Issue #11 - Add ServiceAccount and TLS params to arm-exporter (#12)

Issue #11 - Add ServiceAccount and TLS params to arm-exporter
Carlos Eduardo 2019-05-03 13:52:47 -03:00 committed by GitHub
commit 25b391a68a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 168 additions and 2 deletions


@ -21,7 +21,7 @@ Components included in this package:
* Grafana
* SMTP relay to Gmail for Grafana notifications
There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
The additional modules are:
@ -33,6 +33,8 @@ The additional modules are:
There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
After changing these parameters, rebuild the manifests with `make`.
## Quickstart
The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.


@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
},
armExporter+:: {
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('arm-exporter') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('arm-exporter') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(['authentication.k8s.io']) +
policyRule.withResources([
'tokenreviews',
]) +
policyRule.withVerbs(['create']);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(['authorization.k8s.io']) +
policyRule.withResources([
'subjectaccessreviews',
]) +
policyRule.withVerbs(['create']);
local rules = [authenticationRole, authorizationRole];
clusterRole.new() +
clusterRole.mixin.metadata.withName('arm-exporter') +
clusterRole.withRules(rules),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('arm-exporter') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
daemonset:
local daemonset = k.apps.v1beta2.daemonSet;
local container = daemonset.mixin.spec.template.spec.containersType;
@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.withArgs([
'--secure-listen-address=$(IP):9243',
'--upstream=http://127.0.0.1:9243/',
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
]) +
container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') +
daemonset.mixin.spec.template.spec.withContainers(c),
serviceMonitor:
{
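Review bot: The cipher list passed at `'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites)` in the second hunk comes from `$._config.tlsCipherSuites`, which is declared outside this diff, and the compiled DaemonSet on this page expands it to a list containing `TLS_RSA_WITH_AES_128_CBC_SHA256` and three further CBC suites, i.e. suites without forward secrecy. Since the commit's stated purpose is to add TLS parameters to kube-rbac-proxy, the default would be more defensible if it were limited to the ECDHE AES-GCM entries, with a comment where `tlsCipherSuites` is declared explaining that the list is the proxy's server-side allow list. The generated ServiceMonitor on this page scrapes with `insecureSkipVerify: true`, so the scrape side does not authenticate the proxy certificate and the cipher list is effectively the only TLS property this commit controls. Separately, the literal `'arm-exporter'` is repeated in the ClusterRole, ClusterRoleBinding, ServiceAccount and `withServiceAccountName` calls of this section; a single `local name = 'arm-exporter'` at the top of `armExporter+::` would keep the binding subject and the pod's service account from drifting apart. The container definition that `container.withArgs([` extends starts before the hunk.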


@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: arm-exporter
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: arm-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: arm-exporter
subjects:
- kind: ServiceAccount
name: arm-exporter
namespace: monitoring


@ -0,0 +1,54 @@
apiVersion: apps/v1beta2
kind: DaemonSet
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
selector:
matchLabels:
k8s-app: arm-exporter
template:
metadata:
labels:
k8s-app: arm-exporter
spec:
containers:
- command:
- /bin/rpi_exporter
- --web.listen-address=127.0.0.1:9243
image: carlosedp/arm_exporter:latest
name: arm-exporter
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 50m
memory: 50Mi
- args:
- --secure-listen-address=$(IP):9243
- --upstream=http://127.0.0.1:9243/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
env:
- name: IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: carlosedp/kube-rbac-proxy:v0.4.1
name: kube-rbac-proxy
ports:
- containerPort: 9243
hostPort: 9243
name: https
resources:
limits:
cpu: 20m
memory: 40Mi
requests:
cpu: 10m
memory: 20Mi
nodeSelector:
beta.kubernetes.io/arch: arm64
serviceAccountName: arm-exporter


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
clusterIP: None
ports:
- name: https
port: 9243
targetPort: https
selector:
k8s-app: arm-exporter


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: arm-exporter
namespace: monitoring


@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
endpoints:
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
port: https
scheme: https
tlsConfig:
insecureSkipVerify: true
jobLabel: k8s-app
selector:
matchLabels:
k8s-app: arm-exporter


@ -1,7 +1,7 @@
{
// Enable or disable additional modules
installModules: {
'arm-exporter': false,
'arm-exporter': true,
metallb: false,
traefik: false,
'ups-exporter': false,
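Review bot: Flipping `'arm-exporter': false` to `'arm-exporter': true` makes arm-exporter the only module in `installModules` that is on by default, and the compiled manifests on this page show that this deploys a DaemonSet with `hostPort: 9243` on every arm64 node for anyone who applies them without editing this file. The README hunk on this page rewrites the sentence about additional modules between "enabled by default" and "disabled by default"; whichever way that edit goes, it no longer describes a `vars.jsonnet` where one module is enabled and three are disabled, so the README sentence should name arm-exporter as the exception. If enabling it by default is intentional, a comment on the key such as `// enabled by default; set to false on clusters without arm64 nodes` would record the decision next to the value.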