Issue #11 - Add ServiceAccount and TLS params to arm-exporter (#12)

Issue #11 - Add ServiceAccount and TLS params to arm-exporter
2025-10-26 10:23:04 +01:00 · 2019-05-03 13:52:47 -03:00 · 2019-05-03 13:52:47 -03:00 · 25b391a68a
commit 25b391a68a
parent 88c16b9702 732a650b51
9 changed files with 168 additions and 2 deletions
--- a/Readme.md
+++ b/Readme.md
@ -21,7 +21,7 @@ Components included in this package:
 * Grafana
 * SMTP relay to Gmail for Grafana notifications

-There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
+There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.

 The additional modules are:

@ -33,6 +33,8 @@ The additional modules are:

 There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.

+After changing these parameters, rebuild the manifests with `make`.
+
 ## Quickstart

 The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.
--- a/arm_exporter.jsonnet
+++ b/arm_exporter.jsonnet
@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
  },

  armExporter+:: {
+    clusterRoleBinding:
+      local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
+
+      clusterRoleBinding.new() +
+      clusterRoleBinding.mixin.metadata.withName('arm-exporter') +
+      clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
+      clusterRoleBinding.mixin.roleRef.withName('arm-exporter') +
+      clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
+      clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),
+
+    clusterRole:
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local authenticationRole = policyRule.new() +
+                                 policyRule.withApiGroups(['authentication.k8s.io']) +
+                                 policyRule.withResources([
+                                   'tokenreviews',
+                                 ]) +
+                                 policyRule.withVerbs(['create']);
+
+      local authorizationRole = policyRule.new() +
+                                policyRule.withApiGroups(['authorization.k8s.io']) +
+                                policyRule.withResources([
+                                  'subjectaccessreviews',
+                                ]) +
+                                policyRule.withVerbs(['create']);
+
+      local rules = [authenticationRole, authorizationRole];
+
+      clusterRole.new() +
+      clusterRole.mixin.metadata.withName('arm-exporter') +
+      clusterRole.withRules(rules),
+
+    serviceAccount:
+      local serviceAccount = k.core.v1.serviceAccount;
+
+      serviceAccount.new('arm-exporter') +
+      serviceAccount.mixin.metadata.withNamespace($._config.namespace),
+
    daemonset:
      local daemonset = k.apps.v1beta2.daemonSet;
      local container = daemonset.mixin.spec.template.spec.containersType;
@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
        container.withArgs([
          '--secure-listen-address=$(IP):9243',
          '--upstream=http://127.0.0.1:9243/',
+          '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
        ]) +
        container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
        container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
      daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
      daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
      daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
+      daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') +
      daemonset.mixin.spec.template.spec.withContainers(c),
    serviceMonitor:
      {
--- a/manifests/arm-exporter-clusterRole.yaml
+++ b/manifests/arm-exporter-clusterRole.yaml
@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: arm-exporter
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
--- a/manifests/arm-exporter-clusterRoleBinding.yaml
+++ b/manifests/arm-exporter-clusterRoleBinding.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: arm-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: arm-exporter
+subjects:
+- kind: ServiceAccount
+  name: arm-exporter
+  namespace: monitoring
--- a/manifests/arm-exporter-daemonset.yaml
+++ b/manifests/arm-exporter-daemonset.yaml
@ -0,0 +1,54 @@
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: arm-exporter
+  name: arm-exporter
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      k8s-app: arm-exporter
+  template:
+    metadata:
+      labels:
+        k8s-app: arm-exporter
+    spec:
+      containers:
+      - command:
+        - /bin/rpi_exporter
+        - --web.listen-address=127.0.0.1:9243
+        image: carlosedp/arm_exporter:latest
+        name: arm-exporter
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+          requests:
+            cpu: 50m
+            memory: 50Mi
+      - args:
+        - --secure-listen-address=$(IP):9243
+        - --upstream=http://127.0.0.1:9243/
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        env:
+        - name: IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: carlosedp/kube-rbac-proxy:v0.4.1
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 9243
+          hostPort: 9243
+          name: https
+        resources:
+          limits:
+            cpu: 20m
+            memory: 40Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+      nodeSelector:
+        beta.kubernetes.io/arch: arm64
+      serviceAccountName: arm-exporter
--- a/manifests/arm-exporter-service.yaml
+++ b/manifests/arm-exporter-service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: arm-exporter
+  name: arm-exporter
+  namespace: monitoring
+spec:
+  clusterIP: None
+  ports:
+  - name: https
+    port: 9243
+    targetPort: https
+  selector:
+    k8s-app: arm-exporter
--- a/manifests/arm-exporter-serviceAccount.yaml
+++ b/manifests/arm-exporter-serviceAccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: arm-exporter
+  namespace: monitoring
--- a/manifests/arm-exporter-serviceMonitor.yaml
+++ b/manifests/arm-exporter-serviceMonitor.yaml
@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    k8s-app: arm-exporter
+  name: arm-exporter
+  namespace: monitoring
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    port: https
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+  jobLabel: k8s-app
+  selector:
+    matchLabels:
+      k8s-app: arm-exporter
--- a/vars.jsonnet
+++ b/vars.jsonnet
@ -1,7 +1,7 @@
 {
  // Enable or disable additional modules
  installModules: {
-    'arm-exporter': false,
+    'arm-exporter': true,
    metallb: false,
    traefik: false,
    'ups-exporter': false,