Correct TLS configuration

400708df · Matt Jibson · Julius Volz · 1d8daeac · 400708df
Commit 400708df authored Sep 23, 2015 by Matt Jibson Committed by Julius Volz Oct 09, 2015
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 18 deletions

configuration.md content/docs/operating/configuration.md +26 -18

No files found.
--- a/content/docs/operating/configuration.md
+++ b/content/docs/operating/configuration.md
@@ -88,13 +88,11 @@ If the targets require authentication, the following options are available:

 * `basic_auth` - sets the `Authorization` header on every scrape request with the
 configured username and password.
-* `client_cert` - configures the scrape request to use
-[mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication) with the
-configured certificate and key.
 * `bearer_token` - sets the `Authorization` header on every scrape request with
 the configured bearer token.
 * `bearer_token_file` - sets the `Authorization` header on every scrape request
 with the bearer token read from the configured file.
+* `tls_config` - configures the scrape request's TLS settings.

 See below for the configuration of these authentication options.

@@ -141,17 +139,16 @@ basic_auth:
  [ username: <string> ]
  [ password: <string> ]

-# Optional client certificate authentication information.
-client_cert:
-  [ cert: /path/to/cert/file ]
-  [ key: /path/to/key/file ]
-
 # Optional bearer token authentication information.
 [ bearer_token: <string> ]

 # Optional bearer token file authentication information.
 [ bearer_token_file: /path/to/bearer/token/file ]

+# Optional TLS configuration.
+tls_config:
+  [ <tls_config> ]
+
 # List of DNS service discovery configurations.
 dns_sd_configs:
  [ - <dns_sd_config> ... ]
@@ -190,6 +187,23 @@ Where `<scheme>` may be `http` or `https` and `<path>` is a valid URL path.
 regex `[a-zA-Z_][a-zA-Z0-9_-]`.


+### TLS configuration `<tls_config>`
+
+A `tls_config` allows configuring TLS connections.
+
+```
+# CA certificate to validate API server certificate with.
+[ ca_file: <filename> ]
+
+# Certificate and key files for client cert authentication to the server.
+[ cert_file: <filename> ]
+[ key_file: <filename> ]
+
+# Disable validation of the server certificate.
+[ insecure_skip_verify: <boolean> ]
+```
+
+
 ### Target groups `<target_group>`

 A `target_group` allows specifying a list of targets and a common label set for them.
@@ -319,13 +333,6 @@ masters:
 # token file at /var/run/secrets/kubernetes.io/serviceaccount/ in the pod.
 [ in_cluster: <boolean> ]

-# CA certificate to validate API server certificate with. If running in a pod,
-# then it is best to use a service account and set in_cluster to true.
-[ ca_file: <filename> ]
-# Disable validation of the API server certificate. If running in a pod, then it
-# is best to use a service account and set in_cluster to true.
-[ insecure: <boolean> ]
-
 # The kubelet port to scrape metrics from. This will normally be the read-only
 # port of 10255 (default).
 [ kubelet_port: <int> ]
@@ -339,9 +346,10 @@ masters:
 [ username: <string> ]
 [ password: <string> ]

-# Certificate and key files for client cert authentication to the API server.
-[ cert_file: <string> ]
-[ key_file: <filename> ]
+# TLS configuration. If running in a pod, then it is best to use a service
+# account and set in_cluster to true.
+tls_config:
+  [ <tls_config> ]

 # Retry interval between watches if they disconnect.
 [ retry_interval: <duration> | default = 1s ]