5 changes: 5 additions & 0 deletions build/apply-certs.sh
Expand Up @@ -29,6 +29,7 @@ NAMESPACE="$2"
WORKSPACE=$(echo "${CONTEXT}" | tr ':/' '_')
CLIENTS_CERTS_DIR="$DIR/workspace/$WORKSPACE/client_certs_dir"
NODE_CERTS_DIR="$DIR/workspace/$WORKSPACE/node_certs_dir"
PROMETHEUS_CERTS_DIR="$DIR/workspace/$WORKSPACE/prometheus_certs_dir"
CA_KEY_DIR="$DIR/workspace/$WORKSPACE/ca_key_dir"
CA_CRT_DIR="$DIR/workspace/$WORKSPACE/ca_certs_dir"
JWT_PUBLIC_CERTS_DIR="$DIR/jwt-public-certs"
Expand All @@ -43,6 +44,8 @@ kubectl delete secret cockroachdb.node --namespace "$NAMESPACE" --context "$CON
kubectl delete secret cockroachdb.ca.crt --namespace "$NAMESPACE" --context "$CONTEXT" || true
kubectl delete secret cockroachdb.ca.key --namespace "$NAMESPACE" --context "$CONTEXT" || true
kubectl delete secret dss.public.certs --namespace "$NAMESPACE" --context "$CONTEXT" || true
kubectl delete secret monitoring.grafana.certs --namespace "$NAMESPACE" --context "$CONTEXT" || true
kubectl delete secret monitoring.prometheus.certs --namespace "$NAMESPACE" --context "$CONTEXT" || true

kubectl create secret generic cockroachdb.client.root --namespace default --from-file "$CLIENTS_CERTS_DIR" --context "$CONTEXT"
if [[ $NAMESPACE != "default" ]]; then
Expand All @@ -57,6 +60,8 @@ $UPLOAD_CA_KEY && kubectl create secret generic cockroachdb.ca.key --namespace "
# This secret is kept for backward compatibility.
kubectl create secret generic cockroachdb.ca.crt --namespace "$NAMESPACE" --from-file "$CA_CRT_DIR" --context "$CONTEXT"
kubectl create secret generic dss.public.certs --namespace "$NAMESPACE" --from-file "$JWT_PUBLIC_CERTS_DIR" --context "$CONTEXT"
kubectl create secret generic monitoring.grafana.certs --namespace "$NAMESPACE" --from-file "$CLIENTS_CERTS_DIR" --context "$CONTEXT"
kubectl create secret generic monitoring.prometheus.certs --namespace "$NAMESPACE" --from-file "$PROMETHEUS_CERTS_DIR" --context "$CONTEXT"

echo '========================================================================='
echo '= Secrets uploaded successfully. ='
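Review bot: The new `kubectl create secret generic monitoring.grafana.certs … --from-file "$CLIENTS_CERTS_DIR"` line packages the entire client certs directory, which is the same directory `cockroachdb.client.root` is built from earlier in this file, so the Grafana pod receives the CockroachDB root client's private key next to its own key. Only Grafana's own key pair and the CA cert should land in that secret, e.g. `--from-file=ca.crt="$CLIENTS_CERTS_DIR/ca.crt" --from-file=client.grafana.crt="$CLIENTS_CERTS_DIR/client.grafana.crt" --from-file=client.grafana.key="$CLIENTS_CERTS_DIR/client.grafana.key"`, or make-certs.py should write the Grafana client cert into a directory of its own. The `client.grafana.*` file names are inferred from the `cockroach cert create-client grafana` call in make-certs.py and from the `client.` comment in cluster.py; confirm them before relying on the filter.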
39 changes: 38 additions & 1 deletion build/make-certs.py
Expand Up @@ -54,6 +54,10 @@ def client_certs_dir(self):
def node_certs_dir(self):
return os.path.join(self.directory, "node_certs_dir")

@property
def prometheus_certs_dir(self):
return os.path.join(self.directory, "prometheus_certs_dir")


def parse_args():
parser = argparse.ArgumentParser(
Expand Down Expand Up @@ -115,8 +119,10 @@ def main():
# Delete and recreate the directories.
shutil.rmtree(cr.node_certs_dir, ignore_errors=True)
shutil.rmtree(cr.client_certs_dir, ignore_errors=True)
shutil.rmtree(cr.prometheus_certs_dir, ignore_errors=True)
os.mkdir(cr.client_certs_dir)
os.mkdir(cr.node_certs_dir)
os.mkdir(cr.prometheus_certs_dir)

if create_ca:
# Create the CA.
Expand All @@ -135,6 +141,7 @@ def main():
# Copy out the CA cert for generation, we delete these copies later.
shutil.copy(cr.ca_certs_file, cr.client_certs_dir)
shutil.copy(cr.ca_certs_file, cr.node_certs_dir)
shutil.copy(cr.ca_certs_file, cr.prometheus_certs_dir)

# We slightly abuse the rotate certs feature:
# https://www.cockroachlabs.com/docs/stable/rotate-certificates.html
Expand All @@ -160,7 +167,20 @@ def main():
]
)

print("Created new client certificate in {}".format(cr.client_certs_dir))
subprocess.check_call(
[
"cockroach",
"cert",
"create-client",
"grafana",
"--certs-dir",
cr.client_certs_dir,
"--ca-key",
cr.ca_key_file,
]
)

print("Created new clients certificate in {}".format(cr.client_certs_dir))

node_addresses = ["localhost"]
node_addresses.extend(args.node_address)
Expand Down Expand Up @@ -200,6 +220,23 @@ def main():

print("Created new node certificate in {}".format(cr.node_certs_dir))

node_addresses = ["prometheus"]

subprocess.check_call(
[
"cockroach",
"cert",
"create-node",
"--certs-dir",
cr.prometheus_certs_dir,
"--ca-key",
cr.ca_key_file,
]
+ node_addresses
)

print("Created new prometheus certificate in {}".format(cr.prometheus_certs_dir))
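Review bot: The Prometheus certificate produced by the new `"create-node"` call is a CockroachDB node certificate signed with the cluster CA key, so the key pair handed to the Prometheus pod carries node-level trust toward the database; CockroachDB identifies peer nodes by the certificate's `CN=node` rather than by its SANs, so the `prometheus` SAN does not narrow what the key can do. If the cert only has to serve Prometheus's own TLS endpoint, issuing it from a separate CA, or at least as a client cert via `"create-client"`, would avoid giving the monitoring pod a node identity; I am inferring the node-identity semantics from CockroachDB's cert conventions rather than from this hunk, so verify against how the cluster authenticates nodes. As a point of style, `node_addresses = ["prometheus"]` reuses the name that held the `--node-address` list a few lines up with a different meaning; `prometheus_addresses = ["prometheus"]` would read clearer. `main` starts outside this hunk.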


if __name__ == "__main__":
main()
4 changes: 4 additions & 0 deletions deploy/operations/certificates-management/apply.py
Expand Up @@ -35,6 +35,8 @@ def do_apply(cluster):
"yb-tserver-yugabyte-tls-cert",
"yugabyte-tls-client-cert",
"dss.public.certs",
"monitoring.grafana.certs",
"monitoring.prometheus.certs",
]:
try:
subprocess.check_call(
Expand All @@ -60,7 +62,9 @@ def do_apply(cluster):
for secret_name, folder in [
("yb-master-yugabyte-tls-cert", cluster.master_certs_dir),
("yb-tserver-yugabyte-tls-cert", cluster.tserver_certs_dir),
("monitoring.grafana.certs", cluster.client_certs_dir),
("yugabyte-tls-client-cert", cluster.client_certs_dir),
("monitoring.prometheus.certs", cluster.prometheus_certs_dir),
(
"dss.public.certs",
os.path.join("..", "..", "..", "build", "jwt-public-certs"),
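Review bot: The new `("monitoring.grafana.certs", cluster.client_certs_dir)` entry uploads the whole client certs folder, the same folder the `yugabyte-tls-client-cert` entry on the next line is built from, so each of those two secrets will also contain the other client's private key (cluster.py lists both `yugabyte` and `client.grafana` under `clients`), assuming the loop body below this hunk builds the secret from the folder. Each secret should hold only its own client key pair plus `ca.crt`: either give the Grafana cert its own output directory or pass an explicit file list for that entry instead of a folder. `do_apply` starts and ends outside this hunk.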
2 changes: 1 addition & 1 deletion deploy/operations/certificates-management/ca_pool.py
Expand Up @@ -71,7 +71,7 @@ def regenerate_ca_files(cluster):
shutil.copy(cluster.ca_pool_ca, cluster.client_ca)
shutil.copy(cluster.ca_cert_file, cluster.client_instance_ca)

for node_type in ["master", "tserver"]:
for node_type in ["master", "tserver", "prometheus"]:
shutil.copy(cluster.ca_pool_ca, getattr(cluster, f"{node_type}_ca"))

h = build_pool_hash(cluster)
33 changes: 32 additions & 1 deletion deploy/operations/certificates-management/cluster.py
Expand Up @@ -80,6 +80,14 @@ def tserver_certs_dir(self):
def tserver_ca(self):
return os.path.join(self.tserver_certs_dir, "ca.crt")

@property
def prometheus_certs_dir(self):
return os.path.join(self.directory, "prometheus")

@property
def prometheus_ca(self):
return os.path.join(self.prometheus_certs_dir, "ca.crt")

@property
def ca_pool_dir(self):
return os.path.join(self.directory, "ca_pool")
Expand All @@ -94,7 +102,10 @@ def is_ready(self):

@property
def clients(self):
return ["yugabyte"] # TODO: Do we need more, like a specifc one for the DSS?
return [
"yugabyte",
"client.grafana", # Grafana expects the 'client.'
] # TODO: Do we need more, like a specifc one for the DSS?

def get_client_cert_file(self, client):
return f"{self.client_certs_dir}/{client}.crt"
Expand All @@ -108,13 +119,22 @@ def get_client_csr_file(self, client):
def get_client_conf_file(self, client):
return f"{self.ca_key_dir}/client.{client}.conf"

def get_client_ca_file(self, client):
return f"{self.client_certs_dir}/ca.crt"

def is_client_ready(self, client):
return os.path.exists(self.get_client_cert_file(client))

def get_node_short_name(self, node_type, node_id):
if node_type == "prometheus":
return "prometheus"

return f"yb-{node_type}-{node_id}"

def get_node_short_name_group(self, node_type, node_id):
if node_type == "prometheus":
return "prometheus"

short_name = self.get_node_short_name(node_type, node_id)
return f"{short_name}.yb-{node_type}s"

Expand All @@ -134,11 +154,19 @@ def get_node_public_address(self, node_type, node_id):
def get_node_cert_file(self, node_type, node_id):
folder = getattr(self, f"{node_type}_certs_dir")
full_name = self.get_node_full_name(node_type, node_id)

if node_type == "prometheus":
return f"{folder}/node.crt"

return f"{folder}/node.{full_name}.crt"

def get_node_key_file(self, node_type, node_id):
folder = getattr(self, f"{node_type}_certs_dir")
full_name = self.get_node_full_name(node_type, node_id)

if node_type == "prometheus":
return f"{folder}/node.key"

return f"{folder}/node.{full_name}.key"

def get_node_cert_second_file(self, node_type, node_id):
Expand All @@ -157,6 +185,9 @@ def get_node_csr_file(self, node_type, node_id):
full_name = self.get_node_full_name(node_type, node_id)
return f"{self.ca_key_dir}/node.{full_name}.csr"

def get_node_ca_file(self, node_type, node_id):
return f"{self.ca_key_dir}/ca.crt"

def get_node_conf_file(self, node_type, node_id):
full_name = self.get_node_full_name(node_type, node_id)
return f"{self.ca_key_dir}/node.{full_name}.conf"
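Review bot: The new `get_node_ca_file` returns `{self.ca_key_dir}/ca.crt` for every node type and ignores both arguments, while ca_pool.py in this same change copies the CA pool file into the per-node-type `prometheus_ca` / `master_ca` / `tserver_ca` paths; if callers use `get_node_ca_file` as the trust anchor, the pool (which presumably carries the previous CA during rotation) is bypassed for the single current CA. Returning `getattr(self, f"{node_type}_ca")` would make the helper agree with what ca_pool.py populates; `get_client_ca_file` likewise ignores `client`, which is fine only if every client shares one trust file, so a one-line comment saying so would help. The `"client.grafana"` entry in `clients` will also produce paths such as `client.client.grafana.conf` through `get_client_conf_file` and, unless the generator strips the prefix, becomes the certificate's subject name; a comment naming the database role it is meant to match would make that deliberate. The class header is outside this hunk, so I cannot see how these helpers are consumed.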
1 change: 1 addition & 0 deletions deploy/operations/certificates-management/init.py
Expand Up @@ -107,6 +107,7 @@ def make_directories(cluster):
os.mkdir(cluster.ca_key_dir)
os.mkdir(cluster.master_certs_dir)
os.mkdir(cluster.tserver_certs_dir)
os.mkdir(cluster.prometheus_certs_dir)
os.mkdir(cluster.client_certs_dir)
os.mkdir(cluster.ca_pool_dir)

2 changes: 2 additions & 0 deletions deploy/operations/certificates-management/nodes.py
Expand Up @@ -167,4 +167,6 @@ def do_generate_nodes(cluster):
for node_id in range(0, int(cluster.nodes_count)):
generate_node(cluster, node_type, node_id)

generate_node(cluster, "prometheus", "")

l.info("All nodes certificates are ready")
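Review bot: `generate_node(cluster, "prometheus", "")` passes an empty string where the loop above passes an int node_id; the prometheus branches in cluster.py switch on node_type only, but `get_node_csr_file` and `get_node_conf_file` still interpolate the id through `get_node_full_name`, which is not in this diff, so the resulting file names depend on how that helper treats `""`. A short comment such as `# prometheus is a singleton; node_id is ignored by the prometheus branches in Cluster` would make the sentinel intentional, and `generate_node` should confirm it copes with a non-int id. `do_generate_nodes` starts outside this hunk.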