feat(chart): harden and add prometheus support
bergerx committed Oct 10, 2019
1 parent df34775 commit 879e34b
Showing 11 changed files with 234 additions and 9 deletions.
10 changes: 8 additions & 2 deletions charts/tillerless-helm-release-exporter/templates/NOTES.txt
@@ -1,4 +1,10 @@
tillerless-helm-release-exporter is a simple service that queries the Secrets and ConfigMaps in all namespaces and generates metrics about the helm releases.
The exposed metrics can be found here:
https://github.com/bergerx/tillerless-helm-release-exporter/#collected-metrics

The metrics are exported on the HTTP endpoint /metrics on the listening port.
In your case, {{ template "tillerless-helm-release-exporter.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}/metrics

Get the application URL by running these commands:
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "tillerless-helm-release-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
kubectl port-forward -n {{ .Release.Namespace }} svc/{{ template "tillerless-helm-release-exporter.fullname" . }} 8080:80
12 changes: 12 additions & 0 deletions charts/tillerless-helm-release-exporter/templates/_helpers.tpl
Expand Up @@ -43,3 +43,15 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Create the name of the service account to use
*/}}
{{- define "tillerless-helm-release-exporter.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "tillerless-helm-release-exporter.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

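--- a/charts/tillerless-helm-release-exporter/templates/clusterrole.yaml
+++ b/charts/tillerless-helm-release-exporter/templates/clusterrole.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+name: {{ include "tillerless-helm-release-exporter.fullname" . }}
+labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+rules:
+- apiGroups:
+- ""
+resources:
+- configmaps
+- secrets
+- namespaces
+verbs:
+- get
+- list
+{{- end -}}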
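Review bot: `{{- if and .Values.rbac.create -}}` on the first line passes a single operand to `and`, which renders correctly but reads as a leftover from a two-condition check; `{{- if .Values.rbac.create -}}` is the form the ClusterRoleBinding in this commit uses. The object is declared as `rbac.authorization.k8s.io/v1beta1` while the PSP ClusterRole and ClusterRoleBinding added in the same commit use `rbac.authorization.k8s.io/v1`; the v1 RBAC API has been stable since Kubernetes 1.8 and v1beta1 is on a deprecation path, so `apiVersion: rbac.authorization.k8s.io/v1` keeps the chart consistent. Because the rule grants `get`/`list` on every Secret in the cluster, a one-line comment above `rules:` stating that cluster-wide Secret and ConfigMap read is required to find Helm release storage in all namespaces (the behaviour NOTES.txt describes) would document the blast radius for anyone reviewing the rendered manifests.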
@@ -0,0 +1,18 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ include "tillerless-helm-release-exporter.fullname" . }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "tillerless-helm-release-exporter.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "tillerless-helm-release-exporter.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}


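Review bot: The subject `name:` under `subjects:` is `{{ template "tillerless-helm-release-exporter.fullname" . }}`, and so are the `serviceAccountName:` line in deployment.yaml, the subject in the PSP ClusterRoleBinding and the `name:` in serviceaccount.yaml, which means the `tillerless-helm-release-exporter.serviceAccountName` helper this commit adds to _helpers.tpl is never called and `serviceAccount.name` is silently ignored; with `serviceAccount.create: false` the Deployment still references a ServiceAccount named after the release that nothing creates, so pod creation fails. Using `name: {{ template "tillerless-helm-release-exporter.serviceAccountName" . }}` in all four places keeps them in agreement with the values. Note that the helper falls back to `default` when `serviceAccount.create` is false and no name is given, so after that change such a configuration would bind cluster-wide Secret read to the namespace's default ServiceAccount; failing the render with `required` in that case, or documenting the expectation in values.yaml, is worth considering. The file is also `rbac.authorization.k8s.io/v1beta1` where `v1` would match the PSP RBAC objects in this commit.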
18 changes: 15 additions & 3 deletions charts/tillerless-helm-release-exporter/templates/deployment.yaml
Expand Up @@ -24,20 +24,32 @@ spec:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
readOnlyRootFilesystem: {{ .Values.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.runAsNonRoot }}
runAsUser: {{ .Values.runAsUser }}
args:
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 12 }}
{{- end }}
ports:
- name: http
containerPort: 80
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /
path: /healthz
periodSeconds: 1
port: http
readinessProbe:
httpGet:
path: /
path: /healthz
periodSeconds: 1
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
serviceAccount: {{ template "tillerless-helm-release-exporter.fullname" . }}
serviceAccountName: {{ template "tillerless-helm-release-exporter.fullname" . }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
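Review bot: The container `securityContext:` added here sets `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser` but not `allowPrivilegeEscalation: false` or a capability drop; in this commit those are enforced only by the PodSecurityPolicy, which takes effect only on clusters running the PSP admission plugin with `podSecurityPolicy.enabled`, so adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` directly under the container context hardens the pod regardless of cluster policy. The `serviceAccount:` line is a deprecated alias of `serviceAccountName:` and can be dropped. `periodSeconds: 1` on the liveness probe, with the Kubernetes default `failureThreshold` of 3, restarts the container after roughly three seconds of slow `/healthz` responses; a longer period or an explicit `failureThreshold` is safer for a service whose work is cluster-wide list calls. The Deployment spec begins and ends outside this hunk.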
@@ -0,0 +1,44 @@
{{- if .Values.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "tillerless-helm-release-exporter.fullname" . }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
{{- end }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
volumes:
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
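Review bot: `readOnlyRootFilesystem: false` at the end of the spec makes a read-only root filesystem optional, while values.yaml in this commit defaults the container to `readOnlyRootFilesystem: true` and the policy's own comments describe a defense-in-depth posture; `readOnlyRootFilesystem: true` would have the policy enforce what the chart already configures. The opening `{{- if .Values.podSecurityPolicy.enabled }}` lacks the trailing `-}}` that the other new templates use, which leaves a blank line at the top of the rendered document; harmless, but inconsistent. The comment above `requiredDropCapabilities:` explains its intent well; a similar one-line comment above `volumes:` saying why only `secret` is permitted would help readers of the policy.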
@@ -0,0 +1,14 @@
{{- if .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "tillerless-helm-release-exporter.fullname" . }}
{{- end -}}
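Review bot: `apiGroups: ['extensions']` grants `use` on podsecuritypolicies in the `extensions` group, but the PodSecurityPolicy in this commit is created as `policy/v1beta1`; from Kubernetes 1.16 the `extensions/v1beta1` PSP API is no longer served and the `use` authorization is checked against the `policy` group, so on such clusters this binding would not authorise the pod's ServiceAccount and admission would reject the pod. `apiGroups: ['extensions', 'policy']` covers both older and current clusters. `resourceNames:` uses `template` while the `metadata.name` line uses `include`; either works, but one form throughout the file reads better.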
@@ -0,0 +1,17 @@
{{- if .Values.podSecurityPolicy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp-{{ template "tillerless-helm-release-exporter.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "tillerless-helm-release-exporter.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

@@ -0,0 +1,11 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "tillerless-helm-release-exporter.fullname" . }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
imagePullSecrets:
{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }}
{{- end -}}

@@ -0,0 +1,28 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "tillerless-helm-release-exporter.fullname" . }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- end }}
labels:
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
spec:
endpoints:
- port: http
interval: {{ .Values.serviceMonitor.scrapeInterval }}
{{- if .Values.serviceMonitor.honorLabels }}
honorLabels: true
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "tillerless-helm-release-exporter.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
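Review bot: `interval: {{ .Values.serviceMonitor.scrapeInterval }}` and `namespace: {{ .Values.serviceMonitor.namespace }}` render their values unquoted, so the default `30s` is fine but a numeric or boolean-looking override would render as a non-string and fail ServiceMonitor validation; `interval: {{ .Values.serviceMonitor.scrapeInterval | quote }}` removes that dependency on how the value is spelled. `honorLabels: true` is only emitted when the value is truthy, which is consistent with the commented-out default in values.yaml but means an explicit `false` cannot be expressed; rendering `honorLabels: {{ .Values.serviceMonitor.honorLabels }}` unconditionally would be simpler if that matters.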
53 changes: 49 additions & 4 deletions charts/tillerless-helm-release-exporter/values.yaml
Expand Up @@ -5,8 +5,8 @@
replicaCount: 1

image:
repository: tillerless-helm-release-exporter
tag: v1.0.1
repository: bergerx/tillerless-helm-release-exporter
tag: df34775
pullPolicy: IfNotPresent

imagePullSecrets: []
Expand All @@ -16,6 +16,36 @@ fullnameOverride: ""
service:
type: ClusterIP
port: 80
annotations: {}

metrics:
# Enable prometheus native scrape metrics
enabled: false
# prometheus.io/scrape: "true"
# prometheus.io/port: "10254"

serviceMonitor:
# Create a ServiceMonitor so prometheus-operator can scrape metrics
enabled: false
additionalLabels: {}
namespace: ""
scrapeInterval: 30s
# honorLabels: true

rbac:
create: true

podSecurityPolicy:
enabled: true
annotations: {}
## Specify pod annotations
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
##
# seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
# seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
Expand All @@ -30,7 +60,22 @@ resources: {}
# memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

runAsUser: 1000
readOnlyRootFilesystem: true
runAsNonRoot: true

extraArgs: []

serviceAccount:
# Specifies whether a ServiceAccount should be created, require rbac true
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
# Reference to one or more secrets to be used when pulling images
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []

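Review bot: `service.annotations: {}` and the `metrics:` block (`enabled: false` plus commented `prometheus.io/*` annotations) are added, but no template shown in this diff references `.Values.metrics` or `.Values.service.annotations` and service.yaml is not among the changed files, so these keys appear to have no effect yet; either wire them into the Service template or hold them until they do. `name:` under `serviceAccount:` is a bare key that parses as null, which `default` handles, but `name: ""` is the conventional spelling and keeps linters quiet. The comment `require rbac true` would read better as `requires rbac.create to be true`, and since the templates in this commit hard-code the ServiceAccount name, it should also say that `serviceAccount.name` is currently not honoured. `tag: df34775` is safe as written, but an all-digit future tag would parse as an integer, so quoting image tags (`tag: "df34775"`) is a small robustness gain.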