Created
June 13, 2017 19:40
-
-
Save ilackarms/f1611abd24d780585762388978b9767b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Template | |
metadata: | |
name: prometheus | |
annotations: | |
"openshift.io/display-name": Prometheus | |
description: | | |
A monitoring solution for an OpenShift cluster - collect and gather metrics from nodes, services, and the infrastructure. | |
iconClass: icon-cogs | |
tags: "monitoring,prometheus,time-series" | |
parameters: | |
- description: The namespace to instantiate prometheus under. Defaults to 'kube-system'. | |
name: NAMESPACE | |
value: default | |
- description: The location of the proxy image | |
name: IMAGE_PROXY | |
value: docker.io/fabric8/openshift-auth-proxy:latest | |
#value: registry.svc.ci.openshift.org/ci/oauth-proxy:latest | |
- description: The location of the prometheus image | |
name: IMAGE_PROMETHEUS | |
value: registry.svc.ci.openshift.org/ci/prometheus:latest | |
- description: The session secret for the proxy | |
name: SESSION_SECRET | |
generate: expression | |
from: "[a-zA-Z0-9]{43}" | |
- description: "Internal URL for the master, for authentication retrieval" | |
name: OAP_MASTER_URL | |
value: "https://kubernetes.default.svc.cluster.local" | |
- description: "Public URL for the master, for sending the browser to authenticate" | |
name: OAP_PUBLIC_MASTER_URL | |
required: true | |
- description: "Show extra proxy debug information at startup and during operations" | |
name: OAP_DEBUG | |
value: "true" | |
objects: | |
# Authorize the prometheus service account to read data about the cluster | |
- apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
annotations: | |
serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}' | |
- apiVersion: v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: prometheus-cluster-reader | |
roleRef: | |
name: cluster-reader | |
subjects: | |
- kind: ServiceAccount | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
# Create a fully end-to-end TLS connection to the proxy | |
- apiVersion: v1 | |
kind: Route | |
metadata: | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
spec: | |
to: | |
name: prometheus | |
tls: | |
termination: Reencrypt | |
destinationCACertificate: | | |
-----BEGIN CERTIFICATE----- | |
MIIDWjCCAkKgAwIBAgIJAJkUdYKwZ8xwMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV | |
BAYTAlVTMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg | |
Q29tcGFueSBMdGQwHhcNMTcwNjEyMTQ1MjI2WhcNMjAwNDAxMTQ1MjI2WjBCMQsw | |
CQYDVQQGEwJVUzEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh | |
dWx0IENvbXBhbnkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA | |
q18mVbAI0G6Y5evhei9dYWhEfUwmVnzsS+WAJRHuKUrWeRXdbp1Lh8FluXCQLlbz | |
SjgMZcKx7PCP+xmYO4d0oWm+eHo/+GGcFe80ioQGKp99FLRu6/ynUBd2ArquPICj | |
dqwKrmYKu72pUn+goQlepjx6c4f8nS3ONElak84Plf5ok/IXfZm7Wz+/dRla1qYR | |
nlD12B7M6izvTkNX8jqFvhf6xeR6nvibTsD6Ac0/5wPVaHMvX55YjXIh78QLGI8V | |
HaEdVzmIm/bZglBGUrthEhhZO3oZnBRtSGdcKcQcocsIEm+O1g8QgW+yCE1Mu4/X | |
5qbDp2FIPxB4aNh6aeZsTwIDAQABo1MwUTAdBgNVHQ4EFgQU/tJSkBMo+5ZWMlAV | |
ceHl4YuXU3gwHwYDVR0jBBgwFoAU/tJSkBMo+5ZWMlAVceHl4YuXU3gwDwYDVR0T | |
AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGH3wLMKQwkWod1LcL6rLUAVl | |
E2t0HPkpexsG4lxwqh5rB8vt0tUUpK8yjC3qiMGjy18euJwuvxzvyhMxGgYR1c/r | |
DSV9AEWy3MYgUxyu8gj0gyFG696xrseSt0z/FUHB2BjECcLz9j0PYfth/uNVd1Ks | |
9cD5aIkYQ7K64vDHQixAd2ogG52+KGzfFD5pAiuMiOOotfW4/tgijsK2vBUPjhhH | |
HwDMCzXdrwO4TPrYYRladKAGjI4gkuATYGQneqoH9/+xFN8kz1M3rMQ89Ho9Ec4f | |
cRbGfXr1vKwKqMxqXBHrMMFMsCI1AaHgmUYIji1205FxFeyaOgnSyKX4+IVT4w== | |
-----END CERTIFICATE----- | |
- apiVersion: v1 | |
kind: Service | |
metadata: | |
annotations: | |
prometheus.io/scrape: "true" | |
prometheus.io/scheme: https | |
service.alpha.openshift.io/serving-cert-secret-name: prometheus-tls | |
labels: | |
name: prometheus | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
spec: | |
ports: | |
- name: prometheus | |
port: 443 | |
protocol: TCP | |
targetPort: 8443 | |
selector: | |
app: prometheus | |
- apiVersion: v1 | |
kind: Secret | |
metadata: | |
