rancher-charts/charts/rancher-monitoring/100.1.0+up19.0.3/charts/kubeAdmProxy
Arvind Iyengar 18f0a74a13
make standardize
2022-01-06 11:08:03 -08:00
..
templates make standardize 2022-01-06 11:08:03 -08:00
.helmignore make standardize 2022-01-06 11:08:03 -08:00
Chart.yaml make standardize 2022-01-06 11:08:03 -08:00
README.md make standardize 2022-01-06 11:08:03 -08:00
values.yaml make standardize 2022-01-06 11:08:03 -08:00

README.md

rancher-pushprox

A Rancher chart based on Rancher PushProx that sets up a Deployment of a PushProx proxy and a DaemonSet of PushProx clients on a Kubernetes cluster.

Installs rancher-pushprox to create PushProx clients that can access their host's network and register with a PushProx proxy. A Prometheus Operator ServiceMonitor CR is also included that is configured to scrape the metrics from each of the clients through the proxy.

Using an instance of this chart is suitable for the following scenarios:

  • You need to scrape metrics from a port that should not be accessible outside of the host (e.g. scraping etcd metrics in a hardened cluster)
  • You need to scrape metrics on a host that are not exposed outside of 127.0.0.1 (e.g. scraping kube-proxy metrics)
  • You need to scrape metrics through HTTPS using certs hosted directly on hostPath
  • You need to scrape metrics from Kubernetes components that require authorization via a service account (e.g. permissions to make request to /metrics)
  • You need to scrape metrics without access to cacerts (i.e. enable insecureSkipVerify)

The clients and proxy are created based on a Rancher fork of the prometheus-community/PushProx project.

Configuration

The following tables list the configurable parameters of the rancher-pushprox chart and their default values.

General

Required

Parameter Description Example
component The component that is being monitored kube-etcd
metricsPort The port on the host that contains the metrics you want to scrape (e.g. http://<HOST_IP>:<metricsPort>/metrics) 2379
namespaceOverride The namespace to install the chart ""

Optional

Parameter Description Default
serviceMonitor.enabled Deploys a Prometheus Operator ServiceMonitor CR that is configured to scrape metrics on the hosts that the clients are deployed on via the proxy. Also deploys a Service that points to all pods with the expected client name that exposes the metricsPort selected true
serviceMonitor.endpoints A list of endpoints that will be added to the ServiceMonitor based on the Endpoint spec [{port: metrics}]
clients.enabled Deploys a DaemonSet of clients that are each capable of scraping endpoints on the hostNetwork it is deployed on true
clients.port The port where the client will publish PushProx client-specific metrics. If deploying multiple clients onto the same node, the clients should not have conflicting ports 9369
clients.proxyUrl Overrides the default proxyUrl setting of http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}" with the proxyUrl specified ""
clients.useLocalhost Sets a flag on each client deployment to redirect scrapes directed to HOST_IP to 127.0.0.1 false
clients.https.enabled Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host false
clients.https.useServiceAccountCredentials If set to true, the client will create a service account with permissions to scrape /metrics endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API false
clients.https.insecureSkipVerify If set to true, the client will disable SSL security checks false
clients.https.certDir A hostPath where TLS certs can be found. This path is mounted as a volume on an initContainer which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if clients.https.enabled is set ""
clients.https.certFile The path to the TLS cert file located within clients.https.certDir. Required and only used if clients.https.enabled is set ""
clients.https.keyFile The path to the TLS key file located within clients.https.certDir. Required and only used if clients.https.enabled is set ""
clients.https.caCertFile The path to the TLS cacert file located within clients.https.certDir. Required and only used if clients.https.enabled is set ""
clients.rbac.additionalRules Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true []
clients.deployment.enabled Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) false
clients.deployment.replicas The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if client.deployment.enable is set 0
clients.deployment.affinity The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if client.deployment.enable is set {}
clients.resources Set resource limits and requests for the client container {}
clients.nodeSelector Select which nodes to deploy the clients on {}
clients.tolerations Specify tolerations for clients []
proxy.enabled Deploys the proxy that each client will register with true
proxy.port The port exposed by the proxy that each client will register with to allow metrics to be scraped from the host 8080
proxy.resources Set resource limits and requests for the proxy container {}
proxy.nodeSelector Select which nodes the proxy can be deployed on {}
proxy.tolerations Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node []

Tip: The filepaths set in clients.https.<cert|key|caCert>File can include wildcard characters.

See rancher-monitoring for examples of how this chart can be used.