Commit 400708df authored by Matt Jibson's avatar Matt Jibson Committed by Julius Volz

Correct TLS configuration

parent 1d8daeac
...@@ -88,13 +88,11 @@ If the targets require authentication, the following options are available: ...@@ -88,13 +88,11 @@ If the targets require authentication, the following options are available:
* `basic_auth` - sets the `Authorization` header on every scrape request with the * `basic_auth` - sets the `Authorization` header on every scrape request with the
configured username and password. configured username and password.
* `client_cert` - configures the scrape request to use
[mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication) with the
configured certificate and key.
* `bearer_token` - sets the `Authorization` header on every scrape request with * `bearer_token` - sets the `Authorization` header on every scrape request with
the configured bearer token. the configured bearer token.
* `bearer_token_file` - sets the `Authorization` header on every scrape request * `bearer_token_file` - sets the `Authorization` header on every scrape request
with the bearer token read from the configured file. with the bearer token read from the configured file.
* `tls_config` - configures the scrape request's TLS settings.
See below for the configuration of these authentication options. See below for the configuration of these authentication options.
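Review bot: the list is introduced as authentication options, but the new `tls_config` bullet only says it "configures the scrape request's TLS settings" and drops the mutual TLS reference that the removed `client_cert` bullet carried. Since the block also holds the CA file and the verification switch, say so here, e.g. "`tls_config` - configures the scrape request's TLS settings, including the CA used to verify the target and an optional client certificate and key for [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication)", so readers looking for client certificate authentication still find it.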
...@@ -141,17 +139,16 @@ basic_auth: ...@@ -141,17 +139,16 @@ basic_auth:
[ username: <string> ] [ username: <string> ]
[ password: <string> ] [ password: <string> ]
# Optional client certificate authentication information.
client_cert:
[ cert: /path/to/cert/file ]
[ key: /path/to/key/file ]
# Optional bearer token authentication information. # Optional bearer token authentication information.
[ bearer_token: <string> ] [ bearer_token: <string> ]
# Optional bearer token file authentication information. # Optional bearer token file authentication information.
[ bearer_token_file: /path/to/bearer/token/file ] [ bearer_token_file: /path/to/bearer/token/file ]
# Optional TLS configuration.
tls_config:
[ <tls_config> ]
# List of DNS service discovery configurations. # List of DNS service discovery configurations.
dns_sd_configs: dns_sd_configs:
[ - <dns_sd_config> ... ] [ - <dns_sd_config> ... ]
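Review bot: the comment `# Optional TLS configuration.` replaces `# Optional client certificate authentication information.` but no longer tells the reader that client certificate authentication moved here; a one-line hint such as `# Optional TLS configuration (CA, client certificate/key, verification).` keeps the scrape config section self-describing for anyone who previously used `client_cert:`.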
...@@ -190,6 +187,23 @@ Where `<scheme>` may be `http` or `https` and `<path>` is a valid URL path. ...@@ -190,6 +187,23 @@ Where `<scheme>` may be `http` or `https` and `<path>` is a valid URL path.
regex `[a-zA-Z_][a-zA-Z0-9_-]`. regex `[a-zA-Z_][a-zA-Z0-9_-]`.
### TLS configuration `<tls_config>`
A `tls_config` allows configuring TLS connections.
```
# CA certificate to validate API server certificate with.
[ ca_file: <filename> ]
# Certificate and key files for client cert authentication to the server.
[ cert_file: <filename> ]
[ key_file: <filename> ]
# Disable validation of the server certificate.
[ insecure_skip_verify: <boolean> ]
```
### Target groups `<target_group>` ### Target groups `<target_group>`
A `target_group` allows specifying a list of targets and a common label set for them. A `target_group` allows specifying a list of targets and a common label set for them.
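Review bot: in this generic section the comment `# CA certificate to validate API server certificate with.` still refers to the Kubernetes API server it was copied from; for a shared `<tls_config>` it should read `# CA certificate to validate the server certificate with.` Also, `[ insecure_skip_verify: <boolean> ]` should document its default in the style this file already uses (`| default = false`, compare `retry_interval: <duration> | default = 1s`), and the comment should state that setting it to true disables server authentication entirely, so the connection is encrypted but the peer is unverified; that is the kind of option operators need flagged rather than described neutrally as "Disable validation of the server certificate."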
...@@ -319,13 +333,6 @@ masters: ...@@ -319,13 +333,6 @@ masters:
# token file at /var/run/secrets/kubernetes.io/serviceaccount/ in the pod. # token file at /var/run/secrets/kubernetes.io/serviceaccount/ in the pod.
[ in_cluster: <boolean> ] [ in_cluster: <boolean> ]
# CA certificate to validate API server certificate with. If running in a pod,
# then it is best to use a service account and set in_cluster to true.
[ ca_file: <filename> ]
# Disable validation of the API server certificate. If running in a pod, then it
# is best to use a service account and set in_cluster to true.
[ insecure: <boolean> ]
# The kubelet port to scrape metrics from. This will normally be the read-only # The kubelet port to scrape metrics from. This will normally be the read-only
# port of 10255 (default). # port of 10255 (default).
[ kubelet_port: <int> ] [ kubelet_port: <int> ]
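Review bot: removing `[ insecure: <boolean> ]` here while the new shared block exposes it as `insecure_skip_verify` is a rename of a user-facing key, and the commit message "Correct TLS configuration" does not mention it. Add a migration note (in the docs or changelog) telling users that `insecure: true` must become `tls_config: { insecure_skip_verify: true }`, and that `ca_file` likewise moves under `tls_config`; otherwise an existing config that set `insecure` silently loses the setting and the failure mode is a confusing certificate error rather than a clear message.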
...@@ -339,9 +346,10 @@ masters: ...@@ -339,9 +346,10 @@ masters:
[ username: <string> ] [ username: <string> ]
[ password: <string> ] [ password: <string> ]
# Certificate and key files for client cert authentication to the API server. # TLS configuration. If running in a pod, then it is best to use a service
[ cert_file: <string> ] # account and set in_cluster to true.
[ key_file: <filename> ] tls_config:
[ <tls_config> ]
# Retry interval between watches if they disconnect. # Retry interval between watches if they disconnect.
[ retry_interval: <duration> | default = 1s ] [ retry_interval: <duration> | default = 1s ]
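Review bot: the new comment `# TLS configuration. If running in a pod, then it is best to use a service account and set in_cluster to true.` now applies to the whole `tls_config` block, but nothing says how it interacts with `in_cluster: true`, which the earlier hunk describes as using the service account token and CA from the pod. State the precedence in one sentence (for example, whether `tls_config` settings are ignored, merged, or override the in-cluster CA) so users do not end up with an unexpected trust root. On the plus side, folding `cert_file: <string>` / `key_file: <filename>` into the shared block removes the inconsistent placeholder types.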