mirror of https://git.rancher.io/charts
make charts && make validate
parent
3a699797bf
commit
f149c9f184
Binary file not shown.
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: hardenedKubelet
|
name: hardenedKubelet
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
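Review bot: The new line `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` in the `@ -126,14 +117,8` hunk always builds a two-element list, and the `set . "metricRelabelings"` after it is now unconditional, so an endpoint can be rendered with an empty relabeling entry whenever one of the two maps was never populated. The `{{- end }}` just above it suggests the `set $clusterNameRelabel …` calls sit inside a condition, but that condition and the initialisation of both maps lie outside the hunk, so this is inferred rather than certain. Appending each map only when it has keys, for example by wrapping each append in `{{- if not (empty $clusterNameRelabel) }}` … `{{- end }}` and skipping the `set` when the resulting list is empty, would keep an empty relabel config from reaching the Prometheus operator. The same line recurs in the second copy of this helper further down the page, in the sections that follow the `hardenedNodeExporter` chart metadata.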
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: hardenedNodeExporter
|
name: hardenedNodeExporter
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: k3sServer
|
name: k3sServer
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
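Review bot: In the `@ -126,14 +117,8` hunk, the new line `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` adds both relabel maps unconditionally, and the `set . "metricRelabelings"` after it now runs for every endpoint. The `set $clusterNameRelabel …` calls just above sit inside a block closed by `{{- end }}` whose opening is outside the hunk, so when that condition is false the maps are presumably empty and an empty relabel entry would be rendered into the ServiceMonitor endpoints. Skip empty maps when building the list, as the old side did, and guard the assignment with `{{- if not (empty $metricRelabelings) }}` … `{{- end }}`. The same hunk repeats in the next chart copy's helper template further down this page. The commit message suggests these files come from `make charts`, so the fix likely belongs in the source package rather than in the generated output.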
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: kubeAdmControllerManager
|
name: kubeAdmControllerManager
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: kubeAdmEtcd
|
name: kubeAdmEtcd
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
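Review bot: On the new side of the `@ -126,14 +117,8` hunk, `append (list ($clusterNameRelabel)) ($clusterIdRelabel)` adds both relabel dicts unconditionally and the following `set . "metricRelabelings"` always runs, so an endpoint can end up carrying empty relabel entries when either dict was never filled. The blocks that populate those dicts sit above the hunk, so this is inferred from the `{{- end }}` context lines only. I would start from an empty `list`, append each dict only when `gt (len (keys $clusterNameRelabel)) 0` (likewise for `$clusterIdRelabel`), and wrap the `set` in `{{- if not (empty $metricRelabelings) }}`. The same hunk is repeated in the template section that follows `name: kubeAdmProxy` further down. The last hunk of this section also stops writing `tlsConfig.insecureSkipVerify` and the `authorization` block onto each endpoint while the values file still exposes `clients.https.insecureSkipVerify` and `useServiceAccountCredentials`, so it is worth confirming those settings are still honoured by a template not shown here.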
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: kubeAdmProxy
|
name: kubeAdmProxy
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: kubeAdmScheduler
|
name: kubeAdmScheduler
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
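Review bot: In the `@ -126,14 +117,8 @@` hunk the new `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` always yields a two-element list, and the `set . "metricRelabelings"` that follows is no longer guarded, so every endpoint gets both relabel entries whether or not they were populated. The guards on the old side suggest either map can be empty when `global.cattle.clusterName` or the cluster id is unset (their construction starts outside the hunk); in that case the rendered ServiceMonitor would presumably carry an empty relabel rule. I would keep the emptiness checks: append each map only when `gt (len (keys …)) 0` holds, and wrap the `set` in `{{- if not (empty $metricRelabelings) }}`. The same line appears in the rke2ControllerManager copy of this template further down the page.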
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rke2ControllerManager
|
name: rke2ControllerManager
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rke2Etcd
|
name: rke2Etcd
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
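Review bot: In the `@ -126,14 +117,8 @@` hunk the new line `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` always yields a two-element list, and the `set . "metricRelabelings"` after it has lost its `if not (empty $metricRelabelings)` guard. The lines that fill the two dicts are outside the visible hunk, but the `{{- end }}` just above suggests they are populated conditionally; if so, an unset cluster name or ID would put an empty `{}` relabel entry on every ServiceMonitor endpoint. I would add each dict only when it has keys, e.g. `{{- if $clusterIdRelabel }}{{- $metricRelabelings = append $metricRelabelings $clusterIdRelabel }}{{- end }}`, and keep the guard around the `set`. The same new-side lines appear in the later copy of this helper (the section following the `rke2IngressNginx` chart metadata). If these files are produced by `make charts`, the change belongs in the package source rather than here.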
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rke2IngressNginx
|
name: rke2IngressNginx
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rke2Proxy
|
name: rke2Proxy
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
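Review bot: The new line `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` in the `@ -126,14 +117,8` hunk adds both relabel maps to every endpoint whether or not they were filled in, and the `set . "metricRelabelings"` after it is no longer wrapped in `if not (empty $metricRelabelings)`. The visible `set $clusterNameRelabel …` calls end with an `{{- end }}`, so when the cluster name or id is unset the map is presumably still empty and the rendered ServiceMonitor endpoint would carry an empty relabel entry; both maps are initialised outside the hunk, so this needs confirming there. Building the list conditionally avoids it: start from `{{- $metricRelabelings := list }}`, then `{{- if $clusterNameRelabel }}{{- $metricRelabelings = append $metricRelabelings $clusterNameRelabel }}{{- end }}` and the same for `$clusterIdRelabel`, keeping the `set` under `if $metricRelabelings`. The identical line appears in the next chart copy's `@ -126,14 +117,8` hunk further down the page. The `pushProxy.serviceMonitor.endpoints` define is spread over several hunks here and is not fully visible.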
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rke2Scheduler
|
name: rke2Scheduler
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rkeControllerManager
|
name: rkeControllerManager
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
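Review bot: In the `pushProxy.serviceMonitor.endpoints` hunk, the new line `{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}` adds both relabel dicts unconditionally, and the `set . "metricRelabelings"` that follows is no longer wrapped in a guard, so every endpoint gets two relabeling entries even when a dict was never populated. The `{{- end }}` directly above suggests `$clusterNameRelabel` is only filled inside a conditional; its construction, and that of `$clusterIdRelabel`, lies outside the hunk, so this is inferred rather than shown. If either dict can be empty, the rendered ServiceMonitor would carry an empty relabel config; I would append a dict only when `keys` of it is non-empty and keep the assignment behind `{{- if not (empty $metricRelabelings) }}`. The same two lines recur in the second copy of this template further down the page, so the fix applies there as well.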
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rkeEtcd
|
name: rkeEtcd
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|
|
@ -55,15 +55,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
|
||||||
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
|
||||||
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
|
||||||
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
||||||
| `clients.https.forceHTTPSScheme` | Forces scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
|
|
||||||
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.enabled` | If set to true, the client will use service account credentials mounted at the configured path `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath`. This requires permissions to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath` | This is a volume mount on the pod with permissions to scrape `/metrics` endpoint of Kubernetes components | `"/var/run/secrets/kubernetes.io/serviceaccount/token"` |
|
|
||||||
| `clients.https.authenticationMethod.bearerTokenSecret.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components. This method is deprecated by the prometheus operator and may be removed in a future release | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.enabled` | If set to true, the client will use service account credentials to scrape `/metrics` endpoint of Kubernetes components | `false` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.type` | If set, the client will use this type of authorization in its client requests for metrics | `"bearer"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.key` | If set, the client will use this key in the secret created by `clients.https.useServiceAccountCredentials` for authorization in its client requests for metrics | `"token"` |
|
|
||||||
| `clients.https.authenticationMethod.authorization.credentials.optional` | If set to false, the client will fail if the key in the secret created by `clients.https.useServiceAccountCredentials` does not exist | `false` |
|
|
||||||
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
|
||||||
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
|
||||||
|
|
|
@ -68,10 +68,6 @@ provider: kubernetes
|
||||||
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "pushProxy.client.serviceAccountTokenName" -}}
|
|
||||||
{{- printf "pushprox-%s-client-service-account-token" (required ".Values.component is required" .Values.component) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "pushProxy.client.labels" -}}
|
{{- define "pushProxy.client.labels" -}}
|
||||||
k8s-app: {{ template "pushProxy.client.name" . }}
|
k8s-app: {{ template "pushProxy.client.name" . }}
|
||||||
{{ template "pushProxy.commonLabels" . }}
|
{{ template "pushProxy.commonLabels" . }}
|
||||||
|
@ -102,11 +98,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
{{- define "pushProxy.serviceMonitor.endpoints" -}}
|
||||||
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
|
||||||
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
{{- $useHTTPS := .Values.clients.https.enabled -}}
|
||||||
{{- $forceHTTPSScheme := .Values.clients.https.forceHTTPSScheme -}}
|
|
||||||
{{- $insecureSkipVerify := .Values.clients.https.insecureSkipVerify -}}
|
|
||||||
{{- $useServiceAccountCredentials := .Values.clients.https.useServiceAccountCredentials -}}
|
|
||||||
{{- $serviceAccountTokenName := (include "pushProxy.client.serviceAccountTokenName" . ) -}}
|
|
||||||
{{- $metricRelabelings := list }}
|
|
||||||
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
{{- $endpoints := .Values.serviceMonitor.endpoints }}
|
||||||
{{- range $endpoints }}
|
{{- range $endpoints }}
|
||||||
{{- if $.Values.proxy.enabled }}
|
{{- if $.Values.proxy.enabled }}
|
||||||
|
@ -126,14 +117,8 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
{{- $_ := set $clusterNameRelabel "targetLabel" "cluster_name" }}
|
||||||
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
{{- $_ := set $clusterNameRelabel "replacement" $.Values.global.cattle.clusterName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterNameRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterNameRelabel)) ($metricRelabelings) }}
|
{{- $metricRelabelings := append (list ($clusterNameRelabel)) ($clusterIdRelabel) }}
|
||||||
{{- $metricRelabelings := gt (len (keys $clusterIdRelabel)) 0 | ternary (append ($metricRelabelings) ($clusterIdRelabel)) ($metricRelabelings) }}
|
|
||||||
{{- if not (empty $metricRelabelings) }}
|
|
||||||
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
{{- $_ := set . "metricRelabelings" ($metricRelabelings)}}
|
||||||
{{- end }}
|
|
||||||
{{- if $forceHTTPSScheme -}}
|
|
||||||
{{- $_ := set . "scheme" "https" }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- if $useHTTPS -}}
|
{{- if $useHTTPS -}}
|
||||||
{{- if (hasKey . "params") }}
|
{{- if (hasKey . "params") }}
|
||||||
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
{{- $_ := set (get . "params") "_scheme" (list "https") }}
|
||||||
|
@ -141,26 +126,6 @@ app: {{ template "pushprox.serviceMonitor.name" . }}
|
||||||
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (hasKey . "tlsConfig") }}
|
|
||||||
{{- $_ := set (get . "tlsConfig") "insecureSkipVerify" $insecureSkipVerify }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "tlsConfig" (dict "insecureSkipVerify" $insecureSkipVerify) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenFile.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenFile" $.Values.clients.https.authenticationMethod.bearerTokenFile.bearerTokenFilePath }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.bearerTokenSecret.enabled }}
|
|
||||||
{{- $_ := set . "bearerTokenSecret" $serviceAccountTokenName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.clients.https.authenticationMethod.authorization.enabled }}
|
|
||||||
{{- if (hasKey . "authorization") }}
|
|
||||||
{{- $_ := set (get . "authorization") "type" $.Values.clients.https.authenticationMethod.authorization.type }}
|
|
||||||
{{- $_ := set (get . "authorization") "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional) }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "authorization" (dict "type" $.Values.clients.https.authenticationMethod.authorization.type) }}
|
|
||||||
{{- $_ := set . "authorization" (dict "credentials" (dict "name" $serviceAccountTokenName "key" $.Values.clients.https.authenticationMethod.authorization.credentials.key "optional" $.Values.clients.https.authenticationMethod.authorization.credentials.optional)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- toYaml $endpoints }}
|
{{- toYaml $endpoints }}
|
||||||
{{- end -}}
|
{{- end -}}
|
|
@ -42,18 +42,6 @@ metadata:
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
namespace: {{ include "pushprox.namespace" . }}
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
||||||
---
|
---
|
||||||
{{- if .Values.clients.https.useServiceAccountCredentials }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
metadata:
|
|
||||||
name: {{ template "pushProxy.client.serviceAccountTokenName" . }}
|
|
||||||
namespace: {{ include "pushprox.namespace" . }}
|
|
||||||
labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: {{ template "pushProxy.client.name" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- if .Values.global.cattle.psp.enabled }}
|
{{- if .Values.global.cattle.psp.enabled }}
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
|
|
|
@ -35,10 +35,6 @@ spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
serviceAccountName: {{ template "pushProxy.client.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-client
|
- name: pushprox-client
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
|
||||||
|
|
|
@ -26,10 +26,6 @@ spec:
|
||||||
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
{{ toYaml .Values.proxy.tolerations | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
serviceAccountName: {{ template "pushProxy.proxy.name" . }}
|
||||||
{{- if .Values.global.imagePullSecretName }}
|
|
||||||
imagePullSecrets:
|
|
||||||
- name: {{ .Values.global.imagePullSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: pushprox-proxy
|
- name: pushprox-proxy
|
||||||
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
|
||||||
|
|
|
@ -75,29 +75,9 @@ clients:
|
||||||
https:
|
https:
|
||||||
# Does the client require https to access the metrics?
|
# Does the client require https to access the metrics?
|
||||||
enabled: false
|
enabled: false
|
||||||
# Does the client require requests be sent to http or https?
|
|
||||||
forceHTTPSScheme: false
|
|
||||||
# If set to true, the client will create a service account with adequate permissions and set a flag
|
# If set to true, the client will create a service account with adequate permissions and set a flag
|
||||||
# on the client to use the service account token provided by it to make authorized scrape requests
|
# on the client to use the service account token provided by it to make authorized scrape requests
|
||||||
useServiceAccountCredentials: false
|
useServiceAccountCredentials: false
|
||||||
# Configuration for authentication to metrics via https endpoint
|
|
||||||
authenticationMethod:
|
|
||||||
# Reads token from defined file in container
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenFile:
|
|
||||||
enabled: false
|
|
||||||
bearerTokenFilePath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
# This function is deprecated in the prometheus operator api and may be removed in a future version
|
|
||||||
bearerTokenSecret:
|
|
||||||
enabled: false
|
|
||||||
# Reads token from defined secret in namespace
|
|
||||||
authorization:
|
|
||||||
enabled: false
|
|
||||||
type: "bearer"
|
|
||||||
credentials:
|
|
||||||
key: "token"
|
|
||||||
optional: false
|
|
||||||
# If set to true, the client will disable SSL security checks
|
# If set to true, the client will disable SSL security checks
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
# Directory on host where necessary TLS cert and key to scrape metrics can be found
|
||||||
|
|
|
@ -6,9 +6,9 @@ annotations:
|
||||||
catalog.rancher.io/namespace: cattle-monitoring-system
|
catalog.rancher.io/namespace: cattle-monitoring-system
|
||||||
catalog.rancher.io/release-name: rancher-pushprox
|
catalog.rancher.io/release-name: rancher-pushprox
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: 0.1.1
|
appVersion: 0.1.0
|
||||||
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
|
||||||
clients.
|
clients.
|
||||||
name: rkeIngressNginx
|
name: rkeIngressNginx
|
||||||
type: application
|
type: application
|
||||||
version: 103.0.0
|
version: 0.1.6
|
||||||
|
|