From f2540537cb6005f3a00c359b934aee1d13bd55a1 Mon Sep 17 00:00:00 2001
From: Lili Cosic <cosiclili@gmail.com>
Date: Mon, 2 Mar 2020 13:51:30 +0100
Subject: [PATCH] jsonnet/kube-prometheus: Add back kube-rbac-proxy containers
 to

kube-state-metrics. These were removed by accident when migrating to
using upstream libsonnet.
---
 .../kube-rbac-proxy/container.libsonnet       |  90 ++++++++++++
 .../kube-state-metrics.libsonnet              | 132 ++++++++++++++----
 2 files changed, 195 insertions(+), 27 deletions(-)
 create mode 100644 jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet

diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
new file mode 100644
index 00000000..8f70486c
--- /dev/null
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -0,0 +1,90 @@
+local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
+local deployment = k.apps.v1.deployment;
+local container = deployment.mixin.spec.template.spec.containersType;
+local containerPort = container.portsType;
+
+{
+  local krp = self,
+  config+:: {
+    kubeRbacProxy: {
+      image: error 'must provide image',
+      name: error 'must provide name',
+      securePortName: error 'must provide securePortName',
+      securePort: error 'must provide securePort',
+      secureListenAddress: error 'must provide secureListenAddress',
+      upstream: error 'must provide upstream',
+      tlsCipherSuites: error 'must provide tlsCipherSuites',
+    },
+  },
+
+  specMixin:: {
+    local sm = self,
+    config+:: {
+      kubeRbacProxy: {
+        image: error 'must provide image',
+        name: error 'must provide name',
+        securePortName: error 'must provide securePortName',
+        securePort: error 'must provide securePort',
+        secureListenAddress: error 'must provide secureListenAddress',
+        upstream: error 'must provide upstream',
+        tlsCipherSuites: error 'must provide tlsCipherSuites',
+      },
+    },
+    spec+: {
+      template+: {
+        spec+: {
+          containers+: [
+            container.new(krp.config.kubeRbacProxy.name, krp.config.kubeRbacProxy.image) +
+            container.withArgs([
+              '--logtostderr',
+              '--secure-listen-address=' + krp.config.kubeRbacProxy.secureListenAddress,
+              '--tls-cipher-suites=' + std.join(',', krp.config.kubeRbacProxy.tlsCipherSuites),
+              '--upstream=' + krp.config.kubeRbacProxy.upstream,
+            ]) +
+            container.withPorts(containerPort.newNamed(krp.config.kubeRbacProxy.securePort, krp.config.kubeRbacProxy.securePortName)),
+          ],
+        },
+      },
+    },
+  },
+
+  deploymentMixin:: {
+    local dm = self,
+    config+:: {
+      kubeRbacProxy: {
+        image: error 'must provide image',
+        name: error 'must provide name',
+        securePortName: error 'must provide securePortName',
+        securePort: error 'must provide securePort',
+        secureListenAddress: error 'must provide secureListenAddress',
+        upstream: error 'must provide upstream',
+        tlsCipherSuites: error 'must provide tlsCipherSuites',
+      },
+    },
+    deployment+: krp.specMixin {
+      config+:: {
+        kubeRbacProxy+: dm.config.kubeRbacProxy,
+      },
+    },
+  },
+
+  statefulSetMixin:: {
+    local sm = self,
+    config+:: {
+      kubeRbacProxy: {
+        image: error 'must provide image',
+        name: error 'must provide name',
+        securePortName: error 'must provide securePortName',
+        securePort: error 'must provide securePort',
+        secureListenAddress: error 'must provide secureListenAddress',
+        upstream: error 'must provide upstream',
+        tlsCipherSuites: error 'must provide tlsCipherSuites',
+      },
+    },
+    statefulSet+: krp.specMixin {
+      config+:: {
+        kubeRbacProxy+: sm.config.kubeRbacProxy,
+      },
+    },
+  },
+}
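Review bot: The proxy container assembled in `specMixin` (`container.new(...) + container.withArgs(...) + container.withPorts(...)`) sets no `securityContext` and no resource requests or limits, even though it terminates TLS and performs the authorization check in front of the metrics endpoints. Consider appending a hardening mixin such as `+ { securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true } }`, after confirming the image runs under those settings, which this diff does not show. Separately, the `config+::` blocks declared inside `specMixin`, `deploymentMixin` and `statefulSetMixin` never influence the output, because the container is built only from `krp.config.kubeRbacProxy`, and `local sm` in `specMixin` is unused. A comment like `// values are taken from krp.config of the imported object; the per-mixin config is not consulted`, or removing the duplicated defaults, would stop a caller from overriding the wrong object.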
diff --git a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
index 3cde3aa1..ee75fa46 100644
--- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
@@ -1,4 +1,10 @@
 {
+  _config+:: {
+    kubeStateMetrics+:: {
+      scrapeInterval: '30s',
+      scrapeTimeout: '30s',
+    },
+  },
   kubeStateMetrics+:: (import 'kube-state-metrics/kube-state-metrics.libsonnet') +
                       {
                         local ksm = self,
@@ -6,38 +12,110 @@
                         namespace:: 'monitoring',
                         version:: '1.9.4',  //$._config.versions.kubeStateMetrics,
                         image:: 'quay.io/coreos/kube-state-metrics:v' + ksm.version,
-                        serviceMonitor: {
-                          apiVersion: 'monitoring.coreos.com/v1',
-                          kind: 'ServiceMonitor',
-                          metadata: {
-                            name: ksm.name,
-                            namespace: ksm.namespace,
-                            labels: ksm.commonLabels,
-                          },
-                          spec: {
-                            jobLabel: 'app.kubernetes.io/name',
-                            selector: {
-                              matchLabels: ksm.commonLabels,
-                            },
-                            endpoints: [
+                        service+: {
+                          spec+: {
+                            ports: [
                               {
-                                port: 'http-metrics',
-                                interval: '30s',
-                                scrapeTimeout: '30s',
-                                honorLabels: true,
-                                relabelings: [
-                                  {
-                                    regex: '(pod|service|endpoint|namespace)',
-                                    action: 'labeldrop',
-                                  },
-                                ],
+                                name: 'https-main',
+                                port: 8443,
+                                targetPort: 'https-main',
                               },
                               {
-                                port: 'telemetry',
-                                interval: '30s',
+                                name: 'https-self',
+                                port: 9443,
+                                targetPort: 'https-self',
                               },
                             ],
                           },
                         },
-                      },
+                        deployment+: {
+                          spec+: {
+                            template+: {
+                              spec+: {
+                                containers: std.map(function(c) c {
+                                  ports: null,
+                                  args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
+                                }, super.containers),
+                              },
+                            },
+                          },
+                        },
+                        serviceMonitor:
+                          {
+                            apiVersion: 'monitoring.coreos.com/v1',
+                            kind: 'ServiceMonitor',
+                            metadata: {
+                              name: 'kube-state-metrics',
+                              namespace: $._config.namespace,
+                              labels: {
+                                'app.kubernetes.io/name': 'kube-state-metrics',
+                                'app.kubernetes.io/version': ksm.version,
+                              },
+                            },
+                            spec: {
+                              jobLabel: 'app.kubernetes.io/name',
+                              selector: {
+                                matchLabels: {
+                                  'app.kubernetes.io/name': 'kube-state-metrics',
+                                },
+                              },
+                              endpoints: [
+                                {
+                                  port: 'https-main',
+                                  scheme: 'https',
+                                  interval: $._config.kubeStateMetrics.scrapeInterval,
+                                  scrapeTimeout: $._config.kubeStateMetrics.scrapeTimeout,
+                                  honorLabels: true,
+                                  bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+                                  relabelings: [
+                                    {
+                                      regex: '(pod|service|endpoint|namespace)',
+                                      action: 'labeldrop',
+                                    },
+                                  ],
+                                  tlsConfig: {
+                                    insecureSkipVerify: true,
+                                  },
+                                },
+                                {
+                                  port: 'https-self',
+                                  scheme: 'https',
+                                  interval: $._config.kubeStateMetrics.scrapeInterval,
+                                  bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+                                  tlsConfig: {
+                                    insecureSkipVerify: true,
+                                  },
+                                },
+                              ],
+                            },
+                          },
+                      } +
+                      ((import 'kube-prometheus/kube-rbac-proxy/container.libsonnet') {
+                         config+:: {
+                           kubeRbacProxy: {
+                             local cfg = self,
+                             image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+                             name: 'kube-rbac-proxy-main',
+                             securePortName: 'https-main',
+                             securePort: 8443,
+                             secureListenAddress: ':%d' % self.securePort,
+                             upstream: 'http://127.0.0.1:8081/',
+                             tlsCipherSuites: $._config.tlsCipherSuites,
+                           },
+                         },
+                       }).deploymentMixin +
+                      ((import 'kube-prometheus/kube-rbac-proxy/container.libsonnet') {
+                         config+:: {
+                           kubeRbacProxy: {
+                             local cfg = self,
+                             image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+                             name: 'kube-rbac-proxy-self',
+                             securePortName: 'https-self',
+                             securePort: 9443,
+                             secureListenAddress: ':%d' % self.securePort,
+                             upstream: 'http://127.0.0.1:8082/',
+                             tlsCipherSuites: $._config.tlsCipherSuites,
+                           },
+                         },
+                       }).deploymentMixin,
 }
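Review bot: Both ServiceMonitor endpoints (`https-main` and `https-self`) set `tlsConfig: { insecureSkipVerify: true }` while also sending `bearerTokenFile`, so Prometheus presents its service-account token to a server whose certificate it never checks. The two proxy mixins pass no certificate options, so kube-rbac-proxy presumably serves a self-generated certificate and verification cannot simply be switched on. The durable fix is to mount a certificate issued by a CA that Prometheus trusts and replace the block with `tlsConfig: { caFile: '<CA_BUNDLE_PATH>', serverName: '<SERVICE_DNS_NAME>' }` (placeholders). If that is out of scope for this commit, a comment such as `// TODO: insecureSkipVerify sends the SA token over unauthenticated TLS; replace with caFile + serverName` keeps the gap visible. It is also worth confirming outside this hunk that the kube-state-metrics service account may create `tokenreviews` and `subjectaccessreviews`, which kube-rbac-proxy needs; this patch adds no RBAC rule for them, though the imported upstream role may already grant it.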
-- 
GitLab