diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 68da316363f34abdbebd7381f1d63a33a7291f48..e9edf2a6d427c46db4e43530ea7bacee23c78d3b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,6 +20,18 @@ jobs: with: go-version: ${{ env.golang-version }} - run: make --always-make generate && git diff --exit-code + lint: + runs-on: ubuntu-latest + name: Jsonnet linter + steps: + - uses: actions/checkout@v2 + - run: make --always-make lint + fmt: + runs-on: ubuntu-latest + name: Jsonnet formatter + steps: + - uses: actions/checkout@v2 + - run: make --always-make fmt && git diff --exit-code unit-tests: runs-on: ubuntu-latest name: Unit tests diff --git a/Makefile b/Makefile index 754ba59a0a082be06cf11250f5b821ab9dbe1da8..198e17887b68d00f48554fe44df3f6aebaaef2db 100644 --- a/Makefile +++ b/Makefile @@ -6,8 +6,9 @@ EMBEDMD_BIN=$(BIN_DIR)/embedmd JB_BIN=$(BIN_DIR)/jb GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml JSONNET_BIN=$(BIN_DIR)/jsonnet +JSONNETLINT_BIN=$(BIN_DIR)/jsonnet-lint JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt -TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETFMT_BIN) +TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN) JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s @@ -36,6 +37,11 @@ fmt: $(JSONNETFMT_BIN) find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \ xargs -n 1 -- $(JSONNETFMT_BIN) $(JSONNETFMT_ARGS) -i +.PHONY: lint +lint: $(JSONNETLINT_BIN) vendor + find jsonnet/ -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \ + xargs -n 1 -- $(JSONNETLINT_BIN) -J vendor + .PHONY: test test: $(JB_BIN) $(JB_BIN) install diff --git a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet index 4b091e9ae6e3d92c20317ed597ecd1e85b585f45..2fee6e1ecc2e4a8eb42d67b55424af7acf0b6873 100644 
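Review bot: The new `lint` and `fmt` jobs have no setup-go step, unlike the job above them that sets `go-version: ${{ env.golang-version }}`. If the Makefile builds `jsonnet-lint` and `jsonnetfmt` from source (the `$(JSONNETLINT_BIN)` prerequisite suggests it does), they are compiled with whatever Go toolchain `ubuntu-latest` happens to ship; adding the same setup-go step to both jobs keeps the tool build reproducible. Both jobs also reference `actions/checkout@v2` by a mutable tag; pinning it to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v2`, removes the reliance on the tag never being moved. No `permissions:` block is visible in the hunk; these jobs only read the repository, so `permissions: { contents: read }` would be enough if it is not already set outside the hunk.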
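Review bot: The `lint` target walks only `jsonnet/`, while the `fmt` target just above it walks `.`, so any `.jsonnet` or `.libsonnet` file outside `jsonnet/` is formatted but never linted by the new CI gate. If that is deliberate, a comment such as `# lint covers jsonnet/ only; files elsewhere in the repo are not checked` would make the gap visible; otherwise use the same `find .` root as `fmt`. The `find … | xargs -n 1` pipe also splits on whitespace in file names; replacing each `-print` with `-print0` and using `xargs -0 -n 1` avoids that. The `vendor` prerequisite is defined outside this hunk, so whether it pins the fetched jsonnet dependencies cannot be checked here.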
--- a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet +++ b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet @@ -58,8 +58,6 @@ local defaults = { }; - - function(params) { local am = self, config:: defaults + params, diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet index 769b1beed50afa1989782f2d732f83046be9d9e4..ce421209e7235ec12f158de362d5e435325d37c1 100644 --- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet 
@@ -92,191 +92,191 @@ function(params) { // Safety check assert std.isObject(bb.config.resources), - configuration: { - apiVersion: 'v1', - kind: 'ConfigMap', - metadata: { - name: 'blackbox-exporter-configuration', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - data: { - 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }), - }, - }, + configuration: { + apiVersion: 'v1', + kind: 'ConfigMap', + metadata: { + name: 'blackbox-exporter-configuration', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + data: { + 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }), + }, + }, - serviceAccount: { - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - }, - }, + serviceAccount: { + apiVersion: 'v1', + kind: 'ServiceAccount', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + }, + }, - clusterRole: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: 'blackbox-exporter', - }, - rules: [ - { - apiGroups: ['authentication.k8s.io'], - resources: ['tokenreviews'], - verbs: ['create'], - }, - { - apiGroups: ['authorization.k8s.io'], - resources: ['subjectaccessreviews'], - verbs: ['create'], - }, - ], + clusterRole: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'blackbox-exporter', + }, + rules: [ + { + apiGroups: ['authentication.k8s.io'], + resources: ['tokenreviews'], + verbs: ['create'], }, - - clusterRoleBinding: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: 'blackbox-exporter', - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'blackbox-exporter', - }, - subjects: [{ - kind: 'ServiceAccount', - name: 'blackbox-exporter', - namespace: bb.config.namespace, - }], + { + apiGroups: ['authorization.k8s.io'], + resources: 
['subjectaccessreviews'], + verbs: ['create'], }, + ], + }, - deployment: - local blackboxExporter = { - name: 'blackbox-exporter', - image: bb.config.image, - args: [ - '--config.file=/etc/blackbox_exporter/config.yml', - '--web.listen-address=:%d' % bb.config.internalPort, - ], - ports: [{ - name: 'http', - containerPort: bb.config.internalPort, - }], - resources: bb.config.resources, - securityContext: if bb.config.privileged then { - runAsNonRoot: false, - capabilities: { drop: ['ALL'], add: ['NET_RAW'] }, - } else { - runAsNonRoot: true, - runAsUser: 65534, - }, - volumeMounts: [{ - mountPath: '/etc/blackbox_exporter/', - name: 'config', - readOnly: true, - }], - }; + clusterRoleBinding: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: 'blackbox-exporter', + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: 'blackbox-exporter', + }, + subjects: [{ + kind: 'ServiceAccount', + name: 'blackbox-exporter', + namespace: bb.config.namespace, + }], + }, + + deployment: + local blackboxExporter = { + name: 'blackbox-exporter', + image: bb.config.image, + args: [ + '--config.file=/etc/blackbox_exporter/config.yml', + '--web.listen-address=:%d' % bb.config.internalPort, + ], + ports: [{ + name: 'http', + containerPort: bb.config.internalPort, + }], + resources: bb.config.resources, + securityContext: if bb.config.privileged then { + runAsNonRoot: false, + capabilities: { drop: ['ALL'], add: ['NET_RAW'] }, + } else { + runAsNonRoot: true, + runAsUser: 65534, + }, + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true, + }], + }; - local reloader = { - name: 'module-configmap-reloader', - image: bb.config.configmapReloaderImage, - args: [ - '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort, - '--volume-dir=/etc/blackbox_exporter/', - ], - resources: bb.config.resources, - securityContext: { runAsNonRoot: true, runAsUser: 65534 
}, - terminationMessagePath: '/dev/termination-log', - terminationMessagePolicy: 'FallbackToLogsOnError', - volumeMounts: [{ - mountPath: '/etc/blackbox_exporter/', - name: 'config', - readOnly: true, - }], - }; + local reloader = { + name: 'module-configmap-reloader', + image: bb.config.configmapReloaderImage, + args: [ + '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort, + '--volume-dir=/etc/blackbox_exporter/', + ], + resources: bb.config.resources, + securityContext: { runAsNonRoot: true, runAsUser: 65534 }, + terminationMessagePath: '/dev/termination-log', + terminationMessagePolicy: 'FallbackToLogsOnError', + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true, + }], + }; - local kubeRbacProxy = krp({ - name: 'kube-rbac-proxy', - upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/', - secureListenAddress: ':' + bb.config.port, - ports: [ - { name: 'https', containerPort: bb.config.port }, - ], - }); + local kubeRbacProxy = krp({ + name: 'kube-rbac-proxy', + upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/', + secureListenAddress: ':' + bb.config.port, + ports: [ + { name: 'https', containerPort: bb.config.port }, + ], + }); - { - apiVersion: 'apps/v1', - kind: 'Deployment', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, + { + apiVersion: 'apps/v1', + kind: 'Deployment', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + spec: { + replicas: bb.config.replicas, + selector: { matchLabels: bb.config.selectorLabels }, + template: { + metadata: { labels: bb.config.commonLabels }, spec: { - replicas: bb.config.replicas, - selector: { matchLabels: bb.config.selectorLabels }, - template: { - metadata: { labels: bb.config.commonLabels }, - spec: { - containers: [blackboxExporter, reloader, kubeRbacProxy], - nodeSelector: { 'kubernetes.io/os': 'linux' }, - 
serviceAccountName: 'blackbox-exporter', - volumes: [{ - name: 'config', - configMap: { name: 'blackbox-exporter-configuration' }, - }], - }, - }, + containers: [blackboxExporter, reloader, kubeRbacProxy], + nodeSelector: { 'kubernetes.io/os': 'linux' }, + serviceAccountName: 'blackbox-exporter', + volumes: [{ + name: 'config', + configMap: { name: 'blackbox-exporter-configuration' }, + }], }, }, - - service: { - apiVersion: 'v1', - kind: 'Service', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - spec: { - ports: [{ - name: 'https', - port: bb.config.port, - targetPort: 'https', - }, { - name: 'probe', - port: bb.config.internalPort, - targetPort: 'http', - }], - selector: bb.config.selectorLabels, - }, }, + }, - serviceMonitor: - { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'ServiceMonitor', - metadata: { - name: 'blackbox-exporter', - namespace: bb.config.namespace, - labels: bb.config.commonLabels, - }, - spec: { - endpoints: [{ - bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', - interval: '30s', - path: '/metrics', - port: 'https', - scheme: 'https', - tlsConfig: { - insecureSkipVerify: true, - }, - }], - selector: { - matchLabels: bb.config.selectorLabels, - }, + service: { + apiVersion: 'v1', + kind: 'Service', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + spec: { + ports: [{ + name: 'https', + port: bb.config.port, + targetPort: 'https', + }, { + name: 'probe', + port: bb.config.internalPort, + targetPort: 'http', + }], + selector: bb.config.selectorLabels, + }, + }, + + serviceMonitor: + { + apiVersion: 'monitoring.coreos.com/v1', + kind: 'ServiceMonitor', + metadata: { + name: 'blackbox-exporter', + namespace: bb.config.namespace, + labels: bb.config.commonLabels, + }, + spec: { + endpoints: [{ + bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', + interval: '30s', 
+ path: '/metrics', + port: 'https', + scheme: 'https', + tlsConfig: { + insecureSkipVerify: true, }, + }], + selector: { + matchLabels: bb.config.selectorLabels, }, - } + }, + }, +} diff --git a/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet b/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet index 9005402e946fe47ac2973561ebf2f13ab7ce00fa..6358236206fb982e1e8c58d65acd2bf072a10c32 100644 --- a/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet +++ b/jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet @@ -30,8 +30,6 @@ }, prometheus+:: { - local p = self, - prometheus+: { spec+: antiaffinity('prometheus', [$._config.prometheus.name], $._config.namespace), diff --git a/jsonnet/kube-prometheus/kube-prometheus.libsonnet b/jsonnet/kube-prometheus/kube-prometheus.libsonnet index 0183b28625917c6c0e139b2d69e79d69d9dec04a..044d27fcb470652942464953ef1f4c6acee7d684 100644 --- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet +++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet @@ -100,7 +100,6 @@ local prometheusAdapter = import './prometheus-adapter/prometheus-adapter.libson (kubeRbacProxyContainer { config+:: { kubeRbacProxy: { - local cfg = self, image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy, name: 'kube-rbac-proxy', securePortName: 'https', diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet index a142b4b62821cedfc3795f01fe574c49f8f77c1a..bc4bf7ffbe9250497313c03d1b8a62d236421f5b 100644 --- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet +++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet @@ -1,5 +1,4 @@ local defaults = { - local defaults = self, namespace: error 'must provide namespace', image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0', ports: error 'must provide ports', 
@@ -10,33 +9,33 @@ local defaults = { limits: { cpu: '20m', memory: '40Mi' }, }, tlsCipherSuites: [ - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 - 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 - // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 - // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 - // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 - // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 - // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 - // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2 - // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2 - // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 - // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2 - // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2 - // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 - // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 - // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 - // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 - // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 - // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 + // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + // 
'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 + // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 + // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 + // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2 + // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2 + // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2 + // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2 + // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 + // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 + // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 + // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 - // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go + // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', - 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', - 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', - ], + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', + 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', + ], }; 
@@ -46,19 +45,19 @@ function(params) { // Safety check assert std.isObject(krp.config.resources), - name: krp.config.name, - image: krp.config.image, - args: [ - '--logtostderr', - '--secure-listen-address=' + krp.config.secureListenAddress, - '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites), - '--upstream=' + krp.config.upstream, - ], - resources: krp.config.resources, - ports: krp.config.ports, - securityContext: { - runAsUser: 65532, - runAsGroup: 65532, - runAsNonRoot: true, - }, + name: krp.config.name, + image: krp.config.image, + args: [ + '--logtostderr', + '--secure-listen-address=' + krp.config.secureListenAddress, + '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites), + '--upstream=' + krp.config.upstream, + ], + resources: krp.config.resources, + ports: krp.config.ports, + securityContext: { + runAsUser: 65532, + runAsGroup: 65532, + runAsNonRoot: true, + }, } diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet index 795463a7192845ed0d490aadc0d4f5d75c4bd910..5122e837ce322c005e715e332c7e3ab1cc04932e 100644 --- a/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet +++ b/jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet @@ -16,7 +16,6 @@ }, specMixin:: { - local sm = self, config+:: { kubeRbacProxy: { image: error 'must provide image', diff --git a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet index 8b602f7ed78469281ab0080b354507d72fcb4375..037d023b9c3c44042c0a5b07fb4da1f440ac4fe1 100644 --- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet +++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet 
@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- upstream: 'http://127.0.0.1:8081/', secureListenAddress: ':8443', ports: [ - { name: 'https-main', containerPort: 8443, }, + { name: 'https-main', containerPort: 8443 }, ], }), @@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- upstream: 'http://127.0.0.1:8082/', secureListenAddress: ':9443', ports: [ - { name: 'https-self', containerPort: 9443, }, + { name: 'https-self', containerPort: 9443 }, ], }), diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet index 63ec53b9dce8aa7ce71e12449cd6c1b4a7f06537..bb16fc41fc5556d87c8872fb9c43f175fbef89ae 100644 --- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet +++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet @@ -67,8 +67,9 @@ function(params) { apiGroups: ['authorization.k8s.io'], resources: ['subjectaccessreviews'], verbs: ['create'], - }], - }, + }, + ], + }, serviceAccount: { apiVersion: 'v1', @@ -169,7 +170,7 @@ function(params) { }) + { env: [ { name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } }, - ] + ], }; { diff --git a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet index 4dceb06f396f8c6a3a23a9ea3eb4ea93f244fd42..4b2ac39f536589b540fd74989dc9301887270a66 100644 --- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet +++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet 
@@ -186,117 +186,117 @@ function(params) { }, }, - serviceAccount: { - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: { - name: pa.config.name, - namespace: pa.config.namespace, - labels: pa.config.commonLabels, - }, + serviceAccount: { + apiVersion: 'v1', + kind: 'ServiceAccount', + metadata: { + name: pa.config.name, + namespace: pa.config.namespace, + labels: pa.config.commonLabels, }, + }, - clusterRole: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: pa.config.name, - labels: pa.config.commonLabels, - }, - rules: [{ - apiGroups: [''], - resources: ['nodes', 'namespaces', 'pods', 'services'], - verbs: ['get', 'list', 'watch'], - }], + clusterRole: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: pa.config.name, + labels: pa.config.commonLabels, }, + rules: [{ + apiGroups: [''], + resources: ['nodes', 'namespaces', 'pods', 'services'], + verbs: ['get', 'list', 'watch'], + }], + }, - clusterRoleBinding: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: pa.config.name, - labels: pa.config.commonLabels, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: $.clusterRole.metadata.name, - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - namespace: pa.config.namespace, - }], + clusterRoleBinding: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: pa.config.name, + labels: pa.config.commonLabels, }, - - clusterRoleBindingDelegator: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRoleBinding', - metadata: { - name: 'resource-metrics:system:auth-delegator', - labels: pa.config.commonLabels, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'system:auth-delegator', - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - 
namespace: pa.config.namespace, - }], + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: $.clusterRole.metadata.name, }, + subjects: [{ + kind: 'ServiceAccount', + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, - clusterRoleServerResources: { - apiVersion: 'rbac.authorization.k8s.io/v1', + clusterRoleBindingDelegator: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRoleBinding', + metadata: { + name: 'resource-metrics:system:auth-delegator', + labels: pa.config.commonLabels, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', - metadata: { - name: 'resource-metrics-server-resources', - labels: pa.config.commonLabels, - }, - rules: [{ - apiGroups: ['metrics.k8s.io'], - resources: ['*'], - verbs: ['*'], - }], + name: 'system:auth-delegator', }, + subjects: [{ + kind: 'ServiceAccount', + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, - clusterRoleAggregatedMetricsReader: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'ClusterRole', - metadata: { - name: 'system:aggregated-metrics-reader', - labels: { - 'rbac.authorization.k8s.io/aggregate-to-admin': 'true', - 'rbac.authorization.k8s.io/aggregate-to-edit': 'true', - 'rbac.authorization.k8s.io/aggregate-to-view': 'true', - } + pa.config.commonLabels, - }, - rules: [{ - apiGroups: ['metrics.k8s.io'], - resources: ['pods', 'nodes'], - verbs: ['get', 'list', 'watch'], - }], + clusterRoleServerResources: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'resource-metrics-server-resources', + labels: pa.config.commonLabels, }, + rules: [{ + apiGroups: ['metrics.k8s.io'], + resources: ['*'], + verbs: ['*'], + }], + }, - roleBindingAuthReader: { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: 'resource-metrics-auth-reader', - namespace: 'kube-system', - labels: pa.config.commonLabels, - 
}, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: 'extension-apiserver-authentication-reader', - }, - subjects: [{ - kind: 'ServiceAccount', - name: $.serviceAccount.metadata.name, - namespace: pa.config.namespace, - }], + clusterRoleAggregatedMetricsReader: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'ClusterRole', + metadata: { + name: 'system:aggregated-metrics-reader', + labels: { + 'rbac.authorization.k8s.io/aggregate-to-admin': 'true', + 'rbac.authorization.k8s.io/aggregate-to-edit': 'true', + 'rbac.authorization.k8s.io/aggregate-to-view': 'true', + } + pa.config.commonLabels, }, + rules: [{ + apiGroups: ['metrics.k8s.io'], + resources: ['pods', 'nodes'], + verbs: ['get', 'list', 'watch'], + }], + }, + + roleBindingAuthReader: { + apiVersion: 'rbac.authorization.k8s.io/v1', + kind: 'RoleBinding', + metadata: { + name: 'resource-metrics-auth-reader', + namespace: 'kube-system', + labels: pa.config.commonLabels, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'Role', + name: 'extension-apiserver-authentication-reader', + }, + subjects: [{ + kind: 'ServiceAccount', + name: $.serviceAccount.metadata.name, + namespace: pa.config.namespace, + }], + }, } diff --git a/scripts/go.mod b/scripts/go.mod index 59363cbae61097ec6f805fd244e0ecda7cf3fe47..9c6c10c82a6cd157440303d1494e3a6da4037d16 100644 --- a/scripts/go.mod +++ b/scripts/go.mod @@ -5,6 +5,6 @@ go 1.15 require ( github.com/brancz/gojsontoyaml v0.0.0-20200602132005-3697ded27e8c github.com/campoy/embedmd v1.0.0 - github.com/google/go-jsonnet v0.17.0 + github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 // 7 commits after 0.17.0. Needed by jsonnet linter github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 ) diff --git a/scripts/go.sum b/scripts/go.sum index 1e2cedbd87148cbeb7df99d15ce71c88c7d95c16..08d4558791ea7195d380b19c0b00ebed5a1440cf 100644 --- a/scripts/go.sum +++ b/scripts/go.sum 
@@ -16,6 +16,8 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/google/go-jsonnet v0.17.0 h1:/9NIEfhK1NQRKl3sP2536b2+x5HnZMdql7x3yK/l8JY=
 github.com/google/go-jsonnet v0.17.0/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
+github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 h1:91EupyycmO5ctzKuWEZ9nX0Cal1NveMiWcXxmRtLyLQ=
+github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 h1:4BKZ6LDqPc2wJDmaKnmYD/vDjUptJtnUpai802MibFc=
 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
diff --git a/scripts/tools.go b/scripts/tools.go
index b6cba4f29006323743b508f4c57349140e4fefba..d5b67e321388515dab70b5d6a08b160e70f87ad9 100644
--- a/scripts/tools.go
+++ b/scripts/tools.go
@@ -8,6 +8,7 @@ import (
 _ "github.com/brancz/gojsontoyaml"
 _ "github.com/campoy/embedmd"
 _ "github.com/google/go-jsonnet/cmd/jsonnet"
+ _ "github.com/google/go-jsonnet/cmd/jsonnet-lint"
 _ "github.com/google/go-jsonnet/cmd/jsonnetfmt"
 _ "github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb"
 )