easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

jsonnet: format

Browse Source
This commit is contained in:
paulfantom
2021-01-12 16:03:13 +01:00
parent b5ab602911
commit d00a923299
6 changed files with 325 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
View File

@@ -58,8 +58,6 @@ local defaults = {
};
function(params) {
local am = self,
config:: defaults + params,

356
jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
View File

@@ -92,191 +92,191 @@ function(params) {
// Safety check
assert std.isObject(bb.config.resources),
configuration: {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
name: 'blackbox-exporter-configuration',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
data: {
'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
},
configuration: {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
name: 'blackbox-exporter-configuration',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
data: {
'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
},
},
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'blackbox-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
},
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
{
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
},
],
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'blackbox-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
},
{
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
},
],
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'blackbox-exporter',
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'blackbox-exporter',
},
subjects: [{
kind: 'ServiceAccount',
name: 'blackbox-exporter',
namespace: bb.config.namespace,
}],
},
deployment:
local blackboxExporter = {
name: 'blackbox-exporter',
image: bb.config.image,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
},
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'blackbox-exporter',
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'blackbox-exporter',
},
subjects: [{
kind: 'ServiceAccount',
name: 'blackbox-exporter',
namespace: bb.config.namespace,
}],
local reloader = {
name: 'module-configmap-reloader',
image: bb.config.configmapReloaderImage,
args: [
'--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
'--volume-dir=/etc/blackbox_exporter/',
],
resources: bb.config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 },
terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
deployment:
local blackboxExporter = {
name: 'blackbox-exporter',
image: bb.config.image,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
},
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local reloader = {
name: 'module-configmap-reloader',
image: bb.config.configmapReloaderImage,
args: [
'--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
'--volume-dir=/etc/blackbox_exporter/',
],
resources: bb.config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 },
terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
replicas: bb.config.replicas,
selector: { matchLabels: bb.config.selectorLabels },
template: {
metadata: { labels: bb.config.commonLabels },
spec: {
replicas: bb.config.replicas,
selector: { matchLabels: bb.config.selectorLabels },
template: {
metadata: { labels: bb.config.commonLabels },
spec: {
containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' },
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',
configMap: { name: 'blackbox-exporter-configuration' },
}],
},
},
},
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' },
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',
configMap: { name: 'blackbox-exporter-configuration' },
}],
selector: {
matchLabels: bb.config.selectorLabels,
},
},
},
}
},
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
}],
selector: {
matchLabels: bb.config.selectorLabels,
},
},
},
}

78
jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
View File

@@ -9,33 +9,33 @@ local defaults = {
limits: { cpu: '20m', memory: '40Mi' },
},
tlsCipherSuites: [
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
// 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
// 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
// disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
};
@@ -45,19 +45,19 @@ function(params) {
// Safety check
assert std.isObject(krp.config.resources),
name: krp.config.name,
image: krp.config.image,
args: [
'--logtostderr',
'--secure-listen-address=' + krp.config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
'--upstream=' + krp.config.upstream,
],
resources: krp.config.resources,
ports: krp.config.ports,
securityContext: {
runAsUser: 65532,
runAsGroup: 65532,
runAsNonRoot: true,
},
name: krp.config.name,
image: krp.config.image,
args: [
'--logtostderr',
'--secure-listen-address=' + krp.config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
'--upstream=' + krp.config.upstream,
],
resources: krp.config.resources,
ports: krp.config.ports,
securityContext: {
runAsUser: 65532,
runAsGroup: 65532,
runAsNonRoot: true,
},
}

4
jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
View File

@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8081/',
secureListenAddress: ':8443',
ports: [
{ name: 'https-main', containerPort: 8443, },
{ name: 'https-main', containerPort: 8443 },
],
}),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8082/',
secureListenAddress: ':9443',
ports: [
{ name: 'https-self', containerPort: 9443, },
{ name: 'https-self', containerPort: 9443 },
],
}),

7
jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
View File

@@ -67,8 +67,9 @@ function(params) {
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
}],
},
},
],
},
serviceAccount: {
apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
}) + {
env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
]
],
};
{

204
jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
View File

@@ -186,117 +186,117 @@ function(params) {
},
},
serviceAccount: {
apiVersion: 'v1',
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: pa.config.name,
namespace: pa.config.namespace,
labels: pa.config.commonLabels,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount',
metadata: {
name: pa.config.name,
namespace: pa.config.namespace,
labels: pa.config.commonLabels,
},
},
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
clusterRoleBindingDelegator: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'resource-metrics:system:auth-delegator',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
name: 'system:auth-delegator',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
clusterRoleServerResources: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'resource-metrics-server-resources',
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
},
clusterRoleBindingDelegator: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'resource-metrics:system:auth-delegator',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'system:auth-delegator',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
clusterRoleAggregatedMetricsReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'system:aggregated-metrics-reader',
labels: {
'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
} + pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleServerResources: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'resource-metrics-server-resources',
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: 'resource-metrics-auth-reader',
namespace: 'kube-system',
labels: pa.config.commonLabels,
},
clusterRoleAggregatedMetricsReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'system:aggregated-metrics-reader',
labels: {
'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
} + pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: 'resource-metrics-auth-reader',
namespace: 'kube-system',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: 'extension-apiserver-authentication-reader',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: 'extension-apiserver-authentication-reader',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
}