# Example: Kubernetes Secret for TLS Certificates
# This file shows how to create a secret containing TLS certificates for sql-exporter
#
# There are multiple ways to create this secret:
# ============================================================================
# Method 1: kubectl create secret tls (Recommended - simplest)
# ============================================================================
# Kubernetes has a dedicated secret type for TLS that validates cert/key pairs:
#
# kubectl create secret tls sql-exporter-tls \
# --cert=path/to/your/certificate.crt \
# --key=path/to/your/private.key \
# --namespace=your-namespace
#
# This creates a kubernetes.io/tls secret type with standard tls.crt and tls.key keys.
#
# If you also need to include a CA certificate, use a generic secret instead:
#
# kubectl create secret generic sql-exporter-tls \
# --from-file=tls.crt=path/to/your/certificate.crt \
# --from-file=tls.key=path/to/your/private.key \
# --from-file=ca.crt=path/to/your/ca.crt \
# --namespace=your-namespace
#
# The TLS secret will typically look like this:
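---
# Secret holding the TLS certificate and private key for sql-exporter.
apiVersion: v1
kind: Secret
metadata:
  name: sql-exporter-tls
  namespace: default  # Change to your namespace
  labels:
    app: sql-exporter
# Opaque is the type `kubectl create secret generic` produces; it places no
# constraint on the keys under `data`, so a ca.crt entry can sit next to
# tls.crt and tls.key. `kubectl create secret tls` produces kubernetes.io/tls
# instead, which requires both tls.crt and tls.key to be present.
type: Opaque
# Values under `data` are base64-encoded, not encrypted: anyone who can read
# this manifest or the Secret object can recover the private key.
data:
  # Base64-encoded certificate (PEM format)
  # Replace this with your actual base64-encoded certificate
  tls.crt: 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
  # Base64-encoded private key (PEM format)
  # Replace this with your actual base64-encoded private key
  # The value below is a sample key published with this example: treat it as
  # publicly known and never serve traffic with it. Keep a filled-in copy of
  # this manifest, with a real key, out of version control.
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBczRzV040aGRodUZiUUNydWJxUHZjNDdCQ3dKUWZzaXllWjRPeDlnVFoxaVhTNEdpCmYvVFF0VGcwbTdMOERXSFlxN0RCTjgvMWdQM3YrcHh3QXhrdUh1SlB4NVpSV1FjUXZpSEw3aEpza0Z0azJZbWcKdkxRa3NuSlc4VEpTbXJHTW9MVnNuaEtpdFZkNG5TZldQTldUZFVHdEM1dGx3Mkh6am1JOFdWYmoyQlNKWi9YMwp0clM3TitSczhucWN3Z0pyZGMvVE43S2w3VW91akhMNksvRkRNY2JieW5tdFFucW9VZXBLN2svQ1R2SHludFNVCnBlSWQxblg0clRRZ2hEUUR6a2JINUpBN0paV3ZPeWFjcCtHRkkzTXc2TWZXTnhYNDJwZ1ZqTkZlNGhXNUZwancKYW82RmRDM01zcVZmUzV1N0hON3dEalVzMDlKOU16bVQzWHhkSndJREFRQUJBb0lCQUFuQ1FXMWk5ZTV3WTZvcgp0ZCtyL1J1K0Fua2c0Wk9GUU1vdEpmd3Z5WnpnUUZla0pBWFV5VFA5djVlYzZyMVJlRnBHQVEwOFpQUTR3K2xPCmI4K0RUVnlldHNabGx4Q3NqODQ5MDdIM2doRExTWmZYWVdDN0MrbVZIeFpTR0JKU0hJK0VVa2lQUVJVZWtZUTkKUWo3MmxEZ1hOSnJXWjA3RTRySkxzdlcwMXRmZzdSazNLUjBUZVRKeVZpZlI5aTZkN3lkQmNrSnloUTA5VTA3WgpIZ1Z2eHBwZ3ROb2l0eURvNFQvMDhYV0xHalVqUkxWS2NaaklabXpZZE9rV1dnajBmbkV6M2lERFhtbnN5MGtrCnJrc0lkMmh4N1F6TFFFMjkwWFBVcDBFcWhDOUVyUlZiaDNiOG1RWWpnQ1p4MlFLUzl5dHhYWTlESzB1Y29ncUcKOCtFMSsyRUNnWUVBdjZ1a21xejdmZTdlSjF0TXhhRnh5Yit0QUdoL1FsMjZuWVloVWhtd095UkEwbjFHN285Rwpsd3NneFBsWVkwVWd4d05uZFRUcUpkcUc2ZGVFN0pQcUEzU1puSjhwQVZwMERzU1AxdEl4dXUxa2RXWDNTRFZMCnpOSzVYR01YZU5HN0NROUxQcVFYT0hmbWt5RFpzNG5saHYxV3BsSUZjNmx2TVpOY1NYZWNkdUVDZ1lFQTc4MTUKcXpZcXJEMmVpWkNiV2tEMDFIV2Q1OUJnNFdGUzJSVUxneW4vR21wbWplZ0hpOVZtTWQ0ZnVKWjFKTENHVzBZMApyZ3MzMGFsa1RUQUdpU05jS3IvUy9yRk1nTEZIeS9KbnQ0U1hQV0lseEJoZTgyOVhYUTZPMW5NVkQxZTNNTGIvCktFSC85RENGOTZqMTduMkFGU3JXT2hoUWpOUHA4Q09ZanArUnZRY0NnWUEzOWFjRE9jbmJSS2c3bVY1YXZQMzUKeHlwOVdnVDluVnZrcmNxQXE5dFdDUW1iNnRPUXh1ZjNKVnFWNTY2MG5QUXE1b1dJSk1EUCtITTNScU1hWnowRgpjVCtBQ0wveUV6U2JNeXhEcmU2ekFxZzMxbU5TQTYxenlYb3d6UVdIVXNSbXFyNXZOWDFLRVVlU1lSN3VXaTVYCk1SUGhUMFVrTmEydkxiVGVCanY2UVFLQmdER3dsaUdRRzgrTkJTamtPZ3k5b1AzVlVWOFRvcitROXlYY1lvSlAKVlhrWHl5QmtrQXU5c0d0czU0M01QNEhXd2tCdmo4THd1Q1JOd1didEtLMktFak1aaEpNYUVnd29zQVBtdXU4ZwpIbWF0eTcyU2Z6cGFPL1FnYkNDcndCVnB5NS9naTRiQUJsV0hLSHRsRzNETHVKcXFRYkhRRUFEZWVIODJJUXFNCnJocEpBb0dBY2xTMzY0eEUyYis4dTg3bVFMMDBOMkhYS0hhcHVXT1c0bkVZSkVEYkRDck5icHlkKzJJVUJjTXkKWlR3MFRBYWNYaGZkSHNhenM1V0FCL2x4eExaK1lDUkZPNDAraXRpdkE1ZWhlQ2ZzWXBWQk9rekxwcTNtWjB4NAp3ZmlNcndKSnZKS2t3SzEvRnA2TEhkbm1tekhPOVNmWjViMVdMMjExRUltaU03TmtZQjA9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==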
# ============================================================================
# Method 2: Self-signed certificate (for testing only) - this is the simplest way to get started
# ============================================================================
# Generate a self-signed certificate for testing:
#
# # Generate private key
# openssl genrsa -out tls.key 2048
#
# # Generate self-signed certificate
# openssl req -new -x509 -key tls.key -out tls.crt -days 365 \
# -subj "/CN=sql-exporter/O=testing"
#
# # Create TLS secret
# kubectl create secret tls sql-exporter-tls \
# --cert=tls.crt \
# --key=tls.key
#
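# WARNING: Self-signed certificates should NOT be used in production!
# Clients cannot validate them against a trusted CA, so they must either trust
# this exact certificate or skip verification.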
# ============================================================================
# Verify the secret
# ============================================================================
# After creating the secret, verify it:
#
# kubectl get secret sql-exporter-tls
# kubectl describe secret sql-exporter-tls
#
# Check the certificate details:
#
# kubectl get secret sql-exporter-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
# ============================================================================
# Important Notes
# ============================================================================
# 1. The secret MUST be in the same namespace as the sql-exporter pod
# 2. The certificate should be in PEM format
# 3. Common key names are:
# - tls.crt (certificate)
# - tls.key (private key)
# - ca.crt (CA certificate, optional)
# 4. You can use custom key names by configuring webConfig.tls.certKey and webConfig.tls.keyKey
# 5. For production, use proper CA-signed certificates or cert-manager
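# 6. Ensure the certificate includes appropriate SANs (Subject Alternative Names) for your service DNS.
#    The Method 2 example sets only a CN; clients that require SANs for hostname verification will reject it.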