diff --git a/docs/blackbox-exporter.md b/docs/blackbox-exporter.md
index cb40fd5f1bdf8943c0e446a2da295804672691c6..9136944d17b33c0c58d8a16c12aa61cf81d583fc 100644
--- a/docs/blackbox-exporter.md
+++ b/docs/blackbox-exporter.md
@@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de
 * `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with.
 * `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
 * `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
-* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`.
+* `_config.blackboxExporter.port`: the exposed HTTPS port of the exporter. This is where Prometheus should send the probe requests. Defaults to `9115`.
+* `_config.blackboxExporter.internalPort`: the internal plaintext port of the exporter. Not accessible from outside the pod. Defaults to `19115`.
 * `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`.
 * `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }`
 * `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter.
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet index 06599f9474f1636ac4eb687ce70c3509e18d2803..fcd2280bff785b506c973112290577daac566a19 100644 --- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet @@ -1,3 +1,5 @@ +local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet'; + { _config+:: { namespace: 'default', @@ -21,6 +23,7 @@ blackboxExporter: { port: 9115, + internalPort: 19115, replicas: 1, matchLabels: { 'app.kubernetes.io/name': 'blackbox-exporter', @@ -121,9 +124,13 @@ { name: 'blackbox-exporter', image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter, + args: [ + '--config.file=/etc/blackbox_exporter/config.yml', + '--web.listen-address=:%d' % bb.internalPort, + ], ports: [{ name: 'http', - containerPort: bb.port, + containerPort: bb.internalPort, }], resources: { requests: $._config.resources['blackbox-exporter'].requests, @@ -146,7 +153,7 @@ name: 'module-configmap-reloader', image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader, args: [ - '--webhook-url=http://localhost:' + bb.port + '/-/reload', + '--webhook-url=http://localhost:%d/-/reload' % bb.internalPort, '--volume-dir=/etc/blackbox_exporter/', ], resources: { @@ -208,5 +215,18 @@ }, }, }, - }, + } + + (kubeRbacProxyContainer { + config+:: { + kubeRbacProxy: { + image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy, + name: 'kube-rbac-proxy', + securePortName: 'https', + securePort: bb.port, + secureListenAddress: ':%d' % self.securePort, + upstream: 'http://127.0.0.1:%d/' % bb.internalPort, + tlsCipherSuites: $._config.tlsCipherSuites, + }, + }, + }).deploymentMixin, } 
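Review bot: `'--web.listen-address=:%d' % bb.internalPort` binds the plaintext exporter to every interface of the pod, so the unauthenticated port 19115 remains reachable at the pod IP from inside the cluster whatever `ports:` lists — `containerPort` is informational and does not restrict access — which contradicts the doc hunk's claim that the internal port is "not accessible from outside the pod" and means kube-rbac-proxy can be bypassed. Both in-pod consumers already talk to loopback (`--webhook-url=http://localhost:…` in the reloader hunk and `upstream: 'http://127.0.0.1:%d/'` in the proxy hunk), so bind the exporter there as well: `'--web.listen-address=127.0.0.1:%d' % bb.internalPort`. The same line appears as `--web.listen-address=:19115` in the first hunk of manifests/blackbox-exporter-deployment.yaml and would follow from regenerating. The enclosing container list and deployment object start and end outside this hunk.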
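Review bot: The kubeRbacProxy block passes no certificate configuration, so the proxy will serve a certificate it generates itself at start-up; the Prometheus `Probe`/scrape configuration pointed at `bb.port` therefore needs a matching `tlsConfig` (a CA it trusts, or an explicit decision to skip verification), and the doc hunk should say which. kube-rbac-proxy also authenticates callers via TokenReview and authorizes them via SubjectAccessReview on the request path, so the `blackbox-exporter` ServiceAccount needs permission to create those reviews and the Prometheus ServiceAccount needs `get` on the `/probe` non-resource URL; no RBAC change is visible in this diff, so presumably it is in another file — worth confirming. Finally, the container port named `http` now carries the plaintext 19115 port while the proxy's is named `https`; if the Service's `targetPort` still references `http` by name (not shown here), it would route around the proxy and should target `https`/`bb.port` instead. The deployment object this mixin is added to starts outside the hunk.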
diff --git a/manifests/blackbox-exporter-deployment.yaml b/manifests/blackbox-exporter-deployment.yaml
index c7874949a5c78925da97fba898979b37d645fe69..3a4bd821ac2ae49528e859cfba80e72feb62004b 100644
--- a/manifests/blackbox-exporter-deployment.yaml
+++ b/manifests/blackbox-exporter-deployment.yaml
@@ -18,10 +18,13 @@ spec:
 app.kubernetes.io/version: v0.18.0
 spec:
 containers:
- - image: quay.io/prometheus/blackbox-exporter:v0.18.0
+ - args:
+ - --config.file=/etc/blackbox_exporter/config.yml
+ - --web.listen-address=:19115
+ image: quay.io/prometheus/blackbox-exporter:v0.18.0
 name: blackbox-exporter
 ports:
- - containerPort: 9115
+ - containerPort: 19115
 name: http
 resources:
 limits:
@@ -38,7 +41,7 @@ spec:
 name: config
 readOnly: true
 - args:
- - --webhook-url=http://localhost:9115/-/reload
+ - --webhook-url=http://localhost:19115/-/reload
 - --volume-dir=/etc/blackbox_exporter/
 image: jimmidyson/configmap-reload:v0.4.0
 name: module-configmap-reloader
@@ -58,6 +61,18 @@ spec:
 - mountPath: /etc/blackbox_exporter/
 name: config
 readOnly: true
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:9115
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:19115/
+ image: quay.io/brancz/kube-rbac-proxy:v0.8.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 9115
+ name: https
+ securityContext:
+ runAsUser: 65534
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: blackbox-exporter