@@ -21,12 +21,20 @@ local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') +
|
|||||||
clientKey: importstr 'etcd-client.key',
|
clientKey: importstr 'etcd-client.key',
|
||||||
clientCert: importstr 'etcd-client.crt',
|
clientCert: importstr 'etcd-client.crt',
|
||||||
|
|
||||||
// A valid name (DNS or Subject Alternative Name) that the client (i.e. prometheus) will use to verify the etcd TLS certificate.
|
// Note that you should specify a value EITHER for 'serverName' OR for 'insecureSkipVerify'. (Don't specify a value for both of them, and don't specify a value for neither of them.)
|
||||||
serverName: 'etcd.my-cluster.local', // a real-life e.g. value is "etcd.kube-system.svc.cluster.local"
|
// * Specifying serverName: Ideally you should provide a valid value for serverName (and then insecureSkipVerify should be left as false - so that serverName gets used).
|
||||||
|
// * Specifying insecureSkipVerify: insecureSkipVerify is only to be used (i.e. set to true) if you cannot (based on how your etcd certificates were created) use a Subject Alternative Name.
|
||||||
|
// * If you specify a value:
|
||||||
|
// ** for both of these variables: When 'insecureSkipVerify: true' is specified, then also specifying a value for serverName won't hurt anything but it will be ignored.
|
||||||
|
// ** for neither of these variables: then you'll get authentication errors on the prom '/targets' page with your etcd targets.
|
||||||
|
|
||||||
// TODO: prometheus-operator issue #1755 ("kube-prometheus: re-introduce insecureSkipVerify for etcd monitoring") will enhance kube-prometheus-static-etcd.libsonnet
|
// A valid name (DNS or Subject Alternative Name) that the client (i.e. prometheus) will use to verify the etcd TLS certificate.
|
||||||
// to allow 'insecureSkipVerify: true' to be specified here (as an alternative to specifying a value for 'serverName').
|
// * Note that doing `nslookup etcd.kube-system.svc.cluster.local` (on a pod in a K8s cluster where kube-prometheus has been installed) shows that kube-prometheus sets up this hostname.
|
||||||
// Note that once that issue #1755 is resolved, insecureSkipVerify is only to be used if you cannot use a Subject Alternative Name.
|
// * `openssl x509 -noout -text -in etcd-client.pem` will print the Subject Alternative Names.
|
||||||
|
serverName: 'etcd.kube-system.svc.cluster.local',
|
||||||
|
|
||||||
|
// When insecureSkipVerify isn't specified, the default value is "false".
|
||||||
|
//insecureSkipVerify: true,
|
||||||
|
|
||||||
// In case you have generated the etcd certificate with kube-aws:
|
// In case you have generated the etcd certificate with kube-aws:
|
||||||
// * If you only have one etcd node, you can use the value from 'etcd.internalDomainName' (specified in your kube-aws cluster.yaml) as the value for 'serverName'.
|
// * If you only have one etcd node, you can use the value from 'etcd.internalDomainName' (specified in your kube-aws cluster.yaml) as the value for 'serverName'.
|
||||||
|
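Review bot: The new hint `openssl x509 -noout -text -in etcd-client.pem` inspects the Prometheus client certificate, but `serverName` is matched against the Subject Alternative Names of the certificate the etcd server presents, and the file name also differs from the `etcd-client.crt` imported at the top of the hunk. Unless the same certificate is used on both sides, a reader following the hint can pick a name the server certificate does not carry; I would write `// * Run 'openssl x509 -noout -text -in <etcd server certificate>' to list the Subject Alternative Names that serverName must match.` The commented-out `//insecureSkipVerify: true,` should also state its cost, for example `// Setting this to true disables verification of the etcd server certificate; prefer reissuing the certificate with a SAN.` The enclosing object literal starts and ends outside the hunk.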