Commit eda90b68 authored by PÁLFALVI Tamás's avatar PÁLFALVI Tamás

put blackbox-exporter behind kube-rbac-proxy

parent 97aaa1f5
...@@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de ...@@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de
* `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with. * `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with.
* `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details. * `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
* `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details. * `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`. * `_config.blackboxExporter.port`: the exposed HTTPS port of the exporter. This is where Prometheus should send the probe requests. Defaults to `9115`.
* `_config.blackboxExporter.internalPort`: the internal plaintext port of the exporter. Not accessible from outside the pod. Defaults to `19115`.
* `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`. * `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`.
* `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }` * `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }`
* `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter. * `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter.
......
local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
{ {
_config+:: { _config+:: {
namespace: 'default', namespace: 'default',
...@@ -21,6 +23,7 @@ ...@@ -21,6 +23,7 @@
blackboxExporter: { blackboxExporter: {
port: 9115, port: 9115,
internalPort: 19115,
replicas: 1, replicas: 1,
matchLabels: { matchLabels: {
'app.kubernetes.io/name': 'blackbox-exporter', 'app.kubernetes.io/name': 'blackbox-exporter',
...@@ -121,9 +124,13 @@ ...@@ -121,9 +124,13 @@
{ {
name: 'blackbox-exporter', name: 'blackbox-exporter',
image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter, image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.internalPort,
],
ports: [{ ports: [{
name: 'http', name: 'http',
containerPort: bb.port, containerPort: bb.internalPort,
}], }],
resources: { resources: {
requests: $._config.resources['blackbox-exporter'].requests, requests: $._config.resources['blackbox-exporter'].requests,
...@@ -146,7 +153,7 @@ ...@@ -146,7 +153,7 @@
name: 'module-configmap-reloader', name: 'module-configmap-reloader',
image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader, image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
args: [ args: [
'--webhook-url=http://localhost:' + bb.port + '/-/reload', '--webhook-url=http://localhost:%d/-/reload' % bb.internalPort,
'--volume-dir=/etc/blackbox_exporter/', '--volume-dir=/etc/blackbox_exporter/',
], ],
resources: { resources: {
...@@ -208,5 +215,18 @@ ...@@ -208,5 +215,18 @@
}, },
}, },
}, },
} +
(kubeRbacProxyContainer {
config+:: {
kubeRbacProxy: {
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
name: 'kube-rbac-proxy',
securePortName: 'https',
securePort: bb.port,
secureListenAddress: ':%d' % self.securePort,
upstream: 'http://127.0.0.1:%d/' % bb.internalPort,
tlsCipherSuites: $._config.tlsCipherSuites,
},
}, },
}).deploymentMixin,
} }
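Review bot: The new `--web.listen-address=:%d` argument on the `blackbox-exporter` container binds the plaintext port on every interface, so `internalPort` remains reachable on the pod IP and a request sent there never passes through kube-rbac-proxy's TLS and authorization. That contradicts the README line added in this commit ("Not accessible from outside the pod"), since a declared `containerPort` does not restrict reachability. Binding to loopback makes the claim true: `'--web.listen-address=127.0.0.1:%d' % bb.internalPort,`, which matches the proxy's `upstream` of `http://127.0.0.1:%d/`. The reloader's `http://localhost:%d/-/reload` webhook should then be confirmed to resolve to the same address (or be switched to `127.0.0.1`), and the `http` `containerPort` entry for `internalPort` could be dropped. The generated deployment manifest carries the same `--web.listen-address=:19115` and would need regenerating.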
...@@ -18,10 +18,13 @@ spec: ...@@ -18,10 +18,13 @@ spec:
app.kubernetes.io/version: v0.18.0 app.kubernetes.io/version: v0.18.0
spec: spec:
containers: containers:
- image: quay.io/prometheus/blackbox-exporter:v0.18.0 - args:
- --config.file=/etc/blackbox_exporter/config.yml
- --web.listen-address=:19115
image: quay.io/prometheus/blackbox-exporter:v0.18.0
name: blackbox-exporter name: blackbox-exporter
ports: ports:
- containerPort: 9115 - containerPort: 19115
name: http name: http
resources: resources:
limits: limits:
...@@ -38,7 +41,7 @@ spec: ...@@ -38,7 +41,7 @@ spec:
name: config name: config
readOnly: true readOnly: true
- args: - args:
- --webhook-url=http://localhost:9115/-/reload - --webhook-url=http://localhost:19115/-/reload
- --volume-dir=/etc/blackbox_exporter/ - --volume-dir=/etc/blackbox_exporter/
image: jimmidyson/configmap-reload:v0.4.0 image: jimmidyson/configmap-reload:v0.4.0
name: module-configmap-reloader name: module-configmap-reloader
...@@ -58,6 +61,18 @@ spec: ...@@ -58,6 +61,18 @@ spec:
- mountPath: /etc/blackbox_exporter/ - mountPath: /etc/blackbox_exporter/
name: config name: config
readOnly: true readOnly: true
- args:
- --logtostderr
- --secure-listen-address=:9115
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- --upstream=http://127.0.0.1:19115/
image: quay.io/brancz/kube-rbac-proxy:v0.8.0
name: kube-rbac-proxy
ports:
- containerPort: 9115
name: https
securityContext:
runAsUser: 65534
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
serviceAccountName: blackbox-exporter serviceAccountName: blackbox-exporter
......