From 4e7e25c9223a224058ae590ad77891cce1fa651a Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Wed, 17 Feb 2021 13:00:12 -0800
Subject: [PATCH] Clarify Prometheus TLS settings. (#8962)

* Clarify Prometheus TLS settings.

* Update content/en/docs/ops/integrations/prometheus/index.md

Co-authored-by: Eric Van Norman

* Update content/en/docs/ops/integrations/prometheus/index.md

Co-authored-by: Eric Van Norman

* Update content/en/docs/ops/integrations/prometheus/index.md

Co-authored-by: Eric Van Norman

Co-authored-by: Eric Van Norman
---
 .../docs/ops/integrations/prometheus/index.md | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/content/en/docs/ops/integrations/prometheus/index.md b/content/en/docs/ops/integrations/prometheus/index.md
index d605236e17..6e6184a3da 100644
--- a/content/en/docs/ops/integrations/prometheus/index.md
+++ b/content/en/docs/ops/integrations/prometheus/index.md
@@ -107,30 +107,38 @@ The control plane, gateway, and Envoy sidecar metrics will all be scraped over p One way to provision Istio certificates for Prometheus is by injecting a sidecar which will rotate SDS certificates and output them to a volume that can be shared with Prometheus. However, the sidecar should not intercept requests for Prometheus because the Prometheus's model of direct endpoint access is incompatible with Istio's sidecar proxy model. -Add the following annotations to the Prometheus deployment to inject a sidecar that will write a certificate to a shared volume, but without configuring traffic redirection: +To achieve this, configure a cert volume mount on the Prometheus server container: + +{{< text yaml >}} +containers: + - name: prometheus-server + ... + volumeMounts: + mountPath: /etc/prom-certs/ + name: istio-certs +volumes: + - emptyDir: + medium: Memory + name: istio-certs +{{< /text >}} + +Then add the following annotations to the Prometheus deployment pod template, and deploy it with [sidecar injection](/docs/setup/additional-setup/sidecar-injection/). 
+This configures the sidecar to write a certificate to the shared volume, but without configuring traffic redirection: {{< text yaml >}} spec: template: metadata: annotations: - sidecar.istio.io/inject: "true" traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the given folder proxyMetadata: OUTPUT_CERTS: /etc/istio-output-certs - sidecar.istio.io/userVolume: '[{"name": "istio-certs", "emptyDir": {"medium":"Memory"}}]' # mount the shared volume - sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' + sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy {{< /text >}} -To use the provisioned certificate, mount the shared volume for the Prometheus container and set the scraping job TLS context as follow: - -{{< text yaml >}} -volumeMounts: -- mountPath: /etc/prom-certs/ - name: istio-certs -{{< /text >}} +Finally, set the scraping job TLS context as follows: {{< text yaml >}} scheme: https