From 732a650b5196ee6a64a531a3f6198bd49cbdb7eb Mon Sep 17 00:00:00 2001 From: CarlosEDP Date: Tue, 23 Apr 2019 12:03:34 -0300 Subject: [PATCH] Fix issue #11. Arm-exporter didn't have a ServiceAccount and TLS params --- Readme.md | 4 +- arm_exporter.jsonnet | 42 +++++++++++++++ manifests/arm-exporter-clusterRole.yaml | 17 ++++++ .../arm-exporter-clusterRoleBinding.yaml | 12 +++++ manifests/arm-exporter-daemonset.yaml | 54 +++++++++++++++++++ manifests/arm-exporter-service.yaml | 15 ++++++ manifests/arm-exporter-serviceAccount.yaml | 5 ++ manifests/arm-exporter-serviceMonitor.yaml | 19 +++++++ vars.jsonnet | 2 +- 9 files changed, 168 insertions(+), 2 deletions(-) create mode 100644 manifests/arm-exporter-clusterRole.yaml create mode 100644 manifests/arm-exporter-clusterRoleBinding.yaml create mode 100644 manifests/arm-exporter-daemonset.yaml create mode 100644 manifests/arm-exporter-service.yaml create mode 100644 manifests/arm-exporter-serviceAccount.yaml create mode 100644 manifests/arm-exporter-serviceMonitor.yaml diff --git a/Readme.md b/Readme.md index 51afae4..d8a0b79 100644 --- a/Readme.md +++ b/Readme.md @@ -21,7 +21,7 @@ Components included in this package: * Grafana * SMTP relay to Gmail for Grafana notifications -There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`. +There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`. The additional modules are: 
@@ -33,6 +33,8 @@ The additional modules are: There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus. +After changing these parameters, rebuild the manifests with `make`. + ## Quickstart The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files. diff --git a/arm_exporter.jsonnet b/arm_exporter.jsonnet index 42bd4df..7232b22 100644 --- a/arm_exporter.jsonnet +++ b/arm_exporter.jsonnet 
@@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; }, armExporter+:: { + clusterRoleBinding: + local clusterRoleBinding = k.rbac.v1.clusterRoleBinding; + + clusterRoleBinding.new() + + clusterRoleBinding.mixin.metadata.withName('arm-exporter') + + clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + + clusterRoleBinding.mixin.roleRef.withName('arm-exporter') + + clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) + + clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]), + + clusterRole: + local clusterRole = k.rbac.v1.clusterRole; + local policyRule = clusterRole.rulesType; + + local authenticationRole = policyRule.new() + + policyRule.withApiGroups(['authentication.k8s.io']) + + policyRule.withResources([ + 'tokenreviews', + ]) + + policyRule.withVerbs(['create']); + + local authorizationRole = policyRule.new() + + policyRule.withApiGroups(['authorization.k8s.io']) + + policyRule.withResources([ + 'subjectaccessreviews', + ]) + + policyRule.withVerbs(['create']); + + local rules = [authenticationRole, authorizationRole]; + + clusterRole.new() + + clusterRole.mixin.metadata.withName('arm-exporter') + + clusterRole.withRules(rules), + + serviceAccount: + local serviceAccount = k.core.v1.serviceAccount; + + serviceAccount.new('arm-exporter') + + serviceAccount.mixin.metadata.withNamespace($._config.namespace), + daemonset: local daemonset = k.apps.v1beta2.daemonSet; local container = daemonset.mixin.spec.template.spec.containersType; 
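Review bot: The new `clusterRole` grants `create` on `tokenreviews` and `subjectaccessreviews` without a word on why a metrics exporter needs cluster-wide access to the authentication and authorization APIs, so a later maintainer is likely either to widen it or to strip it and break scraping. These two rules are the minimum the kube-rbac-proxy sidecar needs (it validates the scraper's bearer token with a TokenReview and checks its permissions with a SubjectAccessReview); the `arm-exporter` container itself makes no API calls. Add above `local authenticationRole` a comment such as `// Minimum RBAC for the kube-rbac-proxy sidecar: TokenReview to authenticate scrape requests, SubjectAccessReview to authorize them. The exporter container needs no API access.` The `armExporter` object this hunk extends begins before the hunk and its `daemonset` field continues past it.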
@@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; container.withArgs([ '--secure-listen-address=$(IP):9243', '--upstream=http://127.0.0.1:9243/', + '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites), ]) + container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) + container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) + @@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; daemonset.mixin.spec.selector.withMatchLabels(podLabels) + daemonset.mixin.spec.template.metadata.withLabels(podLabels) + daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) + + daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') + daemonset.mixin.spec.template.spec.withContainers(c), serviceMonitor: { diff --git a/manifests/arm-exporter-clusterRole.yaml b/manifests/arm-exporter-clusterRole.yaml new file mode 100644 index 0000000..ab8f48f --- /dev/null +++ b/manifests/arm-exporter-clusterRole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: arm-exporter +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/manifests/arm-exporter-clusterRoleBinding.yaml b/manifests/arm-exporter-clusterRoleBinding.yaml new file mode 100644 index 0000000..0dfb6dc --- /dev/null +++ b/manifests/arm-exporter-clusterRoleBinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: arm-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: arm-exporter +subjects: +- kind: ServiceAccount + name: arm-exporter + namespace: monitoring 
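Review bot: The list spliced into `'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites)` is not defined in this hunk (presumably inherited from the kube-prometheus defaults), and the compiled `manifests/arm-exporter-daemonset.yaml` in this same patch shows it resolving to five suites, of which `TLS_RSA_WITH_AES_128_CBC_SHA256` uses static RSA key exchange (no forward secrecy) and three are CBC-mode. The only client of this endpoint is Prometheus over `scheme: https`, so the two ECDHE GCM suites are enough; consider setting `tlsCipherSuites: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256']` in this module's `_config`, or adding a comment stating why the broader default is kept. The same applies to the proxy's TLS minimum version, which this hunk leaves at the binary's default; if the pinned `kube-rbac-proxy:v0.4.1` exposes a flag for it, it belongs next to the cipher argument. The `daemonset` expression this hunk sits in starts and ends outside the hunk.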
diff --git a/manifests/arm-exporter-daemonset.yaml b/manifests/arm-exporter-daemonset.yaml
new file mode 100644
index 0000000..6b1147b
--- /dev/null
+++ b/manifests/arm-exporter-daemonset.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: arm-exporter
+ name: arm-exporter
+ namespace: monitoring
+spec:
+ selector:
+ matchLabels:
+ k8s-app: arm-exporter
+ template:
+ metadata:
+ labels:
+ k8s-app: arm-exporter
+ spec:
+ containers:
+ - command:
+ - /bin/rpi_exporter
+ - --web.listen-address=127.0.0.1:9243
+ image: carlosedp/arm_exporter:latest
+ name: arm-exporter
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
+ - args:
+ - --secure-listen-address=$(IP):9243
+ - --upstream=http://127.0.0.1:9243/
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ env:
+ - name: IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ image: carlosedp/kube-rbac-proxy:v0.4.1
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 9243
+ hostPort: 9243
+ name: https
+ resources:
+ limits:
+ cpu: 20m
+ memory: 40Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ nodeSelector:
+ beta.kubernetes.io/arch: arm64
+ serviceAccountName: arm-exporter
diff --git a/manifests/arm-exporter-service.yaml b/manifests/arm-exporter-service.yaml
new file mode 100644
index 0000000..d83042f
--- /dev/null
+++ b/manifests/arm-exporter-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ k8s-app: arm-exporter
+ name: arm-exporter
+ namespace: monitoring
+spec:
+ clusterIP: None
+ ports:
+ - name: https
+ port: 9243
+ targetPort: https
+ selector:
+ k8s-app: arm-exporter
diff --git a/manifests/arm-exporter-serviceAccount.yaml b/manifests/arm-exporter-serviceAccount.yaml
new file mode 100644
index 0000000..42e52a0
--- /dev/null
+++ b/manifests/arm-exporter-serviceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: arm-exporter
+ namespace: monitoring
diff --git a/manifests/arm-exporter-serviceMonitor.yaml b/manifests/arm-exporter-serviceMonitor.yaml
new file mode 100644
index 0000000..a92a2a1
--- /dev/null
+++ b/manifests/arm-exporter-serviceMonitor.yaml
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ k8s-app: arm-exporter
+ name: arm-exporter
+ namespace: monitoring
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: https
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ jobLabel: k8s-app
+ selector:
+ matchLabels:
+ k8s-app: arm-exporter
diff --git a/vars.jsonnet b/vars.jsonnet
index 145b502..c9014a1 100644
--- a/vars.jsonnet
+++ b/vars.jsonnet
@@ -1,7 +1,7 @@
 {
 // Enable or disable additional modules
 installModules: {
- 'arm-exporter': false,
+ 'arm-exporter': true,
 metallb: false,
 traefik: false,
 'ups-exporter': false,
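Review bot: Flipping `'arm-exporter': true` here contradicts the Readme hunk in the same patch, which now states that the additional modules are "disabled by default"; one of the two should change, for example by making the Readme sentence name arm-exporter as the module that ships enabled. Enabling it by default is not a cosmetic choice: per the compiled manifests in this patch it deploys a DaemonSet with `hostPort: 9243` on every arm64 node together with a cluster-scoped Role and RoleBinding, so an opt-in default (`false`, with the Readme's new "rebuild with `make`" note covering how to turn it on) is the more conservative option for clusters that pull this repository without ARM nodes. If the flip is intentional because arm64 is this project's primary target, a comment on the line, such as `// enabled by default: this repository targets ARM clusters`, would settle the question. The `installModules` object continues past the end of the hunk.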