From fe548a1091cbd042d1551396746db9ff89f0ec76 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 15 Dec 2023 00:06:46 +0100
Subject: [PATCH] feat(unpoller): Add unpoller to infrastructure This patch adds an unpoller deployment to the infrastrcuture which should allow to monitor the unifi infrastructure from the Kubernetes cluster. The next step, once metrics are collected is to add dashboards and define alerts. But one step after the other. References: https://unpoller.com/
---
apps/k8s01/unpoller/deployment.yaml | 47 +++++++++++++++++++
apps/k8s01/unpoller/kustomization.yaml | 12 +++++
apps/k8s01/unpoller/namespace.yaml | 11 +++++
apps/k8s01/unpoller/networkpolicy.yaml | 12 +++++
apps/k8s01/unpoller/podmonitor.yaml | 14 ++++++
apps/k8s01/unpoller/secret.yaml | 65 ++++++++++++++++++++++++++
6 files changed, 161 insertions(+)
create mode 100644 apps/k8s01/unpoller/deployment.yaml
create mode 100644 apps/k8s01/unpoller/kustomization.yaml
create mode 100644 apps/k8s01/unpoller/namespace.yaml
create mode 100644 apps/k8s01/unpoller/networkpolicy.yaml
create mode 100644 apps/k8s01/unpoller/podmonitor.yaml
create mode 100644 apps/k8s01/unpoller/secret.yaml
diff --git a/apps/k8s01/unpoller/deployment.yaml b/apps/k8s01/unpoller/deployment.yaml
new file mode 100644
index 000000000..0c0d2730d
--- /dev/null
+++ b/apps/k8s01/unpoller/deployment.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: unpoller
+ namespace: unpoller
+ labels:
+ app.kubernetes.io/name: unpoller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: unpoller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: unpoller
+ spec:
+ containers:
+ - name: unpoller
+ image: ghcr.io/unpoller/unpoller:v2.9.4
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: "1"
+ memory: 128Mi
+ envFrom:
+ - secretRef: unpoller
+ optional: false
+ ports:
+ - name: exporter
+ containerPort: 9130
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 7067
+ runAsGroup: 7067
+ fsGroup: 7067
+ seccompProfile:
+ type: "RuntimeDefault"
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/kustomization.yaml b/apps/k8s01/unpoller/kustomization.yaml
new file mode 100644
index 000000000..df8224ca0
--- /dev/null
+++ b/apps/k8s01/unpoller/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: unpoller
+resources:
+ - namespace.yaml
+ - deployment.yaml
+ - podmonitor.yaml
+ - secret.yaml
+ - ../../../shared/resourcequotas/default.yaml
+ - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+ - networkpolicy.yaml
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/namespace.yaml b/apps/k8s01/unpoller/namespace.yaml
new file mode 100644
index 000000000..642282663
--- /dev/null
+++ b/apps/k8s01/unpoller/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: unpoller
+ labels:
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/audit-version: v1.27
+ pod-security.kubernetes.io/enforce-version: v1.26
+ pod-security.kubernetes.io/warn-version: v1.27
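Review bot: In deployment.yaml the `envFrom` entry is written as `secretRef: unpoller` followed by `optional: false`, but `secretRef` takes an object rather than a name string, so as shown the manifest should either fail validation or never hand the UniFi credentials to the container (indentation is flattened on this page, so the exact nesting is inferred). Use `secretRef: {name: unpoller, optional: false}` or the equivalent block form. Separately, the image is pinned by tag only (`ghcr.io/unpoller/unpoller:v2.9.4`); appending the release's `@sha256:` digest would make the deployed image immutable. The container `securityContext` could also set `readOnlyRootFilesystem: true`, and the pod spec `automountServiceAccountToken: false`, assuming unpoller neither writes to its root filesystem nor talks to the Kubernetes API.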
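Review bot: `patchesStrategicMerge` in kustomization.yaml is deprecated in kustomize v5 in favour of the `patches` field; the equivalent here is `patches:` with a `- path: networkpolicy.yaml` entry. A one-line comment next to `- secret.yaml` would also help: the file is SOPS-encrypted, so this kustomization only yields usable credentials when it is applied through whatever step performs the decryption, and that step is not visible in this diff.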
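Review bot: In namespace.yaml `pod-security.kubernetes.io/enforce-version` is `v1.26` while the audit and warn versions are `v1.27`. If the lag is deliberate (warn on the newer profile first, enforce later), a comment such as `# enforce trails audit/warn by one release; bump after a clean warn cycle` would stop a later reader from treating it as a typo; otherwise align all three versions.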
diff --git a/apps/k8s01/unpoller/networkpolicy.yaml b/apps/k8s01/unpoller/networkpolicy.yaml
new file mode 100644
index 000000000..f5f5bdedb
--- /dev/null
+++ b/apps/k8s01/unpoller/networkpolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-monitoring
+spec:
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - unpoller
diff --git a/apps/k8s01/unpoller/podmonitor.yaml b/apps/k8s01/unpoller/podmonitor.yaml
new file mode 100644
index 000000000..fc805a3f1
--- /dev/null
+++ b/apps/k8s01/unpoller/podmonitor.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: unpoller
+ namespace: unpoller
+ labels:
+ app.kubernetes.io/name: unpoller
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: unpoller
+ podMetricsEndpoints:
+ - port: exporter
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/secret.yaml b/apps/k8s01/unpoller/secret.yaml
new file mode 100644
index 000000000..6698e2647
--- /dev/null
+++ b/apps/k8s01/unpoller/secret.yaml
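Review bot: Only ingress is covered in networkpolicy.yaml: the patch narrows the shared `allow-from-monitoring` policy to the unpoller pods, and nothing in this commit restricts egress from a pod that carries the UniFi controller credentials. Whether a default-deny already exists among the shared policies cannot be seen from this diff. If it does not, consider a second NetworkPolicy with `policyTypes: [Egress]` that allows only DNS and the controller's address and port. It would need to be its own file under `resources:`, since this file is applied as a patch and a new document here would have no target to merge into.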
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Secret +metadata: + name: unpoller + namespace: unpoller + labels: + app.kubernetes.io/name: unpoller +stringData: + UP_INFLUXDB_DISABLE: ENC[AES256_GCM,data:GrtLpg==,iv:V2Oyf5/goHmXzraMq1jW02ILexmIiLuWb7I2Vs120Yg=,tag:NUkALMSphJeiKXgYJrx8ow==,type:str] + UP_UNIFI_DEFAULT_VERIFY_SSL: ENC[AES256_GCM,data:7IjaZw==,iv:D+bK8OJDnpLm9UqJM3dShy3NjKz7gJXELEETRSQ0ML4=,tag:pXePhFmaEgZV6pjzkfijLA==,type:str] + UP_UNIFI_DEFAULT_URL: ENC[AES256_GCM,data:lwXt9gezxmMXVIV4hhHb+fAAUcCMQxl2ukah75i3AKXeFKjQzuo1,iv:BTp5QzuY4BcaSHDInS4cK/fkUBxLjfcAHxvKOHO3tUM=,tag:fanjdhFnbYJ+PjGNLAGSLw==,type:str] + UP_UNIFI_DEFAULT_USER: ENC[AES256_GCM,data:qlGyV2H4Puw=,iv:RPJ6QhKfcKfcLp1JJOCrRS2ZgY4iTnMEN+Xz7X6ZlRA=,tag:oO6YZTYXiQimHyT1bV+YNA==,type:str] + UP_UNIFI_DEFAULT_PASS: ENC[AES256_GCM,data:BTxto5YthceS4JHRhYHpAjS6JRGvoq1QCoc9Uhbbdykbl3+bchwn7Q==,iv:Rvw4E9JXpY9gz6WK20fe82Xpt3qhygmGYj0KHjmSrhI=,tag:ca44+V1qPj+2pRWsUcP+Rw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-12-14T23:06:10Z" + mac: ENC[AES256_GCM,data:Jy22qBWdn9UPleoxff2LEdXSzS0UBRWTafir9Sohb+cyiAgCQ2AUHkdoee1eBc6J1A6QEOGWkLrTPYZSF+f3FoPNQFnxEA5qHe0JdLspeO2mARBYCwh3Fj6aVTKwUtaa7wUgfJOnJUrdJmrxANcx5hc2zKlTf3Wz7nbYDS5vP04=,iv:0RabEjNsF3xUEFl/zAdfhm25cXViq2ZLbbufxHRgH0U=,tag:bAKb2gjl3w5nDW/OJEhOdQ==,type:str] + pgp: + - created_at: "2023-12-14T23:06:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcAQ//ZTChXz3XiVHA+PTtmYJWQX7b4Tu4DBlr53XRldUkxLJ1 + Qbo45jCfKnjjdeKFTbZ1D8sIh1Nx61GatUQZUCIZJ67zJnXmYyG3pSZ5bg95zIEF + lK+qN4nI0OevQblH9bZrO9DvRxxYP1s2F/C+fToq9FqbzmzrdL4CTn0gV52PMVGK + MgtwOhskjvDCjZzWkHPMYrn1QEDXlF+LRdrSNBSjveExWmyJbU6l46Vsi58F9DSM + M2puHE97zX0Wil4MZ5Tu8wsTqv6RGtAeHabAqFP+2+0wpEX3s2E+4FbfDXEWQaWC + WPM2NlWQMNFK9vPzFF5rzlMEG0dZ+ldUYFhcGqfKrRthf9D42JsK2vgaPzQcj01J + HxCmvoFQcVTn+6RqxrOhG0GS9Wn0HDE4fT/WaRTgqxhMTvR9fzXAR73KewZAXJjk + 8A/3lQSTzRM70RiDPNT7EuuOioEBrMs0Ma0oLa5ozr3bEd0zeq4DCer1rgMDT+1C + 
gAcfahg9fA7s+3bR2yu9ZqI4NIMsaHXV/IxJ7u0wSxusy3Lwm0/U3ccjYT+bW0it + yQeJr+4cxi2pBeT8SdgXnSTQtVWWk5lV3DGgrZwC6rnethSguCakO7iuotDwHDCe + y+BX/X4j+LebxZ/yh+yAWQmg3WwSRSTgeBPRZev+7GWuxpeNXOQUc6f+SnNUNfnS + UQFZp2cJhke+FzS7qt4HAsxxJpWRl259hN4zKhfhKauyhOsnKMZDhZqvQSLJO1fD + sqOrrFhg1lIHTKlHPPHHImJj2PgA4+4Lx4QyuPnFRc0j9w== + =sqer + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2023-12-14T23:06:09Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAArkN/49Xrq0PPuBZf09rp33veB3/BtMd2rPdHClLhtVBi + Zq7s3txTf1fGp4fxXWWn0/yLHzUH5E46BC5gyX+ciyaeQ0rVrXDg76JtGo6r8Eo9 + 4y9IzUGN4GEE/bGhQAOt2Ci86WPGnJjdUkCGUB8tyR5pBp1e8po0LDqzg6FIing9 + YDIrh+ek86niVemqHOomPDQpRds5joqDIkkpnfihWvp+y7Mig0oh/Gug18UCjB1q + p40YFc2nb7s90oDuKKf+W9in45OQIbnneXgTkgxWORKQ3hRSBUYdqcVQH65h4KZJ + 9AcXSmVnAiNoXJRJ5ZzGnJRs4Aj12g78nMnCG60p2uHC2ya5gCg9gCpDrcP+H+Qe + Up0T5+yj7IHmjUIt+sZRR3CijAwAwnPC782eoj0FHCfhDSWc+hFya/WHdV/o1CQG + qtLwI02pLSeHlKjnSQw/T8hrmfxl1XX+UVtJ/0kCjJn5OTp5XCiWiRUc7nWNJx18 + 9vUSMRXS8k7WqSZOLon++07tBF9jfrWl/iuOOdHKTVexcs0HJCEPyB1oqeM2sVt3 + qYgW0k4gkVB1NW/W1ZcDoAcG5qqt4GfoTeWO12t3IFY3vQOiwRxn+1Poq4OHSufZ + rjZRhb7TA6BaIlWuBsyGhu9GNrRJPfjMjEWGnH8YqZ/I1fZZkam7Z6mud0A8EufU + aAEJAhAx/pV+k19CprasjNM12QfEdZvQ66KDr+v29u9er80FM7xN1yWyteeiZG2Q + wFfw+PMRHsWImVn+wTgP00hX67E8uyjuVVQgCW+t+e5JHWg5LVdyksM4rSaZSJmK + d+5XwUu9H5RS + =RQ6l + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$ + version: 3.7.3 -- GitLab
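Review bot: Every key under `stringData` in secret.yaml is encrypted, including the non-secret toggles `UP_INFLUXDB_DISABLE` and `UP_UNIFI_DEFAULT_VERIFY_SSL`, because `encrypted_regex` matches the whole `stringData` map; a reviewer therefore cannot confirm from the diff that TLS verification toward the controller is enabled. Consider moving the non-sensitive settings to plain `env:` entries in deployment.yaml (or a ConfigMap) and keeping only the URL, user and password in the Secret. SOPS ciphertext keeps the plaintext length, so short boolean values are partly guessable from the diff anyway. It is also worth confirming that the account behind `UP_UNIFI_DEFAULT_USER` is a dedicated read-only user on the controller, which this diff cannot show.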