Merge pull request #427 from lilic/fix-ksm

jsonnet/kube-prometheus: Add back kube-rbac-proxy containers to
Lili Cosic
2020-03-03 16:01:05 +01:00
committed by GitHub
5 changed files with 241 additions and 45 deletions


@@ -0,0 +1,90 @@
local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
local deployment = k.apps.v1.deployment;
local container = deployment.mixin.spec.template.spec.containersType;
local containerPort = container.portsType;
{
local krp = self,
config+:: {
kubeRbacProxy: {
image: error 'must provide image',
name: error 'must provide name',
securePortName: error 'must provide securePortName',
securePort: error 'must provide securePort',
secureListenAddress: error 'must provide secureListenAddress',
upstream: error 'must provide upstream',
tlsCipherSuites: error 'must provide tlsCipherSuites',
},
},
specMixin:: {
local sm = self,
config+:: {
kubeRbacProxy: {
image: error 'must provide image',
name: error 'must provide name',
securePortName: error 'must provide securePortName',
securePort: error 'must provide securePort',
secureListenAddress: error 'must provide secureListenAddress',
upstream: error 'must provide upstream',
tlsCipherSuites: error 'must provide tlsCipherSuites',
},
},
spec+: {
template+: {
spec+: {
containers+: [
container.new(krp.config.kubeRbacProxy.name, krp.config.kubeRbacProxy.image) +
container.withArgs([
'--logtostderr',
'--secure-listen-address=' + krp.config.kubeRbacProxy.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.kubeRbacProxy.tlsCipherSuites),
'--upstream=' + krp.config.kubeRbacProxy.upstream,
]) +
container.withPorts(containerPort.newNamed(krp.config.kubeRbacProxy.securePort, krp.config.kubeRbacProxy.securePortName)),
],
},
},
},
},
deploymentMixin:: {
local dm = self,
config+:: {
kubeRbacProxy: {
image: error 'must provide image',
name: error 'must provide name',
securePortName: error 'must provide securePortName',
securePort: error 'must provide securePort',
secureListenAddress: error 'must provide secureListenAddress',
upstream: error 'must provide upstream',
tlsCipherSuites: error 'must provide tlsCipherSuites',
},
},
deployment+: krp.specMixin {
config+:: {
kubeRbacProxy+: dm.config.kubeRbacProxy,
},
},
},
statefulSetMixin:: {
local sm = self,
config+:: {
kubeRbacProxy: {
image: error 'must provide image',
name: error 'must provide name',
securePortName: error 'must provide securePortName',
securePort: error 'must provide securePort',
secureListenAddress: error 'must provide secureListenAddress',
upstream: error 'must provide upstream',
tlsCipherSuites: error 'must provide tlsCipherSuites',
},
},
statefulSet+: krp.specMixin {
config+:: {
kubeRbacProxy+: sm.config.kubeRbacProxy,
},
},
},
}
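Review bot: The container in `specMixin` takes every value from `krp.config.kubeRbacProxy` (the outermost object), and `local sm = self` is never used. The `config+::` that `deploymentMixin` and `statefulSetMixin` pass into `krp.specMixin { ... }` therefore appears to have no effect on the generated args. A caller who sets `tlsCipherSuites`, `secureListenAddress` or `upstream` on one of the inner mixins would see no error and would still get the top-level values, which is an easy way to ship a proxy with settings other than the ones that were reviewed. Either read `sm.config.kubeRbacProxy` in the container and have the inner configs default to `krp.config.kubeRbacProxy`, or delete the three duplicated inner `config+::` blocks and document with a comment on `config+::` that the top-level `config` is the only input.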


@@ -1,4 +1,10 @@
{ {
_config+:: {
kubeStateMetrics+:: {
scrapeInterval: '30s',
scrapeTimeout: '30s',
},
},
kubeStateMetrics+:: (import 'kube-state-metrics/kube-state-metrics.libsonnet') + kubeStateMetrics+:: (import 'kube-state-metrics/kube-state-metrics.libsonnet') +
{ {
local ksm = self, local ksm = self,
@@ -6,38 +12,110 @@
namespace:: 'monitoring', namespace:: 'monitoring',
version:: '1.9.4', //$._config.versions.kubeStateMetrics, version:: '1.9.4', //$._config.versions.kubeStateMetrics,
image:: 'quay.io/coreos/kube-state-metrics:v' + ksm.version, image:: 'quay.io/coreos/kube-state-metrics:v' + ksm.version,
serviceMonitor: { service+: {
spec+: {
ports: [
{
name: 'https-main',
port: 8443,
targetPort: 'https-main',
},
{
name: 'https-self',
port: 9443,
targetPort: 'https-self',
},
],
},
},
deployment+: {
spec+: {
template+: {
spec+: {
containers: std.map(function(c) c {
ports: null,
args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
}, super.containers),
},
},
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1', apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor', kind: 'ServiceMonitor',
metadata: { metadata: {
name: ksm.name, name: 'kube-state-metrics',
namespace: ksm.namespace, namespace: $._config.namespace,
labels: ksm.commonLabels, labels: {
'app.kubernetes.io/name': 'kube-state-metrics',
'app.kubernetes.io/version': ksm.version,
},
}, },
spec: { spec: {
jobLabel: 'app.kubernetes.io/name', jobLabel: 'app.kubernetes.io/name',
selector: { selector: {
matchLabels: ksm.commonLabels, matchLabels: {
'app.kubernetes.io/name': 'kube-state-metrics',
},
}, },
endpoints: [ endpoints: [
{ {
port: 'http-metrics', port: 'https-main',
interval: '30s', scheme: 'https',
scrapeTimeout: '30s', interval: $._config.kubeStateMetrics.scrapeInterval,
scrapeTimeout: $._config.kubeStateMetrics.scrapeTimeout,
honorLabels: true, honorLabels: true,
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
relabelings: [ relabelings: [
{ {
regex: '(pod|service|endpoint|namespace)', regex: '(pod|service|endpoint|namespace)',
action: 'labeldrop', action: 'labeldrop',
}, },
], ],
tlsConfig: {
insecureSkipVerify: true,
},
}, },
{ {
port: 'telemetry', port: 'https-self',
interval: '30s', scheme: 'https',
interval: $._config.kubeStateMetrics.scrapeInterval,
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
tlsConfig: {
insecureSkipVerify: true,
},
}, },
], ],
}, },
}, },
} +
((import 'kube-prometheus/kube-rbac-proxy/container.libsonnet') {
config+:: {
kubeRbacProxy: {
local cfg = self,
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
name: 'kube-rbac-proxy-main',
securePortName: 'https-main',
securePort: 8443,
secureListenAddress: ':%d' % self.securePort,
upstream: 'http://127.0.0.1:8081/',
tlsCipherSuites: $._config.tlsCipherSuites,
}, },
},
}).deploymentMixin +
((import 'kube-prometheus/kube-rbac-proxy/container.libsonnet') {
config+:: {
kubeRbacProxy: {
local cfg = self,
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
name: 'kube-rbac-proxy-self',
securePortName: 'https-self',
securePort: 9443,
secureListenAddress: ':%d' % self.securePort,
upstream: 'http://127.0.0.1:8082/',
tlsCipherSuites: $._config.tlsCipherSuites,
},
},
}).deploymentMixin,
} }
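Review bot: Both ServiceMonitor endpoints (`https-main` and `https-self`) set `tlsConfig: { insecureSkipVerify: true }` while also sending the token from `bearerTokenFile`, so Prometheus presents its service-account token to a peer whose certificate it never verifies. This is presumably because the kube-rbac-proxy containers are started without a serving certificate and fall back to a self-signed one. If so, the safer arrangement is to give the proxies a certificate from a CA that Prometheus trusts (`--tls-cert-file` / `--tls-private-key-file`) and to replace the skip with `caFile` and `serverName` in `tlsConfig`. If the skip has to stay for now, record the trade-off next to it, for example `// insecureSkipVerify: proxy serves a self-signed cert, so the scrape target is not authenticated to Prometheus`.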


@@ -18,7 +18,12 @@ spec:
app.kubernetes.io/version: v1.9.4 app.kubernetes.io/version: v1.9.4
spec: spec:
containers: containers:
- image: quay.io/coreos/kube-state-metrics:v1.9.4 - args:
- --host=127.0.0.1
- --port=8081
- --telemetry-host=127.0.0.1
- --telemetry-port=8082
image: quay.io/coreos/kube-state-metrics:v1.9.4
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@@ -26,11 +31,7 @@ spec:
initialDelaySeconds: 5 initialDelaySeconds: 5
timeoutSeconds: 5 timeoutSeconds: 5
name: kube-state-metrics name: kube-state-metrics
ports: ports: null
- containerPort: 8080
name: http-metrics
- containerPort: 8081
name: telemetry
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /
@@ -39,6 +40,26 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
securityContext: securityContext:
runAsUser: 65534 runAsUser: 65534
- args:
- --logtostderr
- --secure-listen-address=:8443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- --upstream=http://127.0.0.1:8081/
image: quay.io/coreos/kube-rbac-proxy:v0.4.1
name: kube-rbac-proxy-main
ports:
- containerPort: 8443
name: https-main
- args:
- --logtostderr
- --secure-listen-address=:9443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- --upstream=http://127.0.0.1:8082/
image: quay.io/coreos/kube-rbac-proxy:v0.4.1
name: kube-rbac-proxy-self
ports:
- containerPort: 9443
name: https-self
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
serviceAccountName: kube-state-metrics serviceAccountName: kube-state-metrics


@@ -9,11 +9,11 @@ metadata:
spec: spec:
clusterIP: None clusterIP: None
ports: ports:
- name: http-metrics - name: https-main
port: 8080 port: 8443
targetPort: http-metrics targetPort: https-main
- name: telemetry - name: https-self
port: 8081 port: 9443
targetPort: telemetry targetPort: https-self
selector: selector:
app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/name: kube-state-metrics


@@ -3,22 +3,29 @@ kind: ServiceMonitor
metadata: metadata:
labels: labels:
app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/version: v1.9.4 app.kubernetes.io/version: 1.9.4
name: kube-state-metrics name: kube-state-metrics
namespace: monitoring namespace: monitoring
spec: spec:
endpoints: endpoints:
- honorLabels: true - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
honorLabels: true
interval: 30s interval: 30s
port: http-metrics port: https-main
relabelings: relabelings:
- action: labeldrop - action: labeldrop
regex: (pod|service|endpoint|namespace) regex: (pod|service|endpoint|namespace)
scheme: https
scrapeTimeout: 30s scrapeTimeout: 30s
- interval: 30s tlsConfig:
port: telemetry insecureSkipVerify: true
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
port: https-self
scheme: https
tlsConfig:
insecureSkipVerify: true
jobLabel: app.kubernetes.io/name jobLabel: app.kubernetes.io/name
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/version: v1.9.4