name: prometheus-proxy | |
namespace: "${NAMESPACE}" | |
stringData: | |
session_secret: "${SESSION_SECRET}=" | |
# Deploy Prometheus behind an oauth proxy | |
- apiVersion: extensions/v1beta1 | |
kind: Deployment | |
metadata: | |
labels: | |
app: prometheus | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: prometheus | |
template: | |
metadata: | |
labels: | |
app: prometheus | |
name: prometheus | |
spec: | |
serviceAccountName: prometheus | |
containers: | |
- name: "prometheus-proxy" | |
image: ${IMAGE_PROXY} | |
# command: | |
# - sleep | |
# - "10000000000" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- | |
name: "oaproxy" | |
containerPort: 3000 | |
env: | |
- | |
name: "OCP_AUTH_PROXY_MEMORY_LIMIT" | |
value: "64m" | |
- | |
name: "OAP_BACKEND_URL" | |
value: "http://localhost:9090" | |
- | |
name: "OAP_AUTH_MODE" | |
value: "oauth2" | |
- | |
name: "OAP_TRANSFORM" | |
value: "user_header,token_header" | |
- | |
name: "OAP_OAUTH_ID" | |
value: prometheus-proxy | |
- | |
name: "OAP_MASTER_URL" | |
value: ${OAP_MASTER_URL} | |
- | |
name: "OAP_PUBLIC_MASTER_URL" | |
value: ${OAP_PUBLIC_MASTER_URL} | |
- | |
name: "OAP_LOGOUT_REDIRECT" | |
value: ${OAP_PUBLIC_MASTER_URL}/console/logout | |
- | |
name: "OAP_MASTER_CA_FILE" | |
value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" | |
- | |
name: "OAP_DEBUG" | |
value: ${OAP_DEBUG} | |
volumeMounts: | |
- name: prometheus-proxy-secret | |
mountPath: /opt/openshift-auth-proxy/secret | |
readOnly: true | |
- name: prometheus | |
args: | |
- -config.file=/etc/prometheus/prometheus.yml | |
- -web.listen-address=localhost:9090 | |
image: ${IMAGE_PROMETHEUS} | |
imagePullPolicy: IfNotPresent | |
volumeMounts: | |
- mountPath: /etc/prometheus | |
name: config-volume | |
- mountPath: /prometheus | |
name: data-volume | |
restartPolicy: Always | |
volumes: | |
- configMap: | |
defaultMode: 420 | |
name: prometheus | |
name: config-volume | |
- name: prometheus-proxy-secret | |
secret: | |
#this secret must be defined externally via | |
# oc secrets new prometheus-proxy-secret \ | |
# oauth-secret=<oauth-secret> \ | |
# session-secret=<session-secret> \ | |
# server-key=<prometheus-proxy.key> \ | |
# server-cert=<prometheus-proxy.crt> \ | |
# server-tls.json=<server-tls.json> | |
secretName: prometheus-proxy-secret | |
- name: prometheus-tls | |
secret: | |
secretName: prometheus-tls | |
- emptyDir: {} | |
name: data-volume | |
- apiVersion: v1 | |
kind: ConfigMap | |
metadata: | |
name: prometheus | |
namespace: "${NAMESPACE}" | |
data: | |
prometheus.yml: | | |
# A scrape configuration for running Prometheus on a Kubernetes cluster. | |
# This uses separate scrape configs for cluster components (i.e. API server, node) | |
# and services to allow each to use different authentication configs. | |
# | |
# Kubernetes labels will be added as Prometheus labels on metrics via the | |
# `labelmap` relabeling action. | |
# Scrape config for API servers. | |
# | |
# Kubernetes exposes API servers as endpoints to the default/kubernetes | |
# service so this uses `endpoints` role and uses relabelling to only keep | |
# the endpoints associated with the default/kubernetes service using the | |
# default named port `https`. This works for single API server deployments as | |
# well as HA API server deployments. | |
scrape_configs: | |
- job_name: 'kubernetes-apiservers' | |
kubernetes_sd_configs: | |
- role: endpoints | |
# Default to scraping over https. If required, just disable this or change to | |
# `http`. | |
scheme: https | |
# This TLS & bearer token file config is used to connect to the actual scrape | |
# endpoints for cluster components. This is separate to discovery auth | |
# configuration because discovery & scraping are two separate concerns in | |
# Prometheus. The discovery auth config is automatic if Prometheus runs inside | |
# the cluster. Otherwise, more config options have to be provided within the | |
# <kubernetes_sd_config>. | |
tls_config: | |
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | |
