Issue #11 - Add ServiceAccount and TLS params to arm-exporter
commit
25b391a68a
@ -21,7 +21,7 @@ Components included in this package:
|
||||
* Grafana
|
||||
* SMTP relay to Gmail for Grafana notifications
|
||||
|
||||
There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
|
||||
There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
|
||||
|
||||
The additional modules are:
|
||||
|
||||
@ -33,6 +33,8 @@ The additional modules are:
|
||||
|
||||
There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
|
||||
|
||||
After changing these parameters, rebuild the manifests with `make`.
|
||||
|
||||
## Quickstart
|
||||
|
||||
The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.
|
||||
|
@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
||||
},
|
||||
|
||||
armExporter+:: {
|
||||
clusterRoleBinding:
|
||||
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
|
||||
|
||||
clusterRoleBinding.new() +
|
||||
clusterRoleBinding.mixin.metadata.withName('arm-exporter') +
|
||||
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
|
||||
clusterRoleBinding.mixin.roleRef.withName('arm-exporter') +
|
||||
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
|
||||
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),
|
||||
|
||||
clusterRole:
|
||||
local clusterRole = k.rbac.v1.clusterRole;
|
||||
local policyRule = clusterRole.rulesType;
|
||||
|
||||
local authenticationRole = policyRule.new() +
|
||||
policyRule.withApiGroups(['authentication.k8s.io']) +
|
||||
policyRule.withResources([
|
||||
'tokenreviews',
|
||||
]) +
|
||||
policyRule.withVerbs(['create']);
|
||||
|
||||
local authorizationRole = policyRule.new() +
|
||||
policyRule.withApiGroups(['authorization.k8s.io']) +
|
||||
policyRule.withResources([
|
||||
'subjectaccessreviews',
|
||||
]) +
|
||||
policyRule.withVerbs(['create']);
|
||||
|
||||
local rules = [authenticationRole, authorizationRole];
|
||||
|
||||
clusterRole.new() +
|
||||
clusterRole.mixin.metadata.withName('arm-exporter') +
|
||||
clusterRole.withRules(rules),
|
||||
|
||||
serviceAccount:
|
||||
local serviceAccount = k.core.v1.serviceAccount;
|
||||
|
||||
serviceAccount.new('arm-exporter') +
|
||||
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
|
||||
|
||||
daemonset:
|
||||
local daemonset = k.apps.v1beta2.daemonSet;
|
||||
local container = daemonset.mixin.spec.template.spec.containersType;
|
||||
@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
||||
container.withArgs([
|
||||
'--secure-listen-address=$(IP):9243',
|
||||
'--upstream=http://127.0.0.1:9243/',
|
||||
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
|
||||
]) +
|
||||
container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
|
||||
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
|
||||
@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
||||
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
|
||||
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
|
||||
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
|
||||
daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') +
|
||||
daemonset.mixin.spec.template.spec.withContainers(c),
|
||||
serviceMonitor:
|
||||
{
|
||||
|
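Review bot: The `--tls-cipher-suites` argument on the kube-rbac-proxy container (hunk `-37,6 +77,7`) joins `$._config.tlsCipherSuites` as-is, and the value rendered into manifests/arm-exporter-daemonset.yaml on this page still contains `TLS_RSA_WITH_AES_128_CBC_SHA256`, a static-RSA suite without forward secrecy, plus two ECDHE CBC-SHA256 suites. The list is defined outside this diff, so the change belongs there: keep the two ECDHE GCM entries and drop the CBC ones unless a scraper is known to need them. A one-line comment above the argument, such as `// TLS is terminated by kube-rbac-proxy; allowed suites come from $._config.tlsCipherSuites`, would tell the next reader where to tighten it. The `daemonset` field begins before and ends after the visible hunks.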
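--- a/manifests/arm-exporter-clusterRole.yaml
+++ b/manifests/arm-exporter-clusterRole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: arm-exporter
+rules:
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create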
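--- a/manifests/arm-exporter-clusterRoleBinding.yaml
+++ b/manifests/arm-exporter-clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: arm-exporter
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: arm-exporter
+subjects:
+- kind: ServiceAccount
+name: arm-exporter
+namespace: monitoring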
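--- a/manifests/arm-exporter-daemonset.yaml
+++ b/manifests/arm-exporter-daemonset.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+selector:
+matchLabels:
+k8s-app: arm-exporter
+template:
+metadata:
+labels:
+k8s-app: arm-exporter
+spec:
+containers:
+- command:
+- /bin/rpi_exporter
+- --web.listen-address=127.0.0.1:9243
+image: carlosedp/arm_exporter:latest
+name: arm-exporter
+resources:
+limits:
+cpu: 100m
+memory: 100Mi
+requests:
+cpu: 50m
+memory: 50Mi
+- args:
+- --secure-listen-address=$(IP):9243
+- --upstream=http://127.0.0.1:9243/
+- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+env:
+- name: IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+image: carlosedp/kube-rbac-proxy:v0.4.1
+name: kube-rbac-proxy
+ports:
+- containerPort: 9243
+hostPort: 9243
+name: https
+resources:
+limits:
+cpu: 20m
+memory: 40Mi
+requests:
+cpu: 10m
+memory: 20Mi
+nodeSelector:
+beta.kubernetes.io/arch: arm64
+serviceAccountName: arm-exporter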
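--- a/manifests/arm-exporter-service.yaml
+++ b/manifests/arm-exporter-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+clusterIP: None
+ports:
+- name: https
+port: 9243
+targetPort: https
+selector:
+k8s-app: arm-exporter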
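--- a/manifests/arm-exporter-serviceAccount.yaml
+++ b/manifests/arm-exporter-serviceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: arm-exporter
+namespace: monitoring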
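--- a/manifests/arm-exporter-serviceMonitor.yaml
+++ b/manifests/arm-exporter-serviceMonitor.yaml
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+endpoints:
+- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+interval: 30s
+port: https
+scheme: https
+tlsConfig:
+insecureSkipVerify: true
+jobLabel: k8s-app
+selector:
+matchLabels:
+k8s-app: arm-exporter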
@ -1,7 +1,7 @@
|
||||
{
|
||||
// Enable or disable additional modules
|
||||
installModules: {
|
||||
'arm-exporter': false,
|
||||
'arm-exporter': true,
|
||||
metallb: false,
|
||||
traefik: false,
|
||||
'ups-exporter': false,
|
||||
|
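Review bot: The two adjacent `'arm-exporter'` lines lost their +/- markers on this page; if `'arm-exporter': true,` is the new side, a build from stock vars now deploys the exporter DaemonSet with `hostPort: 9243` and its ClusterRoleBinding onto every arm64 node, while the README hunk in this commit appears to describe the additional modules as disabled by default. Keeping `'arm-exporter': false,` as the committed default leaves that footprint opt-in; otherwise the README wording should match the shipped default. The `installModules` object continues past the end of the hunk.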