From 310f471cf6bc160c07018fbe1441ef414b63d1ef Mon Sep 17 00:00:00 2001
From: Max Leonard Inden <IndenML@gmail.com>
Date: Mon, 19 Mar 2018 17:03:42 +0100
Subject: [PATCH] contrib/kube: Add rbac role to discover prometheus

The current example-app setup in the kube-prometheus project is able to
discover scraping targets in the default namespace. It is not able to
discover the configured Alertmanager in the monitoring namespace.

This patch adds an alertmanager-discovery rbac role, to permit the
above described action. In addition it does the following cleanups:

- Remove kubeconfig configuration in deploy and teardown script. kubectl
chooses .kube/config whenever KUBECONFIG is not set by default

- Remove namespace specification option via NAMESPACE env var. In most
of the manifests the metadata/namespace was hardcoded anyway, and in
the prometheus frontend role binding the service account namespace is
hardcoded to default as well.

- Instead of `kubectl {apply,delete}` individual manifests, the deploy
and teardown shell scripts {apply,delete} on the entire folder.
---
 hack/example-service-monitoring/deploy          | 17 +----------------
 hack/example-service-monitoring/teardown        | 11 +----------
 manifests/examples/example-app/example-app.yaml |  2 ++
 ...end-alertmanager-discovery-role-binding.yaml | 13 +++++++++++++
 ...us-frontend-alertmanager-discovery-role.yaml | 12 ++++++++++++
 .../prometheus-frontend-service-account.yaml    |  1 +
 .../example-app/prometheus-frontend-svc.yaml    |  1 +
 .../example-app/servicemonitor-frontend.yaml    |  3 ++-
 8 files changed, 33 insertions(+), 27 deletions(-)
 create mode 100644 manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role-binding.yaml
 create mode 100644 manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role.yaml

diff --git a/hack/example-service-monitoring/deploy b/hack/example-service-monitoring/deploy
index ba922b84..18b0ef6a 100755
--- a/hack/example-service-monitoring/deploy
+++ b/hack/example-service-monitoring/deploy
@@ -1,18 +1,3 @@
 #!/usr/bin/env bash
 
-if [ -z "${KUBECONFIG}" ]; then
-    KUBECONFIG=~/.kube/config
-fi
-
-if [ -z "${NAMESPACE}" ]; then
-    NAMESPACE=default
-fi
-
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/prometheus-frontend-service-account.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/prometheus-frontend-role.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/prometheus-frontend-role-binding.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/prometheus-frontend-svc.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/example-app.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/prometheus-frontend.yaml
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" apply -f manifests/examples/example-app/servicemonitor-frontend.yaml
-
+kubectl apply -f manifests/examples/example-app
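Review bot: The script no longer states its prerequisites. `kubectl apply -f manifests/examples/example-app` now also creates a Role and a RoleBinding in `monitoring`, so that namespace must already exist and the caller needs rights to write RBAC objects there. A previously exported `NAMESPACE` is also silently ignored. I would add a comment above the command such as `# Applies to the current kubectl context; needs the monitoring namespace and creates RBAC objects in it. NAMESPACE is no longer honoured.` The same applies to the `teardown` hunk, which now deletes those RBAC objects from `monitoring`.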
diff --git a/hack/example-service-monitoring/teardown b/hack/example-service-monitoring/teardown
index a631fe3e..a5fc1760 100755
--- a/hack/example-service-monitoring/teardown
+++ b/hack/example-service-monitoring/teardown
@@ -1,12 +1,3 @@
 #!/usr/bin/env bash
 
-if [ -z "${KUBECONFIG}" ]; then
-    KUBECONFIG=~/.kube/config
-fi
-
-if [ -z "${NAMESPACE}" ]; then
-    NAMESPACE=default
-fi
-
-kubectl --namespace "$NAMESPACE" --kubeconfig="$KUBECONFIG" delete -f manifests/examples/example-app
-
+kubectl delete -f manifests/examples/example-app
diff --git a/manifests/examples/example-app/example-app.yaml b/manifests/examples/example-app/example-app.yaml
index adb6602b..0262fd3c 100644
--- a/manifests/examples/example-app/example-app.yaml
+++ b/manifests/examples/example-app/example-app.yaml
@@ -4,6 +4,7 @@ metadata:
   name: example-app
   labels:
     tier: frontend
+  namespace: default
 spec: 
   selector: 
     app: example-app 
@@ -17,6 +18,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: example-app
+  namespace: default
 spec:
   replicas: 4
   template:
diff --git a/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role-binding.yaml b/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role-binding.yaml
new file mode 100644
index 00000000..09b3f5e4
--- /dev/null
+++ b/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-frontend
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: alertmanager-discovery
+subjects:
+- kind: ServiceAccount
+  name: prometheus-frontend
+  namespace: default
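Review bot: The binding name `prometheus-frontend` hides that this is a cross-namespace grant. The object lives in `monitoring` but gives a ServiceAccount from `default` access there, and it shares its name with that service account, so it is easy to miss when auditing who can read `monitoring`. Consider `name: prometheus-frontend-alertmanager-discovery` and a comment above `subjects:` such as `# cross-namespace: lets the example Prometheus in default discover Alertmanager in monitoring`. Separately, this file and the new Role both use `rbac.authorization.k8s.io/v1beta1`; if the clusters this example targets already serve `rbac.authorization.k8s.io/v1`, that version is the better choice.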
diff --git a/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role.yaml b/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role.yaml
new file mode 100644
index 00000000..84319cdd
--- /dev/null
+++ b/manifests/examples/example-app/prometheus-frontend-alertmanager-discovery-role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: alertmanager-discovery
+  namespace: monitoring
+rules:
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs: ["list", "watch"]
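Review bot: The rule is broader than the name `alertmanager-discovery` suggests. `list` and `watch` on `services`, `endpoints` and `pods` cover every such object in `monitoring`, not only Alertmanager's, so the bound service account from `default` can read all pod specs in that namespace. That is presumably what endpoint-based discovery requires, but the scope should be stated in the manifest. I would add a comment above `rules:` such as `# read-only discovery; exposes all services, endpoints and pods in monitoring to the bound subject`.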
diff --git a/manifests/examples/example-app/prometheus-frontend-service-account.yaml b/manifests/examples/example-app/prometheus-frontend-service-account.yaml
index abd3e0df..4dd7c26b 100644
--- a/manifests/examples/example-app/prometheus-frontend-service-account.yaml
+++ b/manifests/examples/example-app/prometheus-frontend-service-account.yaml
@@ -2,3 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: prometheus-frontend
+  namespace: default
diff --git a/manifests/examples/example-app/prometheus-frontend-svc.yaml b/manifests/examples/example-app/prometheus-frontend-svc.yaml
index 6a269155..7002e8f1 100644
--- a/manifests/examples/example-app/prometheus-frontend-svc.yaml
+++ b/manifests/examples/example-app/prometheus-frontend-svc.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: prometheus-frontend
+  namespace: default
 spec:
   type: NodePort
   ports:
diff --git a/manifests/examples/example-app/servicemonitor-frontend.yaml b/manifests/examples/example-app/servicemonitor-frontend.yaml
index cc3d42fa..709ab2cb 100644
--- a/manifests/examples/example-app/servicemonitor-frontend.yaml
+++ b/manifests/examples/example-app/servicemonitor-frontend.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: frontend
+  namespace: default
   labels:
     tier: frontend
 spec:
@@ -10,4 +11,4 @@ spec:
       tier: frontend
   endpoints:
   - port: web
-    interval: 10s
\ No newline at end of file
+    interval: 10s
-- 
GitLab