# If your node certificates are self-signed or use a different CA to the | |
# master CA, then disable certificate verification below. Note that | |
# certificate verification is an integral part of a secure infrastructure | |
# so this should only be disabled in a controlled environment. You can | |
# disable certificate verification by uncommenting the line below. | |
# | |
# insecure_skip_verify: true | |
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token | |
# Keep only the default/kubernetes service endpoints for the https port. This | |
# will add targets for each API server which Kubernetes adds an endpoint to | |
# the default/kubernetes service. | |
relabel_configs: | |
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] | |
action: keep | |
regex: default;kubernetes;https | |
- job_name: 'kubernetes-nodes' | |
# Default to scraping over https. If required, just disable this or change to | |
# `http`. | |
scheme: https | |
# This TLS & bearer token file config is used to connect to the actual scrape | |
# endpoints for cluster components. This is separate to discovery auth | |
# configuration because discovery & scraping are two separate concerns in | |
# Prometheus. The discovery auth config is automatic if Prometheus runs inside | |
# the cluster. Otherwise, more config options have to be provided within the | |
# <kubernetes_sd_config>. | |
tls_config: | |
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | |
# If your node certificates are self-signed or use a different CA to the | |
# master CA, then disable certificate verification below. Note that | |
# certificate verification is an integral part of a secure infrastructure | |
# so this should only be disabled in a controlled environment. You can | |
# disable certificate verification by uncommenting the line below. | |
# | |
# insecure_skip_verify: true | |
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token | |
kubernetes_sd_configs: | |
- role: node | |
relabel_configs: | |
- action: labelmap | |
regex: __meta_kubernetes_node_label_(.+) | |
# Scrape config for service endpoints. | |
# | |
# The relabeling allows the actual service scrape endpoint to be configured | |
# via the following annotations: | |
# | |
# * `prometheus.io/scrape`: Only scrape services that have a value of `true` | |
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need | |
# to set this to `https` & most likely set the `tls_config` of the scrape config. | |
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this. | |
# * `prometheus.io/port`: If the metrics are exposed on a different port to the | |
# service then set this appropriately. | |
- job_name: 'kubernetes-service-endpoints' | |
tls_config: | |
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | |
# TODO: this should be per target | |
insecure_skip_verify: true | |
kubernetes_sd_configs: | |
- role: endpoints | |
relabel_configs: | |
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] | |
action: keep | |
regex: true | |
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] | |
action: replace | |
target_label: __scheme__ | |
regex: (https?) | |
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] | |
action: replace | |
target_label: __metrics_path__ | |
regex: (.+) | |
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] | |
action: replace | |
target_label: __address__ | |
regex: (.+)(?::\d+);(\d+) | |
replacement: $1:$2 | |
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_username] | |
action: replace | |
target_label: __basic_auth_username__ | |
regex: (.+) | |
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_password] | |
action: replace | |
target_label: __basic_auth_password__ | |
regex: (.+) | |
- action: labelmap | |
regex: __meta_kubernetes_service_label_(.+) | |
- source_labels: [__meta_kubernetes_namespace] | |
action: replace | |
target_label: kubernetes_namespace | |
- source_labels: [__meta_kubernetes_service_name] | |
action: replace | |
target_label: kubernetes_name |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment