Unverified Commit 7f500041 authored by Paweł Krupa's avatar Paweł Krupa Committed by GitHub

Merge pull request #793 from kakkoyun/ksonnet_no_more_15

Remove ksonnet from node-exporter/node-exporter.libsonnet
parents 2cc09fb2 5005f4ac
local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet';
{ {
_config+:: { _config+:: {
namespace: 'default', namespace: 'default',
versions+:: { nodeExporter: 'v1.0.1' },
versions+:: { imageRepos+:: { nodeExporter: 'quay.io/prometheus/node-exporter' },
nodeExporter: 'v1.0.1',
},
imageRepos+:: {
nodeExporter: 'quay.io/prometheus/node-exporter',
},
nodeExporter+:: { nodeExporter+:: {
listenAddress: '127.0.0.1', listenAddress: '127.0.0.1',
...@@ -28,76 +20,49 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet'; ...@@ -28,76 +20,49 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet';
}, },
nodeExporter+:: { nodeExporter+:: {
clusterRoleBinding: clusterRoleBinding: {
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding; apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
clusterRoleBinding.new() + metadata: {
clusterRoleBinding.mixin.metadata.withName('node-exporter') + name: 'node-exporter',
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + },
clusterRoleBinding.mixin.roleRef.withName('node-exporter') + roleRef: {
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) + apiGroup: 'rbac.authorization.k8s.io',
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'node-exporter', namespace: $._config.namespace }]), kind: 'ClusterRole',
name: 'node-exporter',
clusterRole: },
local clusterRole = k.rbac.v1.clusterRole; subjects: [{
local policyRule = clusterRole.rulesType; kind: 'ServiceAccount',
name: 'node-exporter',
local authenticationRole = policyRule.new() + namespace: $._config.namespace,
policyRule.withApiGroups(['authentication.k8s.io']) + }],
policyRule.withResources([ },
'tokenreviews',
]) +
policyRule.withVerbs(['create']);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(['authorization.k8s.io']) +
policyRule.withResources([
'subjectaccessreviews',
]) +
policyRule.withVerbs(['create']);
local rules = [authenticationRole, authorizationRole];
clusterRole.new() + clusterRole: {
clusterRole.mixin.metadata.withName('node-exporter') + apiVersion: 'rbac.authorization.k8s.io/v1',
clusterRole.withRules(rules), kind: 'ClusterRole',
metadata: {
name: 'node-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
},
{
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
},
],
},
daemonset: daemonset:
local daemonset = k.apps.v1.daemonSet; local nodeExporter = {
local container = daemonset.mixin.spec.template.spec.containersType; name: 'node-exporter',
local volume = daemonset.mixin.spec.template.spec.volumesType; image: $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter,
local containerPort = container.portsType; args: [
local containerVolumeMount = container.volumeMountsType;
local podSelector = daemonset.mixin.spec.template.spec.selectorType;
local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
local containerEnv = container.envType;
local podLabels = $._config.nodeExporter.labels;
local selectorLabels = $._config.nodeExporter.selectorLabels;
local existsToleration = toleration.new() +
toleration.withOperator('Exists');
local procVolumeName = 'proc';
local procVolume = volume.fromHostPath(procVolumeName, '/proc');
local procVolumeMount = containerVolumeMount.new(procVolumeName, '/host/proc').
withMountPropagation('HostToContainer').
withReadOnly(true);
local sysVolumeName = 'sys';
local sysVolume = volume.fromHostPath(sysVolumeName, '/sys');
local sysVolumeMount = containerVolumeMount.new(sysVolumeName, '/host/sys').
withMountPropagation('HostToContainer').
withReadOnly(true);
local rootVolumeName = 'root';
local rootVolume = volume.fromHostPath(rootVolumeName, '/');
local rootVolumeMount = containerVolumeMount.new(rootVolumeName, '/host/root').
withMountPropagation('HostToContainer').
withReadOnly(true);
local nodeExporter =
container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
container.withArgs([
'--web.listen-address=' + std.join(':', [$._config.nodeExporter.listenAddress, std.toString($._config.nodeExporter.port)]), '--web.listen-address=' + std.join(':', [$._config.nodeExporter.listenAddress, std.toString($._config.nodeExporter.port)]),
'--path.procfs=/host/proc', '--path.procfs=/host/proc',
'--path.sysfs=/host/sys', '--path.sysfs=/host/sys',
...@@ -105,20 +70,27 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet'; ...@@ -105,20 +70,27 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet';
'--no-collector.wifi', '--no-collector.wifi',
'--no-collector.hwmon', '--no-collector.hwmon',
'--collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)', '--collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)',
]) + ],
container.withVolumeMounts([procVolumeMount, sysVolumeMount, rootVolumeMount]) + volumeMounts: [
container.mixin.resources.withRequests($._config.resources['node-exporter'].requests) + { name: 'proc', mountPath: '/host/proc', mountPropagation: 'HostToContainer', readOnly: true },
container.mixin.resources.withLimits($._config.resources['node-exporter'].limits); { name: 'sys', mountPath: '/host/sys', mountPropagation: 'HostToContainer', readOnly: true },
{ name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
local ip = containerEnv.fromFieldPath('IP', 'status.podIP'); ],
local proxy = resources: $._config.resources['node-exporter'],
container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) + };
container.withArgs([
local proxy = {
name: 'kube-rbac-proxy',
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
args: [
'--logtostderr', '--logtostderr',
'--secure-listen-address=[$(IP)]:' + $._config.nodeExporter.port, '--secure-listen-address=[$(IP)]:' + $._config.nodeExporter.port,
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites), '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/', '--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/',
]) + ],
env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
],
// Keep `hostPort` here, rather than in the node-exporter container // Keep `hostPort` here, rather than in the node-exporter container
// because Kubernetes mandates that if you define a `hostPort` then // because Kubernetes mandates that if you define a `hostPort` then
// `containerPort` must match. In our case, we are splitting the // `containerPort` must match. In our case, we are splitting the
...@@ -127,82 +99,109 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet'; ...@@ -127,82 +99,109 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet';
// used by the service is tied to the proxy container. We *could* // used by the service is tied to the proxy container. We *could*
// forgo declaring the host port, however it is important to declare // forgo declaring the host port, however it is important to declare
// it so that the scheduler can decide if the pod is schedulable. // it so that the scheduler can decide if the pod is schedulable.
container.withPorts(containerPort.new($._config.nodeExporter.port) + containerPort.withHostPort($._config.nodeExporter.port) + containerPort.withName('https')) + ports: [
container.mixin.resources.withRequests($._config.resources['kube-rbac-proxy'].requests) + { name: 'https', containerPort: $._config.nodeExporter.port, hostPort: $._config.nodeExporter.port },
container.mixin.resources.withLimits($._config.resources['kube-rbac-proxy'].limits) + ],
container.withEnv([ip]); resources: $._config.resources['kube-rbac-proxy'],
};
local c = [nodeExporter, proxy];
daemonset.new() +
daemonset.mixin.metadata.withName('node-exporter') +
daemonset.mixin.metadata.withNamespace($._config.namespace) +
daemonset.mixin.metadata.withLabels(podLabels) +
daemonset.mixin.spec.selector.withMatchLabels(selectorLabels) +
daemonset.mixin.spec.updateStrategy.rollingUpdate.withMaxUnavailable('10%') +
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
daemonset.mixin.spec.template.spec.withTolerations([existsToleration]) +
daemonset.mixin.spec.template.spec.withNodeSelector({ 'kubernetes.io/os': 'linux' }) +
daemonset.mixin.spec.template.spec.withContainers(c) +
daemonset.mixin.spec.template.spec.withVolumes([procVolume, sysVolume, rootVolume]) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
daemonset.mixin.spec.template.spec.withServiceAccountName('node-exporter') +
daemonset.mixin.spec.template.spec.withHostPid(true) +
daemonset.mixin.spec.template.spec.withHostNetwork(true),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('node-exporter') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
serviceMonitor:
{ {
apiVersion: 'monitoring.coreos.com/v1', apiVersion: 'apps/v1',
kind: 'ServiceMonitor', kind: 'DaemonSet',
metadata: { metadata: {
name: 'node-exporter', name: 'node-exporter',
namespace: $._config.namespace, namespace: $._config.namespace,
labels: $._config.nodeExporter.labels, labels: $._config.nodeExporter.labels,
}, },
spec: { spec: {
jobLabel: 'app.kubernetes.io/name', selector: { matchLabels: $._config.nodeExporter.selectorLabels },
selector: { updateStrategy: {
matchLabels: $._config.nodeExporter.selectorLabels, type: 'RollingUpdate',
rollingUpdate: { maxUnavailable: '10%' },
}, },
endpoints: [ template: {
{ metadata: { labels: $._config.nodeExporter.labels },
port: 'https', spec: {
scheme: 'https', nodeSelector: { 'kubernetes.io/os': 'linux' },
interval: '15s', tolerations: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token', operator: 'Exists',
relabelings: [ }],
{ containers: [nodeExporter, proxy],
action: 'replace', volumes: [
regex: '(.*)', { name: 'proc', hostPath: { path: '/proc' } },
replacement: '$1', { name: 'sys', hostPath: { path: '/sys' } },
sourceLabels: ['__meta_kubernetes_pod_node_name'], { name: 'root', hostPath: { path: '/' } },
targetLabel: 'instance',
},
], ],
tlsConfig: { serviceAccountName: 'node-exporter',
insecureSkipVerify: true, securityContext: {
runAsUser: 65534,
runAsNonRoot: true,
}, },
hostPID: true,
hostNetwork: true,
}, },
], },
}, },
}, },
service: serviceAccount: {
local service = k.core.v1.service; apiVersion: 'v1',
local servicePort = k.core.v1.service.mixin.spec.portsType; kind: 'ServiceAccount',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
},
},
local nodeExporterPort = servicePort.newNamed('https', $._config.nodeExporter.port, 'https'); serviceMonitor: {
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: $._config.nodeExporter.labels,
},
spec: {
jobLabel: 'app.kubernetes.io/name',
selector: {
matchLabels: $._config.nodeExporter.selectorLabels,
},
endpoints: [{
port: 'https',
scheme: 'https',
interval: '15s',
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
relabelings: [
{
action: 'replace',
regex: '(.*)',
replacement: '$1',
sourceLabels: ['__meta_kubernetes_pod_node_name'],
targetLabel: 'instance',
},
],
tlsConfig: {
insecureSkipVerify: true,
},
}],
},
},
service.new('node-exporter', $._config.nodeExporter.selectorLabels, nodeExporterPort) + service: {
service.mixin.metadata.withNamespace($._config.namespace) + apiVersion: 'v1',
service.mixin.metadata.withLabels($._config.nodeExporter.labels) + kind: 'Service',
service.mixin.spec.withClusterIp('None'), metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: $._config.nodeExporter.labels,
},
spec: {
ports: [
{ name: 'https', targetPort: 'https', port: $._config.nodeExporter.port },
],
selector: $._config.nodeExporter.selectorLabels,
clusterIP: 'None',
},
},
}, },
} }
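Review bot: The hand-written `nodeExporter` and `proxy` container objects in the `daemonset` field carry no container-level `securityContext`, while the pod they run in keeps `hostPID: true`, `hostNetwork: true` and a hostPath volume on `/`. The pod-level `runAsNonRoot: true` / `runAsUser: 65534` is preserved, but nothing blocks privilege escalation or writes to the container filesystem. Now that the containers are plain objects, each could take `securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: { drop: ['ALL'] } },`, after confirming the enabled collectors still work with all capabilities dropped. Separately, the `serviceMonitor` endpoint is carried over with `insecureSkipVerify: true` next to `bearerTokenFile`, so the scraper presents its service-account token to a listener whose certificate is not checked. A short comment stating why verification is disabled (presumably a self-signed kube-rbac-proxy certificate) would help the next reader.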
...@@ -93,3 +93,4 @@ spec: ...@@ -93,3 +93,4 @@ spec:
updateStrategy: updateStrategy:
rollingUpdate: rollingUpdate:
maxUnavailable: 10% maxUnavailable: 10%
type: RollingUpdate