Issue #11 - Add ServiceAccount and TLS params to arm-exporter (#12)

Issue #11 - Add ServiceAccount and TLS params to arm-exporter
Carlos Eduardo 2019-05-03 13:52:47 -03:00 committed by GitHub
commit 25b391a68a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 168 additions and 2 deletions


@ -21,7 +21,7 @@ Components included in this package:
* Grafana * Grafana
* SMTP relay to Gmail for Grafana notifications * SMTP relay to Gmail for Grafana notifications
There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`. There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
The additional modules are: The additional modules are:
@ -33,6 +33,8 @@ The additional modules are:
There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus. There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
After changing these parameters, rebuild the manifests with `make`.
## Quickstart ## Quickstart
The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files. The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.


@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
}, },
armExporter+:: { armExporter+:: {
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('arm-exporter') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('arm-exporter') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(['authentication.k8s.io']) +
policyRule.withResources([
'tokenreviews',
]) +
policyRule.withVerbs(['create']);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(['authorization.k8s.io']) +
policyRule.withResources([
'subjectaccessreviews',
]) +
policyRule.withVerbs(['create']);
local rules = [authenticationRole, authorizationRole];
clusterRole.new() +
clusterRole.mixin.metadata.withName('arm-exporter') +
clusterRole.withRules(rules),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('arm-exporter') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
daemonset: daemonset:
local daemonset = k.apps.v1beta2.daemonSet; local daemonset = k.apps.v1beta2.daemonSet;
local container = daemonset.mixin.spec.template.spec.containersType; local container = daemonset.mixin.spec.template.spec.containersType;
@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.withArgs([ container.withArgs([
'--secure-listen-address=$(IP):9243', '--secure-listen-address=$(IP):9243',
'--upstream=http://127.0.0.1:9243/', '--upstream=http://127.0.0.1:9243/',
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
]) + ]) +
container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) + container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) + container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
daemonset.mixin.spec.selector.withMatchLabels(podLabels) + daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
daemonset.mixin.spec.template.metadata.withLabels(podLabels) + daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) + daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') +
daemonset.mixin.spec.template.spec.withContainers(c), daemonset.mixin.spec.template.spec.withContainers(c),
serviceMonitor: serviceMonitor:
{ {
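Review bot: The `--tls-cipher-suites` argument added to the kube-rbac-proxy container takes its list from `$._config.tlsCipherSuites`, and the rendered DaemonSet in this commit shows that list includes `TLS_RSA_WITH_AES_128_CBC_SHA256` and two ECDHE CBC suites. The static-RSA suite provides no forward secrecy, and the only expected client is presumably Prometheus, so the list could be narrowed for this exporter to the AEAD suites: `'--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',`. The new `clusterRole` also has no comment; a line such as `// create on tokenreviews/subjectaccessreviews lets kube-rbac-proxy authenticate and authorize scrape requests` above it would explain why a cluster-wide role is needed. The daemonset definition starts and ends outside these hunks.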


@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: arm-exporter
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: arm-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: arm-exporter
subjects:
- kind: ServiceAccount
name: arm-exporter
namespace: monitoring


@ -0,0 +1,54 @@
apiVersion: apps/v1beta2
kind: DaemonSet
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
selector:
matchLabels:
k8s-app: arm-exporter
template:
metadata:
labels:
k8s-app: arm-exporter
spec:
containers:
- command:
- /bin/rpi_exporter
- --web.listen-address=127.0.0.1:9243
image: carlosedp/arm_exporter:latest
name: arm-exporter
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 50m
memory: 50Mi
- args:
- --secure-listen-address=$(IP):9243
- --upstream=http://127.0.0.1:9243/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
env:
- name: IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: carlosedp/kube-rbac-proxy:v0.4.1
name: kube-rbac-proxy
ports:
- containerPort: 9243
hostPort: 9243
name: https
resources:
limits:
cpu: 20m
memory: 40Mi
requests:
cpu: 10m
memory: 20Mi
nodeSelector:
beta.kubernetes.io/arch: arm64
serviceAccountName: arm-exporter


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
clusterIP: None
ports:
- name: https
port: 9243
targetPort: https
selector:
k8s-app: arm-exporter


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: arm-exporter
namespace: monitoring


@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
k8s-app: arm-exporter
name: arm-exporter
namespace: monitoring
spec:
endpoints:
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
port: https
scheme: https
tlsConfig:
insecureSkipVerify: true
jobLabel: k8s-app
selector:
matchLabels:
k8s-app: arm-exporter


@ -1,7 +1,7 @@
{ {
// Enable or disable additional modules // Enable or disable additional modules
installModules: { installModules: {
'arm-exporter': false, 'arm-exporter': true,
metallb: false, metallb: false,
traefik: false, traefik: false,
'ups-exporter': false, 'ups-exporter': false,
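Review bot: The `'arm-exporter'` entry in `installModules` appears to change from `false` to `true` here, which conflicts with the README wording in the same commit that the additional modules are disabled by default. With it enabled by default, every build also ships the new cluster-scoped `arm-exporter` ClusterRole and ClusterRoleBinding and a DaemonSet that binds hostPort 9243. If the flip was only needed to generate the manifests, keep `'arm-exporter': false,` as the committed default; otherwise the README sentence should say which modules are on by default.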