TVK 2.10.1 update release make charts output
parent
0d5b797e91
commit
3de93ca45e
Binary file not shown.
|
@ -0,0 +1,23 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
# Helm files
|
||||
OWNERS
|
|
@ -0,0 +1,9 @@
|
|||
load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
|
||||
|
||||
pkg_tar(
|
||||
name = "helm-tar",
|
||||
files = glob(["**"]),
|
||||
package_dir = "/opt/tvk/k8s-triliovault-operator/",
|
||||
strip_prefix = "./",
|
||||
visibility = ["//visibility:public"],
|
||||
)
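Review bot: `files = glob(["**"])` packs every file in the package into the tar, and the ignore patterns added earlier in this commit are only honoured by `helm package`, not by `pkg_tar`. If this BUILD file sits in the chart directory (the `package_dir` suggests it does), editor backups and temporary files left there would ship under `/opt/tvk/k8s-triliovault-operator/`. Mirror the ignore list in the rule, for example `files = glob(["**"], exclude = ["**/*.bak", "**/*.swp", "**/*.tmp", "**/*~"]),`, and add a short comment saying the tar is meant to contain only chart sources.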
|
|
@ -0,0 +1,22 @@
|
|||
annotations:
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
|
||||
catalog.cattle.io/release-name: k8s-triliovault-operator
|
||||
apiVersion: v2
|
||||
appVersion: 2.10.1
|
||||
dependencies:
|
||||
- condition: observability.enabled
|
||||
name: observability
|
||||
repository: file://./charts/observability
|
||||
description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault
|
||||
Application Lifecycle.
|
||||
home: https://github.com/trilioData/k8s-triliovault-operator
|
||||
icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
|
||||
kubeVersion: '>=1.19.0-0'
|
||||
maintainers:
|
||||
- email: prafull.ladha@trilio.io
|
||||
name: prafull11
|
||||
name: k8s-triliovault-operator
|
||||
sources:
|
||||
- https://github.com/trilioData/k8s-triliovault-operator
|
||||
version: 2.10.100
|
|
@ -0,0 +1 @@
|
|||
# Placeholder for the License if we decide to provide one
|
|
@ -0,0 +1,202 @@
|
|||
# K8s-TrilioVault-Operator
|
||||
This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application.
|
||||
|
||||
## Introduction
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes 1.19+
|
||||
- PV provisioner support
|
||||
- CSI driver should be installed
|
||||
|
||||
### One Click Installation
|
||||
|
||||
In one click install for upstream operator, a cluster scope TVM custom resource `triliovault-manager` is created.
|
||||
|
||||
```shell script
|
||||
helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator
|
||||
helm install tvm trilio-vault-operator/k8s-triliovault-operator
|
||||
```
|
||||
|
||||
#### One click install with preflight Configuration
|
||||
|
||||
The following table lists the configuration parameter of the upstream operator one click install feature as well as preflight check flags, their default values and usage.
|
||||
|
||||
| Parameter | Description | Default | Example |
|
||||
|--------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------|-------------------------|
|
||||
| `installTVK.enabled` | 1 click install feature is enabled | true | |
|
||||
| `installTVK.applicationScope` | scope of TVK application created | Cluster | |
|
||||
| `installTVK.tvkInstanceName` | tvk instance name | "" | "tvk-instance" |
|
||||
| `installTVK.ingressConfig.host` | host of the ingress resource created | "" | |
|
||||
| `installTVK.ingressConfig.tlsSecretName` | tls secret name which contains ingress certs | "" | |
|
||||
| `installTVK.ingressConfig.annotations` | annotations to be added on ingress resource | "" | |
|
||||
| `installTVK.ingressConfig.ingressClass` | ingress class name for the ingress resource | "" | |
|
||||
| `installTVK.ComponentConfiguration.ingressController.enabled` | TVK ingress controller should be deployed | true | |
|
||||
| `installTVK.ComponentConfiguration.ingressController.service.type` | TVK ingress controller service type | "NodePort" | |
|
||||
| `preflight.enabled` | enables preflight check for tvk | false | |
|
||||
| `preflight.storageClass` | Name of storage class to use for preflight checks (Required) | "" | |
|
||||
| `preflight.cleanupOnFailure` | Cleanup the resources on cluster if preflight checks fail (Optional) | false | |
|
||||
| `preflight.imagePullSecret` | Name of the secret for authentication while pulling the images from the local registry (Optional) | "" | |
|
||||
| `preflight.limits` | Pod memory and cpu resource limits for DNS and volume snapshot preflight check (Optional) | "" | "cpu=600m,memory=256Mi" |
|
||||
| `preflight.localRegistry` | Name of the local registry from where the images will be pulled (Optional) | "" | |
|
||||
| `preflight.nodeSelector` | Node selector labels for pods to schedule on a specific nodes of cluster (Optional) | "" | "key=value" |
|
||||
| `preflight.pvcStorageRequest` | PVC storage request for volume snapshot preflight check (Optional) | "" | "2Gi" |
|
||||
| `preflight.requests` | Pod memory and cpu resource requests for DNS and volume snapshot preflight check (Optional) | "" | "cpu=300m,memory=128Mi" |
|
||||
| `preflight.volumeSnapshotClass` | Name of volume snapshot class to use for preflight checks (Optional) | "" | |
|
||||
| `preflight.logLevel` | Log Level for the preflight run (Default: "INFO") | "" | |
|
||||
| `preflight.imageTag` | Image tag to use for the preflight image (Default: latest) | "" | |
|
||||
|
||||
Check the TVM CR configuration by running following command:
|
||||
|
||||
```
|
||||
kubectl get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml
|
||||
```
|
||||
|
||||
Once the operator pod is in running state, the TVK pods getting spawned. Confirm the [TVK pods are up](#Check-TVK-Install).
|
||||
|
||||
#### Note:
|
||||
|
||||
If preflight check is enabled and helm install fails, check pre-install helm hook pod logs for any failure in preflight check. Do the following steps:
|
||||
|
||||
First, run this command:
|
||||
```
|
||||
kubectl get pods -n <helm-release-namespace>
|
||||
```
|
||||
|
||||
The pod name should start with `<helm-release-name>-preflight-job-preinstall-hook`. Check the logs of the pod by the following command:
|
||||
```
|
||||
kubectl logs -f <pod-name> -n <helm-release-namespace>
|
||||
```
|
||||
|
||||
#### The failed preflight job is not cleaned up automatically right after failure. If the user cluster version is 1.21 and above, the job will be cleaned up after 1 hour so user should collect any failure logs within 1 hr of job failure. For cluster version below 1.21, user has to clean up failed preflight job manually.
|
||||
|
||||
To delete the job manually, run the following command:
|
||||
```
|
||||
kubectl delete job -f <job-name> -n <helm-release-namespace>
|
||||
```
|
||||
|
||||
where job name should also start with `<helm-release-name>-preflight-job-preinstall-hook`
|
||||
|
||||
Also, due to a bug at helm side where auto deletion of resources upon failure doesn't work, user needs to clean the following resources left behind to be able to run preflight again, until the bug is fixed from their side, after which this step will be handled automatically. Run the following command to clean up the temporary resources:
|
||||
|
||||
1. Cleanup Service Account:
|
||||
```
|
||||
kubectl delete sa <helm-release-name>-preflight-service-account -n <helm-release-namespace>
|
||||
```
|
||||
2. Cleanup Cluster Role Binding:
|
||||
```
|
||||
kubectl delete clusterrolebinding <helm-release-name>-<helm-release-namespace>-preflight-rolebinding
|
||||
```
|
||||
3. Cleanup Cluster Role:
|
||||
```
|
||||
kubectl delete clusterrole <helm-release-name>-<helm-release-namespace>-preflight-role
|
||||
```
|
||||
|
||||
## Manual Installation
|
||||
|
||||
To install the operator on local setup just run the latest helm charts inside this repo
|
||||
|
||||
```shell script
|
||||
helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator
|
||||
helm install tvm trilio-vault-operator/k8s-triliovault-operator
|
||||
```
|
||||
|
||||
Now, create a TrilioVaultManager CR to install the TrilioVault for Kubernetes. You can provide the custom configurations for the TVK resources as follows:
|
||||
|
||||
```
|
||||
apiVersion: triliovault.trilio.io/v1
|
||||
kind: TrilioVaultManager
|
||||
metadata:
|
||||
labels:
|
||||
triliovault: k8s
|
||||
name: tvk
|
||||
spec:
|
||||
trilioVaultAppVersion: latest
|
||||
applicationScope: Cluster
|
||||
# User can configure tvk instance name
|
||||
tvkInstanceName: tvk-instance
|
||||
# User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section
|
||||
ingressConfig:
|
||||
host: "trilio.co.in"
|
||||
tlsSecretName: "secret-name"
|
||||
# TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook.
|
||||
# User can configure resources for all componentes and can configure service type and host for the ingress-controller
|
||||
componentConfiguration:
|
||||
web-backend:
|
||||
resources:
|
||||
requests:
|
||||
memory: "400Mi"
|
||||
cpu: "200m"
|
||||
limits:
|
||||
memory: "2584Mi"
|
||||
cpu: "1000m"
|
||||
ingress-controller:
|
||||
enabled: true
|
||||
service:
|
||||
type: LoadBalancer
|
||||
```
|
||||
|
||||
### Apply the Custom Resource
|
||||
|
||||
Apply `TVM.yaml`:
|
||||
|
||||
```shell
|
||||
kubectl create -f TVM.yaml
|
||||
```
|
||||
|
||||
### Check TVK Install
|
||||
|
||||
Check that the pods were created:
|
||||
|
||||
```
|
||||
kubectl get pods
|
||||
```
|
||||
|
||||
```
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
k8s-triliovault-admission-webhook-6ff5f98c8-qwmfc 1/1 Running 0 81s
|
||||
k8s-triliovault-backend-6f66b6b8d5-gxtmz 1/1 Running 0 81s
|
||||
k8s-triliovault-control-plane-6c464c5d78-ftk6g 1/1 Running 0 81s
|
||||
k8s-triliovault-exporter-59566f97dd-gs4xc 1/1 Running 0 81s
|
||||
k8s-triliovault-ingress-nginx-controller-867c764cd5-qhpx6 1/1 Running 0 18s
|
||||
k8s-triliovault-web-967c8475-m7pc6 1/1 Running 0 81s
|
||||
tvm-k8s-triliovault-operator-66bd7d86d5-dvhzb 1/1 Running 0 6m48s
|
||||
```
|
||||
|
||||
Check that ingress controller service is of type LoadBalancer:
|
||||
```
|
||||
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
|
||||
k8s-triliovault-admission-webhook ClusterIP 10.7.243.24 <none> 443/TCP 129m
|
||||
k8s-triliovault-ingress-nginx-controller LoadBalancer 10.7.246.193 35.203.155.148 80:30362/TCP,443:32327/TCP 129m
|
||||
k8s-triliovault-ingress-nginx-controller-admission ClusterIP 10.7.250.31 <none> 443/TCP 129m
|
||||
k8s-triliovault-web ClusterIP 10.7.254.41 <none> 80/TCP 129m
|
||||
k8s-triliovault-web-backend ClusterIP 10.7.252.146 <none> 80/TCP 129m
|
||||
tvm-k8s-triliovault-operator-webhook-service ClusterIP 10.7.248.163 <none> 443/TCP 130m 123m
|
||||
```
|
||||
|
||||
Check that ingress resources has the host defined by the user:
|
||||
```
|
||||
NAME CLASS HOSTS ADDRESS PORTS AGE
|
||||
k8s-triliovault k8s-triliovault-default-nginx * 35.203.155.148 80 129m
|
||||
```
|
||||
|
||||
You can access the TVK UI by hitting this address in your browser: https://35.203.155.148
|
||||
|
||||
## Delete
|
||||
|
||||
```shell
|
||||
kubectl delete -f TVM.yaml
|
||||
```
|
||||
|
||||
## Uninstall
|
||||
|
||||
To uninstall/delete the operator helm chart :
|
||||
|
||||
```bash
|
||||
helm uninstall tvm
|
||||
```
|
||||
|
||||
## TrilioVaultManager compatibility
|
||||
|
||||
We maintain the version parity between the TrilioVaultManager(upstream operator) and TrilioVault for Kubernetes. Whenever
|
||||
user wants to upgrade to the new version, should use the same version for upstream operator and Triliovault for Kubernetes.
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v2
|
||||
appVersion: 0.1.0
|
||||
dependencies:
|
||||
- name: visualization
|
||||
repository: file://charts/visualization
|
||||
version: ^0.1.0
|
||||
- name: logging
|
||||
repository: file://charts/logging
|
||||
version: ^0.1.0
|
||||
- name: monitoring
|
||||
repository: file://charts/monitoring
|
||||
version: ^0.1.0
|
||||
description: Observability Stack is designed to manage the K8s-TrilioVault Application's
|
||||
Logging, Monitoring and Visualization.
|
||||
icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
|
||||
kubeVersion: '>=1.19.0-0'
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: observability
|
||||
version: 0.1.0
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v2
|
||||
appVersion: 0.1.0
|
||||
dependencies:
|
||||
- condition: loki.enabled
|
||||
name: loki
|
||||
repository: https://grafana.github.io/helm-charts
|
||||
version: ^2.11.1
|
||||
- condition: promtail.enabled
|
||||
name: promtail
|
||||
repository: https://grafana.github.io/helm-charts
|
||||
version: ^4.2.0
|
||||
description: Logging Stack designed to manage the K8s-TrilioVault Application's Logs.
|
||||
icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: logging
|
||||
version: 0.1.0
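Review bot: The `loki` and `promtail` dependencies are declared as caret ranges (`^2.11.1`, `^4.2.0`) against a remote repository, while the loki chart committed alongside it is exactly `version: 2.11.1`. If `helm dependency update` is run without a committed `Chart.lock` (none is visible in this part of the commit), the range can resolve to a newer upstream release than the copy reviewed and modified here. Pin the declaration to the vendored versions, `version: 2.11.1` for loki and the matching exact version for promtail.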
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
appVersion: v2.5.0
|
||||
description: 'Loki: like Prometheus, but for logs.'
|
||||
home: https://grafana.com/loki
|
||||
icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png
|
||||
kubeVersion: ^1.10.0-0
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: loki
|
||||
sources:
|
||||
- https://github.com/grafana/loki
|
||||
version: 2.11.1
|
|
@ -0,0 +1,3 @@
|
|||
Verify the application is working by running these commands:
|
||||
kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "loki.fullname" . }} {{ .Values.service.port }}
|
||||
curl http://127.0.0.1:{{ .Values.service.port }}/api/prom/label
|
|
@ -0,0 +1,75 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "loki.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "loki.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "loki.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account
|
||||
*/}}
|
||||
{{- define "loki.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "loki.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the app name of loki clients. Defaults to the same logic as "loki.fullname", and default client expects "promtail".
|
||||
*/}}
|
||||
{{- define "client.name" -}}
|
||||
{{- if .Values.client.name -}}
|
||||
{{- .Values.client.name -}}
|
||||
{{- else if .Values.client.fullnameOverride -}}
|
||||
{{- .Values.client.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default "promtail" .Values.client.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Generate a right Ingress apiVersion
|
||||
*/}}
|
||||
{{- define "ingress.apiVersion" -}}
|
||||
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
networking.k8s.io/v1
|
||||
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
networking.k8s.io/v1beta1
|
||||
{{- else -}}
|
||||
extensions/v1
|
||||
{{- end }}
|
||||
{{- end -}}
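Review bot: The final fallback in `ingress.apiVersion` emits `extensions/v1`, which is not a group/version that ever served Ingress; the legacy one was `extensions/v1beta1`. The operator chart declares `kubeVersion: '>=1.19.0-0'`, so this branch should not be reached in practice. Either correct it to `extensions/v1beta1`, or drop it and make `networking.k8s.io/v1beta1` the plain `else`. A one-line comment above the define stating which cluster versions each branch targets would make the intent clear.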
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
{{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}-alerting-rules
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
data:
|
||||
{{ template "loki.fullname" . }}-alerting-rules.yaml: |-
|
||||
groups:
|
||||
{{- toYaml .Values.alerting_groups | nindent 6 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,55 @@
|
|||
{{- if .Values.ingress.enabled -}}
|
||||
{{- $fullName := include "loki.fullname" . -}}
|
||||
{{- $svcPort := .Values.service.port -}}
|
||||
{{- $apiVersion := include "ingress.apiVersion" . -}}
|
||||
apiVersion: {{ $apiVersion }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.ingress.ingressClassName }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.tls }}
|
||||
tls:
|
||||
{{- range .Values.ingress.tls }}
|
||||
- hosts:
|
||||
{{- range .hosts }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
secretName: {{ .secretName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.ingress.hosts }}
|
||||
- host: {{ .host | quote }}
|
||||
http:
|
||||
paths:
|
||||
{{- range .paths }}
|
||||
- path: {{ . }}
|
||||
{{- if eq $apiVersion "networking.k8s.io/v1" }}
|
||||
pathType: Prefix
|
||||
{{- end }}
|
||||
backend:
|
||||
{{- if eq $apiVersion "networking.k8s.io/v1" }}
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $svcPort }}
|
||||
{{- else }}
|
||||
serviceName: {{ $fullName }}
|
||||
servicePort: {{ $svcPort }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,26 @@
|
|||
{{- if .Values.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
app: {{ template "loki.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: {{ template "client.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
- ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
{{- end }}
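Review bot: The leading dash on `- ports:` starts a second `ingress` rule instead of constraining the first one. The policy therefore reads as "allow the client pods on any port" plus "allow any source on the service port", and the `from` selector no longer limits who can reach Loki. Indentation is lost in this view, but `ports` is not a field of a `from` peer, so the dash can only open a new rule. Make it a sibling key of `from` in the same rule, `ports:` followed by `- port: {{ .Values.service.port }}`. Then confirm with `kubectl describe networkpolicy` on a rendered release that a single rule lists both the port and the pod selector.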
|
|
@ -0,0 +1,17 @@
|
|||
{{- if .Values.podDisruptionBudget -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "loki.name" . }}
|
||||
{{ toYaml .Values.podDisruptionBudget | indent 2 }}
|
||||
{{- end }}
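Review bot: `apiVersion: policy/v1beta1` is hard-coded here and in the PodSecurityPolicy template that follows, while the operator chart declares `kubeVersion: '>=1.19.0-0'` with no upper bound. That group/version stopped serving PodDisruptionBudget in Kubernetes 1.25, and PodSecurityPolicy was removed in the same release, so setting `podDisruptionBudget` or `rbac.pspEnabled` on a newer cluster would fail the install. Select the version from cluster capabilities, e.g. `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. Gate the PSP template and the `podsecuritypolicies` rule in the Role on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"`. Where the PSP is skipped, the restrictions it expressed (non-root, read-only root filesystem, dropped capabilities) have to come from the pod `securityContext` and Pod Security admission instead.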
|
|
@ -0,0 +1,41 @@
|
|||
{{- if .Values.rbac.pspEnabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'persistentVolumeClaim'
|
||||
- 'secret'
|
||||
- 'projected'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAsNonRoot'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: true
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
{{- end }}
|
|
@ -0,0 +1,23 @@
|
|||
{{- if and .Values.serviceMonitor.enabled .Values.serviceMonitor.prometheusRule.enabled -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
{{- if .Values.serviceMonitor.prometheusRule.namespace }}
|
||||
namespace: {{ .Values.serviceMonitor.prometheusRule.namespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
{{- if .Values.serviceMonitor.prometheusRule.additionalLabels }}
|
||||
{{- toYaml .Values.serviceMonitor.prometheusRule.additionalLabels | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.serviceMonitor.prometheusRule.rules }}
|
||||
groups:
|
||||
- name: {{ template "loki.fullname" . }}
|
||||
rules: {{- toYaml .Values.serviceMonitor.prometheusRule.rules | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
{{- if .Values.rbac.pspEnabled }}
|
||||
rules:
|
||||
- apiGroups: ['extensions']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: [{{ template "loki.fullname" . }}]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "loki.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "loki.serviceAccountName" . }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
{{- if not .Values.config.existingSecret -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
data:
|
||||
loki.yaml: {{ tpl (toYaml .Values.config) . | b64enc}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}-headless
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
app.kubernetes.io/instance: {{ template "loki.name" . }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 4 }}
|
||||
variant: headless
|
||||
spec:
|
||||
clusterIP: None
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
name: http-metrics
|
||||
targetPort: {{ .Values.service.targetPort }}
|
||||
{{- if .Values.extraPorts }}
|
||||
{{ toYaml .Values.extraPorts | indent 4}}
|
||||
{{- end }}
|
||||
selector:
|
||||
app: {{ template "loki.name" . }}
|
||||
release: {{ .Release.Name }}
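Review bot: `{{- include "k8s-triliovault-operator.labels" . | nindent 4 }}` calls a helper that the `_helpers.tpl` shown for this chart does not define, so the loki subchart renders only when installed underneath the operator chart. The same include appears in the Service and StatefulSet templates. Add a comment such as `{{/* requires the parent chart's k8s-triliovault-operator.labels helper */}}`, or define a local fallback. Separately, `app.kubernetes.io/instance` is set from `loki.name` here and in the Service but from `.Release.Name` in the StatefulSet; if the included helper also emits that key, the manifest ends up with a duplicate label key. Using `.Release.Name` in all three would keep label-based grouping consistent.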
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
app.kubernetes.io/instance: {{ template "loki.name" . }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 4 }}
|
||||
{{- with .Values.service.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- toYaml .Values.service.annotations | nindent 4 }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }}
|
||||
clusterIP: {{ .Values.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
|
||||
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- range $cidr := .Values.service.loadBalancerSourceRanges }}
|
||||
- {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
name: http-metrics
|
||||
targetPort: {{ .Values.service.targetPort }}
|
||||
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
|
||||
nodePort: {{ .Values.service.nodePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraPorts }}
|
||||
{{ toYaml .Values.extraPorts | indent 4}}
|
||||
{{- end }}
|
||||
selector:
|
||||
app: {{ template "loki.name" . }}
|
||||
release: {{ .Release.Name }}
|
|
@ -0,0 +1,16 @@
|
|||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
annotations:
|
||||
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
|
||||
name: {{ template "loki.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
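Review bot: `automountServiceAccountToken` is rendered straight from values with no default, so an unset value produces an empty field and Kubernetes falls back to mounting the token into the pod. The only permission the chart's Role grants is `use` on the PodSecurityPolicy, which suggests the Loki container does not call the API itself. If that holds, default to not mounting: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}`. The values file is not part of this view, so check what default it sets before changing the template.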
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{{- if .Values.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
{{- if .Values.serviceMonitor.additionalLabels }}
|
||||
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceMonitor.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceMonitor.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "loki.name" . }}
|
||||
release: {{ .Release.Name | quote }}
|
||||
variant: headless
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- if .Values.serviceMonitor.interval }}
|
||||
interval: {{ .Values.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceMonitor.path }}
|
||||
path: {{ .Values.serviceMonitor.path }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,160 @@
|
|||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ template "loki.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
chart: {{ template "loki.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- toYaml .Values.annotations | nindent 4 }}
|
||||
spec:
|
||||
podManagementPolicy: {{ .Values.podManagementPolicy }}
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "loki.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 6 }}
|
||||
serviceName: {{ template "loki.fullname" . }}-headless
|
||||
updateStrategy:
|
||||
{{- toYaml .Values.updateStrategy | nindent 4 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "loki.name" . }}
|
||||
name: {{ template "loki.fullname" . }}
|
||||
release: {{ .Release.Name }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if not .Values.config.existingSecret }}
|
||||
checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "loki.serviceAccountName" . }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 8 }}
|
||||
initContainers:
|
||||
{{- toYaml .Values.initContainers | nindent 8 }}
|
||||
{{- if .Values.image.pullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.image.pullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
- "-config.file=/etc/loki/loki.yaml"
|
||||
{{- range $key, $value := .Values.extraArgs }}
|
||||
- "-{{ $key }}={{ $value }}"
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{ toYaml .Values.extraVolumeMounts | nindent 12}}
|
||||
{{- end }}
|
||||
- name: config
|
||||
mountPath: /etc/loki
|
||||
- name: storage
|
||||
mountPath: "/data"
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }}
|
||||
- name: rules
|
||||
mountPath: /rules/fake
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.config.server.http_listen_port }}
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
{{- toYaml .Values.livenessProbe | nindent 12 }}
|
||||
readinessProbe:
|
||||
{{- toYaml .Values.readinessProbe | nindent 12 }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
env:
|
||||
{{- if .Values.env }}
|
||||
{{- toYaml .Values.env | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.tracing.jaegerAgentHost }}
|
||||
- name: JAEGER_AGENT_HOST
|
||||
value: "{{ .Values.tracing.jaegerAgentHost }}"
|
||||
{{- end }}
|
||||
{{- if .Values.extraContainers }}
|
||||
{{ toYaml .Values.extraContainers | indent 8}}
|
||||
{{- end }}
|
||||
nodeSelector:
|
||||
{{- toYaml .Values.nodeSelector | nindent 8 }}
|
||||
affinity:
|
||||
{{- toYaml .Values.affinity | nindent 8 }}
|
||||
tolerations:
|
||||
{{- toYaml .Values.tolerations | nindent 8 }}
|
||||
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
{{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }}
|
||||
- name: rules
|
||||
configMap:
|
||||
{{- if .Values.useExistingAlertingGroup.enabled }}
|
||||
name: {{ .Values.useExistingAlertingGroup.configmapName }}
|
||||
{{- else }}
|
||||
name: {{ template "loki.fullname" . }}-alerting-rules
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: config
|
||||
secret:
|
||||
{{- if .Values.config.existingSecret }}
|
||||
secretName: {{ .Values.config.existingSecret }}
|
||||
{{- else }}
|
||||
secretName: {{ template "loki.fullname" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{ toYaml .Values.extraVolumes | indent 8}}
|
||||
{{- end }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
- name: storage
|
||||
emptyDir: {}
|
||||
{{- else if .Values.persistence.existingClaim }}
|
||||
- name: storage
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.existingClaim }}
|
||||
{{- else }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: storage
|
||||
annotations:
|
||||
{{- toYaml .Values.persistence.annotations | nindent 8 }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- toYaml .Values.persistence.accessModes | nindent 8 }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.size | quote }}
|
||||
storageClassName: {{ .Values.persistence.storageClassName }}
|
||||
{{- if .Values.persistence.selector }}
|
||||
selector:
|
||||
{{- toYaml .Values.persistence.selector | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
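Review bot: The Loki container's `securityContext` sets only `readOnlyRootFilesystem: true`, so privilege escalation and the capability set are left at the runtime defaults. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside it would match the non-root pod-level context that the chart's values supply. The image reference is built from `image.repository` and `image.tag` only, so a deployment cannot pin by digest; an optional digest value would cover that. Indentation is lost in this rendering, so the placement should be checked against the real file.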
|
|
@ -0,0 +1,326 @@
|
|||
image:
|
||||
repository: grafana/loki
|
||||
tag: 2.5.0
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
## Secrets must be manually created in the namespace.
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||
##
|
||||
# pullSecrets:
|
||||
# - myRegistryKeySecretName
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
|
||||
# See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
|
||||
# ingressClassName: nginx
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- host: chart-example.local
|
||||
paths: []
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
|
||||
## Affinity for pod assignment
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||||
affinity: {}
|
||||
# podAntiAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# - labelSelector:
|
||||
# matchExpressions:
|
||||
# - key: app
|
||||
# operator: In
|
||||
# values:
|
||||
# - loki
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
|
||||
## StatefulSet annotations
|
||||
annotations: {}
|
||||
|
||||
# enable tracing for debug, need install jaeger and specify right jaeger_agent_host
|
||||
tracing:
|
||||
jaegerAgentHost:
|
||||
|
||||
config:
|
||||
# existingSecret:
|
||||
auth_enabled: false
|
||||
ingester:
|
||||
chunk_idle_period: 3m
|
||||
chunk_block_size: 262144
|
||||
chunk_retain_period: 1m
|
||||
max_transfer_retries: 0
|
||||
wal:
|
||||
dir: /data/loki/wal
|
||||
lifecycler:
|
||||
ring:
|
||||
kvstore:
|
||||
store: inmemory
|
||||
replication_factor: 1
|
||||
|
||||
## Different ring configs can be used. E.g. Consul
|
||||
# ring:
|
||||
# store: consul
|
||||
# replication_factor: 1
|
||||
# consul:
|
||||
# host: "consul:8500"
|
||||
# prefix: ""
|
||||
# http_client_timeout: "20s"
|
||||
# consistent_reads: true
|
||||
limits_config:
|
||||
enforce_metric_name: false
|
||||
reject_old_samples: true
|
||||
reject_old_samples_max_age: 168h
|
||||
max_entries_limit_per_query: 5000
|
||||
max_streams_per_user: 100000
|
||||
schema_config:
|
||||
configs:
|
||||
- from: 2020-10-24
|
||||
store: boltdb-shipper
|
||||
object_store: filesystem
|
||||
schema: v11
|
||||
index:
|
||||
prefix: index_
|
||||
period: 24h
|
||||
server:
|
||||
http_listen_port: 3100
|
||||
storage_config:
|
||||
boltdb_shipper:
|
||||
active_index_directory: /data/loki/boltdb-shipper-active
|
||||
cache_location: /data/loki/boltdb-shipper-cache
|
||||
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
|
||||
shared_store: filesystem
|
||||
filesystem:
|
||||
directory: /data/loki/chunks
|
||||
chunk_store_config:
|
||||
max_look_back_period: 0s
|
||||
table_manager:
|
||||
retention_deletes_enabled: false
|
||||
retention_period: 0s
|
||||
compactor:
|
||||
working_directory: /data/loki/boltdb-shipper-compactor
|
||||
shared_store: filesystem
|
||||
# Needed for Alerting: https://grafana.com/docs/loki/latest/rules/
|
||||
# This is just a simple example, for more details: https://grafana.com/docs/loki/latest/configuration/#ruler_config
|
||||
# ruler:
|
||||
# storage:
|
||||
# type: local
|
||||
# local:
|
||||
# directory: /rules
|
||||
# rule_path: /tmp/scratch
|
||||
# alertmanager_url: http://alertmanager.svc.namespace:9093
|
||||
# ring:
|
||||
# kvstore:
|
||||
# store: inmemory
|
||||
# enable_api: true
|
||||
|
||||
## Additional Loki container arguments, e.g. log level (debug, info, warn, error)
|
||||
extraArgs: {}
|
||||
# log.level: debug
|
||||
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: http-metrics
|
||||
initialDelaySeconds: 45
|
||||
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
|
||||
## The app name of loki clients
|
||||
client: {}
|
||||
# name:
|
||||
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
||||
nodeSelector: {}
|
||||
|
||||
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
|
||||
## If you set enabled as "True", you need :
|
||||
## - create a pv which above 10Gi and has same namespace with loki
|
||||
## - keep storageClassName same with below setting
|
||||
persistence:
|
||||
enabled: false
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
size: 10Gi
|
||||
annotations: {}
|
||||
# selector:
|
||||
# matchLabels:
|
||||
# app.kubernetes.io/name: loki
|
||||
# subPath: ""
|
||||
# existingClaim:
|
||||
|
||||
## Pod Labels
|
||||
podLabels: {}
|
||||
|
||||
## Pod Annotations
|
||||
podAnnotations:
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "http-metrics"
|
||||
|
||||
podManagementPolicy: OrderedReady
|
||||
|
||||
## Assign a PriorityClassName to pods if set
|
||||
# priorityClassName:
|
||||
|
||||
rbac:
|
||||
create: true
|
||||
pspEnabled: false
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: http-metrics
|
||||
initialDelaySeconds: 45
|
||||
|
||||
replicas: 1
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 500Mi
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
|
||||
securityContext:
|
||||
fsGroup: 10001
|
||||
runAsGroup: 10001
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10001
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
nodePort:
|
||||
port: 3100
|
||||
annotations: {}
|
||||
labels: {}
|
||||
targetPort: http-metrics
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
name:
|
||||
annotations: {}
|
||||
automountServiceAccountToken: true
|
||||
|
||||
terminationGracePeriodSeconds: 4800
|
||||
|
||||
## Tolerations for pod assignment
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||||
tolerations: []
|
||||
|
||||
# The values to set in the PodDisruptionBudget spec
|
||||
# If not set then a PodDisruptionBudget will not be created
|
||||
podDisruptionBudget: {}
|
||||
# minAvailable: 1
|
||||
# maxUnavailable: 1
|
||||
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
interval: ""
|
||||
additionalLabels: {}
|
||||
annotations: {}
|
||||
# scrapeTimeout: 10s
|
||||
# path: /metrics
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
additionalLabels: {}
|
||||
# namespace:
|
||||
rules: []
|
||||
# Some examples from https://awesome-prometheus-alerts.grep.to/rules.html#loki
|
||||
# - alert: LokiProcessTooManyRestarts
|
||||
# expr: changes(process_start_time_seconds{job=~"loki"}[15m]) > 2
|
||||
# for: 0m
|
||||
# labels:
|
||||
# severity: warning
|
||||
# annotations:
|
||||
# summary: Loki process too many restarts (instance {{ $labels.instance }})
|
||||
# description: "A loki process had too many restarts (target {{ $labels.instance }})\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
|
||||
# - alert: LokiRequestErrors
|
||||
# expr: 100 * sum(rate(loki_request_duration_seconds_count{status_code=~"5.."}[1m])) by (namespace, job, route) / sum(rate(loki_request_duration_seconds_count[1m])) by (namespace, job, route) > 10
|
||||
# for: 15m
|
||||
# labels:
|
||||
# severity: critical
|
||||
# annotations:
|
||||
# summary: Loki request errors (instance {{ $labels.instance }})
|
||||
# description: "The {{ $labels.job }} and {{ $labels.route }} are experiencing errors\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
|
||||
# - alert: LokiRequestPanic
|
||||
# expr: sum(increase(loki_panic_total[10m])) by (namespace, job) > 0
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
# annotations:
|
||||
# summary: Loki request panic (instance {{ $labels.instance }})
|
||||
# description: "The {{ $labels.job }} is experiencing {{ printf \"%.2f\" $value }}% increase of panics\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
|
||||
# - alert: LokiRequestLatency
|
||||
# expr: (histogram_quantile(0.99, sum(rate(loki_request_duration_seconds_bucket{route!~"(?i).*tail.*"}[5m])) by (le))) > 1
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
# annotations:
|
||||
# summary: Loki request latency (instance {{ $labels.instance }})
|
||||
# description: "The {{ $labels.job }} {{ $labels.route }} is experiencing {{ printf \"%.2f\" $value }}s 99th percentile latency\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
|
||||
|
||||
|
||||
initContainers: []
|
||||
## Init containers to be added to the loki pod.
|
||||
# - name: my-init-container
|
||||
# image: busybox:latest
|
||||
# command: ['sh', '-c', 'echo hello']
|
||||
|
||||
extraContainers: []
|
||||
## Additional containers to be added to the loki pod.
|
||||
# - name: reverse-proxy
|
||||
# image: angelbarrera92/basic-auth-reverse-proxy:dev
|
||||
# args:
|
||||
# - "serve"
|
||||
# - "--upstream=http://localhost:3100"
|
||||
# - "--auth-config=/etc/reverse-proxy-conf/authn.yaml"
|
||||
# ports:
|
||||
# - name: http
|
||||
# containerPort: 11811
|
||||
# protocol: TCP
|
||||
# volumeMounts:
|
||||
# - name: reverse-proxy-auth-config
|
||||
# mountPath: /etc/reverse-proxy-conf
|
||||
|
||||
|
||||
extraVolumes: []
|
||||
## Additional volumes to the loki pod.
|
||||
# - name: reverse-proxy-auth-config
|
||||
# secret:
|
||||
# secretName: reverse-proxy-auth-config
|
||||
|
||||
## Extra volume mounts that will be added to the loki container
|
||||
extraVolumeMounts: []
|
||||
|
||||
extraPorts: []
|
||||
## Additional ports to the loki services. Useful to expose extra container ports.
|
||||
# - port: 11811
|
||||
# protocol: TCP
|
||||
# name: http
|
||||
# targetPort: http
|
||||
|
||||
# Extra env variables to pass to the loki container
|
||||
env: []
|
||||
|
||||
# Specify Loki Alerting rules based on this documentation: https://grafana.com/docs/loki/latest/rules/
|
||||
# When specified, you also need to add a ruler config section above. An example is shown in the alerting docs.
|
||||
alerting_groups: []
|
||||
# - name: example
|
||||
# rules:
|
||||
# - alert: HighThroughputLogStreams
|
||||
# expr: sum by(container) (rate({job=~"loki-dev/.*"}[1m])) > 1000
|
||||
# for: 2m
|
||||
|
||||
useExistingAlertingGroup:
|
||||
enabled: false
|
||||
configmapName: ""
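Review bot: The defaults combine `auth_enabled: false` with `networkPolicy.enabled: false`, so any workload that can reach the service on port 3100 can push and query logs, since Loki does no authentication of its own. Either default `networkPolicy.enabled` to `true` or state the exposure next to the setting, e.g. `# auth_enabled: false disables tenant separation; restrict access with networkPolicy or a fronting proxy`. `serviceAccount.automountServiceAccountToken: true` also looks unnecessary for the in-memory ring and filesystem store configured here; presumably Loki makes no Kubernetes API calls in this mode, which should be confirmed before changing it to `false`.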
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v2
|
||||
appVersion: 2.5.0
|
||||
description: Promtail is an agent which ships the contents of local logs to a Loki
|
||||
instance
|
||||
home: https://grafana.com/loki
|
||||
icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: promtail
|
||||
sources:
|
||||
- https://github.com/grafana/loki
|
||||
- https://grafana.com/oss/loki/
|
||||
- https://grafana.com/docs/loki/latest/
|
||||
type: application
|
||||
version: 4.2.0
|
|
@ -0,0 +1,10 @@
|
|||
***********************************************************************
|
||||
Welcome to Grafana Promtail
|
||||
Chart version: {{ .Chart.Version }}
|
||||
Promtail version: {{ .Values.image.tag | default .Chart.AppVersion }}
|
||||
***********************************************************************
|
||||
|
||||
Verify the application is working by running these commands:
|
||||
|
||||
* kubectl --namespace {{ .Release.Namespace }} port-forward daemonset/{{ include "promtail.fullname" . }} {{ .Values.config.serverPort }}
|
||||
* curl http://127.0.0.1:{{ .Values.config.serverPort }}/metrics
|
|
@ -0,0 +1,81 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "promtail.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "promtail.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "promtail.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "promtail.labels" -}}
|
||||
helm.sh/chart: {{ include "promtail.chart" . }}
|
||||
{{ include "promtail.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "promtail.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "promtail.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{ include "k8s-triliovault-operator.labels" .}}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account
|
||||
*/}}
|
||||
{{- define "promtail.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "promtail.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
The service name to connect to Loki. Defaults to the same logic as "loki.fullname"
|
||||
*/}}
|
||||
{{- define "loki.serviceName" -}}
|
||||
{{- if .Values.loki.serviceName -}}
|
||||
{{- .Values.loki.serviceName -}}
|
||||
{{- else if .Values.loki.fullnameOverride -}}
|
||||
{{- .Values.loki.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default "loki" .Values.loki.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
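Review bot: `promtail.selectorLabels` pulls in `k8s-triliovault-operator.labels`, and its output is used as the DaemonSet's `spec.selector.matchLabels` and as the Service and NetworkPolicy selectors. That template is defined outside this file; if it emits anything that changes between releases (a chart or app version label, for instance), upgrades will fail because a DaemonSet selector is immutable. Keep the selector to `app.kubernetes.io/name` and `app.kubernetes.io/instance`, and move the operator labels into `promtail.labels`.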
|
|
@ -0,0 +1,21 @@
|
|||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
- nodes/proxy
|
||||
- services
|
||||
- endpoints
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- watch
|
||||
- list
|
||||
{{- end }}
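Review bot: The rule grants `get`/`watch`/`list` on `nodes/proxy` cluster-wide, which exposes the kubelet API through the API server and is far broader than pod discovery needs. Whether any scrape job uses node, service or endpoints discovery is not visible in this file; if the shipped config only discovers pods, reduce `resources` to `- pods` (plus `- nodes` if node metadata is read) and drop `- nodes/proxy`, `- services` and `- endpoints`. If they have to stay, add a comment naming the scrape job that needs each resource.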
|
|
@ -0,0 +1,16 @@
|
|||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "promtail.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
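Review bot: The subject name comes from `promtail.serviceAccountName`, which falls back to `default` when `serviceAccount.create` is false and no name is set. With `rbac.create: true` this binds the cluster-wide read role to the namespace's `default` service account, and so to every pod that runs under it. Fail the render instead of binding silently, for example by using `{{ required "serviceAccount.name is required when serviceAccount.create is false" .Values.serviceAccount.name }}` in the helper's non-create branch, or skip the binding in that case.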
|
|
@ -0,0 +1,132 @@
|
|||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
{{- with .Values.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
updateStrategy:
|
||||
{{- toYaml .Values.updateStrategy | nindent 4 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/config: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "promtail.serviceAccountName" . }}
|
||||
{{- with .Values.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.initContainer.enabled }}
|
||||
initContainers:
|
||||
- name: init
|
||||
image: "{{ .Values.initContainer.image.registry }}/{{ .Values.initContainer.image.repository }}:{{ .Values.initContainer.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.initContainer.image.pullPolicy }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- sysctl -w fs.inotify.max_user_instances={{ .Values.initContainer.fsInotifyMaxUserInstances }}
|
||||
securityContext:
|
||||
privileged: true
|
||||
{{- end }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: promtail
|
||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
- "-config.file=/etc/promtail/promtail.yaml"
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/promtail
|
||||
- name: run
|
||||
mountPath: /run/promtail
|
||||
{{- with .Values.defaultVolumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: HOSTNAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraEnvFrom }}
|
||||
envFrom:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.config.serverPort }}
|
||||
protocol: TCP
|
||||
{{- range $key, $values := .Values.extraPorts }}
|
||||
- name: {{ .name | default $key }}
|
||||
containerPort: {{ $values.containerPort }}
|
||||
protocol: {{ $values.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
{{- with .Values.livenessProbe }}
|
||||
livenessProbe:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.readinessProbe }}
|
||||
readinessProbe:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
secret:
|
||||
secretName: {{ include "promtail.fullname" . }}
|
||||
- name: run
|
||||
hostPath:
|
||||
path: /run/promtail
|
||||
{{- with .Values.defaultVolumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
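Review bot: The init container runs with `privileged: true` and interpolates `initContainer.fsInotifyMaxUserInstances` into an `sh -c` string, so whatever that value renders to is interpreted by a shell inside a privileged container. Use the exec form so the value stays a single numeric argument: `command: ["sysctl", "-w", "fs.inotify.max_user_instances={{ .Values.initContainer.fsInotifyMaxUserInstances | int }}"]`. The `run` volume's `hostPath` has no `type`; adding `type: DirectoryOrCreate` would make the expectation about `/run/promtail` on the node explicit.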
|
|
@ -0,0 +1,4 @@
|
|||
{{ range .Values.extraObjects }}
|
||||
---
|
||||
{{ tpl (toYaml .) $ }}
|
||||
{{ end }}
|
|
@ -0,0 +1,126 @@
|
|||
{{- if .Values.networkPolicy.enabled }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "promtail.name" . }}-namespace-only
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
egress:
|
||||
- to:
|
||||
- podSelector: {}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector: {}
|
||||
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "promtail.name" . }}-egress-dns
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
to:
|
||||
- namespaceSelector: {}
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "promtail.name" . }}-egress-k8s-api
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
- ports:
|
||||
- port: {{ .Values.networkPolicy.k8sApi.port }}
|
||||
protocol: TCP
|
||||
{{- if len .Values.networkPolicy.k8sApi.cidrs }}
|
||||
to:
|
||||
{{- range $cidr := .Values.networkPolicy.k8sApi.cidrs }}
|
||||
- ipBlock:
|
||||
cidr: {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "promtail.name" . }}-ingress-metrics
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- ports:
|
||||
- port: http-metrics
|
||||
protocol: TCP
|
||||
{{- if len .Values.networkPolicy.metrics.cidrs }}
|
||||
from:
|
||||
{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
|
||||
- ipBlock:
|
||||
cidr: {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
|
||||
- namespaceSelector:
|
||||
{{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 12 }}
|
||||
{{- if .Values.networkPolicy.metrics.podSelector }}
|
||||
podSelector:
|
||||
{{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.extraPorts }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "promtail.name" . }}-egress-extra-ports
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
- ports:
|
||||
{{- range $extraPortConfig := .Values.extraPorts }}
|
||||
- port: {{ $extraPortConfig.containerPort }}
|
||||
protocol: {{ $extraPortConfig.protocol }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
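Review bot: The `-namespace-only` policy uses `podSelector: {}`, so turning on `networkPolicy.enabled` for promtail restricts ingress and egress of every pod in the release namespace, not only promtail's. Scope it like the other policies, with `podSelector:` / `matchLabels:` / `{{- include "promtail.selectorLabels" . | nindent 6 }}`. Separately, in `-egress-k8s-api` and `-ingress-metrics` the `to:`/`from:` block is emitted only when `cidrs` is non-empty, so an empty list yields a rule open to any peer on that port, and `metrics.namespaceSelector` is ignored unless `cidrs` is also set. The `-egress-dns` rule allows UDP 53 only, so DNS over TCP is blocked.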
|
|
@ -0,0 +1,10 @@
|
|||
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- toYaml .Values.podSecurityPolicy | nindent 2 }}
|
||||
{{- end }}
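Review bot: `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so with `rbac.pspEnabled: true` the install fails on current clusters. Extend the guard to `{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. The `-psp` Role and RoleBinding templates that follow use the same condition and need the same change.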
|
|
@ -0,0 +1,18 @@
|
|||
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}-psp
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- {{ include "promtail.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,16 @@
|
|||
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}-psp
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "promtail.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "promtail.serviceAccountName" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
stringData:
|
||||
promtail.yaml: |
|
||||
{{- tpl .Values.config.file . | nindent 4 }}
|
|
@ -0,0 +1,52 @@
|
|||
{{- range $key, $values := .Values.extraPorts }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" $ }}-{{ $key | lower }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" $ | nindent 4 }}
|
||||
{{- with .labels }}
|
||||
{{- toYaml $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.service }}
|
||||
type: {{ .type | default "ClusterIP" }}
|
||||
{{- with .clusterIP }}
|
||||
clusterIP: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- with .externalIPs }}
|
||||
externalIPs:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: {{ .name | default $key }}
|
||||
targetPort: {{ .name | default $key }}
|
||||
protocol: TCP
|
||||
{{- if $values.service }}
|
||||
port: {{ $values.service.port | default $values.containerPort }}
|
||||
{{- if $values.service.nodePort }}
|
||||
nodePort: {{ $values.service.nodePort }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
port: {{ $values.containerPort }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "promtail.selectorLabels" $ | nindent 4 }}
|
||||
{{- end }}
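Review bot: Inside `{{- with .labels }}` the body is `{{- toYaml $ | nindent 4 }}`, which serialises the root context (all of `.Values` plus release and chart data) into `metadata.labels` instead of the port's own labels; it should be `{{- toYaml . | nindent 4 }}`. As written, setting `labels` on an extra port would at best fail validation and at worst copy values content into object metadata. `protocol: TCP` is also hard-coded in `ports`, while the DaemonSet's container port uses `$values.protocol | default "TCP"`, so a UDP extra port gets a mismatched Service.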
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.serviceMonitor.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" . }}-metrics
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
spec:
|
||||
clusterIP: None
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: {{ .Values.config.serverPort }}
|
||||
targetPort: http-metrics
|
||||
protocol: TCP
|
||||
selector:
|
||||
{{- include "promtail.selectorLabels" . | nindent 4 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,17 @@
|
|||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "promtail.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "promtail.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.serviceAccount.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,40 @@
|
|||
{{- if .Values.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "promtail.fullname" $ }}
|
||||
{{- if .Values.serviceMonitor.namespace }}
|
||||
namespace: {{ .Values.serviceMonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- with .Values.serviceMonitor.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "promtail.labels" $ | nindent 4 }}
|
||||
{{- with .Values.serviceMonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.serviceMonitor.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "promtail.selectorLabels" . | nindent 6 }}
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- with .Values.serviceMonitor.interval }}
|
||||
interval: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.serviceMonitor.relabelings }}
|
||||
relabelings:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,430 @@
|
|||
# -- Overrides the chart's name
|
||||
nameOverride: null
|
||||
|
||||
# -- Overrides the chart's computed fullname
|
||||
fullnameOverride: null
|
||||
|
||||
initContainer:
|
||||
# -- Specifies whether the init container for setting inotify max user instances is to be enabled
|
||||
enabled: false
|
||||
image:
|
||||
# -- The Docker registry for the init container
|
||||
registry: docker.io
|
||||
# -- Docker image repository for the init container
|
||||
repository: busybox
|
||||
# -- Docker tag for the init container
|
||||
tag: 1.33
|
||||
# -- Docker image pull policy for the init container image
|
||||
pullPolicy: IfNotPresent
|
||||
# -- The inotify max user instances to configure
|
||||
fsInotifyMaxUserInstances: 128
|
||||
|
||||
image:
|
||||
# -- The Docker registry
|
||||
registry: docker.io
|
||||
# -- Docker image repository
|
||||
repository: grafana/promtail
|
||||
# -- Overrides the image tag whose default is the chart's appVersion
|
||||
tag: null
|
||||
# -- Docker image pull policy
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# -- Image pull secrets for Docker images
|
||||
imagePullSecrets: []
|
||||
|
||||
# -- Annotations for the DaemonSet
|
||||
annotations:
|
||||
ignore-check.kube-linter.io/run-as-non-root: "This deployment needs to run as root user to modify log files"
|
||||
ignore-check.kube-linter.io/writable-host-mount: "This deployment needs writable volume mount on host to capture logs"
|
||||
|
||||
# -- The update strategy for the DaemonSet
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
||||
# -- Pod labels
|
||||
podLabels: {}
|
||||
|
||||
# -- Pod annotations
|
||||
podAnnotations: {}
|
||||
# prometheus.io/scrape: "true"
|
||||
# prometheus.io/port: "http-metrics"
|
||||
|
||||
# -- The name of the PriorityClass
|
||||
priorityClassName: null
|
||||
|
||||
# -- Liveness probe
|
||||
livenessProbe: {}
|
||||
|
||||
# -- Readiness probe
|
||||
# @default -- See `values.yaml`
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: http-metrics
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
|
||||
# -- Resource requests and limits
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 500Mi
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
|
||||
# -- The security context for pods
|
||||
podSecurityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
|
||||
# -- The security context for containers
|
||||
containerSecurityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
|
||||
rbac:
|
||||
# -- Specifies whether RBAC resources are to be created
|
||||
create: true
|
||||
# -- Specifies whether a PodSecurityPolicy is to be created
|
||||
pspEnabled: false
|
||||
|
||||
serviceAccount:
|
||||
# -- Specifies whether a ServiceAccount should be created
|
||||
create: true
|
||||
# -- The name of the ServiceAccount to use.
|
||||
# If not set and `create` is true, a name is generated using the fullname template
|
||||
name: null
|
||||
# -- Image pull secrets for the service account
|
||||
imagePullSecrets: []
|
||||
# -- Annotations for the service account
|
||||
annotations: {}
|
||||
|
||||
# -- Node selector for pods
|
||||
nodeSelector: {}
|
||||
|
||||
# -- Affinity configuration for pods
|
||||
affinity: {}
|
||||
|
||||
# -- Tolerations for pods. By default, pods will be scheduled on master/control-plane nodes.
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
|
||||
# -- Default volumes that are mounted into pods. In most cases, these should not be changed.
|
||||
# Use `extraVolumes`/`extraVolumeMounts` for additional custom volumes.
|
||||
# @default -- See `values.yaml`
|
||||
defaultVolumes:
|
||||
- name: containers
|
||||
hostPath:
|
||||
path: /var/lib/docker/containers
|
||||
- name: pods
|
||||
hostPath:
|
||||
path: /var/log/pods
|
||||
|
||||
# -- Default volume mounts. Corresponds to `volumes`.
|
||||
# @default -- See `values.yaml`
|
||||
defaultVolumeMounts:
|
||||
- name: containers
|
||||
mountPath: /var/lib/docker/containers
|
||||
readOnly: true
|
||||
- name: pods
|
||||
mountPath: /var/log/pods
|
||||
readOnly: true
|
||||
|
||||
# Extra volumes to be added in addition to those specified under `defaultVolumes`.
|
||||
extraVolumes: []
|
||||
|
||||
# Extra volume mounts together. Corresponds to `extraVolumes`.
|
||||
extraVolumeMounts: []
|
||||
|
||||
# Extra args for the Promtail container.
|
||||
extraArgs: []
|
||||
# -- Example:
|
||||
# -- extraArgs:
|
||||
# -- - -client.external-labels=hostname=$(HOSTNAME)
|
||||
|
||||
# -- Extra environment variables
|
||||
extraEnv: []
|
||||
|
||||
# -- Extra environment variables from secrets or configmaps
|
||||
extraEnvFrom: []
|
||||
|
||||
# ServiceMonitor configuration
|
||||
serviceMonitor:
|
||||
# -- If enabled, ServiceMonitor resources for Prometheus Operator are created
|
||||
enabled: false
|
||||
# -- Alternative namespace for ServiceMonitor resources
|
||||
namespace: null
|
||||
# -- Namespace selector for ServiceMonitor resources
|
||||
namespaceSelector: {}
|
||||
# -- ServiceMonitor annotations
|
||||
annotations: {}
|
||||
# -- Additional ServiceMonitor labels
|
||||
labels: {}
|
||||
# -- ServiceMonitor scrape interval
|
||||
interval: null
|
||||
# -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s)
|
||||
scrapeTimeout: null
|
||||
# -- ServiceMonitor relabel configs to apply to samples before scraping
|
||||
# https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
|
||||
relabelings: []
|
||||
|
||||
# -- Configure additional ports and services. For each configured port, a corresponding service is created.
|
||||
# See values.yaml for details
|
||||
extraPorts: {}
|
||||
# syslog:
|
||||
# name: tcp-syslog
|
||||
# containerPort: 1514
|
||||
# protocol: TCP
|
||||
# service:
|
||||
# type: ClusterIP
|
||||
# clusterIP: null
|
||||
# port: 1514
|
||||
# externalIPs: []
|
||||
# nodePort: null
|
||||
# annotations: {}
|
||||
# labels: {}
|
||||
# loadBalancerIP: null
|
||||
# loadBalancerSourceRanges: []
|
||||
# externalTrafficPolicy: null
|
||||
|
||||
# -- PodSecurityPolicy configuration.
|
||||
# @default -- See `values.yaml`
|
||||
podSecurityPolicy:
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
volumes:
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'RunAsAny'
|
||||
fsGroup:
|
||||
rule: 'RunAsAny'
|
||||
readOnlyRootFilesystem: true
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
|
||||
# -- Section for crafting Promtails config file. The only directly relevant value is `config.file`
|
||||
# which is a templated string that references the other values and snippets below this key.
|
||||
# @default -- See `values.yaml`
|
||||
config:
|
||||
# -- The log level of the Promtail server
|
||||
# Must be reference in `config.file` to configure `server.log_level`
|
||||
# See default config in `values.yaml`
|
||||
logLevel: info
|
||||
# -- The port of the Promtail server
|
||||
# Must be reference in `config.file` to configure `server.http_listen_port`
|
||||
# See default config in `values.yaml`
|
||||
serverPort: 3101
|
||||
# -- The Loki address to post logs to.
|
||||
# Must be reference in `config.file` to configure `client.url`.
|
||||
# See default config in `values.yaml`
|
||||
lokiAddress: http://{{ .Release.Name }}-loki:3100/loki/api/v1/push
|
||||
# -- A section of reusable snippets that can be reference in `config.file`.
|
||||
# Custom snippets may be added in order to reduce redundancy.
|
||||
# This is especially helpful when multiple `kubernetes_sd_configs` are use which usually have large parts in common.
|
||||
# @default -- See `values.yaml`
|
||||
snippets:
|
||||
pipelineStages:
|
||||
- cri: {}
|
||||
- match:
|
||||
selector: '{app="k8s-triliovault"}'
|
||||
stages:
|
||||
- json:
|
||||
expressions:
|
||||
file: file
|
||||
func: func
|
||||
level: level
|
||||
msg: msg
|
||||
tvk_version: tvk_version
|
||||
tvk_instance_id: tvk_instance_id
|
||||
service_id: service_id
|
||||
service_type: service_type
|
||||
transaction_id: transaction_id
|
||||
transaction_type: transaction_type
|
||||
transaction_resource_name: transaction_resource_name
|
||||
transaction_resource_namespace: transaction_resource_namespace
|
||||
child_transaction_type: child_transaction_type
|
||||
child_transaction_id: child_transaction_id
|
||||
child_transaction_resource_name: child_transaction_resource_name
|
||||
child_transaction_resource_namespace: child_transaction_resource_namespace
|
||||
- labels:
|
||||
file:
|
||||
func:
|
||||
level:
|
||||
msg:
|
||||
tvk_version:
|
||||
tvk_instance_id:
|
||||
service_id:
|
||||
service_type:
|
||||
transaction_id:
|
||||
transaction_type:
|
||||
transaction_resource_name:
|
||||
transaction_resource_namespace:
|
||||
child_transaction_type:
|
||||
child_transaction_id:
|
||||
child_transaction_resource_name:
|
||||
child_transaction_resource_namespace:
|
||||
common:
|
||||
- action: replace
|
||||
source_labels:
|
||||
- __meta_kubernetes_pod_node_name
|
||||
target_label: node_name
|
||||
- action: replace
|
||||
source_labels:
|
||||
- __meta_kubernetes_namespace
|
||||
target_label: namespace
|
||||
- action: replace
|
||||
replacement: $1
|
||||
separator: /
|
||||
source_labels:
|
||||
- namespace
|
||||
- app
|
||||
target_label: job
|
||||
- action: replace
|
||||
source_labels:
|
||||
- __meta_kubernetes_pod_name
|
||||
target_label: pod
|
||||
- action: replace
|
||||
source_labels:
|
||||
- __meta_kubernetes_pod_container_name
|
||||
target_label: container
|
||||
- action: replace
|
||||
replacement: /var/log/pods/*$1/*.log
|
||||
separator: /
|
||||
source_labels:
|
||||
- __meta_kubernetes_pod_uid
|
||||
- __meta_kubernetes_pod_container_name
|
||||
target_label: __path__
|
||||
- action: replace
|
||||
replacement: /var/log/pods/*$1/*.log
|
||||
regex: true/(.*)
|
||||
separator: /
|
||||
source_labels:
|
||||
- __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
|
||||
- __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
|
||||
- __meta_kubernetes_pod_container_name
|
||||
target_label: __path__
|
||||
|
||||
# If set to true, adds an additional label for the scrape job.
|
||||
# This helps debug the Promtail config.
|
||||
addScrapeJobLabel: false
|
||||
|
||||
# -- You can put here any keys that will be directly added to the config file's 'client' block.
|
||||
# @default -- empty
|
||||
extraClientConfigs: []
|
||||
|
||||
# -- You can put here any additional scrape configs you want to add to the config file.
|
||||
# @default -- empty
|
||||
extraScrapeConfigs: ""
|
||||
|
||||
# -- You can put here any additional relabel_configs to "kubernetes-pods" job
|
||||
extraRelabelConfigs: []
|
||||
|
||||
scrapeConfigs: |
|
||||
# See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference
|
||||
- job_name: kubernetes-pods
|
||||
pipeline_stages:
|
||||
{{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }}
|
||||
kubernetes_sd_configs:
|
||||
- role: pod
|
||||
relabel_configs:
|
||||
- source_labels:
|
||||
- __meta_kubernetes_pod_controller_name
|
||||
regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
|
||||
action: replace
|
||||
target_label: __tmp_controller_name
|
||||
- source_labels:
|
||||
- __meta_kubernetes_pod_label_app_kubernetes_io_name
|
||||
- __meta_kubernetes_pod_label_app
|
||||
- __tmp_controller_name
|
||||
- __meta_kubernetes_pod_name
|
||||
regex: ^;*([^;]+)(;.*)?$
|
||||
action: replace
|
||||
target_label: app
|
||||
- source_labels:
|
||||
- __meta_kubernetes_pod_label_app_kubernetes_io_component
|
||||
- __meta_kubernetes_pod_label_component
|
||||
regex: ^;*([^;]+)(;.*)?$
|
||||
action: replace
|
||||
target_label: component
|
||||
{{- if .Values.config.snippets.addScrapeJobLabel }}
|
||||
- replacement: kubernetes-pods
|
||||
target_label: scrape_job
|
||||
{{- end }}
|
||||
{{- toYaml .Values.config.snippets.common | nindent 4 }}
|
||||
{{- with .Values.config.snippets.extraRelabelConfigs }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
|
||||
# -- Config file contents for Promtail.
|
||||
# Must be configured as string.
|
||||
# It is templated so it can be assembled from reusable snippets in order to avoid redundancy.
|
||||
# @default -- See `values.yaml`
|
||||
file: |
|
||||
server:
|
||||
log_level: {{ .Values.config.logLevel }}
|
||||
http_listen_port: {{ .Values.config.serverPort }}
|
||||
|
||||
clients:
|
||||
- url: {{ tpl .Values.config.lokiAddress . }}
|
||||
{{- with .Values.config.snippets.extraClientConfigs }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
positions:
|
||||
filename: /run/promtail/positions.yaml
|
||||
|
||||
scrape_configs:
|
||||
{{- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 }}
|
||||
{{- tpl .Values.config.snippets.extraScrapeConfigs . | nindent 2 }}
|
||||
|
||||
networkPolicy:
|
||||
# -- Specifies whether Network Policies should be created
|
||||
enabled: false
|
||||
metrics:
|
||||
# -- Specifies the Pods which are allowed to access the metrics port.
|
||||
# As this is cross-namespace communication, you also neeed the namespaceSelector.
|
||||
podSelector: {}
|
||||
# -- Specifies the namespaces which are allowed to access the metrics port
|
||||
namespaceSelector: {}
|
||||
# -- Specifies specific network CIDRs which are allowed to access the metrics port.
|
||||
# In case you use namespaceSelector, you also have to specify your kubelet networks here.
|
||||
# The metrics ports are also used for probes.
|
||||
cidrs: []
|
||||
k8sApi:
|
||||
# -- Specify the k8s API endpoint port
|
||||
port: 8443
|
||||
# -- Specifies specific network CIDRs you want to limit access to
|
||||
cidrs: []
|
||||
|
||||
# -- Extra K8s manifests to deploy
|
||||
extraObjects: []
|
||||
# - apiVersion: "kubernetes-client.io/v1"
|
||||
# kind: ExternalSecret
|
||||
# metadata:
|
||||
# name: promtail-secrets
|
||||
# spec:
|
||||
# backendType: gcpSecretsManager
|
||||
# data:
|
||||
# - key: promtail-oauth2-creds
|
||||
# name: client_secret
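Review bot: The privilege settings in this values file disagree with one another, and the permissive ones are not justified by what is visible here. The `writable-host-mount` kube-linter waiver under `annotations` says a writable host mount is needed, yet both `defaultVolumeMounts` are `readOnly: true`. The waiver would also hide any writable mount added later through `extraVolumeMounts`, so it is better dropped unless the DaemonSet template (outside this section) adds a writable hostPath. The `run-as-non-root` waiver gives "to modify log files" as the reason for `runAsUser: 0`; with read-only mounts the reason is presumably reading root-owned logs, and the text should say so. Likewise `podSecurityPolicy` defaults to `privileged: true` and `allowPrivilegeEscalation: true` while `containerSecurityContext` sets `allowPrivilegeEscalation: false` and drops all capabilities; `privileged: false` and `allowPrivilegeEscalation: false` would match what the container uses.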
|
|
@ -0,0 +1,50 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "logging.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "logging.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "logging.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
The service name to connect to Loki. Defaults to the same logic as "loki.fullname"
|
||||
*/}}
|
||||
{{- define "loki.serviceName" -}}
|
||||
{{- if .Values.loki.serviceName -}}
|
||||
{{- .Values.loki.serviceName -}}
|
||||
{{- else if .Values.loki.fullnameOverride -}}
|
||||
{{- .Values.loki.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default "loki" .Values.loki.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "logging.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "logging.name" . }}
|
||||
chart: {{ template "logging.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
app.kubernetes.io/instance: {{ template "logging.name" . }}
|
||||
{{- include "k8s-triliovault-operator.labels" . | nindent 4 }}
|
||||
grafana_datasource: "1"
|
||||
data:
|
||||
logging-datasource.yaml: |-
|
||||
apiVersion: 1
|
||||
datasources:
|
||||
{{- if .Values.loki.enabled }}
|
||||
- name: Loki
|
||||
type: loki
|
||||
access: proxy
|
||||
url: http://{{(include "loki.serviceName" .)}}:{{ .Values.loki.service.port }}
|
||||
version: 1
|
||||
{{- end }}
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v2
|
||||
appVersion: 0.1.0
|
||||
dependencies:
|
||||
- condition: prometheus.enabled
|
||||
name: prometheus
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
version: ^15.8.7
|
||||
description: Monitoring Stack designed to manage the K8s-TrilioVault Application's
|
||||
Monitoring.
|
||||
icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
|
||||
kubeVersion: '>=1.19.0-0'
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: monitoring
|
||||
version: 0.1.0
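Review bot: The `prometheus` dependency is declared as `version: ^15.8.7` against the remote `prometheus-community` repository, so a `helm dependency update` can resolve to any later 15.x release of a chart that creates cluster-scoped RBAC. The prometheus `Chart.yaml` in the next section does the same for kube-state-metrics with `version: 4.7.*`. Since the commit also carries copies of both subcharts at 15.8.7 and 4.7.0, exact pins (`version: 15.8.7`, `version: 4.7.0`) would keep the declared and shipped versions identical. If a `Chart.lock` is not already part of this commit, committing one would record the resolved digests.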
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: v2
|
||||
appVersion: 2.34.0
|
||||
dependencies:
|
||||
- condition: kubeStateMetrics.enabled
|
||||
name: kube-state-metrics
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
version: 4.7.*
|
||||
description: Prometheus is a monitoring system and time series database.
|
||||
home: https://prometheus.io/
|
||||
icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: prometheus
|
||||
sources:
|
||||
- https://github.com/prometheus/alertmanager
|
||||
- https://github.com/prometheus/prometheus
|
||||
- https://github.com/prometheus/pushgateway
|
||||
- https://github.com/prometheus/node_exporter
|
||||
- https://github.com/kubernetes/kube-state-metrics
|
||||
type: application
|
||||
version: 15.8.7
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: v2
|
||||
appVersion: 2.4.1
|
||||
description: Install kube-state-metrics to generate and expose cluster-level metrics
|
||||
home: https://github.com/kubernetes/kube-state-metrics/
|
||||
keywords:
|
||||
- metric
|
||||
- monitoring
|
||||
- prometheus
|
||||
- kubernetes
|
||||
maintainers:
|
||||
- email: support@trilio.io
|
||||
name: Trilio
|
||||
name: kube-state-metrics
|
||||
sources:
|
||||
- https://github.com/kubernetes/kube-state-metrics/
|
||||
type: application
|
||||
version: 4.7.0
|
|
@ -0,0 +1,10 @@
|
|||
kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
|
||||
The exposed metrics can be found here:
|
||||
https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics
|
||||
|
||||
The metrics are exported on the HTTP endpoint /metrics on the listening port.
|
||||
In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-state-metrics.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/metrics
|
||||
|
||||
They are served either as plaintext or protobuf depending on the Accept header.
|
||||
They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
|
||||
|
|
@ -0,0 +1,82 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "kube-state-metrics.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.namespace" -}}
|
||||
{{- if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride -}}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Generate basic labels
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.labels" }}
|
||||
helm.sh/chart: {{ template "kube-state-metrics.chart" . }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/component: metrics
|
||||
app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }}
|
||||
{{- include "kube-state-metrics.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.customLabels }}
|
||||
{{ toYaml .Values.customLabels }}
|
||||
{{- end }}
|
||||
{{- if .Values.releaseLabel }}
|
||||
release: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "kube-state-metrics.selectorLabels" }}
|
||||
app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if and .Values.rbac.create .Values.rbac.useClusterRole -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
{{- if .Values.rbac.useExistingRole }}
|
||||
name: {{ .Values.rbac.useExistingRole }}
|
||||
{{- else }}
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
{{- end }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kube-state-metrics.serviceAccountName" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,156 @@
|
|||
apiVersion: apps/v1
|
||||
{{- if .Values.autosharding.enabled }}
|
||||
kind: StatefulSet
|
||||
{{- else }}
|
||||
kind: Deployment
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "kube-state-metrics.selectorLabels" . | indent 6 }}
|
||||
replicas: {{ .Values.replicas }}
|
||||
{{- if .Values.autosharding.enabled }}
|
||||
serviceName: {{ template "kube-state-metrics.fullname" . }}
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
volumeClaimTemplates: []
|
||||
{{- else }}
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 8 }}
|
||||
{{- if .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
hostNetwork: {{ .Values.hostNetwork }}
|
||||
serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }}
|
||||
{{- if .Values.securityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.securityContext.fsGroup }}
|
||||
runAsGroup: {{ .Values.securityContext.runAsGroup }}
|
||||
runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
{{- end }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- if .Values.autosharding.enabled }}
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- end }}
|
||||
args:
|
||||
{{- if .Values.extraArgs }}
|
||||
{{- range .Values.extraArgs }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.service.port }}
|
||||
- --port={{ .Values.service.port | default 8080}}
|
||||
{{- end }}
|
||||
{{- if .Values.collectors }}
|
||||
- --resources={{ .Values.collectors | join "," }}
|
||||
{{- end }}
|
||||
{{- if .Values.metricLabelsAllowlist }}
|
||||
- --metric-labels-allowlist={{ .Values.metricLabelsAllowlist | join "," }}
|
||||
{{- end }}
|
||||
{{- if .Values.metricAnnotationsAllowList }}
|
||||
- --metric-annotations-allowlist={{ .Values.metricAnnotationsAllowList | join "," }}
|
||||
{{- end }}
|
||||
{{- if .Values.metricAllowlist }}
|
||||
- --metric-allowlist={{ .Values.metricAllowlist | join "," }}
|
||||
{{- end }}
|
||||
{{- if .Values.metricDenylist }}
|
||||
- --metric-denylist={{ .Values.metricDenylist | join "," }}
|
||||
{{- end }}
|
||||
{{- if .Values.namespaces }}
|
||||
- --namespaces={{ tpl (.Values.namespaces | join ",") $ }}
|
||||
{{- end }}
|
||||
{{- if .Values.namespacesDenylist }}
|
||||
- --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }}
|
||||
{{- end }}
|
||||
{{- if .Values.autosharding.enabled }}
|
||||
- --pod=$(POD_NAME)
|
||||
- --pod-namespace=$(POD_NAMESPACE)
|
||||
{{- end }}
|
||||
{{- if .Values.kubeconfig.enabled }}
|
||||
- --kubeconfig=/opt/k8s/.kube/config
|
||||
{{- end }}
|
||||
{{- if .Values.selfMonitor.telemetryHost }}
|
||||
- --telemetry-host={{ .Values.selfMonitor.telemetryHost }}
|
||||
{{- end }}
|
||||
- --telemetry-port={{ .Values.selfMonitor.telemetryPort | default 8081 }}
|
||||
{{- if .Values.kubeconfig.enabled }}
|
||||
volumeMounts:
|
||||
- name: kubeconfig
|
||||
mountPath: /opt/k8s/.kube/
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
ports:
|
||||
- containerPort: {{ .Values.service.port | default 8080}}
|
||||
name: "http"
|
||||
{{- if .Values.selfMonitor.enabled }}
|
||||
- containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }}
|
||||
name: "metrics"
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: {{ .Values.service.port | default 8080}}
|
||||
initialDelaySeconds: 5
|
||||
timeoutSeconds: 5
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: {{ .Values.service.port | default 8080}}
|
||||
initialDelaySeconds: 5
|
||||
timeoutSeconds: 5
|
||||
{{- if .Values.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.containerSecurityContext | indent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.affinity }}
|
||||
affinity:
|
||||
{{ toYaml .Values.affinity | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.kubeconfig.enabled}}
|
||||
volumes:
|
||||
- name: kubeconfig
|
||||
secret:
|
||||
secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig
|
||||
{{- end }}
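Review bot: The `| default 8080` on the `--port` argument can never take effect, because that line is wrapped in `{{- if .Values.service.port }}` and is only rendered when the value is already set. When `service.port` is empty the flag is omitted, while `containerPort` and both probes fall back to 8080, so the manifest relies on the binary's built-in default matching that number. Rendering the flag unconditionally keeps the four places in agreement: `- --port={{ .Values.service.port | default 8080 }}` without the surrounding `if`/`end`.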
|
|
@ -0,0 +1,12 @@
|
|||
{{- if .Values.kubeconfig.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}-kubeconfig
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
config: '{{ .Values.kubeconfig.secret }}'
|
||||
{{- end -}}
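Review bot: `config: '{{ .Values.kubeconfig.secret }}'` under `data:` renders the value without checking it, so setting `kubeconfig.enabled` while `kubeconfig.secret` is still empty (its default in values.yaml) produces a Secret with an empty `config` key, and the failure only surfaces later when the pod mounts it. I would fail at render time instead: `config: {{ required "kubeconfig.secret is required when kubeconfig.enabled is true" .Values.kubeconfig.secret | quote }}`. Because the kubeconfig is a credential passed through chart values, it also ends up in the Helm release record and in any values file that sets it. An option to reference a pre-created Secret by name would avoid that.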
|
|
@ -0,0 +1,14 @@
|
|||
{{- if .Values.podDisruptionBudget -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }}
|
||||
{{ toYaml .Values.podDisruptionBudget | indent 2 }}
|
||||
{{- end -}}
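Review bot: `apiVersion: policy/v1beta1` is hard-coded for the PodDisruptionBudget, and that version is no longer served from Kubernetes 1.25 on, so setting `podDisruptionBudget` on a newer cluster makes the install fail. `policy/v1` has been available since 1.21, so pick it when the cluster offers it: `{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}` selecting `apiVersion: policy/v1`, with `policy/v1beta1` in the `else` branch. The PodSecurityPolicy template that follows also uses `policy/v1beta1`, but that kind has no `policy/v1` form and was removed in 1.25, so it should be skipped when the API is absent rather than re-versioned.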
|
|
@ -0,0 +1,39 @@
|
|||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
{{- if .Values.podSecurityPolicy.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
volumes:
|
||||
- 'secret'
|
||||
{{- if .Values.podSecurityPolicy.additionalVolumes }}
|
||||
{{ toYaml .Values.podSecurityPolicy.additionalVolumes | indent 4 }}
|
||||
{{- end }}
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAsNonRoot'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
{{- end }}
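Review bot: The `spec:` sets `privileged: false` and `MustRunAsNonRoot`, but it leaves privilege escalation and Linux capabilities unrestricted and ends with `readOnlyRootFilesystem: false`. For a metrics exporter I would add `allowPrivilegeEscalation: false` and `requiredDropCapabilities: ['ALL']` to the policy. Whether the root filesystem can be made read-only depends on the container image, which is not visible here, so that setting is worth testing rather than flipping blindly.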
|
|
@ -0,0 +1,19 @@
|
|||
{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
name: psp-{{ template "kube-state-metrics.fullname" . }}
|
||||
rules:
|
||||
{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
|
||||
{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }}
|
||||
- apiGroups: ['policy']
|
||||
{{- else }}
|
||||
- apiGroups: ['extensions']
|
||||
{{- end }}
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "kube-state-metrics.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,16 @@
|
|||
{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
name: psp-{{ template "kube-state-metrics.fullname" . }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: psp-{{ template "kube-state-metrics.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kube-state-metrics.serviceAccountName" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,187 @@
|
|||
{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}}
|
||||
{{- range (ternary (split "," .Values.namespaces) (list "") (eq $.Values.rbac.useClusterRole false)) }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- if eq $.Values.rbac.useClusterRole false }}
|
||||
kind: Role
|
||||
{{- else }}
|
||||
kind: ClusterRole
|
||||
{{- end }}
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" $ | indent 4 }}
|
||||
name: {{ template "kube-state-metrics.fullname" $ }}
|
||||
{{- if eq $.Values.rbac.useClusterRole false }}
|
||||
namespace: {{ . }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{ if has "certificatesigningrequests" $.Values.collectors }}
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- certificatesigningrequests
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "configmaps" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "cronjobs" $.Values.collectors }}
|
||||
- apiGroups: ["batch"]
|
||||
resources:
|
||||
- cronjobs
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "daemonsets" $.Values.collectors }}
|
||||
- apiGroups: ["extensions", "apps"]
|
||||
resources:
|
||||
- daemonsets
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "deployments" $.Values.collectors }}
|
||||
- apiGroups: ["extensions", "apps"]
|
||||
resources:
|
||||
- deployments
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "endpoints" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- endpoints
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "horizontalpodautoscalers" $.Values.collectors }}
|
||||
- apiGroups: ["autoscaling"]
|
||||
resources:
|
||||
- horizontalpodautoscalers
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "ingresses" $.Values.collectors }}
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources:
|
||||
- ingresses
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "jobs" $.Values.collectors }}
|
||||
- apiGroups: ["batch"]
|
||||
resources:
|
||||
- jobs
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "limitranges" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- limitranges
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "mutatingwebhookconfigurations" $.Values.collectors }}
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources:
|
||||
- mutatingwebhookconfigurations
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "namespaces" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- namespaces
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "networkpolicies" $.Values.collectors }}
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources:
|
||||
- networkpolicies
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "nodes" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "persistentvolumeclaims" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- persistentvolumeclaims
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "persistentvolumes" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- persistentvolumes
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "poddisruptionbudgets" $.Values.collectors }}
|
||||
- apiGroups: ["policy"]
|
||||
resources:
|
||||
- poddisruptionbudgets
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "pods" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "replicasets" $.Values.collectors }}
|
||||
- apiGroups: ["extensions", "apps"]
|
||||
resources:
|
||||
- replicasets
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "replicationcontrollers" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- replicationcontrollers
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "resourcequotas" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- resourcequotas
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "secrets" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "services" $.Values.collectors }}
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- services
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "statefulsets" $.Values.collectors }}
|
||||
- apiGroups: ["apps"]
|
||||
resources:
|
||||
- statefulsets
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "storageclasses" $.Values.collectors }}
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources:
|
||||
- storageclasses
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "validatingwebhookconfigurations" $.Values.collectors }}
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources:
|
||||
- validatingwebhookconfigurations
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "volumeattachments" $.Values.collectors }}
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources:
|
||||
- volumeattachments
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{ if has "verticalpodautoscalers" $.Values.collectors }}
|
||||
- apiGroups: ["autoscaling.k8s.io"]
|
||||
resources:
|
||||
- verticalpodautoscalers
|
||||
verbs: ["list", "watch"]
|
||||
{{ end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
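Review bot: The `secrets` rule gives the service account `list` and `watch` on Secrets, and a list response carries the full Secret data, not just metadata. `secrets` is in the default `collectors` list in this chart's values.yaml and `rbac.useClusterRole` defaults to true, so a default install gives the kube-state-metrics token read access to every Secret in the cluster. I would make the collector opt-in (leave `- secrets` commented out in the defaults, as is already done for `verticalpodautoscalers`) and add a comment above the rule: `# list/watch on secrets exposes secret contents to this service account; enable only if the secret metrics are needed`.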
|
|
@ -0,0 +1,24 @@
|
|||
{{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}}
|
||||
{{- range (split "," $.Values.namespaces) }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" $ | indent 4 }}
|
||||
name: {{ template "kube-state-metrics.fullname" $ }}
|
||||
namespace: {{ . }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
{{- if (not $.Values.rbac.useExistingRole) }}
|
||||
name: {{ template "kube-state-metrics.fullname" $ }}
|
||||
{{- else }}
|
||||
name: {{ $.Values.rbac.useExistingRole }}
|
||||
{{- end }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kube-state-metrics.serviceAccountName" $ }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" $ }}
|
||||
{{- end -}}
|
||||
{{- end -}}
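Review bot: `{{- range (split "," $.Values.namespaces) }}` still iterates once when `namespaces` is the default empty string, so with `rbac.useClusterRole: false` and no namespaces set this appears to render a single RoleBinding with an empty `namespace:` instead of failing. The values comment says this mode only works when namespaces are set, so enforce it at render time with `{{- $_ := required "namespaces must be set when rbac.useClusterRole is false" .Values.namespaces }}` before the range. Entries are not trimmed either, so `"a, b"` yields a namespace with a leading space; `namespace: {{ . | trim }}` fixes that. The Role template before this one loops over the same split and has the same gap.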
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
annotations:
|
||||
{{- if .Values.prometheusScrape }}
|
||||
prometheus.io/scrape: '{{ .Values.prometheusScrape }}'
|
||||
{{- end }}
|
||||
{{- if .Values.service.annotations }}
|
||||
{{- toYaml .Values.service.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: "{{ .Values.service.type }}"
|
||||
ports:
|
||||
- name: "http"
|
||||
protocol: TCP
|
||||
port: {{ .Values.service.port | default 8080}}
|
||||
{{- if .Values.service.nodePort }}
|
||||
nodePort: {{ .Values.service.nodePort }}
|
||||
{{- end }}
|
||||
targetPort: {{ .Values.service.port | default 8080}}
|
||||
{{ if .Values.selfMonitor.enabled }}
|
||||
- name: "metrics"
|
||||
protocol: TCP
|
||||
port: {{ .Values.selfMonitor.telemetryPort | default 8081 }}
|
||||
targetPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }}
|
||||
{{ end }}
|
||||
{{- if .Values.service.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if .Values.service.clusterIP }}
|
||||
clusterIP: "{{ .Values.service.clusterIP }}"
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "kube-state-metrics.selectorLabels" . | indent 4 }}
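Review bot: `type: "{{ .Values.service.type }}"` accepts `LoadBalancer` and the template then sets `loadBalancerIP`, but nothing restricts which sources may reach the port, and no authentication for the metrics endpoint is configured in the visible templates. If external exposure is meant to be supported, add an optional source restriction such as `{{- with .Values.service.loadBalancerSourceRanges }}` / `loadBalancerSourceRanges: {{ toYaml . | nindent 4 }}` / `{{- end }}`. Otherwise, document that the Service is expected to stay `ClusterIP`.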
|
|
@ -0,0 +1,15 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
name: {{ template "kube-state-metrics.serviceAccountName" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
{{- if .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,66 @@
|
|||
{{- if .Values.prometheus.monitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
{{- with .Values.prometheus.monitor.additionalLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- if .Values.prometheus.monitor.selectorOverride -}}
|
||||
{{ toYaml .Values.prometheus.monitor.selectorOverride | nindent 6 }}
|
||||
{{ else }}
|
||||
{{- include "kube-state-metrics.selectorLabels" . | indent 6 }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- port: http
|
||||
{{- if .Values.prometheus.monitor.interval }}
|
||||
interval: {{ .Values.prometheus.monitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.proxyUrl }}
|
||||
proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.honorLabels }}
|
||||
honorLabels: true
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.metricRelabelings }}
|
||||
metricRelabelings:
|
||||
{{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.relabelings }}
|
||||
relabelings:
|
||||
{{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.selfMonitor.enabled }}
|
||||
- port: metrics
|
||||
{{- if .Values.prometheus.monitor.interval }}
|
||||
interval: {{ .Values.prometheus.monitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.proxyUrl }}
|
||||
proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.honorLabels }}
|
||||
honorLabels: true
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.metricRelabelings }}
|
||||
metricRelabelings:
|
||||
{{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.monitor.relabelings }}
|
||||
relabelings:
|
||||
{{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
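Review bot: `namespace: {{ template "kube-state-metrics.namespace" . }}` does not read `prometheus.monitor.namespace`, which values.yaml in this commit defines (default `""`), so setting that value has no effect unless the helper consults it, which is not visible here. If the value is meant to work, use `namespace: {{ default (include "kube-state-metrics.namespace" .) .Values.prometheus.monitor.namespace }}`; otherwise drop the key from values.yaml. Separately, the `http` and `metrics` endpoints repeat the same six optional fields, and a named template taking the port name would keep the two from drifting apart.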
|
|
@ -0,0 +1,26 @@
|
|||
{{- if and .Values.autosharding.enabled .Values.rbac.create -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- apps
|
||||
resourceNames:
|
||||
- {{ template "kube-state-metrics.fullname" . }}
|
||||
resources:
|
||||
- statefulsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
{{- end }}
|
|
@ -0,0 +1,17 @@
|
|||
{{- if and .Values.autosharding.enabled .Values.rbac.create -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
labels:
|
||||
{{- include "kube-state-metrics.labels" . | indent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kube-state-metrics.serviceAccountName" . }}
|
||||
namespace: {{ template "kube-state-metrics.namespace" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,232 @@
|
|||
# Default values for kube-state-metrics.
|
||||
prometheusScrape: true
|
||||
image:
|
||||
repository: k8s.gcr.io/kube-state-metrics/kube-state-metrics
|
||||
tag: v2.4.1
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
imagePullSecrets: []
|
||||
# - name: "image-pull-secret"
|
||||
|
||||
# If set to true, this will deploy kube-state-metrics as a StatefulSet and the data
|
||||
# will be automatically sharded across <.Values.replicas> pods using the built-in
|
||||
# autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding
|
||||
# This is an experimental feature and there are no stability guarantees.
|
||||
autosharding:
|
||||
enabled: false
|
||||
|
||||
replicas: 1
|
||||
|
||||
# List of additional cli arguments to configure kube-state-metrics
|
||||
# for example: --enable-gzip-encoding, --log-file, etc.
|
||||
# all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md
|
||||
extraArgs: []
|
||||
|
||||
service:
|
||||
port: 8080
|
||||
# Default to clusterIP for backward compatibility
|
||||
type: ClusterIP
|
||||
nodePort: 0
|
||||
loadBalancerIP: ""
|
||||
clusterIP: ""
|
||||
annotations: {}
|
||||
|
||||
## Additional labels to add to all resources
|
||||
customLabels: {}
|
||||
# app: kube-state-metrics
|
||||
|
||||
## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box
|
||||
releaseLabel: false
|
||||
|
||||
hostNetwork: false
|
||||
|
||||
rbac:
|
||||
# If true, create & use RBAC resources
|
||||
create: true
|
||||
|
||||
# Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to it, rolename set here.
|
||||
# useExistingRole: your-existing-role
|
||||
|
||||
# If set to false - Run without Cluteradmin privs needed - ONLY works if namespace is also set (if useExistingRole is set this name is used as ClusterRole or Role to bind to)
|
||||
useClusterRole: true
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a ServiceAccount should be created, require rbac true
|
||||
create: true
|
||||
# The name of the ServiceAccount to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name:
|
||||
# Reference to one or more secrets to be used when pulling images
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||
imagePullSecrets: []
|
||||
# ServiceAccount annotations.
|
||||
# Use case: AWS EKS IAM roles for service accounts
|
||||
# ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
|
||||
annotations: {}
|
||||
|
||||
prometheus:
|
||||
monitor:
|
||||
enabled: false
|
||||
additionalLabels: {}
|
||||
namespace: ""
|
||||
jobLabel: ""
|
||||
interval: ""
|
||||
scrapeTimeout: ""
|
||||
proxyUrl: ""
|
||||
selectorOverride: {}
|
||||
honorLabels: false
|
||||
metricRelabelings: []
|
||||
relabelings: []
|
||||
|
||||
## Specify if a Pod Security Policy for kube-state-metrics must be created
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
##
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
annotations: {}
|
||||
## Specify pod annotations
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
|
||||
##
|
||||
# seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
||||
# seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
|
||||
additionalVolumes: []
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
runAsGroup: 65534
|
||||
runAsUser: 65534
|
||||
fsGroup: 65534
|
||||
|
||||
## Specify security settings for a Container
|
||||
## Allows overrides and additional options compared to (Pod) securityContext
|
||||
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
containerSecurityContext: {}
|
||||
|
||||
## Node labels for pod assignment
|
||||
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
||||
nodeSelector: {}
|
||||
|
||||
## Affinity settings for pod assignment
|
||||
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
||||
affinity: {}
|
||||
|
||||
## Tolerations for pod assignment
|
||||
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||||
tolerations: []
|
||||
|
||||
# Annotations to be added to the pod
|
||||
podAnnotations: {}
|
||||
|
||||
## Assign a PriorityClassName to pods if set
|
||||
# priorityClassName: ""
|
||||
|
||||
# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
|
||||
podDisruptionBudget: {}
|
||||
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
||||
# Comma-separated list of metrics to be exposed.
|
||||
# This list comprises of exact metric names and/or regex patterns.
|
||||
# The allowlist and denylist are mutually exclusive.
|
||||
metricAllowlist: []
|
||||
|
||||
# Comma-separated list of metrics not to be enabled.
|
||||
# This list comprises of exact metric names and/or regex patterns.
|
||||
# The allowlist and denylist are mutually exclusive.
|
||||
metricDenylist: []
|
||||
|
||||
# Comma-separated list of additional Kubernetes label keys that will be used in the resource's
|
||||
# labels metric. By default the metric contains only name and namespace labels.
|
||||
# To include additional labels, provide a list of resource names in their plural form and Kubernetes
|
||||
# label keys you would like to allow for them (Example: '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'.
|
||||
# A single '*' can be provided per resource instead to allow any labels, but that has
|
||||
# severe performance implications (Example: '=pods=[*]').
|
||||
metricLabelsAllowlist: []
|
||||
# - namespaces=[k8s-label-1,k8s-label-n]
|
||||
|
||||
# Comma-separated list of Kubernetes annotations keys that will be used in the resource'
|
||||
# labels metric. By default the metric contains only name and namespace labels.
|
||||
# To include additional annotations provide a list of resource names in their plural form and Kubernetes
|
||||
# annotation keys you would like to allow for them (Example: '=namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...)'.
|
||||
# A single '*' can be provided per resource instead to allow any annotations, but that has
|
||||
# severe performance implications (Example: '=pods=[*]').
|
||||
metricAnnotationsAllowList: []
|
||||
# - pods=[k8s-annotation-1,k8s-annotation-n]
|
||||
|
||||
# Available collectors for kube-state-metrics.
|
||||
# By default, all available resources are enabled, comment out to disable.
|
||||
collectors:
|
||||
- certificatesigningrequests
|
||||
- configmaps
|
||||
- cronjobs
|
||||
- daemonsets
|
||||
- deployments
|
||||
- endpoints
|
||||
- horizontalpodautoscalers
|
||||
- ingresses
|
||||
- jobs
|
||||
- limitranges
|
||||
- mutatingwebhookconfigurations
|
||||
- namespaces
|
||||
- networkpolicies
|
||||
- nodes
|
||||
- persistentvolumeclaims
|
||||
- persistentvolumes
|
||||
- poddisruptionbudgets
|
||||
- pods
|
||||
- replicasets
|
||||
- replicationcontrollers
|
||||
- resourcequotas
|
||||
- secrets
|
||||
- services
|
||||
- statefulsets
|
||||
- storageclasses
|
||||
- validatingwebhookconfigurations
|
||||
- volumeattachments
|
||||
# - verticalpodautoscalers # not a default resource, see also: https://github.com/kubernetes/kube-state-metrics#enabling-verticalpodautoscalers
|
||||
|
||||
# Enabling kubeconfig will pass the --kubeconfig argument to the container
|
||||
kubeconfig:
|
||||
enabled: false
|
||||
# base64 encoded kube-config file
|
||||
secret:
|
||||
|
||||
# Comma-separated list of namespaces to be enabled for collecting resources. By default all namespaces are collected.
|
||||
namespaces: ""
|
||||
|
||||
# Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set,
|
||||
# only namespaces that are excluded in namespaces-denylist will be used.
|
||||
namespacesDenylist: ""
|
||||
|
||||
## Override the deployment namespace
|
||||
##
|
||||
namespaceOverride: ""
|
||||
|
||||
resources:
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 128Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
|
||||
## Provide a k8s version to define apiGroups for podSecurityPolicy Cluster Role.
|
||||
## For example: kubeTargetVersionOverride: 1.14.9
|
||||
##
|
||||
kubeTargetVersionOverride: ""
|
||||
|
||||
# Enable self metrics configuration for service and Service Monitor
|
||||
# Default values for telemetry configuration can be overridden
|
||||
selfMonitor:
|
||||
enabled: false
|
||||
# telemetryHost: 0.0.0.0
|
||||
# telemetryPort: 8081
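Review bot: `containerSecurityContext: {}` means the deployment template emits no container-level `securityContext` by default, so the container keeps the runtime's default capabilities, may escalate privileges and has a writable root filesystem; only the pod-level UID/GID 65534 is set. I would ship a restrictive default instead: `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, and `readOnlyRootFilesystem: true` if the image works with it (not verifiable from this page). The comment under `resources:` also tells the user to remove the curly braces after `resources:`, but there are none and limits are already set, so it should be reworded to match.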
|
|
@ -0,0 +1,112 @@
|
|||
{{- if .Values.server.enabled -}}
|
||||
The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster:
|
||||
{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
|
||||
|
||||
{{ if .Values.server.ingress.enabled -}}
|
||||
From outside the cluster, the server URL(s) are:
|
||||
{{- range .Values.server.ingress.hosts }}
|
||||
http://{{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
Get the Prometheus server URL by running these commands in the same shell:
|
||||
{{- if contains "NodePort" .Values.server.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.server.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||
echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }}
|
||||
{{- else if contains "ClusterIP" .Values.server.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.server.persistentVolume.enabled }}
|
||||
{{- else }}
|
||||
#################################################################################
|
||||
###### WARNING: Persistence is disabled!!! You will lose your data when #####
|
||||
###### the Server pod is terminated. #####
|
||||
#################################################################################
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{ if .Values.alertmanager.enabled }}
|
||||
The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster:
|
||||
{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
|
||||
|
||||
{{ if .Values.alertmanager.ingress.enabled -}}
|
||||
From outside the cluster, the alertmanager URL(s) are:
|
||||
{{- range .Values.alertmanager.ingress.hosts }}
|
||||
http://{{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
Get the Alertmanager URL by running these commands in the same shell:
|
||||
{{- if contains "NodePort" .Values.alertmanager.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||
echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }}
|
||||
{{- else if contains "ClusterIP" .Values.alertmanager.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.alertmanager.persistentVolume.enabled }}
|
||||
{{- else }}
|
||||
#################################################################################
|
||||
###### WARNING: Persistence is disabled!!! You will lose your data when #####
|
||||
###### the AlertManager pod is terminated. #####
|
||||
#################################################################################
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}
|
||||
{{- else }}
|
||||
#################################################################################
|
||||
###### WARNING: Pod Security Policy has been moved to a global property. #####
|
||||
###### use .Values.podSecurityPolicy.enabled with pod-based #####
|
||||
###### annotations #####
|
||||
###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
|
||||
#################################################################################
|
||||
{{- end }}
|
||||
|
||||
{{ if .Values.pushgateway.enabled }}
|
||||
The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster:
|
||||
{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
|
||||
|
||||
{{ if .Values.pushgateway.ingress.enabled -}}
|
||||
From outside the cluster, the pushgateway URL(s) are:
|
||||
{{- range .Values.pushgateway.ingress.hosts }}
|
||||
http://{{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
Get the PushGateway URL by running these commands in the same shell:
|
||||
{{- if contains "NodePort" .Values.pushgateway.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||
echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }}
|
||||
{{- else if contains "ClusterIP" .Values.pushgateway.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
For more information on running Prometheus, visit:
|
||||
https://prometheus.io/
|
|
@ -0,0 +1,288 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "prometheus.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "prometheus.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create unified labels for prometheus components
|
||||
*/}}
|
||||
{{- define "prometheus.common.matchLabels" -}}
|
||||
app: {{ template "prometheus.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
{{ include "k8s-triliovault-operator.labels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.common.metaLabels" -}}
|
||||
chart: {{ template "prometheus.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
{{ include "k8s-triliovault-operator.labels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.alertmanager.labels" -}}
|
||||
{{ include "prometheus.alertmanager.matchLabels" . }}
|
||||
{{ include "prometheus.common.metaLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.alertmanager.matchLabels" -}}
|
||||
component: {{ .Values.alertmanager.name | quote }}
|
||||
app.kubernetes.io/instance: {{ .Values.alertmanager.name | quote }}
|
||||
{{ include "prometheus.common.matchLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.nodeExporter.labels" -}}
|
||||
{{ include "prometheus.nodeExporter.matchLabels" . }}
|
||||
{{ include "prometheus.common.metaLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.nodeExporter.matchLabels" -}}
|
||||
component: {{ .Values.nodeExporter.name | quote }}
|
||||
app.kubernetes.io/instance: {{ .Values.nodeExporter.name | quote }}
|
||||
{{ include "prometheus.common.matchLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.pushgateway.labels" -}}
|
||||
{{ include "prometheus.pushgateway.matchLabels" . }}
|
||||
{{ include "prometheus.common.metaLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.pushgateway.matchLabels" -}}
|
||||
component: {{ .Values.pushgateway.name | quote }}
|
||||
app.kubernetes.io/instance: {{ .Values.pushgateway.name | quote }}
|
||||
{{ include "prometheus.common.matchLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.server.labels" -}}
|
||||
{{ include "prometheus.server.matchLabels" . }}
|
||||
{{ include "prometheus.common.metaLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "prometheus.server.matchLabels" -}}
|
||||
component: {{ .Values.server.name | quote }}
|
||||
app.kubernetes.io/instance: {{ .Values.server.name | quote }}
|
||||
{{ include "prometheus.common.matchLabels" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "prometheus.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a fully qualified alertmanager name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
|
||||
{{- define "prometheus.alertmanager.fullname" -}}
|
||||
{{- if .Values.alertmanager.fullnameOverride -}}
|
||||
{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a fully qualified node-exporter name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "prometheus.nodeExporter.fullname" -}}
|
||||
{{- if .Values.nodeExporter.fullnameOverride -}}
|
||||
{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a fully qualified Prometheus server name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "prometheus.server.fullname" -}}
|
||||
{{- if .Values.server.fullnameOverride -}}
|
||||
{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a fully qualified pushgateway name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "prometheus.pushgateway.fullname" -}}
|
||||
{{- if .Values.pushgateway.fullnameOverride -}}
|
||||
{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get KubeVersion removing pre-release information.
|
||||
*/}}
|
||||
{{- define "prometheus.kubeVersion" -}}
|
||||
{{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for deployment.
|
||||
*/}}
|
||||
{{- define "prometheus.deployment.apiVersion" -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return the appropriate apiVersion for daemonset.
|
||||
*/}}
|
||||
{{- define "prometheus.daemonset.apiVersion" -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return the appropriate apiVersion for networkpolicy.
|
||||
*/}}
|
||||
{{- define "prometheus.networkPolicy.apiVersion" -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return the appropriate apiVersion for podsecuritypolicy.
|
||||
*/}}
|
||||
{{- define "prometheus.podSecurityPolicy.apiVersion" -}}
|
||||
{{- print "policy/v1beta1" -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return the appropriate apiVersion for rbac.
|
||||
*/}}
|
||||
{{- define "rbac.apiVersion" -}}
|
||||
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
|
||||
{{- print "rbac.authorization.k8s.io/v1" -}}
|
||||
{{- else -}}
|
||||
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return the appropriate apiVersion for ingress.
|
||||
*/}}
|
||||
{{- define "ingress.apiVersion" -}}
|
||||
{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
|
||||
{{- print "networking.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return if ingress is stable.
|
||||
*/}}
|
||||
{{- define "ingress.isStable" -}}
|
||||
{{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return if ingress supports ingressClassName.
|
||||
*/}}
|
||||
{{- define "ingress.supportsIngressClassName" -}}
|
||||
{{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Return if ingress supports pathType.
|
||||
*/}}
|
||||
{{- define "ingress.supportsPathType" -}}
|
||||
{{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the alertmanager component
|
||||
*/}}
|
||||
{{- define "prometheus.serviceAccountName.alertmanager" -}}
|
||||
{{- if .Values.serviceAccounts.alertmanager.create -}}
|
||||
{{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccounts.alertmanager.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the nodeExporter component
|
||||
*/}}
|
||||
{{- define "prometheus.serviceAccountName.nodeExporter" -}}
|
||||
{{- if .Values.serviceAccounts.nodeExporter.create -}}
|
||||
{{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccounts.nodeExporter.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the pushgateway component
|
||||
*/}}
|
||||
{{- define "prometheus.serviceAccountName.pushgateway" -}}
|
||||
{{- if .Values.serviceAccounts.pushgateway.create -}}
|
||||
{{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccounts.pushgateway.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the server component
|
||||
*/}}
|
||||
{{- define "prometheus.serviceAccountName.server" -}}
|
||||
{{- if .Values.serviceAccounts.server.create -}}
|
||||
{{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccounts.server.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set
|
||||
*/}}
|
||||
{{- define "prometheus.namespace" -}}
|
||||
{{- if .Values.forceNamespace -}}
|
||||
{{ printf "namespace: %s" .Values.forceNamespace }}
|
||||
{{- else -}}
|
||||
{{ printf "namespace: %s" .Release.Namespace }}
|
||||
{{- end -}}
|
||||
{{- end -}}
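Review bot: The four `prometheus.serviceAccountName.*` helpers fall back to the literal `default` when `serviceAccounts.<component>.create` is false and no name is given, so any role binding that uses the helper as its subject grants its permissions to the namespace's shared default service account. Every pod in that namespace that does not set its own service account would inherit them. Consider failing the render in the else branch instead, e.g. `{{ required "serviceAccounts.alertmanager.name must be set when create is false" .Values.serviceAccounts.alertmanager.name }}`, and the same for the other three components. If the fallback is kept for compatibility, the helper comments should say so explicitly.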
|
|
@ -0,0 +1,21 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
rules:
|
||||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{- else }}
|
||||
[]
|
||||
{{- end }}
|
||||
{{- end }}
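Review bot: The PSP rule grants `use` on `podsecuritypolicies` only in the `extensions` API group, while the policy object this chart creates is rendered as `policy/v1beta1` by the `prometheus.podSecurityPolicy.apiVersion` helper. Whether the grant is honoured then depends on the API server still accepting the legacy group for this check, which the page does not establish for the chart's `kubeVersion` range. Listing the group the object is served from, `- policy`, under `apiGroups` removes that dependency. The namespaced Role template later in this commit carries the same rule.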
|
|
@ -0,0 +1,20 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "prometheus.serviceAccountName.alertmanager" . }}
|
||||
{{ include "prometheus.namespace" . | indent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
{{- if (not .Values.alertmanager.useExistingRole) }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{- else }}
|
||||
name: {{ .Values.alertmanager.useExistingRole }}
|
||||
{{- end }}
|
||||
{{- end }}
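Review bot: `alertmanager.useExistingRole` is inserted verbatim as the `roleRef` name, so whatever ClusterRole is named in values is bound cluster-wide to the alertmanager service account with no check in the template. A comment at the top of the file would make that explicit, e.g. `{{/* useExistingRole names a pre-existing ClusterRole; its permissions are granted to the alertmanager service account across the cluster */}}`. The value is also unquoted, so `name: {{ .Values.alertmanager.useExistingRole | quote }}` would be safer.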
|
|
@ -0,0 +1,19 @@
|
|||
{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
data:
|
||||
{{- $root := . -}}
|
||||
{{- range $key, $value := .Values.alertmanagerFiles }}
|
||||
{{- if $key | regexMatch ".*\\.ya?ml$" }}
|
||||
{{ $key }}: |
|
||||
{{ toYaml $value | default "{}" | indent 4 }}
|
||||
{{- else }}
|
||||
{{ $key }}: {{ toYaml $value | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
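Review bot: Everything under `alertmanagerFiles` is written into a ConfigMap, so receiver credentials placed in the Alertmanager configuration (SMTP passwords, webhook or chat tokens) become readable to anyone allowed to read ConfigMaps in the namespace. The template already skips the ConfigMap when `alertmanager.configFromSecret` is set, but nothing here tells the operator to use it. I would add a header comment such as `{{/* Do not put receiver credentials in alertmanagerFiles; supply the config through alertmanager.configFromSecret instead */}}`. `$root` is assigned and never used in this file and can be dropped.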
|
|
@ -0,0 +1,208 @@
|
|||
{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}}
|
||||
apiVersion: {{ template "prometheus.deployment.apiVersion" . }}
|
||||
kind: Deployment
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.deploymentAnnotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}
|
||||
replicas: {{ .Values.alertmanager.replicaCount }}
|
||||
{{- if .Values.alertmanager.strategy }}
|
||||
strategy:
|
||||
{{ toYaml .Values.alertmanager.strategy | trim | indent 4 }}
|
||||
{{ if eq .Values.alertmanager.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 8 }}
|
||||
{{- if .Values.alertmanager.podLabels}}
|
||||
{{ toYaml .Values.alertmanager.podLabels | nindent 8 }}
|
||||
{{- end}}
|
||||
spec:
|
||||
{{- if .Values.alertmanager.schedulerName }}
|
||||
schedulerName: "{{ .Values.alertmanager.schedulerName }}"
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }}
|
||||
{{- if .Values.alertmanager.extraInitContainers }}
|
||||
initContainers:
|
||||
{{ toYaml .Values.alertmanager.extraInitContainers | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.alertmanager.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}
|
||||
image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}"
|
||||
env:
|
||||
{{- range $key, $value := .Values.alertmanager.extraEnv }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $value }}
|
||||
{{- end }}
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
args:
|
||||
- --config.file=/etc/config/{{ .Values.alertmanager.configFileName }}
|
||||
- --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }}
|
||||
{{- if .Values.alertmanager.service.enableMeshPeer }}
|
||||
- --cluster.listen-address=0.0.0.0:6783
|
||||
- --cluster.advertise-address=[$(POD_IP)]:6783
|
||||
{{- else }}
|
||||
- --cluster.listen-address=
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.alertmanager.extraArgs }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.baseURL }}
|
||||
- --web.external-url={{ .Values.alertmanager.baseURL }}
|
||||
{{- end }}
|
||||
{{- range .Values.alertmanager.clusterPeers }}
|
||||
- --cluster.peer={{ . }}
|
||||
{{- end }}
|
||||
|
||||
ports:
|
||||
- containerPort: 9093
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: {{ .Values.alertmanager.prefixURL }}/-/ready
|
||||
port: 9093
|
||||
{{- if .Values.alertmanager.probeHeaders }}
|
||||
httpHeaders:
|
||||
{{- range .Values.alertmanager.probeHeaders }}
|
||||
- name: {{ .name }}
|
||||
value: {{ .value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
resources:
|
||||
{{ toYaml .Values.alertmanager.resources | indent 12 }}
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/config
|
||||
- name: storage-volume
|
||||
mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}"
|
||||
subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}"
|
||||
{{- range .Values.alertmanager.extraSecretMounts }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
subPath: {{ .subPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
{{- range .Values.alertmanager.extraConfigmapMounts }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
subPath: {{ .subPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.configmapReload.alertmanager.enabled }}
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }}
|
||||
image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}"
|
||||
args:
|
||||
- --volume-dir=/etc/config
|
||||
- --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload
|
||||
{{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- end }}
|
||||
{{- range .Values.configmapReload.alertmanager.extraVolumeDirs }}
|
||||
- --volume-dir={{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.configmapReload.alertmanager.containerPort }}
|
||||
ports:
|
||||
- containerPort: {{ .Values.configmapReload.alertmanager.containerPort }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }}
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/config
|
||||
readOnly: true
|
||||
{{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }}
|
||||
- name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
subPath: {{ .subPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.alertmanager.dnsConfig }}
|
||||
dnsConfig:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.alertmanager.securityContext | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.alertmanager.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.affinity }}
|
||||
affinity:
|
||||
{{ toYaml .Values.alertmanager.affinity | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config-volume
|
||||
{{- if empty .Values.alertmanager.configFromSecret }}
|
||||
configMap:
|
||||
name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }}
|
||||
{{- else }}
|
||||
secret:
|
||||
secretName: {{ .Values.alertmanager.configFromSecret }}
|
||||
{{- end }}
|
||||
{{- range .Values.alertmanager.extraSecretMounts }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName }}
|
||||
{{- with .optional }}
|
||||
optional: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range .Values.alertmanager.extraConfigmapMounts }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMap }}
|
||||
{{- end }}
|
||||
{{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }}
|
||||
- name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMap }}
|
||||
{{- end }}
|
||||
- name: storage-volume
|
||||
{{- if .Values.alertmanager.persistentVolume.enabled }}
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }}
|
||||
{{- else }}
|
||||
emptyDir:
|
||||
{{- if .Values.alertmanager.emptyDir.sizeLimit }}
|
||||
sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }}
|
||||
{{- else }}
|
||||
{}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end }}
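Review bot: Neither container in the pod spec sets a container-level `securityContext`; the only hardening is the pod-level block taken from `alertmanager.securityContext`, which is omitted entirely when that value is empty. The PodSecurityPolicy template in this commit demands no privilege escalation, dropped capabilities and a read-only root filesystem, but that holds only where PSP admission is enabled. Declaring the same constraints on the containers makes them apply regardless of the admission setup, provided the images write only to their mounted volumes. The fence shows the block for the alertmanager container; the configmap-reload container would take the same lines, and the indentation is my assumption since the page does not preserve it.

```yaml
          imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # … unchanged: env, args, ports, readinessProbe, resources, volumeMounts …
```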
|
|
@ -0,0 +1,31 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.statefulSet.headless.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
{{- if .Values.alertmanager.statefulSet.headless.labels }}
|
||||
{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}-headless
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
clusterIP: None
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ .Values.alertmanager.statefulSet.headless.servicePort }}
|
||||
protocol: TCP
|
||||
targetPort: 9093
|
||||
{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }}
|
||||
- name: meshpeer
|
||||
port: 6783
|
||||
protocol: TCP
|
||||
targetPort: 6783
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,57 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}}
|
||||
{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}}
|
||||
{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}}
|
||||
{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
|
||||
{{- $releaseName := .Release.Name -}}
|
||||
{{- $serviceName := include "prometheus.alertmanager.fullname" . }}
|
||||
{{- $servicePort := .Values.alertmanager.service.servicePort -}}
|
||||
{{- $ingressPath := .Values.alertmanager.ingress.path -}}
|
||||
{{- $ingressPathType := .Values.alertmanager.ingress.pathType -}}
|
||||
{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}}
|
||||
apiVersion: {{ template "ingress.apiVersion" . }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.ingress.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }}
|
||||
{{ $key }}: {{ $value }}
|
||||
{{- end }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
{{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }}
|
||||
ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.alertmanager.ingress.hosts }}
|
||||
{{- $url := splitList "/" . }}
|
||||
- host: {{ first $url }}
|
||||
http:
|
||||
paths:
|
||||
{{ if $extraPaths }}
|
||||
{{ toYaml $extraPaths | indent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ $ingressPath }}
|
||||
{{- if $ingressSupportsPathType }}
|
||||
pathType: {{ $ingressPathType }}
|
||||
{{- end }}
|
||||
backend:
|
||||
{{- if $ingressApiIsStable }}
|
||||
service:
|
||||
name: {{ $serviceName }}
|
||||
port:
|
||||
number: {{ $servicePort }}
|
||||
{{- else }}
|
||||
serviceName: {{ $serviceName }}
|
||||
servicePort: {{ $servicePort }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if .Values.alertmanager.ingress.tls }}
|
||||
tls:
|
||||
{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
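Review bot: The Ingress publishes the Alertmanager service as-is, and the Deployment args in this commit pass no web configuration that would add authentication, so with `alertmanager.ingress.enabled` the UI and API (including silencing) appear reachable by anyone who can reach the ingress host. TLS is likewise optional here. A header comment should state that authentication has to come from the ingress controller, e.g. `{{/* Alertmanager is exposed without authentication by this chart; add auth and TLS through ingress annotations and alertmanager.ingress.tls */}}`. Separately, `host: {{ first $url }}` and the `extraLabels` values are unquoted; `| quote` would keep unusual values from changing the YAML structure.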
|
|
@ -0,0 +1,20 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}}
|
||||
apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.server.matchLabels" . | nindent 12 }}
|
||||
- ports:
|
||||
- port: 9093
|
||||
{{- end -}}
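Review bot: `- from:` and `- ports:` are two separate entries of the `ingress` list, and NetworkPolicy rules are additive: the first allows the Prometheus server pods on every port, the second allows port 9093 from any source. The policy therefore does not restrict who may reach Alertmanager on 9093, which is presumably the opposite of the intent. Merging them into one rule fixes it: drop the dash so the line reads `ports:` at the same level as `from:`. When mesh peering is enabled, the peer port 6783 would also need its own rule for the other Alertmanager pods.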
|
|
@ -0,0 +1,14 @@
|
|||
{{- if .Values.alertmanager.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
spec:
|
||||
maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 6 }}
|
||||
{{- end }}
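Review bot: `apiVersion: policy/v1beta1` is hard-coded, and that version of PodDisruptionBudget is no longer served from Kubernetes 1.25, while the chart's `kubeVersion` has no upper bound. Select it by capability, in the style of the `rbac.apiVersion` helper: `{{ if .Capabilities.APIVersions.Has "policy/v1" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. The guard also checks only `podDisruptionBudget.enabled`; adding `.Values.alertmanager.enabled` would match the other alertmanager templates.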
|
|
@ -0,0 +1,46 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if .Values.alertmanager.podSecurityPolicy.annotations }}
|
||||
{{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'persistentVolumeClaim'
|
||||
- 'emptyDir'
|
||||
- 'secret'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: /etc
|
||||
readOnly: true
|
||||
- pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }}
|
||||
hostNetwork: false
|
||||
hostPID: false
|
||||
hostIPC: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
|
@ -0,0 +1,37 @@
|
|||
{{- if not .Values.alertmanager.statefulSet.enabled -}}
|
||||
{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}}
|
||||
{{- if not .Values.alertmanager.persistentVolume.existingClaim -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.persistentVolume.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }}
|
||||
{{- if .Values.alertmanager.persistentVolume.storageClass }}
|
||||
{{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }}
|
||||
volumeBindingMode: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}"
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: "{{ .Values.alertmanager.persistentVolume.size }}"
|
||||
{{- if .Values.alertmanager.persistentVolume.selector }}
|
||||
selector:
|
||||
{{- toYaml .Values.alertmanager.persistentVolume.selector | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
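Review bot: `volumeBindingMode` is a StorageClass field, not part of a PersistentVolumeClaim spec, so the line rendered from `alertmanager.persistentVolume.volumeBindingMode` is either dropped or rejected by the API server depending on field validation. I would remove the three-line `if` block and document that the binding mode is set on the storage class named by `storageClass`.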
|
|
@ -0,0 +1,24 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}}
|
||||
{{- range $.Values.alertmanager.namespaces }}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" $ }}
|
||||
namespace: {{ . }}
|
||||
rules:
|
||||
{{- if $.Values.podSecurityPolicy.enabled }}
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- {{ template "prometheus.alertmanager.fullname" $ }}
|
||||
{{- else }}
|
||||
[]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
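Review bot: Inside `{{- range $.Values.alertmanager.namespaces }}` the dot is the current namespace string, yet `apiVersion` is rendered with `{{ template "rbac.apiVersion" . }}` while every other helper call in the loop passes `$`. If that helper (defined outside this view) reads anything from the root context, rendering fails, so the line should read `apiVersion: {{ template "rbac.apiVersion" $ }}`. The loop body also emits no `---` separator, so more than one namespace yields a single YAML document with repeated keys instead of one Role per namespace; a `---` as the first line of the loop body fixes that. The RoleBinding template in the next section has both problems.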
|
|
@ -0,0 +1,23 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}}
|
||||
{{ range $.Values.alertmanager.namespaces }}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" $ }}
|
||||
namespace: {{ . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "prometheus.serviceAccountName.alertmanager" $ }}
|
||||
{{ include "prometheus.namespace" $ | indent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
{{- if (not $.Values.alertmanager.useExistingRole) }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" $ }}
|
||||
{{- else }}
|
||||
name: {{ $.Values.alertmanager.useExistingRole }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
|
@ -0,0 +1,53 @@
|
|||
{{- if .Values.alertmanager.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.service.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.service.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
{{- if .Values.alertmanager.service.labels }}
|
||||
{{ toYaml .Values.alertmanager.service.labels | indent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
{{- if .Values.alertmanager.service.clusterIP }}
|
||||
clusterIP: {{ .Values.alertmanager.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.service.externalIPs }}
|
||||
externalIPs:
|
||||
{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.service.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }}
|
||||
- {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ .Values.alertmanager.service.servicePort }}
|
||||
protocol: TCP
|
||||
targetPort: 9093
|
||||
{{- if .Values.alertmanager.service.nodePort }}
|
||||
nodePort: {{ .Values.alertmanager.service.nodePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.service.enableMeshPeer }}
|
||||
- name: meshpeer
|
||||
port: 6783
|
||||
protocol: TCP
|
||||
targetPort: 6783
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }}
|
||||
{{- if .Values.alertmanager.service.sessionAffinity }}
|
||||
sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }}
|
||||
{{- end }}
|
||||
type: "{{ .Values.alertmanager.service.type }}"
|
||||
{{- end }}
|
|
@ -0,0 +1,11 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.serviceAccountName.alertmanager" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }}
|
||||
{{- end -}}
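Review bot: The ServiceAccount leaves token automount at the cluster default, so each Alertmanager pod gets an API token mounted although nothing in the visible alertmanager templates calls the Kubernetes API. The only Role rule is `use` on a PodSecurityPolicy, which is checked when the pod is admitted and does not need the token inside the container. Adding `automountServiceAccountToken: false` at the top level of this object, preferably behind a value so it can be overridden, removes a credential that is otherwise readable from the container filesystem. The node-exporter ServiceAccount template further down has the same shape and would take the same line.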
|
|
@ -0,0 +1,188 @@
|
|||
{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.statefulSet.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.statefulSet.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 4 }}
|
||||
{{- if .Values.alertmanager.statefulSet.labels}}
|
||||
{{ toYaml .Values.alertmanager.statefulSet.labels | nindent 4 }}
|
||||
{{- end}}
|
||||
name: {{ template "prometheus.alertmanager.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}
|
||||
replicas: {{ .Values.alertmanager.replicaCount }}
|
||||
podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }}
|
||||
template:
|
||||
metadata:
|
||||
{{- if .Values.alertmanager.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.alertmanager.labels" . | nindent 8 }}
|
||||
{{- if .Values.alertmanager.podLabels}}
|
||||
{{ toYaml .Values.alertmanager.podLabels | nindent 8 }}
|
||||
{{- end}}
|
||||
spec:
|
||||
{{- if .Values.alertmanager.affinity }}
|
||||
affinity:
|
||||
{{ toYaml .Values.alertmanager.affinity | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.schedulerName }}
|
||||
schedulerName: "{{ .Values.alertmanager.schedulerName }}"
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }}
|
||||
{{- if .Values.alertmanager.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.alertmanager.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}
|
||||
image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}"
|
||||
env:
|
||||
{{- range $key, $value := .Values.alertmanager.extraEnv }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $value }}
|
||||
{{- end }}
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
args:
|
||||
- --config.file=/etc/config/alertmanager.yml
|
||||
- --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }}
|
||||
{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }}
|
||||
- --cluster.advertise-address=[$(POD_IP)]:6783
|
||||
- --cluster.listen-address=0.0.0.0:6783
|
||||
{{- range $n := until (.Values.alertmanager.replicaCount | int) }}
|
||||
- --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- --cluster.listen-address=
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.alertmanager.extraArgs }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.baseURL }}
|
||||
- --web.external-url={{ .Values.alertmanager.baseURL }}
|
||||
{{- end }}
|
||||
|
||||
ports:
|
||||
- containerPort: 9093
|
||||
{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }}
|
||||
- containerPort: 6783
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: {{ .Values.alertmanager.prefixURL }}/#/status
|
||||
port: 9093
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
resources:
|
||||
{{ toYaml .Values.alertmanager.resources | indent 12 }}
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/config
|
||||
- name: storage-volume
|
||||
mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}"
|
||||
subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}"
|
||||
{{- range .Values.alertmanager.extraSecretMounts }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
subPath: {{ .subPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
{{- if .Values.configmapReload.alertmanager.enabled }}
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }}
|
||||
image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}"
|
||||
args:
|
||||
- --volume-dir=/etc/config
|
||||
- --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload
|
||||
{{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- end }}
|
||||
{{- if .Values.configmapReload.alertmanager.port }}
|
||||
ports:
|
||||
- containerPort: {{ .Values.configmapReload.alertmanager.port }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }}
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/config
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.alertmanager.securityContext | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.alertmanager.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config-volume
|
||||
{{- if empty .Values.alertmanager.configFromSecret }}
|
||||
configMap:
|
||||
name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }}
|
||||
{{- else }}
|
||||
secret:
|
||||
secretName: {{ .Values.alertmanager.configFromSecret }}
|
||||
{{- end }}
|
||||
{{- range .Values.alertmanager.extraSecretMounts }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName }}
|
||||
{{- with .optional }}
|
||||
optional: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.alertmanager.persistentVolume.enabled }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: storage-volume
|
||||
{{- if .Values.alertmanager.persistentVolume.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }}
|
||||
resources:
|
||||
requests:
|
||||
storage: "{{ .Values.alertmanager.persistentVolume.size }}"
|
||||
{{- if .Values.server.persistentVolume.storageClass }}
|
||||
{{- if (eq "-" .Values.server.persistentVolume.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: storage-volume
|
||||
emptyDir:
|
||||
{{- if .Values.alertmanager.emptyDir.sizeLimit }}
|
||||
sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }}
|
||||
{{- else }}
|
||||
{}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
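Review bot: In `volumeClaimTemplates` the storage class is tested against `.Values.server.persistentVolume.storageClass` but the value written is `.Values.alertmanager.persistentVolume.storageClass`, so the Alertmanager claim's class depends on whether the Prometheus server has one configured. With only the alertmanager value set, `storageClassName` is silently omitted and the cluster default is used; with only the server value set, an empty or wrong class name is rendered. Both conditions should reference the alertmanager key, as the standalone PVC template does: `{{- if .Values.alertmanager.persistentVolume.storageClass }}` and `{{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }}`.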
|
|
@ -0,0 +1,150 @@
|
|||
{{- if .Values.nodeExporter.enabled -}}
|
||||
apiVersion: {{ template "prometheus.daemonset.apiVersion" . }}
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
{{- if .Values.nodeExporter.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }}
|
||||
{{- if .Values.nodeExporter.updateStrategy }}
|
||||
updateStrategy:
|
||||
{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
{{- if .Values.nodeExporter.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 8 }}
|
||||
{{- if .Values.nodeExporter.pod.labels }}
|
||||
{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
|
||||
{{- if .Values.nodeExporter.extraInitContainers }}
|
||||
initContainers:
|
||||
{{ toYaml .Values.nodeExporter.extraInitContainers | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.nodeExporter.name }}
|
||||
image: "{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}"
|
||||
args:
|
||||
- --path.procfs=/host/proc
|
||||
- --path.sysfs=/host/sys
|
||||
{{- if .Values.nodeExporter.hostRootfs }}
|
||||
- --path.rootfs=/host/root
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.hostNetwork }}
|
||||
- --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.nodeExporter.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- else }}
|
||||
- --{{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
{{- if .Values.nodeExporter.hostNetwork }}
|
||||
containerPort: {{ .Values.nodeExporter.service.hostPort }}
|
||||
{{- else }}
|
||||
containerPort: 9100
|
||||
{{- end }}
|
||||
hostPort: {{ .Values.nodeExporter.service.hostPort }}
|
||||
resources:
|
||||
{{ toYaml .Values.nodeExporter.resources | indent 12 }}
|
||||
{{- if .Values.nodeExporter.container.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.nodeExporter.container.securityContext | indent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: proc
|
||||
mountPath: /host/proc
|
||||
readOnly: true
|
||||
- name: sys
|
||||
mountPath: /host/sys
|
||||
readOnly: true
|
||||
{{- if .Values.nodeExporter.hostRootfs }}
|
||||
- name: root
|
||||
mountPath: /host/root
|
||||
mountPropagation: HostToContainer
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range .Values.nodeExporter.extraHostPathMounts }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- if .mountPropagation }}
|
||||
mountPropagation: {{ .mountPropagation }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range .Values.nodeExporter.extraConfigmapMounts }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.hostPID }}
|
||||
hostPID: true
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.nodeExporter.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeExporter.dnsConfig }}
|
||||
dnsConfig:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.nodeExporter.securityContext | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: proc
|
||||
hostPath:
|
||||
path: /proc
|
||||
- name: sys
|
||||
hostPath:
|
||||
path: /sys
|
||||
{{- if .Values.nodeExporter.hostRootfs }}
|
||||
- name: root
|
||||
hostPath:
|
||||
path: /
|
||||
{{- end }}
|
||||
{{- range .Values.nodeExporter.extraHostPathMounts }}
|
||||
- name: {{ .name }}
|
||||
hostPath:
|
||||
path: {{ .hostPath }}
|
||||
{{- end }}
|
||||
{{- range .Values.nodeExporter.extraConfigmapMounts }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMap }}
|
||||
{{- end }}
|
||||
|
||||
{{- end -}}
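Review bot: `hostPort: {{ .Values.nodeExporter.service.hostPort }}` sits after the `hostNetwork` conditional has closed, so the metrics port is published on every node's addresses even when the pod uses the pod network, and nothing in this template puts authentication or TLS in front of it. Wrapping it as `{{- with .Values.nodeExporter.service.hostPort }}`, `hostPort: {{ . }}`, `{{- end }}` would let an operator leave the port unpublished and scrape through the Service instead. A comment beside it should state that anyone who can reach a node on that port can read host metrics, which matters more once `hostRootfs` or `hostPID` is turned on.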
|
|
@ -0,0 +1,55 @@
|
|||
{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
|
||||
{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'hostPath'
|
||||
- 'secret'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: /proc
|
||||
readOnly: true
|
||||
- pathPrefix: /sys
|
||||
readOnly: true
|
||||
- pathPrefix: /
|
||||
readOnly: true
|
||||
{{- range .Values.nodeExporter.extraHostPathMounts }}
|
||||
- pathPrefix: {{ .hostPath }}
|
||||
readOnly: {{ .readOnly }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
|
||||
hostPID: {{ .Values.nodeExporter.hostPID }}
|
||||
hostIPC: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
hostPorts:
|
||||
- min: 1
|
||||
max: 65535
|
||||
{{- end }}
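Review bot: `allowedHostPaths` always contains `pathPrefix: /`, which already covers `/proc`, `/sys` and every `extraHostPathMounts` entry, so the policy permits a read-only hostPath mount of the whole node filesystem even when `nodeExporter.hostRootfs` is off. The DaemonSet only mounts `/` under `{{- if .Values.nodeExporter.hostRootfs }}`, and the policy entry should carry the same guard, with `{{- if .Values.nodeExporter.hostRootfs }}` before the entry and `{{- end }}` after it. The `hostPorts` range of 1 to 65535 could likewise be narrowed to the configured `nodeExporter.service.hostPort`.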
|
|
@ -0,0 +1,17 @@
|
|||
{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
|
||||
{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
rules:
|
||||
- apiGroups: ['extensions']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
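Review bot: The Role is gated on `or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled)`, but the PodSecurityPolicy above and the RoleBinding below are gated on `.Values.podSecurityPolicy.enabled` alone. Enabling only the nodeExporter-level flag therefore creates a Role that names a policy which was never rendered and that is bound to no subject. The `default` call also passes its arguments in the opposite order from the usual fallback-first form, which makes the intent hard to read. Using one condition in all three templates, for example `{{- if .Values.podSecurityPolicy.enabled }}`, keeps the RBAC objects and the policy in step.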
|
|
@ -0,0 +1,19 @@
|
|||
{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
|
||||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,11 @@
|
|||
{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,47 @@
|
|||
{{- if .Values.nodeExporter.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if .Values.nodeExporter.service.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
|
||||
{{- if .Values.nodeExporter.service.labels }}
|
||||
{{ toYaml .Values.nodeExporter.service.labels | indent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "prometheus.nodeExporter.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
{{- if .Values.nodeExporter.service.clusterIP }}
|
||||
clusterIP: {{ .Values.nodeExporter.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.service.externalIPs }}
|
||||
externalIPs:
|
||||
{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.service.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }}
|
||||
- {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
{{- if .Values.nodeExporter.hostNetwork }}
|
||||
port: {{ .Values.nodeExporter.service.hostPort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.nodeExporter.service.hostPort }}
|
||||
{{- else }}
|
||||
port: {{ .Values.nodeExporter.service.servicePort }}
|
||||
protocol: TCP
|
||||
targetPort: 9100
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }}
|
||||
type: "{{ .Values.nodeExporter.service.type }}"
|
||||
{{- end -}}
|
|
@ -0,0 +1,21 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
rules:
|
||||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{- else }}
|
||||
[]
|
||||
{{- end }}
|
||||
{{- end }}
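Review bot: The only permission this template ever grants is `use` on one PodSecurityPolicy, and with `podSecurityPolicy.enabled` off it still creates a ClusterRole with `rules: []`; a cluster-scoped role plus the ClusterRoleBinding in the next section is wider than that needs. The node-exporter templates on this page grant the same verb through a namespaced Role and RoleBinding, and pushgateway could follow them with `kind: Role` here and `kind: RoleBinding` with `roleRef.kind: Role` in the binding, each carrying the `prometheus.namespace` include in metadata. Rendering neither object when the policy is disabled avoids leaving an empty cluster-wide binding that a later edit to the rules would silently widen.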
|
|
@ -0,0 +1,16 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
|
||||
{{ include "prometheus.namespace" . | indent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,119 @@
|
|||
{{- if .Values.pushgateway.enabled -}}
|
||||
apiVersion: {{ template "prometheus.deployment.apiVersion" . }}
|
||||
kind: Deployment
|
||||
metadata:
|
||||
{{- if .Values.pushgateway.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.pushgateway.deploymentAnnotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
selector:
|
||||
{{- if .Values.schedulerName }}
|
||||
schedulerName: "{{ .Values.schedulerName }}"
|
||||
{{- end }}
|
||||
matchLabels:
|
||||
{{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }}
|
||||
replicas: {{ .Values.pushgateway.replicaCount }}
|
||||
{{- if .Values.pushgateway.strategy }}
|
||||
strategy:
|
||||
{{ toYaml .Values.pushgateway.strategy | trim | indent 4 }}
|
||||
{{ if eq .Values.pushgateway.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
{{- if .Values.pushgateway.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.pushgateway.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 8 }}
|
||||
{{- if .Values.pushgateway.podLabels }}
|
||||
{{ toYaml .Values.pushgateway.podLabels | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }}
|
||||
{{- if .Values.pushgateway.extraInitContainers }}
|
||||
initContainers:
|
||||
{{ toYaml .Values.pushgateway.extraInitContainers | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.pushgateway.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ template "prometheus.name" . }}-{{ .Values.pushgateway.name }}
|
||||
image: "{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}"
|
||||
args:
|
||||
{{- range $key, $value := .Values.pushgateway.extraArgs }}
|
||||
{{- $stringvalue := toString $value }}
|
||||
{{- if eq $stringvalue "true" }}
|
||||
- --{{ $key }}
|
||||
{{- else }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9091
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
{{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }}
|
||||
path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy
|
||||
{{- else }}
|
||||
path: /-/healthy
|
||||
{{- end }}
|
||||
port: 9091
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
{{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }}
|
||||
path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready
|
||||
{{- else }}
|
||||
path: /-/ready
|
||||
{{- end }}
|
||||
port: 9091
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
resources:
|
||||
{{ toYaml .Values.pushgateway.resources | indent 12 }}
|
||||
{{- if .Values.pushgateway.persistentVolume.enabled }}
|
||||
volumeMounts:
|
||||
- name: storage-volume
|
||||
mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}"
|
||||
subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}"
|
||||
{{- end }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.pushgateway.dnsConfig }}
|
||||
dnsConfig:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.pushgateway.securityContext | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.pushgateway.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.affinity }}
|
||||
affinity:
|
||||
{{ toYaml .Values.pushgateway.affinity | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.persistentVolume.enabled }}
|
||||
volumes:
|
||||
- name: storage-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }}
|
||||
{{- end -}}
|
||||
{{- end }}
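Review bot: The `schedulerName` block is emitted directly after `selector:` and before `matchLabels:`, which places it in or beside the label selector rather than in the pod spec where the field is defined. Indentation is lost in this rendering, but neither possible nesting is valid there, so setting `schedulerName` either makes the Deployment fail validation or has no effect on scheduling. The three lines belong under the pod template's `spec:`, next to `serviceAccountName`. The block also reads the top-level `.Values.schedulerName` where the alertmanager StatefulSet reads a per-component key, which may not be what was intended.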
|
|
@ -0,0 +1,54 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}}
|
||||
{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}}
|
||||
{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}}
|
||||
{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
|
||||
{{- $releaseName := .Release.Name -}}
|
||||
{{- $serviceName := include "prometheus.pushgateway.fullname" . }}
|
||||
{{- $servicePort := .Values.pushgateway.service.servicePort -}}
|
||||
{{- $ingressPath := .Values.pushgateway.ingress.path -}}
|
||||
{{- $ingressPathType := .Values.pushgateway.ingress.pathType -}}
|
||||
{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}}
|
||||
apiVersion: {{ template "ingress.apiVersion" . }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
{{- if .Values.pushgateway.ingress.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
{{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }}
|
||||
ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.pushgateway.ingress.hosts }}
|
||||
{{- $url := splitList "/" . }}
|
||||
- host: {{ first $url }}
|
||||
http:
|
||||
paths:
|
||||
{{ if $extraPaths }}
|
||||
{{ toYaml $extraPaths | indent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ $ingressPath }}
|
||||
{{- if $ingressSupportsPathType }}
|
||||
pathType: {{ $ingressPathType }}
|
||||
{{- end }}
|
||||
backend:
|
||||
{{- if $ingressApiIsStable }}
|
||||
service:
|
||||
name: {{ $serviceName }}
|
||||
port:
|
||||
number: {{ $servicePort }}
|
||||
{{- else }}
|
||||
serviceName: {{ $serviceName }}
|
||||
servicePort: {{ $servicePort }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if .Values.pushgateway.ingress.tls }}
|
||||
tls:
|
||||
{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}}
|
||||
apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.server.matchLabels" . | nindent 12 }}
|
||||
- ports:
|
||||
- port: 9091
|
||||
{{- end -}}
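Review bot: `ingress` holds two separate list items, `- from:` with the server pod selector and `- ports:` with port 9091, and NetworkPolicy rules are additive. The first rule admits the server pods on every port and the second admits every source on 9091, so the policy does not limit who can reach the pushgateway. The port list has to sit in the same rule as the selector: drop the dash so the line reads `ports:` at the indentation of `from:`. A short comment above the rule, such as `# only the Prometheus server may reach the pushgateway port`, would make the intent checkable in review.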
|
|
@ -0,0 +1,14 @@
|
|||
{{- if .Values.pushgateway.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
spec:
|
||||
maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 6 }}
|
||||
{{- end }}
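Review bot: `apiVersion: policy/v1beta1` is hard-coded here, and that API was removed in Kubernetes 1.25, while the chart's `kubeVersion` constraint is open-ended upward. On a newer cluster an install with the PodDisruptionBudget enabled would be expected to fail. Consider selecting the version from cluster capabilities, e.g. `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. The VerticalPodAutoscaler template further down pins `autoscaling.k8s.io/v1beta2` in the same way. This template is also gated only on `podDisruptionBudget.enabled`, not on `pushgateway.enabled` as its sibling templates are.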
|
|
@ -0,0 +1,42 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if .Values.pushgateway.podSecurityPolicy.annotations }}
|
||||
{{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
volumes:
|
||||
- 'persistentVolumeClaim'
|
||||
- 'secret'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }}
|
||||
hostNetwork: false
|
||||
hostPID: false
|
||||
hostIPC: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
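Review bot: `runAsUser` is set to `rule: 'RunAsAny'`, so this policy still admits a container running as UID 0 even though the `supplementalGroups` and `fsGroup` ranges are written to keep the root group out. If the Pushgateway image runs as a non-root user (not visible from this template), tighten it to `rule: 'MustRunAsNonRoot'`. Separately, `allowedHostPaths` has no effect as written because `hostPath` is not in the `volumes` allow-list; dropping that entry would make the intent clearer. A short comment above `spec:` stating that the policy is meant to forbid root and host access would help the next reader.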
|
|
@ -0,0 +1,31 @@
|
|||
{{- if .Values.pushgateway.persistentVolume.enabled -}}
|
||||
{{- if not .Values.pushgateway.persistentVolume.existingClaim -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
{{- if .Values.pushgateway.persistentVolume.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }}
|
||||
{{- if .Values.pushgateway.persistentVolume.storageClass }}
|
||||
{{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }}
|
||||
volumeBindingMode: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}"
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: "{{ .Values.pushgateway.persistentVolume.size }}"
|
||||
{{- end -}}
|
||||
{{- end -}}
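Review bot: `volumeBindingMode` is rendered into the PersistentVolumeClaim `spec`, but it is a StorageClass field and not part of the PVC spec. Depending on how strictly the manifest is validated, setting the value either fails the install or is silently dropped, so the knob does not do what its name suggests. I would remove the `{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }}` block and document that binding mode is configured on the StorageClass. The template is also gated only on `persistentVolume.enabled`, so a claim can be created while `pushgateway.enabled` is false.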
|
|
@ -0,0 +1,41 @@
|
|||
{{- if .Values.pushgateway.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if .Values.pushgateway.service.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.pushgateway.service.annotations | indent 4}}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
{{- if .Values.pushgateway.service.labels }}
|
||||
{{ toYaml .Values.pushgateway.service.labels | indent 4}}
|
||||
{{- end }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
{{- if .Values.pushgateway.service.clusterIP }}
|
||||
clusterIP: {{ .Values.pushgateway.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.service.externalIPs }}
|
||||
externalIPs:
|
||||
{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.service.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.pushgateway.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }}
|
||||
- {{ $cidr }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ .Values.pushgateway.service.servicePort }}
|
||||
protocol: TCP
|
||||
targetPort: 9091
|
||||
selector:
|
||||
{{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }}
|
||||
type: "{{ .Values.pushgateway.service.type }}"
|
||||
{{- end }}
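Review bot: The Service takes `type` and `externalIPs` straight from values and emits `loadBalancerSourceRanges` only when set, so `type: LoadBalancer` with no ranges publishes port 9091 to any client. Nothing in this template puts authentication in front of the Pushgateway, so that is an open metrics-write endpoint unless something elsewhere protects it. At minimum add a template comment such as `{{/* When service.type is LoadBalancer, set loadBalancerSourceRanges; the push endpoint is not authenticated by this chart */}}`. A stricter option is a `fail` guard for the LoadBalancer-without-ranges case, but that would break existing installs that rely on it.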
|
|
@ -0,0 +1,11 @@
|
|||
{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }}
|
||||
{{- end -}}
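Review bot: This ServiceAccount does not set `automountServiceAccountToken`, so pods using it get an API token mounted by default. The Pushgateway presumably has no need to call the Kubernetes API (worth confirming against the deployment template, which is not in this hunk). If so, adding `automountServiceAccountToken: false` at the top level of the manifest removes a credential that would otherwise be readable from inside the container. The `annotations:` key is also rendered unconditionally here, whereas the Service and PVC templates wrap it in an `if`; matching that style would avoid emitting an empty map.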
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.pushgateway.enabled -}}
|
||||
{{- if .Values.pushgateway.verticalAutoscaler.enabled -}}
|
||||
apiVersion: autoscaling.k8s.io/v1beta2
|
||||
kind: VerticalPodAutoscaler
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.pushgateway.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}-vpa
|
||||
{{ include "prometheus.namespace" . | indent 2 }}
|
||||
spec:
|
||||
targetRef:
|
||||
apiVersion: "apps/v1"
|
||||
kind: Deployment
|
||||
name: {{ template "prometheus.pushgateway.fullname" . }}
|
||||
updatePolicy:
|
||||
updateMode: {{ .Values.pushgateway.verticalAutoscaler.updateMode | default "Off" | quote }}
|
||||
resourcePolicy:
|
||||
containerPolicies: {{ .Values.pushgateway.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }}
|
||||
{{- end -}} {{/* if .Values.pushgateway.verticalAutoscaler.enabled */}}
|
||||
{{- end -}} {{/* .Values.pushgateway.enabled */}}
|
|
@ -0,0 +1,48 @@
|
|||
{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}}
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "prometheus.server.labels" . | nindent 4 }}
|
||||
name: {{ template "prometheus.server.fullname" . }}
|
||||
rules:
|
||||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- {{ template "prometheus.server.fullname" . }}
|
||||
{{- end }}
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
- nodes/proxy
|
||||
- nodes/metrics
|
||||
- services
|
||||
- endpoints
|
||||
- pods
|
||||
- ingresses
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
- "networking.k8s.io"
|
||||
resources:
|
||||
- ingresses/status
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- nonResourceURLs:
|
||||
- "/metrics"
|
||||
verbs:
|
||||
- get
|
||||
{{- end }}
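Review bot: The core-group rule grants `get`/`list`/`watch` cluster-wide on `nodes/proxy` and `configmaps` alongside the discovery resources. `nodes/proxy` lets the holder reach the kubelet API through the API server, which is considerably broader than scraping, and `nodes/metrics` is already listed for the metrics path. Consider dropping `- nodes/proxy` or putting it behind a values flag, and check whether cluster-wide ConfigMap read is actually needed. The PodSecurityPolicy `use` rule also names the `extensions` API group; on the Kubernetes versions this chart targets PSP is served from `policy`, so that rule may never match and should be verified.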
|