From dac1ec7a9e3a674aaa64828196f0b263dba4ed94 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Tue, 13 Sep 2022 17:21:20 +0200 Subject: [PATCH 1/7] [bitnami/thanos] Add support for HTTPS and basic auth experimental settings Signed-off-by: Miguel Ruiz --- bitnami/thanos/Chart.yaml | 2 +- bitnami/thanos/templates/_helpers.tpl | 52 +++++++++++++++++++ .../templates/bucketweb/deployment.yaml | 39 ++++++++++++++ .../templates/compactor/deployment.yaml | 39 ++++++++++++++ .../thanos/templates/http-certs-secret.yaml | 32 ++++++++++++ .../thanos/templates/httpconfig-secret.yaml | 33 ++++++++++++ .../templates/query-frontend/deployment.yaml | 39 ++++++++++++++ .../thanos/templates/query/deployment.yaml | 39 ++++++++++++++ .../receive-distributor/deployment.yaml | 39 ++++++++++++++ .../thanos/templates/receive/statefulset.yaml | 39 ++++++++++++++ .../thanos/templates/ruler/statefulset.yaml | 39 ++++++++++++++ .../storegateway/statefulset-sharded.yaml | 41 ++++++++++++++- .../templates/storegateway/statefulset.yaml | 44 ++++++++++++++++ bitnami/thanos/values.yaml | 45 ++++++++++++++++ 14 files changed, 520 insertions(+), 2 deletions(-) create mode 100644 bitnami/thanos/templates/http-certs-secret.yaml create mode 100644 bitnami/thanos/templates/httpconfig-secret.yaml diff --git a/bitnami/thanos/Chart.yaml b/bitnami/thanos/Chart.yaml index 6deaf0110ae5ae..57648986b0b0e4 100644 --- a/bitnami/thanos/Chart.yaml +++ b/bitnami/thanos/Chart.yaml @@ -28,4 +28,4 @@ name: thanos sources: - https://github.com/bitnami/containers/tree/main/bitnami/thanos - https://thanos.io -version: 11.4.0 +version: 11.5.0 diff --git a/bitnami/thanos/templates/_helpers.tpl b/bitnami/thanos/templates/_helpers.tpl index e46901afd6f340..c160c28b7df767 100644 --- a/bitnami/thanos/templates/_helpers.tpl +++ b/bitnami/thanos/templates/_helpers.tpl 
@@ -58,6 +58,58 @@ Return true if a secret object should be created {{- end -}} {{- end -}} +{{/* +Return the Thanos HTTPS and basic auth configuration secret. +*/}} +{{- define "thanos.httpConfigEnabled" -}} +{{- if or .Values.existingHttpConfigSecret .Values.https.enabled .Values.auth.enabled .Values.httpConfig }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Thanos HTTPS and basic auth configuration secret. +*/}} +{{- define "thanos.httpCertsSecretName" -}} +{{- if .Values.https.existingSecret -}} + {{- printf "%s" (tpl .Values.https.existingSecret $) -}} +{{- else -}} + {{- printf "%s-http-certs-secret" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Thanos HTTPS and basic auth configuration secret. +*/}} +{{- define "thanos.httpConfigSecretName" -}} +{{- if .Values.existingHttpConfigSecret -}} + {{- printf "%s" (tpl .Values.existingHttpConfigSecret $) -}} +{{- else -}} + {{- printf "%s-http-config-secret" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "thanos.createHttpConfigSecret" -}} +{{- if and (not .Values.existingHttpConfigSecret) (or .Values.https.enabled .Values.auth.enabled .Values.httpConfig) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Returns Thanos basic auth user and password for the HTTP request. +*/}} +{{- define "thanos.basicAuth" -}} +{{- if .Values.auth.basicAuthUsers -}} +{{- $username := .Values.auth.basicAuthUsers | keys | first -}} +{{- $password := get .Values.auth.basicAuthUsers $username -}} +{{ printf "%s:%s" $username $password | b64enc }} +{{- end -}} +{{- end -}} + {{/* Return a YAML of either .Values.query or .Values.querier If .Values.querier is used, we merge in the defaults from .Values.query, giving preference to .Values.querier 
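Review bot: `thanos.basicAuth` returns the base64 of `user:password` for a clear-text password, and every probe hunk in this patch puts that value in an `httpHeaders` entry, so the credential lands in the pod spec of each Deployment and StatefulSet, readable by anyone who may read those objects rather than only Secrets. A `tcpSocket` probe would avoid carrying the credential at the cost of a weaker check; otherwise the exposure should be documented next to `auth.basicAuthUsers`. Separately, `keys | first` picks from an unordered map, so with more than one user the rendered header can differ between renders and trigger needless rollouts; `{{- $username := .Values.auth.basicAuthUsers | keys | sortAlpha | first -}}` makes it stable. The comments above `thanos.httpConfigEnabled` and `thanos.httpCertsSecretName` are copies of the one for the config-secret name and should read `Return true if an HTTP config file must be passed to the components` and `Return the name of the secret holding the HTTPS certificates`.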
diff --git a/bitnami/thanos/templates/bucketweb/deployment.yaml b/bitnami/thanos/templates/bucketweb/deployment.yaml index 2f225e56e37a32..2cc05b581610d9 100644 --- a/bitnami/thanos/templates/bucketweb/deployment.yaml +++ b/bitnami/thanos/templates/bucketweb/deployment.yaml @@ -103,6 +103,9 @@ spec: {{- if .Values.bucketweb.timeout }} - --timeout={{ .Values.bucketweb.timeout }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if .Values.bucketweb.extraFlags }} {{- .Values.bucketweb.extraFlags | toYaml | nindent 12 }} {{- end }} @@ -130,6 +133,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.bucketweb.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -138,6 +147,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.bucketweb.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -146,6 +161,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.bucketweb.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customStartupProbe "context" $) | nindent 12 }} {{- end }} 
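Review bot: The probe settings added in the three probe hunks of bucketweb/deployment.yaml are keyed on `.Values.https.enabled` and `.Values.auth.basicAuthUsers`, while `--http.config` is also switched on by `existingHttpConfigSecret` or `httpConfig`. A user who enables TLS or basic auth through either of those gets plain-HTTP, unauthenticated probes against a server that presumably no longer accepts them, and the liveness probe would then restart the pod. The same holds when `https.clientAuthType` demands a client certificate, since an `httpGet` probe cannot present one. Either derive the default probes from the same conditions as `thanos.httpConfigEnabled`, or state in the values documentation that custom probes are required in those cases. The identical probe hunks in the compactor, query, query-frontend, receive, receive-distributor, ruler and storegateway templates have the same gap.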
@@ -158,6 +179,14 @@ spec: volumeMounts: - name: objstore-config mountPath: /conf + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} {{- if .Values.bucketweb.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -168,6 +197,16 @@ spec: {{- if .Values.existingObjstoreSecretItems }} items: {{- toYaml .Values.existingObjstoreSecretItems | nindent 14 }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if .Values.bucketweb.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/thanos/templates/compactor/deployment.yaml b/bitnami/thanos/templates/compactor/deployment.yaml index c815ee61120a82..74a02c0fefb04f 100644 --- a/bitnami/thanos/templates/compactor/deployment.yaml +++ b/bitnami/thanos/templates/compactor/deployment.yaml @@ -117,6 +117,9 @@ spec: - --retention.resolution-1h={{ .Values.compactor.retentionResolution1h }} - --consistency-delay={{ .Values.compactor.consistencyDelay }} - --objstore.config-file=/conf/objstore.yml + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if .Values.compactor.extraFlags }} {{- .Values.compactor.extraFlags | toYaml | nindent 12 }} {{- end }} 
@@ -145,6 +148,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.compactor.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -153,6 +162,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.compactor.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -161,6 +176,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.compactor.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -173,6 +194,14 @@ spec: volumeMounts: - name: objstore-config mountPath: /conf + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: data mountPath: /data {{- if .Values.compactor.extraVolumeMounts }} 
@@ -185,6 +214,16 @@ spec: {{- if .Values.existingObjstoreSecretItems }} items: {{- toYaml .Values.existingObjstoreSecretItems | nindent 14 }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} - name: data {{- if .Values.compactor.persistence.enabled }} persistentVolumeClaim: diff --git a/bitnami/thanos/templates/http-certs-secret.yaml b/bitnami/thanos/templates/http-certs-secret.yaml new file mode 100644 index 00000000000000..25c50f6038b3cb --- /dev/null +++ b/bitnami/thanos/templates/http-certs-secret.yaml 
@@ -0,0 +1,32 @@ +{{- if and .Values.https.enabled (not .Values.https.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-http-certs-secret" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if .Values.https.autoGenerated }} + {{- $ca := genCA "thanos-ca" 365 }} + {{- $hostname := printf "%s" (include "common.names.fullname" .) }} + {{- $cert := genSignedCert $hostname nil (list $hostname) 365 $ca }} + {{ .Values.https.certFilename }}: {{ $cert.Cert | b64enc | quote }} + {{ .Values.https.keyFilename }}: {{ $cert.Key | b64enc | quote }} + {{- if .Values.https.clientAuthType }} + {{ .Values.https.caFilename }}: {{ $ca.Cert | b64enc | quote }} + {{- end }} + {{- else }} + {{ .Values.https.certFilename }}: {{ required "'https.cert' is required when 'https.enabled=true'" .Values.https.cert | b64enc | quote }} + {{ .Values.https.keyFilename }}: {{ required "'https.key' is required when 'https.enabled=true'" .Values.https.key | b64enc | quote }} + {{- if .Values.https.clientAuthType }} + {{ .Values.https.caFilename }}: {{ required "'https.ca' is required when 'https.clientAuthType' is provided" .Values.https.ca | b64enc | quote }} + {{- end }} + {{- end }} +{{ end }} diff --git a/bitnami/thanos/templates/httpconfig-secret.yaml b/bitnami/thanos/templates/httpconfig-secret.yaml new file mode 100644 index 00000000000000..7c2acb5fed728e --- /dev/null +++ b/bitnami/thanos/templates/httpconfig-secret.yaml 
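Review bot: The auto-generated certificate is issued only for `common.names.fullname`, while components are reached through per-component services such as `{{ include "common.names.fullname" . }}-query` (see the downstream URL in query-frontend/deployment.yaml), so a client that verifies the server name would reject it. The SAN list passed to `genSignedCert` should include the component service names and their namespace-qualified forms. `genCA` and `genSignedCert` also run on every render, so each `helm upgrade` replaces the CA and the key pair; reusing the existing secret via `lookup` when it is present would keep them stable and lets clients pin the CA. The closing `{{ end }}` lacks the `-` trim used elsewhere in the file and should be `{{- end }}`.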
@@ -0,0 +1,33 @@ +{{- if (include "thanos.createHttpConfigSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-http-config-secret + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} +stringData: + http-config.yml: |- +{{- if .Values.httpConfig }} + {{- include "common.tplvalues.render" (dict "value" .Values.httpConfig "context" $) | b64enc | nindent 4 }} +{{- else }} + {{- if .Values.https.enabled }} + tls_server_config: + cert_file: /certs/{{ .Values.https.certFilename }} + key_file: /certs/{{ .Values.https.keyFilename }} + {{- if .Values.https.clientAuthType }} + client_auth_type: {{ .Values.https.clientAuthType }} + # CA certificate for client certificate authentication to the server. + client_ca_file: /certs/{{ .Values.https.caFilename }} + {{- end }} + {{- end }} + {{- if .Values.auth.basicAuthUsers }} + basic_auth_users: + {{- range $user, $password := .Values.auth.basicAuthUsers }} + {{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/bitnami/thanos/templates/query-frontend/deployment.yaml b/bitnami/thanos/templates/query-frontend/deployment.yaml index 358159108d0a2b..2fa7f71daabd2a 100644 --- a/bitnami/thanos/templates/query-frontend/deployment.yaml +++ b/bitnami/thanos/templates/query-frontend/deployment.yaml 
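Review bot: In the `.Values.httpConfig` branch the rendered config is piped through `b64enc` but written under `stringData`, which Kubernetes stores verbatim, so the mounted `http-config.yml` would hold base64 text instead of YAML. Drop the encoding there, `{{- include "common.tplvalues.render" (dict "value" .Values.httpConfig "context" $) | nindent 4 }}`, or move the entry under `data`. `basic_auth_users` is emitted whenever `auth.basicAuthUsers` is set, regardless of `auth.enabled`, whereas `thanos.createHttpConfigSecret` tests `auth.enabled`; one switch should gate both so that users are not enforced with `auth.enabled=false` once HTTPS is on. `htpasswd` produces a fresh bcrypt salt on every render, so this secret changes on each upgrade, which deserves a comment above the `range`. Unlike http-certs-secret.yaml, this secret does not render `commonAnnotations`.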
@@ -100,6 +100,9 @@ spec: - --log.format={{ .Values.queryFrontend.logFormat }} - --http-address=0.0.0.0:10902 - --query-frontend.downstream-url=http://{{ include "common.names.fullname" . }}-query:{{ if $query.service.http }}{{ coalesce $query.service.ports.http $query.service.http.port }}{{ else }}{{ $query.service.ports.http }}{{ end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if or .Values.queryFrontend.config .Values.queryFrontend.existingConfigmap }} - --query-range.response-cache-config-file=/conf/cache/config.yml {{- end }} @@ -130,6 +133,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.queryFrontend.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -138,6 +147,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.queryFrontend.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customReadinessProbe "context" $) | nindent 12 }} {{- end }} 
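Review bot: The downstream URL on the context line just above the added flag stays `http://…-query`, but query/deployment.yaml receives the same `--http.config` in this patch, so with `https.enabled=true` the frontend would speak plain HTTP to a TLS listener, and with basic auth it would send no credentials. The scheme should follow the setting, for example `--query-frontend.downstream-url={{ ternary "https" "http" .Values.https.enabled }}://…`. The frontend would also need to trust the chart CA and authenticate to query; whether Thanos offers flags for that is not visible in this patch. If it cannot be solved here, the values documentation should say that the global HTTPS and auth settings break the frontend-to-query hop.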
@@ -146,6 +161,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.queryFrontend.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -160,10 +181,28 @@ spec: - name: cache-config mountPath: /conf/cache {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} {{- if .Values.queryFrontend.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} volumes: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if or .Values.queryFrontend.config .Values.queryFrontend.existingConfigmap }} - name: cache-config configMap: diff --git a/bitnami/thanos/templates/query/deployment.yaml b/bitnami/thanos/templates/query/deployment.yaml index 1ad0531c981719..820e5d15b7ee28 100644 --- a/bitnami/thanos/templates/query/deployment.yaml +++ b/bitnami/thanos/templates/query/deployment.yaml @@ -99,6 +99,9 @@ spec: - --log.format={{ .Values.query.logFormat }} - --grpc-address=0.0.0.0:10901 - --http-address=0.0.0.0:10902 + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if kindIs "string" .Values.query.replicaLabel }} - --query.replica-label={{ .Values.query.replicaLabel }} {{- else }} 
@@ -179,6 +182,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.query.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -187,6 +196,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.query.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -195,6 +210,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.query.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -205,6 +226,14 @@ spec: resources: {{- toYaml .Values.query.resources | nindent 12 }} {{- end }} volumeMounts: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} {{- if or (include "thanos.query.createSDConfigmap" .) .Values.query.existingSDConfigmap }} - name: sd-config mountPath: /conf/servicediscovery.yml 
@@ -222,6 +251,16 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.query.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} volumes: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if or (include "thanos.query.createSDConfigmap" .) .Values.query.existingSDConfigmap }} - name: sd-config configMap: diff --git a/bitnami/thanos/templates/receive-distributor/deployment.yaml b/bitnami/thanos/templates/receive-distributor/deployment.yaml index eed3f07949ad82..6af8f56e91c48e 100644 --- a/bitnami/thanos/templates/receive-distributor/deployment.yaml +++ b/bitnami/thanos/templates/receive-distributor/deployment.yaml @@ -103,6 +103,9 @@ spec: - --label=receive="true" - --receive.hashrings-file=/var/lib/thanos-receive/hashrings.json - --receive.replication-factor={{ .Values.receiveDistributor.replicationFactor }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if .Values.receiveDistributor.extraFlags }} {{- .Values.receiveDistributor.extraFlags | toYaml | nindent 12 }} {{- end }} @@ -150,6 +153,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receiveDistributor.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customLivenessProbe "context" $) | nindent 12 }} {{- end }} 
@@ -158,6 +167,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receiveDistributor.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -166,6 +181,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receiveDistributor.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -176,6 +197,14 @@ spec: resources: {{- toYaml .Values.receiveDistributor.resources | nindent 12 }} {{- end }} volumeMounts: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: hashring-config mountPath: /var/lib/thanos-receive {{- if .Values.receiveDistributor.extraVolumeMounts }} @@ -185,6 +214,16 @@ spec: - name: hashring-config configMap: name: {{ include "thanos.receive.configmapName" . }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if .Values.receiveDistributor.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.extraVolumes "context" $) | nindent 8 }} {{- end }} 
diff --git a/bitnami/thanos/templates/receive/statefulset.yaml b/bitnami/thanos/templates/receive/statefulset.yaml index a97a8ac76e0b07..49a4fbd5ff06b3 100644 --- a/bitnami/thanos/templates/receive/statefulset.yaml +++ b/bitnami/thanos/templates/receive/statefulset.yaml @@ -123,6 +123,9 @@ spec: {{- if or .Values.objstoreConfig .Values.existingObjstoreSecret }} - --objstore.config=$(OBJSTORE_CONFIG) {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} - --tsdb.path=/var/thanos/receive - --label={{ .Values.receive.replicaLabel }}="$(NAME)" - --label=receive="true" @@ -190,6 +193,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receive.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -198,6 +207,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receive.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customReadinessProbe "context" $) | nindent 12 }} {{- end }} 
@@ -206,6 +221,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.receive.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -216,6 +237,14 @@ spec: resources: {{- toYaml .Values.receive.resources | nindent 12 }} {{- end }} volumeMounts: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: hashring-config mountPath: /var/lib/thanos-receive - name: data @@ -236,6 +265,16 @@ spec: secret: secretName: {{ include "common.secrets.name" (dict "existingSecret" .Values.receive.grpc.server.tls.existingSecret "defaultNameSuffix" "receive-grpc-server" "context" $) }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if .Values.receive.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.receive.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/thanos/templates/ruler/statefulset.yaml b/bitnami/thanos/templates/ruler/statefulset.yaml index da0aafa1c5ec32..52c93e583291d6 100644 --- a/bitnami/thanos/templates/ruler/statefulset.yaml +++ b/bitnami/thanos/templates/ruler/statefulset.yaml 
@@ -120,6 +120,9 @@ spec: - --http-address=0.0.0.0:10902 - --data-dir=/data - --eval-interval={{ .Values.ruler.evalInterval }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- range .Values.ruler.alertmanagers }} - --alertmanagers.url={{ . }} {{- end }} @@ -172,6 +175,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.ruler.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -180,6 +189,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.ruler.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -188,6 +203,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.ruler.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customStartupProbe "context" $) | nindent 12 }} {{- end }} 
@@ -202,6 +223,14 @@ spec: mountPath: /conf/rules - name: objstore-config mountPath: /conf/objstore + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: data mountPath: /data {{- if .Values.ruler.alertmanagersConfig }} @@ -221,6 +250,16 @@ spec: {{- if .Values.existingObjstoreSecretItems }} items: {{- toYaml .Values.existingObjstoreSecretItems | nindent 14 }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if .Values.ruler.alertmanagersConfig }} - name: alertmanagers-config secret: diff --git a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml index b41eaf7f944a22..e354e5f2b3b132 100644 --- a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml +++ b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml @@ -60,7 +60,7 @@ spec: spec: {{- include "thanos.imagePullSecrets" $ | nindent 6 }} serviceAccount: {{ include "thanos.serviceAccount.name" (dict "component" "storegateway" "context" $) }} - automountServiceAccountToken: {{ $.Values.storegateway.automountServiceAccountToken }} + automountServiceAccountToken: {{ $.Values.storegateway.automountServiceAccountToken }} {{- if $.Values.storegateway.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.hostAliases "context" $) | nindent 8 }} {{- end }} 
@@ -136,6 +136,9 @@ spec: - --http-address=0.0.0.0:10902 - --data-dir=/data - --objstore.config-file=/conf/objstore.yml + {{- if (include "thanos.httpConfigEnabled" $) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if $.Values.indexCacheConfig }} - --index-cache.config-file=/conf/index-cache.yml {{- end }} @@ -200,6 +203,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} + {{- if $.Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" $ }} + {{- end }} {{- else if $.Values.storegateway.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -208,6 +217,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} + {{- if $.Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" $ }} + {{- end }} {{- else if $.Values.storegateway.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -216,6 +231,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} + {{- if $.Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" $ }} + {{- end }} {{- else if $.Values.storegateway.customReadinessProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customStartupProbe "context" $) | nindent 12 }} {{- end }} 
@@ -228,6 +249,14 @@ spec: volumeMounts: - name: objstore-config mountPath: /conf + {{- if (include "thanos.httpConfigEnabled" $) }} + - name: http-config + mountPath: /conf/http + {{- if $.Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: data mountPath: /data {{- if or $.Values.storegateway.config $.Values.storegateway.existingConfigmap }} @@ -248,6 +277,16 @@ spec: {{- if $.Values.existingObjstoreSecretItems }} items: {{- toYaml $.Values.existingObjstoreSecretItems | nindent 14 }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" $) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" $ }} + {{- if $.Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" $ }} + {{- end }} + {{- end }} {{- if $.Values.storegateway.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/thanos/templates/storegateway/statefulset.yaml b/bitnami/thanos/templates/storegateway/statefulset.yaml index 6798780eab8613..34983059bfcd2f 100644 --- a/bitnami/thanos/templates/storegateway/statefulset.yaml +++ b/bitnami/thanos/templates/storegateway/statefulset.yaml @@ -121,6 +121,9 @@ spec: - --http-address=0.0.0.0:10902 - --data-dir=/data - --objstore.config-file=/conf/objstore.yml + {{- if (include "thanos.httpConfigEnabled" .) }} + - --http.config=/conf/http/http-config.yml + {{- end }} {{- if .Values.indexCacheConfig }} - --index-cache.config-file=/conf/index-cache.yml {{- end }} 
@@ -165,6 +168,12 @@ spec: httpGet: path: /-/healthy port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.storegateway.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customLivenessProbe "context" $) | nindent 12 }} {{- end }} @@ -173,6 +182,12 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.storegateway.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customReadinessProbe "context" $) | nindent 12 }} {{- end }} @@ -181,6 +196,17 @@ spec: httpGet: path: /-/ready port: http + scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} + {{- if .Values.auth.basicAuthUsers }} + httpHeaders: + - name: Authorization + value: Basic {{ include "thanos.basicAuth" . }} + {{- end }} {{- else if .Values.storegateway.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customStartupProbe "context" $) | nindent 12 }} {{- end }} @@ -191,6 +217,14 @@ spec: resources: {{- toYaml .Values.storegateway.resources | nindent 12 }} {{- end }} volumeMounts: + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + mountPath: /conf/http + {{- if .Values.https.enabled }} + - name: http-certs + mountPath: /certs + {{- end }} + {{- end }} - name: objstore-config mountPath: /conf - name: data 
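Review bot: The startupProbe hunk (`@@ -181,6 +196,17 @@`) adds the `{{- if .Values.auth.basicAuthUsers }}` … `httpHeaders:` block twice, so with basic auth enabled the rendered `httpGet` mapping contains a duplicate `httpHeaders` key. Depending on the YAML parser this is either rejected or silently collapsed to the last entry. The second block should be dropped so that the probe matches the liveness and readiness hunks above it. The `startupProbe:` line itself sits before the start of the hunk.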
@@ -221,6 +255,16 @@ spec: configMap: name: {{ include "thanos.storegateway.configmapName" . }} {{- end }} + {{- if (include "thanos.httpConfigEnabled" .) }} + - name: http-config + secret: + secretName: {{ include "thanos.httpConfigSecretName" . }} + {{- if .Values.https.enabled }} + - name: http-certs + secret: + secretName: {{ include "thanos.httpCertsSecretName" . }} + {{- end }} + {{- end }} {{- if .Values.storegateway.grpc.server.tls.enabled }} - name: grpc-server-tls secret: diff --git a/bitnami/thanos/values.yaml b/bitnami/thanos/values.yaml index 044f36099a017c..6eb22b3cd52984 100644 --- a/bitnami/thanos/values.yaml +++ b/bitnami/thanos/values.yaml 
@@ -87,6 +87,51 @@ existingObjstoreSecret: "" ## @param existingObjstoreSecretItems Optional item list for specifying a custom Secret key. If so, path should be objstore.yml ## existingObjstoreSecretItems: [] +## @param httpConfig The [https and basic auth configuration](https://thanos.io/tip/operating/https.md/) +## If provided, overrides settings under https.* and auth.* +httpConfig: "" +## @param existingHttpConfigSecret Secret containing the HTTPS and Basic auth configuration +## +existingHttpConfigSecret: "" + +## HTTPS configuration (Experimental) +## Ref: https://thanos.io/tip/operating/https.md/ +## +https: + ## @param https.enabled Set to true to enable HTTPS. Requires a secret containing the certificate and key. + ## + enabled: false + ## @param https.autoGenerated Create self-signed TLS certificates. + ## + autoGenerated: false + ## @param https.existingSecret Existing secret containing your own server key and certificate + ## + existingSecret: "" + ## @param https.certFilename + ## + certFilename: "tls.crt" + ## @param https.keyFilename + ## + keyFilename: "tls.key" + ## @param https.caFilename + ## + caFilename: "ca.crt" + ## @param https.key TLS Key for Thanos HTTPS - ignored if existingSecret is provided + ## @param https.cert TLS Certificate for Thanos HTTPS - ignored if existingSecret is provided + ## @param https.ca (Optional, used for client) CA Certificate for Thanos HTTPS - ignored if existingSecret is provided + ## + key: "" + cert: "" + ca: "" + ## @param https.clientAuthType Server policy for client authentication using certificates. Maps to ClientAuth Policies. 
+ ## For more detail on clientAuth options: https://golang.org/pkg/crypto/tls/#ClientAuthType + clientAuthType: "" +## Thanos Basic authentication (Experimental) +## +auth: + ## @param auth.basicAuthUsers Object containing : key-value pairs for each user that will have access via basic authentication + ## Note: Passwords will be later encripted using bcrypt + basicAuthUsers: {} ## Common Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ From 7c911deecc9c4711d97ae080c95041e4b1a96e85 Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 13 Sep 2022 15:24:28 +0000 Subject: [PATCH 2/7] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/thanos/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/bitnami/thanos/README.md b/bitnami/thanos/README.md index e6765379c1c9c2..46b792df0445ef 100644 --- a/bitnami/thanos/README.md +++ b/bitnami/thanos/README.md 
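Review bot: The comment on `auth.basicAuthUsers` says passwords "will be later encripted using bcrypt", which understates the exposure. bcrypt is a one-way hash applied to the generated config, while the plaintext supplied here remains in the values file and in the stored Helm release data. A wording such as `## Note: passwords are given in plaintext and bcrypt-hashed in the generated config; use existingHttpConfigSecret to keep them out of values` states this and points to the alternative. The same applies to `https.key`, where the comment could recommend `https.existingSecret` for the private key. The `@param` lines for `https.certFilename`, `https.keyFilename` and `https.caFilename` have no description at all.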
@@ -120,6 +120,19 @@ Check the section [Integrate Thanos with Prometheus and Alertmanager](#integrate | `bucketCacheConfig` | The [bucket cache configuration](https://thanos.io/tip/components/store.md/) | `""` | | `existingObjstoreSecret` | Secret with Objstore Configuration | `""` | | `existingObjstoreSecretItems` | Optional item list for specifying a custom Secret key. If so, path should be objstore.yml | `[]` | +| `httpConfig` | The [https and basic auth configuration](https://thanos.io/tip/operating/https.md/) | `""` | +| `existingHttpConfigSecret` | Secret containing the HTTPS and Basic auth configuration | `""` | +| `https.enabled` | Set to true to enable HTTPS. Requires a secret containing the certificate and key. | `false` | +| `https.autoGenerated` | Create self-signed TLS certificates. | `false` | +| `https.existingSecret` | Existing secret containing your own server key and certificate | `""` | +| `https.certFilename` | | `tls.crt` | +| `https.keyFilename` | | `tls.key` | +| `https.caFilename` | | `ca.crt` | +| `https.key` | TLS Key for Thanos HTTPS - ignored if existingSecret is provided | `""` | +| `https.cert` | TLS Certificate for Thanos HTTPS - ignored if existingSecret is provided | `""` | +| `https.ca` | (Optional, used for client) CA Certificate for Thanos HTTPS - ignored if existingSecret is provided | `""` | +| `https.clientAuthType` | Server policy for client authentication using certificates. Maps to ClientAuth Policies. | `""` | +| `auth.basicAuthUsers` | Object containing : key-value pairs for each user that will have access via basic authentication | `{}` | | `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | | `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | | `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | 
From 1091cd6d8fb1de4a3e02e1274e0f1ea077302cc1 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Wed, 14 Sep 2022 08:59:16 +0200 Subject: [PATCH 3/7] Add Readme section for https and basic authentication Signed-off-by: Miguel Ruiz --- bitnami/thanos/README.md | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/bitnami/thanos/README.md b/bitnami/thanos/README.md index 46b792df0445ef..af3b4fa9b536a4 100644 --- a/bitnami/thanos/README.md +++ b/bitnami/thanos/README.md @@ -7,7 +7,7 @@ Thanos is a highly available metrics system that can be added on top of existing [Overview of Thanos](https://thanos.io/) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```bash 
@@ -1204,6 +1204,25 @@ You can specify the Ruler configuration using the `ruler.config` parameter. In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `ruler.existingConfigmap` parameter. Note that this will override the previous option. +### Running Thanos with HTTPS and basic authentication + +This helm charts supports using HTTPS and basic authentitacion. The underlying feature is experimental and might change in the future, so are the associated settings in the chart. +For more information, please refer to [Thanos documentation](https://thanos.io/tip/operating/https.md/#running-thanos-with-https-and-basic-authentication). + +This feature can be enabled by using the following values: + +- `https.enabled=true`. Enabling HTTPS requires the user to provide the TLS certificate and Key for Thanos, which can be done using one of the following options: + + - Provide a secret using `https.existingSecret`. The secret must contain the keys `tls.crt` or `tls.key` (key names can be renamed using the values `https.keyFilename` and `https.certFilename`). + - Provide the certificate and key in your values.yaml under the values `https.cert` and `https.key`. + - Use `https.autoGenerated=true`, using this value Helm will generate a self-signed key pair during the chart initialization. Not recommended for production environments. + +- `auth.basicAuthUsers.*`. An dictionary of key / values, where the keys corresponds to the users that will have access to Thanos and the values are the plaintext passwords. Passwords will be later encrypted with bcrypt. +- Alternatively, provide your own Thanos http config file using the value `httpConfig` or `existingHttpConfigSecret`. This may cause any settings under `https.*` or `auth.*` to be ignored, except for the settings related to the TLS certificates. 
When providing a configuration file using these parameters, the chart Probes will fail to initialize unless one of the following fixes are applied: + - Set `https.enabled` or `auth.basicAuthUsers` with at least one user, matching the configuration file you provided. That way Probes will be configured with HTTPS and/or basic authentication accordingly. + - Configure your own Probes using `.customLivenessProbe`, `.customReadinessProbe` and `.customStartupProbe`. + - **Not recommended**. Disable the Probes. + ### Store time partitions Thanos store supports partion based on time. @@ -1550,4 +1569,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. From 22a50c7eb639d11c5fd840fa7c3c3a82d3cb1685 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Wed, 14 Sep 2022 09:47:13 +0200 Subject: [PATCH 4/7] Fix minor issue Signed-off-by: Miguel Ruiz --- bitnami/thanos/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/thanos/templates/_helpers.tpl b/bitnami/thanos/templates/_helpers.tpl index c160c28b7df767..ba93271600948e 100644 --- a/bitnami/thanos/templates/_helpers.tpl +++ b/bitnami/thanos/templates/_helpers.tpl @@ -62,7 +62,7 @@ Return true if a secret object should be created Return the Thanos HTTPS and basic auth configuration secret. */}} {{- define "thanos.httpConfigEnabled" -}} -{{- if or .Values.existingHttpConfigSecret .Values.https.enabled .Values.auth.enabled .Values.httpConfig }} +{{- if or .Values.existingHttpConfigSecret .Values.https.enabled .Values.auth.basicAuthUsers .Values.httpConfig }} {{- true -}} {{- end -}} {{- end -}} 
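Review bot: The comment kept above `thanos.httpConfigEnabled` still reads "Return the Thanos HTTPS and basic auth configuration secret.", but the helper emits `true` when any HTTP config source is set and returns no secret name. Since this hunk corrects the condition, the comment could be fixed in the same change, e.g. `Return true if an HTTP config file (HTTPS and/or basic auth) has to be mounted`. The comment opener is outside the hunk.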
@@ -93,7 +93,7 @@ Return the Thanos HTTPS and basic auth configuration secret. Return true if a secret object should be created */}} {{- define "thanos.createHttpConfigSecret" -}} -{{- if and (not .Values.existingHttpConfigSecret) (or .Values.https.enabled .Values.auth.enabled .Values.httpConfig) }} +{{- if and (not .Values.existingHttpConfigSecret) (or .Values.https.enabled .Values.auth.basicAuthUsers .Values.httpConfig) }} {{- true -}} {{- else -}} {{- end -}} From cdb9bd05a9a255814d80c1a933a1f32880faded7 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Wed, 14 Sep 2022 10:38:01 +0200 Subject: [PATCH 5/7] Fix typo Signed-off-by: Miguel Ruiz --- bitnami/thanos/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/thanos/README.md b/bitnami/thanos/README.md index af3b4fa9b536a4..e9b799cbc64961 100644 --- a/bitnami/thanos/README.md +++ b/bitnami/thanos/README.md @@ -1206,7 +1206,7 @@ In addition, you can also set an external ConfigMap with the configuration file. ### Running Thanos with HTTPS and basic authentication -This helm charts supports using HTTPS and basic authentitacion. The underlying feature is experimental and might change in the future, so are the associated settings in the chart. +This helm charts supports using HTTPS and basic authentication. The underlying feature is experimental and might change in the future, so are the associated settings in the chart. For more information, please refer to [Thanos documentation](https://thanos.io/tip/operating/https.md/#running-thanos-with-https-and-basic-authentication). This feature can be enabled by using the following values: From 996a5772447aab5f228cab4591be7b1dbc9824c7 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Wed, 14 Sep 2022 11:05:38 +0200 Subject: [PATCH 6/7] Use tcpSocket instead of httpGet when basic auth enabled 
Signed-off-by: Miguel Ruiz --- .../templates/bucketweb/deployment.yaml | 30 ++++++++-------- .../templates/compactor/deployment.yaml | 30 ++++++++-------- .../templates/query-frontend/deployment.yaml | 30 ++++++++-------- .../thanos/templates/query/deployment.yaml | 30 ++++++++-------- .../receive-distributor/deployment.yaml | 30 ++++++++-------- .../thanos/templates/receive/statefulset.yaml | 30 ++++++++-------- .../thanos/templates/ruler/statefulset.yaml | 30 ++++++++-------- .../storegateway/statefulset-sharded.yaml | 30 ++++++++-------- .../templates/storegateway/statefulset.yaml | 35 ++++++++----------- 9 files changed, 135 insertions(+), 140 deletions(-) diff --git a/bitnami/thanos/templates/bucketweb/deployment.yaml b/bitnami/thanos/templates/bucketweb/deployment.yaml index 2cc05b581610d9..8db7732531642e 100644 --- a/bitnami/thanos/templates/bucketweb/deployment.yaml +++ b/bitnami/thanos/templates/bucketweb/deployment.yaml 
@@ -130,43 +130,43 @@ spec: protocol: TCP {{- if .Values.bucketweb.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.bucketweb.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.bucketweb.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.bucketweb.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.bucketweb.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.bucketweb.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.bucketweb.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/compactor/deployment.yaml b/bitnami/thanos/templates/compactor/deployment.yaml index 74a02c0fefb04f..0c465101d87acb 100644 --- a/bitnami/thanos/templates/compactor/deployment.yaml +++ b/bitnami/thanos/templates/compactor/deployment.yaml 
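Review bot: The new guard `{{- if not .Values.https.basicAuthUsers }}` reads a key that values.yaml does not define; the users map lives under `auth.basicAuthUsers`. As written the condition is always true, so the `tcpSocket` branch is never rendered. The unauthenticated `httpGet` probe therefore stays in place when basic auth is enabled, where it would presumably be answered with 401 and fail. All three probes in this hunk need `{{- if not .Values.auth.basicAuthUsers }}`, and the same line appears in the compactor, query-frontend, query, receive-distributor, receive, ruler and sharded storegateway hunks of this patch. Separately, a `tcpSocket` probe only shows that the port accepts connections, not that `/-/ready` reports ready, which is worth stating in the README.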
@@ -145,43 +145,43 @@ spec: protocol: TCP {{- if .Values.compactor.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.compactor.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.compactor.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.compactor.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.compactor.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.compactor.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/query-frontend/deployment.yaml b/bitnami/thanos/templates/query-frontend/deployment.yaml index 2fa7f71daabd2a..676b5f7acc3228 100644 --- a/bitnami/thanos/templates/query-frontend/deployment.yaml +++ b/bitnami/thanos/templates/query-frontend/deployment.yaml 
@@ -130,43 +130,43 @@ spec: protocol: TCP {{- if .Values.queryFrontend.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.queryFrontend.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.queryFrontend.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.queryFrontend.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.queryFrontend.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.queryFrontend.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/query/deployment.yaml b/bitnami/thanos/templates/query/deployment.yaml index 820e5d15b7ee28..11d599049e6a61 100644 --- a/bitnami/thanos/templates/query/deployment.yaml +++ b/bitnami/thanos/templates/query/deployment.yaml 
@@ -179,43 +179,43 @@ spec: protocol: TCP {{- if .Values.query.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.query.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.query.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.query.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.query.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.query.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.query.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/receive-distributor/deployment.yaml b/bitnami/thanos/templates/receive-distributor/deployment.yaml index 6af8f56e91c48e..35ee1b5c960ea8 100644 --- a/bitnami/thanos/templates/receive-distributor/deployment.yaml +++ b/bitnami/thanos/templates/receive-distributor/deployment.yaml 
@@ -150,43 +150,43 @@ spec: protocol: TCP {{- if .Values.receiveDistributor.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receiveDistributor.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.receiveDistributor.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receiveDistributor.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.receiveDistributor.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receiveDistributor.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receiveDistributor.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/receive/statefulset.yaml b/bitnami/thanos/templates/receive/statefulset.yaml index 49a4fbd5ff06b3..f4d70352ab78d1 100644 --- a/bitnami/thanos/templates/receive/statefulset.yaml +++ b/bitnami/thanos/templates/receive/statefulset.yaml 
@@ -190,43 +190,43 @@ spec: protocol: TCP {{- if .Values.receive.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receive.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.receive.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receive.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.receive.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.receive.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.receive.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/ruler/statefulset.yaml b/bitnami/thanos/templates/ruler/statefulset.yaml index 52c93e583291d6..c2991764fb968c 100644 --- a/bitnami/thanos/templates/ruler/statefulset.yaml +++ b/bitnami/thanos/templates/ruler/statefulset.yaml 
@@ -172,43 +172,43 @@ spec: protocol: TCP {{- if .Values.ruler.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.ruler.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.ruler.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.ruler.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.ruler.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.ruler.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ruler.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml index e354e5f2b3b132..3f392355d6a76e 100644 --- a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml +++ b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml 
@@ -200,43 +200,43 @@ spec: protocol: TCP {{- if $.Values.storegateway.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not $.Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} - {{- if $.Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" $ }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if $.Values.storegateway.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if $.Values.storegateway.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not $.Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} - {{- if $.Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" $ }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if $.Values.storegateway.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if $.Values.storegateway.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not $.Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" $.Values.https.enabled }} - {{- if $.Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include 
"thanos.basicAuth" $ }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if $.Values.storegateway.customReadinessProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" $.Values.storegateway.customStartupProbe "context" $) | nindent 12 }} {{- end }} diff --git a/bitnami/thanos/templates/storegateway/statefulset.yaml b/bitnami/thanos/templates/storegateway/statefulset.yaml index 34983059bfcd2f..2b906b61a9363b 100644 --- a/bitnami/thanos/templates/storegateway/statefulset.yaml +++ b/bitnami/thanos/templates/storegateway/statefulset.yaml 
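Review bot: The startup probe's fallback branch `{{- else if $.Values.storegateway.customReadinessProbe }}` tests the readiness key but renders `$.Values.storegateway.customStartupProbe`. A user who sets only `customStartupProbe` therefore gets no startup probe, and one who sets only `customReadinessProbe` gets a `startupProbe:` key rendered from an unset value, presumably empty. The line is unchanged context in this hunk, so the commit carries it forward. It should read `{{- else if $.Values.storegateway.customStartupProbe }}`, as the non-sharded storegateway/statefulset.yaml hunk already does.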
@@ -165,48 +165,43 @@ spec: protocol: TCP {{- if .Values.storegateway.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/healthy port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.storegateway.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customLivenessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.storegateway.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.storegateway.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customReadinessProbe "context" $) | nindent 12 }} {{- end }} {{- if .Values.storegateway.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.startupProbe "enabled") "context" $) | nindent 12 }} + {{- if not .Values.https.basicAuthUsers }} httpGet: path: /-/ready port: http scheme: {{ ternary "HTTPS" "HTTP" .Values.https.enabled }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . 
}} - {{- end }} - {{- if .Values.auth.basicAuthUsers }} - httpHeaders: - - name: Authorization - value: Basic {{ include "thanos.basicAuth" . }} - {{- end }} + {{- else }} + tcpSocket: + port: http + {{- end }} {{- else if .Values.storegateway.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.storegateway.customStartupProbe "context" $) | nindent 12 }} {{- end }} From 7a0d83a33c972020572a8786051bc62a095ecf80 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Wed, 14 Sep 2022 11:19:41 +0200 Subject: [PATCH 7/7] Fix typo Signed-off-by: Miguel Ruiz --- bitnami/thanos/templates/_helpers.tpl | 11 ----------- bitnami/thanos/templates/bucketweb/deployment.yaml | 6 +++--- bitnami/thanos/templates/compactor/deployment.yaml | 6 +++--- .../thanos/templates/query-frontend/deployment.yaml | 6 +++--- bitnami/thanos/templates/query/deployment.yaml | 6 +++--- .../templates/receive-distributor/deployment.yaml | 6 +++--- bitnami/thanos/templates/receive/statefulset.yaml | 6 +++--- bitnami/thanos/templates/ruler/statefulset.yaml | 6 +++--- .../templates/storegateway/statefulset-sharded.yaml | 6 +++--- .../thanos/templates/storegateway/statefulset.yaml | 6 +++--- 10 files changed, 27 insertions(+), 38 deletions(-) diff --git a/bitnami/thanos/templates/_helpers.tpl b/bitnami/thanos/templates/_helpers.tpl index ba93271600948e..c63b5e6dd2bcb6 100644 --- a/bitnami/thanos/templates/_helpers.tpl +++ b/bitnami/thanos/templates/_helpers.tpl 
@@ -99,17 +99,6 @@ Return true if a secret object should be created {{- end -}} {{- end -}} -{{/* -Returns Thanos basic auth user and password for the HTTP request. -*/}} -{{- define "thanos.basicAuth" -}} -{{- if .Values.auth.basicAuthUsers -}} -{{- $username := .Values.auth.basicAuthUsers | keys | first -}} -{{- $password := get .Values.auth.basicAuthUsers $username -}} -{{ printf "%s:%s" $username $password | b64enc }} -{{- end -}} -{{- end -}} - {{/* Return a YAML of either .Values.query or .Values.querier If .Values.querier is used, we merge in the defaults from .Values.query, giving preference to .Values.querier diff --git a/bitnami/thanos/templates/bucketweb/deployment.yaml b/bitnami/thanos/templates/bucketweb/deployment.yaml index 8db7732531642e..a8a28f65d885cd 100644 --- a/bitnami/thanos/templates/bucketweb/deployment.yaml +++ b/bitnami/thanos/templates/bucketweb/deployment.yaml @@ -130,7 +130,7 @@ spec: protocol: TCP {{- if .Values.bucketweb.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.livenessProbe "enabled") "context" $) | nindent 12 }} - {{- if not .Values.https.basicAuthUsers }} + {{- if not .Values.auth.basicAuthUsers }} httpGet: path: /-/healthy port: http @@ -144,7 +144,7 @@ spec: {{- end }} {{- if .Values.bucketweb.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.readinessProbe "enabled") "context" $) | nindent 12 }} - {{- if not .Values.https.basicAuthUsers }} + {{- if not .Values.auth.basicAuthUsers }} httpGet: path: /-/ready port: http @@ -158,7 +158,7 @@ spec: {{- end }} {{- if .Values.bucketweb.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.bucketweb.startupProbe "enabled") "context" $) | nindent 12 }} - {{- if not .Values.https.basicAuthUsers }} + {{- if not .Values.auth.basicAuthUsers }} httpGet: path: /-/ready port: http 
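Review bot: The corrected guard `{{- if not .Values.auth.basicAuthUsers }}` only sees users declared through chart values. PATCH 1/7 on this page also accepts an HTTP config through `existingHttpConfigSecret` or a raw `httpConfig` (assuming the later patches kept both), and basic auth supplied that way still gets the unauthenticated `httpGet` probe, which would presumably be answered with 401 and keep the pod unready or restarting. Either document that such deployments must disable the default probes and set `customLivenessProbe`, `customReadinessProbe` and `customStartupProbe`, or key the fallback on an explicit value rather than on `basicAuthUsers` alone. The same guard is repeated in every workload template this patch touches.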
diff --git a/bitnami/thanos/templates/compactor/deployment.yaml b/bitnami/thanos/templates/compactor/deployment.yaml
index 0c465101d87acb..a43ddeb925217d 100644
--- a/bitnami/thanos/templates/compactor/deployment.yaml
+++ b/bitnami/thanos/templates/compactor/deployment.yaml
@@ -145,7 +145,7 @@ spec:
 protocol: TCP
 {{- if .Values.compactor.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -159,7 +159,7 @@ spec:
 {{- end }}
 {{- if .Values.compactor.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -173,7 +173,7 @@ spec:
 {{- end }}
 {{- if .Values.compactor.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.compactor.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/query-frontend/deployment.yaml b/bitnami/thanos/templates/query-frontend/deployment.yaml
index 676b5f7acc3228..d096b56395cc61 100644
--- a/bitnami/thanos/templates/query-frontend/deployment.yaml
+++ b/bitnami/thanos/templates/query-frontend/deployment.yaml
@@ -130,7 +130,7 @@ spec:
 protocol: TCP
 {{- if .Values.queryFrontend.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -144,7 +144,7 @@ spec:
 {{- end }}
 {{- if .Values.queryFrontend.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -158,7 +158,7 @@ spec:
 {{- end }}
 {{- if .Values.queryFrontend.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.queryFrontend.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/query/deployment.yaml b/bitnami/thanos/templates/query/deployment.yaml
index 11d599049e6a61..1da69c22652d58 100644
--- a/bitnami/thanos/templates/query/deployment.yaml
+++ b/bitnami/thanos/templates/query/deployment.yaml
@@ -179,7 +179,7 @@ spec:
 protocol: TCP
 {{- if .Values.query.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -193,7 +193,7 @@ spec:
 {{- end }}
 {{- if .Values.query.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -207,7 +207,7 @@ spec:
 {{- end }}
 {{- if .Values.query.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.query.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/receive-distributor/deployment.yaml b/bitnami/thanos/templates/receive-distributor/deployment.yaml
index 35ee1b5c960ea8..f6abdbba2465fc 100644
--- a/bitnami/thanos/templates/receive-distributor/deployment.yaml
+++ b/bitnami/thanos/templates/receive-distributor/deployment.yaml
@@ -150,7 +150,7 @@ spec:
 protocol: TCP
 {{- if .Values.receiveDistributor.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -164,7 +164,7 @@ spec:
 {{- end }}
 {{- if .Values.receiveDistributor.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -178,7 +178,7 @@ spec:
 {{- end }}
 {{- if .Values.receiveDistributor.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receiveDistributor.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/receive/statefulset.yaml b/bitnami/thanos/templates/receive/statefulset.yaml
index f4d70352ab78d1..25ce8a925f26ee 100644
--- a/bitnami/thanos/templates/receive/statefulset.yaml
+++ b/bitnami/thanos/templates/receive/statefulset.yaml
@@ -190,7 +190,7 @@ spec:
 protocol: TCP
 {{- if .Values.receive.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -204,7 +204,7 @@ spec:
 {{- end }}
 {{- if .Values.receive.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -218,7 +218,7 @@ spec:
 {{- end }}
 {{- if .Values.receive.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.receive.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/ruler/statefulset.yaml b/bitnami/thanos/templates/ruler/statefulset.yaml
index c2991764fb968c..3156ea50ba6c13 100644
--- a/bitnami/thanos/templates/ruler/statefulset.yaml
+++ b/bitnami/thanos/templates/ruler/statefulset.yaml
@@ -172,7 +172,7 @@ spec:
 protocol: TCP
 {{- if .Values.ruler.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -186,7 +186,7 @@ spec:
 {{- end }}
 {{- if .Values.ruler.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -200,7 +200,7 @@ spec:
 {{- end }}
 {{- if .Values.ruler.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.ruler.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml
index 3f392355d6a76e..efc04f576c301c 100644
--- a/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml
+++ b/bitnami/thanos/templates/storegateway/statefulset-sharded.yaml
@@ -200,7 +200,7 @@ spec:
 protocol: TCP
 {{- if $.Values.storegateway.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not $.Values.https.basicAuthUsers }}
+ {{- if not $.Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -214,7 +214,7 @@ spec:
 {{- end }}
 {{- if $.Values.storegateway.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not $.Values.https.basicAuthUsers }}
+ {{- if not $.Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -228,7 +228,7 @@ spec:
 {{- end }}
 {{- if $.Values.storegateway.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit $.Values.storegateway.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not $.Values.https.basicAuthUsers }}
+ {{- if not $.Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
diff --git a/bitnami/thanos/templates/storegateway/statefulset.yaml b/bitnami/thanos/templates/storegateway/statefulset.yaml
index 2b906b61a9363b..2190684700710e 100644
--- a/bitnami/thanos/templates/storegateway/statefulset.yaml
+++ b/bitnami/thanos/templates/storegateway/statefulset.yaml
@@ -165,7 +165,7 @@ spec:
 protocol: TCP
 {{- if .Values.storegateway.livenessProbe.enabled }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.livenessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/healthy
 port: http
@@ -179,7 +179,7 @@ spec:
 {{- end }}
 {{- if .Values.storegateway.readinessProbe.enabled }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.readinessProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http
@@ -193,7 +193,7 @@ spec:
 {{- end }}
 {{- if .Values.storegateway.startupProbe.enabled }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.storegateway.startupProbe "enabled") "context" $) | nindent 12 }}
- {{- if not .Values.https.basicAuthUsers }}
+ {{- if not .Values.auth.basicAuthUsers }}
 httpGet:
 path: /-/ready
 port: http