` | +| `prometheus.metrics.secret.new.basicAuthPassword` | Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string. | `""` | +| `prometheus.metrics.podMonitor.enabled` | Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource. | `false` | +| `prometheus.metrics.podMonitor.annotations` | Additional podMonitor annotations. | `{}` | +| `prometheus.metrics.podMonitor.enableHttp2` | Enable HTTP2. 
| `false` | +| `prometheus.metrics.podMonitor.followRedirects` | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | `false` | +| `prometheus.metrics.podMonitor.honorLabels` | Honor labels. | `false` | +| `prometheus.metrics.podMonitor.labels` | Additional podMonitor labels. | `{}` | +| `prometheus.metrics.podMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `60s` | +| `prometheus.metrics.podMonitor.path` | HTTP path of the Reposilite pod for scraping Prometheus metrics. | `/metrics` | +| `prometheus.metrics.podMonitor.port` | HTTP port of the Reposilite pod for scraping Prometheus metrics. | `http` | +| `prometheus.metrics.podMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]` | +| `prometheus.metrics.podMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `30s` | +| `prometheus.metrics.podMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. | `http` | +| `prometheus.metrics.podMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | +| `prometheus.metrics.serviceMonitor.enabled` | Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource. | `false` | +| `prometheus.metrics.serviceMonitor.annotations` | Additional serviceMonitor annotations. | `{}` | +| `prometheus.metrics.serviceMonitor.labels` | Additional serviceMonitor labels. | `{}` | +| `prometheus.metrics.serviceMonitor.enableHttp2` | Enable HTTP2. | `false` | +| `prometheus.metrics.serviceMonitor.followRedirects` | FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | `false` | +| `prometheus.metrics.serviceMonitor.honorLabels` | Honor labels. 
| `false` | +| `prometheus.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `60s` | +| `prometheus.metrics.serviceMonitor.path` | HTTP path for scraping Prometheus metrics. | `/metrics` | +| `prometheus.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | `[]` | +| `prometheus.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `30s` | +| `prometheus.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. | `http` | +| `prometheus.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | ### Service diff --git a/templates/_deployment.tpl b/templates/_deployment.tpl index 566ba14..154377f 100644 --- a/templates/_deployment.tpl +++ b/templates/_deployment.tpl 
@@ -27,8 +27,8 @@ {{- end }} {{- if or (eq (include "reposilite.podMonitor.enabled" $ ) "true") (eq (include "reposilite.serviceMonitor.enabled" $ ) "true") -}} -{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "username")))) }} -{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "password")))) }} +{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.usernameKey" $))))) }} +{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.passwordKey" $))))) }} {{- end }} {{ toYaml (dict "env" $env) }} diff --git a/templates/_pod.tpl b/templates/_pod.tpl index c2b17eb..99195af 100644 --- a/templates/_pod.tpl +++ b/templates/_pod.tpl @@ -4,7 +4,7 @@ {{- define "reposilite.pod.annotations" -}} {{ include "reposilite.annotations" . }} -{{- if .Values.prometheus.metrics.enabled -}} +{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) -}} {{- printf "checksum/secret-%s: %s" (include "reposilite.secrets.prometheusBasicAuth.name" $) (include (print $.Template.BasePath "/secretPrometheusBasicAuth.yaml") . | sha256sum) }} {{- end -}} {{- end }} diff --git a/templates/_secrets.tpl b/templates/_secrets.tpl index 9c345d6..d24bb7b 100644 --- a/templates/_secrets.tpl +++ b/templates/_secrets.tpl 
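Review bot: With `prometheus.metrics.secret.existing.enabled` set, the new condition in `reposilite.pod.annotations` drops the `checksum/secret-…` annotation, so nothing in the pod template changes when the externally managed secret is rotated. The credentials reach the container through `secretKeyRef` environment variables (the `_deployment.tpl` hunk above), which are resolved only at container start. Reposilite would therefore keep the old username and password until the pods are restarted, while the monitor resources reference the secret by name and key. I would document this next to the condition, for example `{{/* existing secret: no checksum is rendered, restart the pods after rotating the credentials */}}`, and repeat it in the README row for `prometheus.metrics.secret.existing.enabled`.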
@@ -4,16 +4,50 @@ {{- define "reposilite.secrets.prometheusBasicAuth.annotations" -}} {{ include "reposilite.annotations" . }} +{{- if .Values.prometheus.metrics.secret.new.annotations }} +{{ toYaml .Values.prometheus.metrics.secret.new.annotations }} +{{- end }} {{- end }} {{/* labels */}} {{- define "reposilite.secrets.prometheusBasicAuth.labels" -}} {{ include "reposilite.labels" . }} +{{- if .Values.prometheus.metrics.secret.new.labels }} +{{ toYaml .Values.prometheus.metrics.secret.new.labels }} +{{- end }} {{- end }} {{/* names */}} {{- define "reposilite.secrets.prometheusBasicAuth.name" -}} -{{ include "reposilite.fullname" . }}-basic-auth-credentials -{{- end -}} +{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.secretName) 0) }} +{{- print .Values.prometheus.metrics.secret.existing.secretName -}} +{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.secretName) 0) }} +{{ fail "Name of the existing secret that contains the credentials for basic auth is not defined!" }} +{{- else if not .Values.prometheus.metrics.secret.existing.enabled }} +{{- printf "%s-basic-auth-credentials" (include "reposilite.fullname" $) -}} +{{- end }} +{{- end }} + +{{/* secretKeyNames */}} + +{{- define "reposilite.secrets.prometheusBasicAuth.passwordKey" -}} +{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) -}} +{{- .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey -}} +{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) }} +{{ fail "Name of the key in the secret that contains the password for basic auth is not defined!" 
}} +{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }} +{{- print "password" -}} +{{- end }} +{{- end }} + +{{- define "reposilite.secrets.prometheusBasicAuth.usernameKey" -}} +{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) -}} +{{- .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey -}} +{{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) }} +{{ fail "Name of the key in the secret that contains the username for basic auth is not defined!" }} +{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }} +{{- print "username" -}} +{{- end }} +{{- end }} diff --git a/templates/podMonitor.yaml b/templates/podMonitor.yaml index cd04b2b..1469173 100644 --- a/templates/podMonitor.yaml +++ b/templates/podMonitor.yaml @@ -17,10 +17,10 @@ spec: podMetricsEndpoints: - basicAuth: password: - key: password + key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }} name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }} username: - key: username + key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }} name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }} enableHttp2: {{ required "The enableHttp2 option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.enableHttp2 }} followRedirects: {{ required "The followRedirects option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.followRedirects }} diff --git a/templates/secretPrometheusBasicAuth.yaml b/templates/secretPrometheusBasicAuth.yaml index 9c4b2e1..2bb0a9f 100644 --- a/templates/secretPrometheusBasicAuth.yaml +++ b/templates/secretPrometheusBasicAuth.yaml 
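Review bot: The last branch of the new helpers is written as `{{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}` in `passwordKey` and `usernameKey`, where `and` has a single argument, and as `{{- else if not … }}` in `name`. In each case it is just the complement of the two branches above and reads more clearly as `{{- else }}`. The "enabled and non-empty" / "enabled and empty" pair could also collapse into one branch with `required`, which the chart already uses in `podMonitor.yaml`, e.g. `{{- required "Name of the existing secret that contains the credentials for basic auth is not defined!" .Values.prometheus.metrics.secret.existing.secretName -}}`; the `failedTemplate` assertions would need re-checking after that. A one-line comment on the `secretKeyNames` helpers stating that they return `username`/`password` for the chart-managed secret and the configured key otherwise would also help.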
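Review bot: The key names now come from user-supplied values and are emitted unquoted in `key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}`, so a key such as `123` or `on` may be parsed by YAML as a non-string and be rejected or misread. Piping through `quote` keeps it a string: `key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . | quote }}`. The same applies to the `usernameKey` line here, to both lines in the `serviceMonitor.yaml` hunk, and to the `stringData` values in `secretPrometheusBasicAuth.yaml`, where an unquoted password containing ` #` or `: ` would be truncated or break rendering.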
@@ -1,4 +1,4 @@ -{{- if .Values.prometheus.metrics.enabled }} +{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) }} --- apiVersion: v1 kind: Secret @@ -14,6 +14,6 @@ metadata: name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }} namespace: {{ .Release.Namespace }} stringData: - password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthPassword }} - username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthUsername }} + password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }} + username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }} {{- end }} diff --git a/templates/serviceMonitor.yaml b/templates/serviceMonitor.yaml index 5f6e027..e1f21f0 100644 --- a/templates/serviceMonitor.yaml +++ b/templates/serviceMonitor.yaml @@ -17,10 +17,10 @@ spec: endpoints: - basicAuth: password: - key: password + key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }} name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }} username: - key: username + key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }} name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }} enableHttp2: {{ required "The enableHttp2 option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.enableHttp2 }} followRedirects: {{ required "The followRedirects option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.followRedirects }} diff --git a/unittests/deployment/prometheusPodMonitor.yaml b/unittests/deployment/prometheusPodMonitor.yaml index 6a1ca00..565058f 100644 --- a/unittests/deployment/prometheusPodMonitor.yaml +++ b/unittests/deployment/prometheusPodMonitor.yaml 
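Review bot: Releases that still set the old `prometheus.metrics.basicAuthUsername` / `basicAuthPassword` keys are not handled by the renamed lookups in `stringData`. `default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword` no longer sees them, so on upgrade the configured credentials would be replaced by random ones without any error (assuming no values schema rejects unknown keys; none is visible in this patch). A guard at the top of the template would turn that into an explicit failure, e.g. `{{- if or .Values.prometheus.metrics.basicAuthUsername .Values.prometheus.metrics.basicAuthPassword }}{{ fail "prometheus.metrics.basicAuth* moved to prometheus.metrics.secret.new.*" }}{{- end }}`. The rename is a breaking change for existing values files and should be called out in the changelog.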
@@ -35,3 +35,73 @@ tests: name: reposilite-unittest-basic-auth-credentials key: username template: templates/deployment.yaml + +- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key + prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key + prometheus.metrics.secret.existing.secretName: my-secret + prometheus.metrics.podMonitor.enabled: true + asserts: + - notExists: + path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: REPOSILITE_PROMETHEUS_PASSWORD + valueFrom: + secretKeyRef: + name: my-secret + key: my-password-key + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: REPOSILITE_PROMETHEUS_USER + valueFrom: + secretKeyRef: + name: my-secret + key: my-username-key + template: templates/deployment.yaml + +- it: Fail when existing secret name is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key" + prometheus.metrics.secret.existing.secretName: "" + prometheus.metrics.podMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!" 
+ template: templates/deployment.yaml + +- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key" + prometheus.metrics.secret.existing.secretName: "my-secret" + prometheus.metrics.podMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!" + template: templates/deployment.yaml + +- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "" + prometheus.metrics.secret.existing.secretName: "my-secret" + prometheus.metrics.podMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!" + template: templates/deployment.yaml \ No newline at end of file diff --git a/unittests/deployment/prometheusServiceMonitor.yaml b/unittests/deployment/prometheusServiceMonitor.yaml new file mode 100644 index 0000000..5d43fa3 --- /dev/null +++ b/unittests/deployment/prometheusServiceMonitor.yaml 
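Review bot: The `notExists` assertion in the existing-secret test checks `checksum/secret-reposilite-unittest-basic-auth-credentials`, but with `secretName: my-secret` the name helper returns `my-secret`. An annotation rendered by mistake would be called `checksum/secret-my-secret`, and this assertion would still pass. To cover the new condition in `_pod.tpl`, assert on the name that would actually appear: `path: spec.template.metadata.annotations.checksum/secret-my-secret`. The identical test in `prometheusServiceMonitor.yaml` has the same gap, and the title of this one says "serviceMonitor" although it sets `prometheus.metrics.podMonitor.enabled`.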
@@ -0,0 +1,107 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: Add prometheus basic auth variables +release: + name: reposilite-unittest + namespace: testing +templates: +- templates/deployment.yaml +- templates/secretPrometheusBasicAuth.yaml +tests: +- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor + set: + prometheus.metrics.enabled: true + prometheus.metrics.serviceMonitor.enabled: true + asserts: + - exists: + path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: REPOSILITE_PROMETHEUS_PASSWORD + valueFrom: + secretKeyRef: + name: reposilite-unittest-basic-auth-credentials + key: password + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: REPOSILITE_PROMETHEUS_USER + valueFrom: + secretKeyRef: + name: reposilite-unittest-basic-auth-credentials + key: username + template: templates/deployment.yaml + +- it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key + prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key + prometheus.metrics.secret.existing.secretName: my-secret + prometheus.metrics.serviceMonitor.enabled: true + asserts: + - notExists: + path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: REPOSILITE_PROMETHEUS_PASSWORD + valueFrom: + secretKeyRef: + name: my-secret + key: my-password-key + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env 
+ content: + name: REPOSILITE_PROMETHEUS_USER + valueFrom: + secretKeyRef: + name: my-secret + key: my-username-key + template: templates/deployment.yaml + +- it: Fail when existing secret name is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key" + prometheus.metrics.secret.existing.secretName: "" + prometheus.metrics.serviceMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!" + template: templates/deployment.yaml + +- it: Fail when the name of the key in the secret that contains the username for basic auth is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key" + prometheus.metrics.secret.existing.secretName: "my-secret" + prometheus.metrics.serviceMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!" + template: templates/deployment.yaml + +- it: Fail when the name of the key in the secret that contains the password for basic auth is undefined + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "" + prometheus.metrics.secret.existing.secretName: "my-secret" + prometheus.metrics.serviceMonitor.enabled: true + asserts: + - failedTemplate: + errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!" 
+ template: templates/deployment.yaml \ No newline at end of file diff --git a/unittests/secrets/basicAuth.yaml b/unittests/secrets/basicAuth.yaml new file mode 100644 index 0000000..38ad9a0 --- /dev/null +++ b/unittests/secrets/basicAuth.yaml @@ -0,0 +1,78 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: Secret reposilite template +release: + name: reposilite-unittest + namespace: testing +templates: +- templates/secretPrometheusBasicAuth.yaml +tests: +- it: Skip rendering + asserts: + - hasDocuments: + count: 0 + +- it: Rendering secret with default values. + set: + prometheus.metrics.enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + apiVersion: v1 + kind: Secret + name: reposilite-unittest-basic-auth-credentials + namespace: testing + - notExists: + path: metadata.annotations + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: reposilite-unittest + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: reposilite + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: reposilite-0.1.0 + - exists: + path: stringData.password + - exists: + path: stringData.username + +- it: Rendering secret with custom values. + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.new.basicAuthPassword: foo + prometheus.metrics.secret.new.basicAuthUsername: bar + prometheus.metrics.secret.new.annotations: + foo: bar + prometheus.metrics.secret.new.labels: + bar: foo + asserts: + - hasDocuments: + count: 1 + - exists: + path: metadata.annotations + value: + foo: bar + - exists: + path: metadata.labels + value: + bar: foo + - equal: + path: metadata.name + value: reposilite-unittest-basic-auth-credentials + - equal: + path: stringData.password + value: foo + - equal: + path: stringData.username + value: bar + +- it: Skip rendering if existing secret is used + set: + prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + asserts: + - hasDocuments: + count: 0 
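Review bot: In "Rendering secret with custom values." the two `exists` assertions carry a `value:` block, but `exists` only checks that the path is present (as far as I know helm-unittest ignores any other field on it), so the custom annotation and label are never compared. `metadata.labels` is also present in the default rendering, so that assertion cannot fail at all. `isSubset`, already used in the `serviceMonitor.yaml` test of this patch, does compare content: `- isSubset:` with `path: metadata.labels` and `content:` holding `bar: foo`, and likewise for `metadata.annotations` with `foo: bar`.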
diff --git a/unittests/serviceMonitors/serviceMonitor.yaml b/unittests/serviceMonitors/serviceMonitor.yaml index 1f8447e..7db7814 100644 --- a/unittests/serviceMonitors/serviceMonitor.yaml +++ b/unittests/serviceMonitors/serviceMonitor.yaml @@ -129,6 +129,10 @@ tests: - it: Change defaults set: prometheus.metrics.enabled: true + prometheus.metrics.secret.existing.enabled: true + prometheus.metrics.secret.existing.secretName: "my-secret" + prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key" + prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key" prometheus.metrics.serviceMonitor.enabled: true prometheus.metrics.serviceMonitor.enableHttp2: false prometheus.metrics.serviceMonitor.followRedirects: true @@ -147,6 +151,15 @@ tests: asserts: - hasDocuments: count: 1 + - isSubset: + path: spec.endpoints[0].basicAuth + content: + password: + key: my-password-key + name: my-secret + username: + key: my-username-key + name: my-secret - equal: path: spec.endpoints[0].enableHttp2 value: false diff --git a/values.yaml b/values.yaml index a62b3b2..4971bb4 100644 --- a/values.yaml +++ b/values.yaml 
@@ -396,13 +396,30 @@ persistentVolumeClaim: ## @section Prometheus prometheus: - ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus. - ## @param prometheus.metrics.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string. - ## @param prometheus.metrics.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string. metrics: + ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus. enabled: false - basicAuthUsername: "" - basicAuthPassword: "" + + secret: + ## @param prometheus.metrics.secret.existing.enabled Use an existing secret containing the basic auth credentials. + ## @param prometheus.metrics.secret.existing.secretName Name of the secret containing the basic auth credentials. + ## @param prometheus.metrics.secret.existing.basicAuthUsernameKey Name of the key in the secret that contains the username for basic auth. + ## @param prometheus.metrics.secret.existing.basicAuthPasswordKey Name of the key in the secret that contains the password for basic auth. + existing: + enabled: false + secretName: "" + basicAuthUsernameKey: "" + basicAuthPasswordKey: "" + + ## @param prometheus.metrics.secret.new.annotations Additional secret annotations. + ## @param prometheus.metrics.secret.new.labels Additional secret labels. + ## @param prometheus.metrics.secret.new.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string. + ## @param prometheus.metrics.secret.new.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string. 
+ new: + annotations: {} + labels: {} + basicAuthUsername: "" + basicAuthPassword: "" ## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource. ## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.