From ecbaa85d817eafcb9f8ab46a8856fb1c0d024b03 Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Tue, 24 Nov 2020 13:22:59 +0100
Subject: [PATCH 1/4] *: add jsonnet-lint to tooling

Signed-off-by: paulfantom
---
 Makefile | 8 +++++++-
 scripts/go.mod | 2 +-
 scripts/go.sum | 2 ++
 scripts/tools.go | 1 +
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 754ba59a..198e1788 100644
--- a/Makefile
+++ b/Makefile
@@ -6,8 +6,9 @@ EMBEDMD_BIN=$(BIN_DIR)/embedmd
 JB_BIN=$(BIN_DIR)/jb
 GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml
 JSONNET_BIN=$(BIN_DIR)/jsonnet
+JSONNETLINT_BIN=$(BIN_DIR)/jsonnet-lint
 JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt
-TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETFMT_BIN)
+TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN)
 JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
@@ -36,6 +37,11 @@ fmt: $(JSONNETFMT_BIN)
 find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
 xargs -n 1 -- $(JSONNETFMT_BIN) $(JSONNETFMT_ARGS) -i
+.PHONY: lint
+lint: $(JSONNETLINT_BIN) vendor
+ find jsonnet/ -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
+ xargs -n 1 -- $(JSONNETLINT_BIN) -J vendor
+
 .PHONY: test
 test: $(JB_BIN)
 $(JB_BIN) install
diff --git a/scripts/go.mod b/scripts/go.mod
index 59363cba..9c6c10c8 100644
--- a/scripts/go.mod
+++ b/scripts/go.mod
@@ -5,6 +5,6 @@ go 1.15
 require (
 github.com/brancz/gojsontoyaml v0.0.0-20200602132005-3697ded27e8c
 github.com/campoy/embedmd v1.0.0
- github.com/google/go-jsonnet v0.17.0
+ github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 // 7 commits after 0.17.0. Needed by jsonnet linter
 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0
 )
diff --git a/scripts/go.sum b/scripts/go.sum
index 1e2cedbd..08d45587 100644
--- a/scripts/go.sum
+++ b/scripts/go.sum
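Review bot: The `lint` recipe pipes `find ... -print` into `xargs -n 1`, so a path containing whitespace would be split into several arguments and either lint the wrong file or fail; `-print0` with `xargs -0 -n 1` avoids that, e.g. `find jsonnet/ -name 'vendor' -prune -o -name '*.libsonnet' -print0 -o -name '*.jsonnet' -print0 | \` followed by `xargs -0 -n 1 -- $(JSONNETLINT_BIN) -J vendor`. The `fmt` recipe in the context above has the same shape, so it could be changed alongside for consistency. The target also lists `vendor` as a prerequisite; whether a `vendor` rule exists is not visible in this hunk, so confirm it is defined (presumably via `$(JB_BIN) install`, as the `test` target does) or `make lint` on a clean checkout will fail before the linter runs.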
@@ -16,6 +16,8 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/google/go-jsonnet v0.17.0 h1:/9NIEfhK1NQRKl3sP2536b2+x5HnZMdql7x3yK/l8JY=
 github.com/google/go-jsonnet v0.17.0/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
+github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 h1:91EupyycmO5ctzKuWEZ9nX0Cal1NveMiWcXxmRtLyLQ=
+github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 h1:4BKZ6LDqPc2wJDmaKnmYD/vDjUptJtnUpai802MibFc=
 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
diff --git a/scripts/tools.go b/scripts/tools.go
index b6cba4f2..d5b67e32 100644
--- a/scripts/tools.go
+++ b/scripts/tools.go
@@ -8,6 +8,7 @@ import (
 _ "github.com/brancz/gojsontoyaml"
 _ "github.com/campoy/embedmd"
 _ "github.com/google/go-jsonnet/cmd/jsonnet"
+ _ "github.com/google/go-jsonnet/cmd/jsonnet-lint"
 _ "github.com/google/go-jsonnet/cmd/jsonnetfmt"
 _ "github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb"
 )

From 48579a967903d0385528038283bb497d236d6dc9 Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Tue, 12 Jan 2021 13:33:13 +0100
Subject: [PATCH 2/4] .github/workflows: run fmt and lint in CI

---
 .github/workflows/ci.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 68da3163..e9edf2a6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,6 +20,18 @@ jobs:
 with:
 go-version: ${{ env.golang-version }}
 - run: make --always-make generate && git diff --exit-code
+ lint:
+ runs-on: ubuntu-latest
+ name: Jsonnet linter
+ steps:
+ - uses: actions/checkout@v2
+ - run: make --always-make lint
+ fmt:
+ runs-on: ubuntu-latest
+ name: Jsonnet formatter
+ steps:
+ - uses: actions/checkout@v2
+ - run: make --always-make fmt && git diff --exit-code
 unit-tests:
 runs-on: ubuntu-latest
 name: Unit tests

From b5ab602911fde97ae20727e63fd658d42c9f8a1f Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Tue, 12 Jan 2021 15:21:56 +0100
Subject: [PATCH 3/4] jsonnet: lint

---
 jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet | 2 --
 jsonnet/kube-prometheus/kube-prometheus.libsonnet | 1 -
 jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet | 1 -
 .../kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet | 1 -
 4 files changed, 5 deletions(-)

diff --git a/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet b/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet
index 9005402e..63582362 100644
--- a/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet
+++ b/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet
@@ -30,8 +30,6 @@
 },
 prometheus+:: {
- local p = self,
-
 prometheus+: {
 spec+: antiaffinity('prometheus', [$._config.prometheus.name], $._config.namespace),
diff --git a/jsonnet/kube-prometheus/kube-prometheus.libsonnet b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
index 0183b286..044d27fc 100644
--- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
@@ -100,7 +100,6 @@ local prometheusAdapter = import './prometheus-adapter/prometheus-adapter.libson
 (kubeRbacProxyContainer {
 config+:: {
 kubeRbacProxy: {
- local cfg = self,
 image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
 name: 'kube-rbac-proxy',
 securePortName: 'https',
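Review bot: The new `lint` and `fmt` jobs run `make --always-make lint` / `make --always-make fmt` straight after checkout with no Go toolchain step, while the `generate` job in the context above passes `go-version: ${{ env.golang-version }}` to its setup step; the linter and formatter are built from scripts/go.mod (patch 1 of this series, `go 1.15`), so these two jobs compile the tools with whatever Go the runner image happens to ship and can drift from the version the rest of CI pins. Add the same setup step to both jobs before the `run:` line, mirroring the generate job's `uses:` line (it sits above the hunk) with `with:` / `go-version: ${{ env.golang-version }}`. Separately, `actions/checkout@v2` references a mutable tag; pinning third-party actions to a full commit SHA keeps a retagged action from changing what executes in CI, though if the existing jobs use tags this is a repo-wide choice rather than something to fix only here.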
diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
index a142b4b6..a5db87fe 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -1,5 +1,4 @@
 local defaults = {
- local defaults = self,
 namespace: error 'must provide namespace',
 image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0',
 ports: error 'must provide ports',
diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet
index 795463a7..5122e837 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet
@@ -16,7 +16,6 @@
 },
 specMixin:: {
- local sm = self,
 config+:: {
 kubeRbacProxy: {
 image: error 'must provide image',

From d00a923299a09952107f44c2a6ce248c7a818d21 Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Tue, 12 Jan 2021 16:03:13 +0100
Subject: [PATCH 4/4] jsonnet: format

---
 .../alertmanager/alertmanager.libsonnet | 2 -
 .../blackbox-exporter.libsonnet | 356 +++++++++---------
 .../kube-rbac-proxy/container.libsonnet | 78 ++--
 .../kube-state-metrics.libsonnet | 4 +-
 .../node-exporter/node-exporter.libsonnet | 7 +-
 .../prometheus-adapter.libsonnet | 204 +++++-----
 6 files changed, 325 insertions(+), 326 deletions(-)

diff --git a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
index 4b091e9a..2fee6e1e 100644
--- a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
@@ -58,8 +58,6 @@ local defaults = {
 };
-
-
 function(params) {
 local am = self,
 config:: defaults + params,
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 769b1bee..ce421209 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -92,191 +92,191 @@ function(params) { // Safety check assert std.isObject(bb.config.resources), - configuration: { - apiVersion: 'v1', - kind: 'ConfigMap', - metadata: { - name: 'blackbox-exporter-configuration', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - data: { - 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }), - }, + configuration: { + apiVersion: 'v1', + kind: 'ConfigMap', + metadata: { + name: 'blackbox-exporter-configuration', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + data: { + 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }), + }, + }, + + serviceAccount: { + apiVersion: 'v1', + kind: 'ServiceAccount', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + }, + }, + + clusterRole: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'blackbox-exporter', + }, + rules: [ + { + apiGroups: ['authentication.k8s.io'], + resources: ['tokenreviews'], + verbs: ['create'], }, - - serviceAccount: { - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - }, + { + apiGroups: ['authorization.k8s.io'], + resources: ['subjectaccessreviews'], + verbs: ['create'], }, + ], + }, - clusterRole: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: 'blackbox-exporter', - }, - rules: [ - { - apiGroups: ['authentication.k8s.io'], - resources: ['tokenreviews'], - verbs: ['create'], - }, - { - apiGroups: ['authorization.k8s.io'], - resources: ['subjectaccessreviews'], - verbs: ['create'], - }, - ], + clusterRoleBinding: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: 'blackbox-exporter', + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: 'blackbox-exporter', + }, + subjects: [{ + kind: 'ServiceAccount', + name: 
'blackbox-exporter', + namespace: bb.config.namespace, + }], + }, + + deployment: + local blackboxExporter = { + name: 'blackbox-exporter', + image: bb.config.image, + args: [ + '--config.file=/etc/blackbox_exporter/config.yml', + '--web.listen-address=:%d' % bb.config.internalPort, + ], + ports: [{ + name: 'http', + containerPort: bb.config.internalPort, + }], + resources: bb.config.resources, + securityContext: if bb.config.privileged then { + runAsNonRoot: false, + capabilities: { drop: ['ALL'], add: ['NET_RAW'] }, + } else { + runAsNonRoot: true, + runAsUser: 65534, }, + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true, + }], + }; - clusterRoleBinding: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: 'blackbox-exporter', - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'blackbox-exporter', - }, - subjects: [{ - kind: 'ServiceAccount', - name: 'blackbox-exporter', - namespace: bb.config.namespace, - }], + local reloader = { + name: 'module-configmap-reloader', + image: bb.config.configmapReloaderImage, + args: [ + '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort, + '--volume-dir=/etc/blackbox_exporter/', + ], + resources: bb.config.resources, + securityContext: { runAsNonRoot: true, runAsUser: 65534 }, + terminationMessagePath: '/dev/termination-log', + terminationMessagePolicy: 'FallbackToLogsOnError', + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true, + }], + }; + + local kubeRbacProxy = krp({ + name: 'kube-rbac-proxy', + upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/', + secureListenAddress: ':' + bb.config.port, + ports: [ + { name: 'https', containerPort: bb.config.port }, + ], + }); + + { + apiVersion: 'apps/v1', + kind: 'Deployment', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, }, 
- - deployment: - local blackboxExporter = { - name: 'blackbox-exporter', - image: bb.config.image, - args: [ - '--config.file=/etc/blackbox_exporter/config.yml', - '--web.listen-address=:%d' % bb.config.internalPort, - ], - ports: [{ - name: 'http', - containerPort: bb.config.internalPort, - }], - resources: bb.config.resources, - securityContext: if bb.config.privileged then { - runAsNonRoot: false, - capabilities: { drop: ['ALL'], add: ['NET_RAW'] }, - } else { - runAsNonRoot: true, - runAsUser: 65534, - }, - volumeMounts: [{ - mountPath: '/etc/blackbox_exporter/', - name: 'config', - readOnly: true, - }], - }; - - local reloader = { - name: 'module-configmap-reloader', - image: bb.config.configmapReloaderImage, - args: [ - '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort, - '--volume-dir=/etc/blackbox_exporter/', - ], - resources: bb.config.resources, - securityContext: { runAsNonRoot: true, runAsUser: 65534 }, - terminationMessagePath: '/dev/termination-log', - terminationMessagePolicy: 'FallbackToLogsOnError', - volumeMounts: [{ - mountPath: '/etc/blackbox_exporter/', - name: 'config', - readOnly: true, - }], - }; - - local kubeRbacProxy = krp({ - name: 'kube-rbac-proxy', - upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/', - secureListenAddress: ':' + bb.config.port, - ports: [ - { name: 'https', containerPort: bb.config.port }, - ], - }); - - { - apiVersion: 'apps/v1', - kind: 'Deployment', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, + spec: { + replicas: bb.config.replicas, + selector: { matchLabels: bb.config.selectorLabels }, + template: { + metadata: { labels: bb.config.commonLabels }, spec: { - replicas: bb.config.replicas, - selector: { matchLabels: bb.config.selectorLabels }, - template: { - metadata: { labels: bb.config.commonLabels }, - spec: { - containers: [blackboxExporter, reloader, kubeRbacProxy], - nodeSelector: { 'kubernetes.io/os': 
'linux' }, - serviceAccountName: 'blackbox-exporter', - volumes: [{ - name: 'config', - configMap: { name: 'blackbox-exporter-configuration' }, - }], - }, - }, - }, - }, - - service: { - apiVersion: 'v1', - kind: 'Service', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - spec: { - ports: [{ - name: 'https', - port: bb.config.port, - targetPort: 'https', - }, { - name: 'probe', - port: bb.config.internalPort, - targetPort: 'http', - }], - selector: bb.config.selectorLabels, - }, - }, - - serviceMonitor: - { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'ServiceMonitor', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - spec: { - endpoints: [{ - bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', - interval: '30s', - path: '/metrics', - port: 'https', - scheme: 'https', - tlsConfig: { - insecureSkipVerify: true, - }, + containers: [blackboxExporter, reloader, kubeRbacProxy], + nodeSelector: { 'kubernetes.io/os': 'linux' }, + serviceAccountName: 'blackbox-exporter', + volumes: [{ + name: 'config', + configMap: { name: 'blackbox-exporter-configuration' }, }], - selector: { - matchLabels: bb.config.selectorLabels, - }, }, }, - } + }, + }, + + service: { + apiVersion: 'v1', + kind: 'Service', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + spec: { + ports: [{ + name: 'https', + port: bb.config.port, + targetPort: 'https', + }, { + name: 'probe', + port: bb.config.internalPort, + targetPort: 'http', + }], + selector: bb.config.selectorLabels, + }, + }, + + serviceMonitor: + { + apiVersion: 'monitoring.coreos.com/v1', + kind: 'ServiceMonitor', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + spec: { + endpoints: [{ + bearerTokenFile: 
'/var/run/secrets/kubernetes.io/serviceaccount/token', + interval: '30s', + path: '/metrics', + port: 'https', + scheme: 'https', + tlsConfig: { + insecureSkipVerify: true, + }, + }], + selector: { + matchLabels: bb.config.selectorLabels, + }, + }, + }, +} diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet index a5db87fe..bc4bf7ff 100644 --- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet +++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet 
@@ -9,33 +9,33 @@ local defaults = {
 limits: { cpu: '20m', memory: '40Mi' },
 },
 tlsCipherSuites: [
- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
- 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
+ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
- // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
- // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
- // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
- // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
+ // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
+ // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
+ // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
+ // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
- 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
- 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
- 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
- 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
- ],
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+ 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+ ],
 };
@@ -45,19 +45,19 @@ function(params) {
 // Safety check
 assert std.isObject(krp.config.resources),
- name: krp.config.name,
- image: krp.config.image,
- args: [
- '--logtostderr',
- '--secure-listen-address=' + krp.config.secureListenAddress,
- '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
- '--upstream=' + krp.config.upstream,
- ],
- resources: krp.config.resources,
- ports: krp.config.ports,
- securityContext: {
- runAsUser: 65532,
- runAsGroup: 65532,
- runAsNonRoot: true,
- },
+ name: krp.config.name,
+ image: krp.config.image,
+ args: [
+ '--logtostderr',
+ '--secure-listen-address=' + krp.config.secureListenAddress,
+ '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
+ '--upstream=' + krp.config.upstream,
+ ],
+ resources: krp.config.resources,
+ ports: krp.config.ports,
+ securityContext: {
+ runAsUser: 65532,
+ runAsGroup: 65532,
+ runAsNonRoot: true,
+ },
 }
diff --git a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
index 8b602f7e..037d023b 100644
--- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 upstream: 'http://127.0.0.1:8081/',
 secureListenAddress: ':8443',
 ports: [
- { name: 'https-main', containerPort: 8443, },
+ { name: 'https-main', containerPort: 8443 },
 ],
 }),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 upstream: 'http://127.0.0.1:8082/',
 secureListenAddress: ':9443',
 ports: [
- { name: 'https-self', containerPort: 9443, },
+ { name: 'https-self', containerPort: 9443 },
 ],
 }),
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 63ec53b9..bb16fc41 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -67,8 +67,9 @@ function(params) {
 apiGroups: ['authorization.k8s.io'],
 resources: ['subjectaccessreviews'],
 verbs: ['create'],
- }],
- },
+ },
+ ],
+ },
 serviceAccount: {
 apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
 }) + {
 env: [
 { name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
- ]
+ ],
 };
 {
diff --git a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
index 4dceb06f..4b2ac39f 100644
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -186,117 +186,117 @@ function(params) { }, }, - serviceAccount: { - apiVersion: 'v1', + serviceAccount: { + apiVersion: 'v1', + kind: 'ServiceAccount', + metadata: { + name: pa.config.name, + namespace: pa.config.namespace, + labels: pa.config.commonLabels, + }, + }, + + clusterRole: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: pa.config.name, + labels: pa.config.commonLabels, + }, + rules: [{ + apiGroups: [''], + resources: ['nodes', 'namespaces', 'pods', 'services'], + verbs: ['get', 'list', 'watch'], + }], + }, + + clusterRoleBinding: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: pa.config.name, + labels: pa.config.commonLabels, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: $.clusterRole.metadata.name, + }, + subjects: [{ kind: 'ServiceAccount', - metadata: { - name: pa.config.name, - namespace: pa.config.namespace, - labels: pa.config.commonLabels, - }, - }, + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, - clusterRole: { - apiVersion: 'rbac.authorization.k8s.io/v1', + clusterRoleBindingDelegator: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: 'resource-metrics:system:auth-delegator', + labels: pa.config.commonLabels, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', - metadata: { - name: pa.config.name, - labels: pa.config.commonLabels, - }, - rules: [{ - apiGroups: [''], - resources: ['nodes', 'namespaces', 'pods', 'services'], - verbs: ['get', 'list', 'watch'], - }], + name: 'system:auth-delegator', }, + subjects: [{ + kind: 'ServiceAccount', + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, - clusterRoleBinding: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: pa.config.name, - labels: pa.config.commonLabels, 
- }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: $.clusterRole.metadata.name, - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - namespace: pa.config.namespace, - }], + clusterRoleServerResources: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'resource-metrics-server-resources', + labels: pa.config.commonLabels, }, + rules: [{ + apiGroups: ['metrics.k8s.io'], + resources: ['*'], + verbs: ['*'], + }], + }, - clusterRoleBindingDelegator: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: 'resource-metrics:system:auth-delegator', - labels: pa.config.commonLabels, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'system:auth-delegator', - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - namespace: pa.config.namespace, - }], + clusterRoleAggregatedMetricsReader: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'system:aggregated-metrics-reader', + labels: { + 'rbac.authorization.k8s.io/aggregate-to-admin': 'true', + 'rbac.authorization.k8s.io/aggregate-to-edit': 'true', + 'rbac.authorization.k8s.io/aggregate-to-view': 'true', + } + pa.config.commonLabels, }, + rules: [{ + apiGroups: ['metrics.k8s.io'], + resources: ['pods', 'nodes'], + verbs: ['get', 'list', 'watch'], + }], + }, - clusterRoleServerResources: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: 'resource-metrics-server-resources', - labels: pa.config.commonLabels, - }, - rules: [{ - apiGroups: ['metrics.k8s.io'], - resources: ['*'], - verbs: ['*'], - }], + roleBindingAuthReader: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'RoleBinding', + metadata: { + name: 'resource-metrics-auth-reader', + namespace: 'kube-system', + labels: pa.config.commonLabels, }, - - 
clusterRoleAggregatedMetricsReader: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: 'system:aggregated-metrics-reader', - labels: { - 'rbac.authorization.k8s.io/aggregate-to-admin': 'true', - 'rbac.authorization.k8s.io/aggregate-to-edit': 'true', - 'rbac.authorization.k8s.io/aggregate-to-view': 'true', - } + pa.config.commonLabels, - }, - rules: [{ - apiGroups: ['metrics.k8s.io'], - resources: ['pods', 'nodes'], - verbs: ['get', 'list', 'watch'], - }], - }, - - roleBindingAuthReader: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: 'resource-metrics-auth-reader', - namespace: 'kube-system', - labels: pa.config.commonLabels, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: 'extension-apiserver-authentication-reader', - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - namespace: pa.config.namespace, - }], + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'Role', + name: 'extension-apiserver-authentication-reader', }, + subjects: [{ + kind: 'ServiceAccount', + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, }