Fix issue #11. Arm-exporter didn't have a ServiceAccount and TLS params
parent
88c16b9702
commit
732a650b51
@ -21,7 +21,7 @@ Components included in this package:
|
|||||||
* Grafana
|
* Grafana
|
||||||
* SMTP relay to Gmail for Grafana notifications
|
* SMTP relay to Gmail for Grafana notifications
|
||||||
|
|
||||||
There are additional modules (enabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
|
There are additional modules (disabled by default) to monitor other components of the infra-structure. These can be disabled on `vars.jsonnet` file by setting the module in `installModules` to `false`.
|
||||||
|
|
||||||
The additional modules are:
|
The additional modules are:
|
||||||
|
|
||||||
@ -33,6 +33,8 @@ The additional modules are:
|
|||||||
|
|
||||||
There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
|
There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
|
||||||
|
|
||||||
|
After changing these parameters, rebuild the manifests with `make`.
|
||||||
|
|
||||||
## Quickstart
|
## Quickstart
|
||||||
|
|
||||||
The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.
|
The repository already provides a set of compiled manifests to be applied into the cluster. The deployment can be customized thru the jsonnet files.
|
||||||
|
@ -14,6 +14,46 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
},
|
},
|
||||||
|
|
||||||
armExporter+:: {
|
armExporter+:: {
|
||||||
|
clusterRoleBinding:
|
||||||
|
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
|
||||||
|
|
||||||
|
clusterRoleBinding.new() +
|
||||||
|
clusterRoleBinding.mixin.metadata.withName('arm-exporter') +
|
||||||
|
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
|
||||||
|
clusterRoleBinding.mixin.roleRef.withName('arm-exporter') +
|
||||||
|
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
|
||||||
|
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),
|
||||||
|
|
||||||
|
clusterRole:
|
||||||
|
local clusterRole = k.rbac.v1.clusterRole;
|
||||||
|
local policyRule = clusterRole.rulesType;
|
||||||
|
|
||||||
|
local authenticationRole = policyRule.new() +
|
||||||
|
policyRule.withApiGroups(['authentication.k8s.io']) +
|
||||||
|
policyRule.withResources([
|
||||||
|
'tokenreviews',
|
||||||
|
]) +
|
||||||
|
policyRule.withVerbs(['create']);
|
||||||
|
|
||||||
|
local authorizationRole = policyRule.new() +
|
||||||
|
policyRule.withApiGroups(['authorization.k8s.io']) +
|
||||||
|
policyRule.withResources([
|
||||||
|
'subjectaccessreviews',
|
||||||
|
]) +
|
||||||
|
policyRule.withVerbs(['create']);
|
||||||
|
|
||||||
|
local rules = [authenticationRole, authorizationRole];
|
||||||
|
|
||||||
|
clusterRole.new() +
|
||||||
|
clusterRole.mixin.metadata.withName('arm-exporter') +
|
||||||
|
clusterRole.withRules(rules),
|
||||||
|
|
||||||
|
serviceAccount:
|
||||||
|
local serviceAccount = k.core.v1.serviceAccount;
|
||||||
|
|
||||||
|
serviceAccount.new('arm-exporter') +
|
||||||
|
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
|
||||||
|
|
||||||
daemonset:
|
daemonset:
|
||||||
local daemonset = k.apps.v1beta2.daemonSet;
|
local daemonset = k.apps.v1beta2.daemonSet;
|
||||||
local container = daemonset.mixin.spec.template.spec.containersType;
|
local container = daemonset.mixin.spec.template.spec.containersType;
|
||||||
@ -37,6 +77,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
container.withArgs([
|
container.withArgs([
|
||||||
'--secure-listen-address=$(IP):9243',
|
'--secure-listen-address=$(IP):9243',
|
||||||
'--upstream=http://127.0.0.1:9243/',
|
'--upstream=http://127.0.0.1:9243/',
|
||||||
|
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
|
||||||
]) +
|
]) +
|
||||||
container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
|
container.withPorts(containerPort.new(9243) + containerPort.withHostPort(9243) + containerPort.withName('https')) +
|
||||||
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
|
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
|
||||||
@ -51,6 +92,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
|
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
|
||||||
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
|
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
|
||||||
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
|
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/arch': 'arm64' }) +
|
||||||
|
daemonset.mixin.spec.template.spec.withServiceAccountName('arm-exporter') +
|
||||||
daemonset.mixin.spec.template.spec.withContainers(c),
|
daemonset.mixin.spec.template.spec.withContainers(c),
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
{
|
{
|
||||||
|
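Review bot: The `'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites)` argument added to the kube-rbac-proxy `container.withArgs([...])` list inherits whatever `$._config.tlsCipherSuites` holds, and that value is defined outside these hunks. The rendered DaemonSet in this commit shows it expanding to five suites, among them `TLS_RSA_WITH_AES_128_CBC_SHA256` (static RSA key exchange, no forward secrecy) and two ECDHE CBC suites. If Prometheus is the only client, the list can probably be cut to the two ECDHE GCM suites already in it, either in `_config` or with a local list for this proxy. A one-line comment above `clusterRole:` would also help, e.g. `// kube-rbac-proxy creates TokenReviews and SubjectAccessReviews to authenticate and authorize scrapers`. The `armExporter` object and the container definition both start and end outside the hunks shown.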
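--- a/manifests/arm-exporter-clusterRole.yaml
+++ b/manifests/arm-exporter-clusterRole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: arm-exporter
+rules:
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create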
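--- a/manifests/arm-exporter-clusterRoleBinding.yaml
+++ b/manifests/arm-exporter-clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: arm-exporter
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: arm-exporter
+subjects:
+- kind: ServiceAccount
+name: arm-exporter
+namespace: monitoring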
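--- a/manifests/arm-exporter-daemonset.yaml
+++ b/manifests/arm-exporter-daemonset.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+selector:
+matchLabels:
+k8s-app: arm-exporter
+template:
+metadata:
+labels:
+k8s-app: arm-exporter
+spec:
+containers:
+- command:
+- /bin/rpi_exporter
+- --web.listen-address=127.0.0.1:9243
+image: carlosedp/arm_exporter:latest
+name: arm-exporter
+resources:
+limits:
+cpu: 100m
+memory: 100Mi
+requests:
+cpu: 50m
+memory: 50Mi
+- args:
+- --secure-listen-address=$(IP):9243
+- --upstream=http://127.0.0.1:9243/
+- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+env:
+- name: IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+image: carlosedp/kube-rbac-proxy:v0.4.1
+name: kube-rbac-proxy
+ports:
+- containerPort: 9243
+hostPort: 9243
+name: https
+resources:
+limits:
+cpu: 20m
+memory: 40Mi
+requests:
+cpu: 10m
+memory: 20Mi
+nodeSelector:
+beta.kubernetes.io/arch: arm64
+serviceAccountName: arm-exporter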
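Review bot: The exporter container runs `carlosedp/arm_exporter:latest`, a mutable tag, so a changed upstream image reaches every arm64 node on the next pod restart without any change in this repository, while the proxy beside it is pinned to `v0.4.1`. Pin the exporter too, for example `image: carlosedp/arm_exporter:<version>@sha256:<digest>` (placeholder values). Neither container sets a `securityContext`; unless the exporter needs root to read the board sensors, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are worth testing. This manifest appears to be rendered from the jsonnet source, so the change belongs there.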
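--- a/manifests/arm-exporter-service.yaml
+++ b/manifests/arm-exporter-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+clusterIP: None
+ports:
+- name: https
+port: 9243
+targetPort: https
+selector:
+k8s-app: arm-exporter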
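--- a/manifests/arm-exporter-serviceAccount.yaml
+++ b/manifests/arm-exporter-serviceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: arm-exporter
+namespace: monitoring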
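--- a/manifests/arm-exporter-serviceMonitor.yaml
+++ b/manifests/arm-exporter-serviceMonitor.yaml
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+labels:
+k8s-app: arm-exporter
+name: arm-exporter
+namespace: monitoring
+spec:
+endpoints:
+- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+interval: 30s
+port: https
+scheme: https
+tlsConfig:
+insecureSkipVerify: true
+jobLabel: k8s-app
+selector:
+matchLabels:
+k8s-app: arm-exporter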
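Review bot: With `insecureSkipVerify: true` under `tlsConfig`, Prometheus sends the service-account token named in `bearerTokenFile` to the scrape endpoint without checking its certificate, so the token is only as safe as the network path to port 9243. The DaemonSet in this commit starts kube-rbac-proxy without a certificate or key argument, so it presumably serves a self-signed certificate, which would explain the skip. If a certificate can be provisioned for the proxy (`--tls-cert-file` / `--tls-private-key-file`), replace the skip with `caFile: <path-to-ca>` and `serverName: <name-in-cert>` (placeholder values). Otherwise record in the jsonnet source that verification is disabled deliberately and why.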
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
// Enable or disable additional modules
|
// Enable or disable additional modules
|
||||||
installModules: {
|
installModules: {
|
||||||
'arm-exporter': false,
|
'arm-exporter': true,
|
||||||
metallb: false,
|
metallb: false,
|
||||||
traefik: false,
|
traefik: false,
|
||||||
'ups-exporter': false,
|
'ups-exporter': false,
|
||||||
|
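Review bot: `'arm-exporter': true` changes the shipped default, assuming the second printing of that line is the new side, as the arm-exporter manifests added in this commit suggest. The README text in the same commit describes the additional modules as disabled by default, so the two disagree. With this default, a plain `make` renders a DaemonSet that opens hostPort 9243 on arm64 nodes, plus a ClusterRole and ClusterRoleBinding. Either keep `'arm-exporter': false,` so users opt in, or say in the README that arm-exporter is the one module enabled by default. The `installModules` object continues past the end of the hunk.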