feat(chart): harden and add prometheus support

bergerx · Oct 10, 2019 · 879e34b · 879e34b
1 parent df34775
commit 879e34b
Show file tree

Hide file tree

Showing 11 changed files with 234 additions and 9 deletions.
diff --git a/charts/tillerless-helm-release-exporter/templates/NOTES.txt b/charts/tillerless-helm-release-exporter/templates/NOTES.txt
@@ -1,4 +1,10 @@
+tillerless-helm-release-exporter is a simple service that queries the Secrets and ConfigMaps in all namespaces and generates metrics about the helm releases.
+The exposed metrics can be found here:
+https://github.com/bergerx/tillerless-helm-release-exporter/#collected-metrics
+
+The metrics are exported on the HTTP endpoint /metrics on the listening port.
+In your case, {{ template "tillerless-helm-release-exporter.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}/metrics
+
 Get the application URL by running these commands:
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "tillerless-helm-release-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
+  kubectl port-forward -n {{ .Release.Namespace }} svc/{{ template "tillerless-helm-release-exporter.fullname" . }} 8080:80
diff --git a/charts/tillerless-helm-release-exporter/templates/_helpers.tpl b/charts/tillerless-helm-release-exporter/templates/_helpers.tpl
@@ -43,3 +43,15 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "tillerless-helm-release-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "tillerless-helm-release-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/tillerless-helm-release-exporter/templates/clusterrole.yaml b/charts/tillerless-helm-release-exporter/templates/clusterrole.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - secrets
+      - namespaces
+    verbs:
+      - get
+      - list
+{{- end -}}
diff --git a/charts/tillerless-helm-release-exporter/templates/clusterrolebinding.yaml b/charts/tillerless-helm-release-exporter/templates/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "tillerless-helm-release-exporter.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "tillerless-helm-release-exporter.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
+
+
diff --git a/charts/tillerless-helm-release-exporter/templates/deployment.yaml b/charts/tillerless-helm-release-exporter/templates/deployment.yaml
@@ -24,20 +24,32 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            readOnlyRootFilesystem: {{ .Values.readOnlyRootFilesystem }}
+            runAsNonRoot: {{ .Values.runAsNonRoot  }}
+            runAsUser: {{ .Values.runAsUser }}
+          args:
+          {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 12 }}
+          {{- end }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /
+              path: /healthz
+              periodSeconds: 1
               port: http
           readinessProbe:
             httpGet:
-              path: /
+              path: /healthz
+              periodSeconds: 1
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      serviceAccount: {{ template "tillerless-helm-release-exporter.fullname" . }}
+      serviceAccountName: {{ template "tillerless-helm-release-exporter.fullname" . }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/tillerless-helm-release-exporter/templates/podsecuritypolicy.yaml b/charts/tillerless-helm-release-exporter/templates/podsecuritypolicy.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+{{- if .Values.podSecurityPolicy.annotations }}
+  annotations:
+{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'secret'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/tillerless-helm-release-exporter/templates/psp-clusterrole.yaml b/charts/tillerless-helm-release-exporter/templates/psp-clusterrole.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+rules:
+- apiGroups: ['extensions']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "tillerless-helm-release-exporter.fullname" . }}
+{{- end -}}
diff --git a/charts/tillerless-helm-release-exporter/templates/psp-clusterrolebinding.yaml b/charts/tillerless-helm-release-exporter/templates/psp-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp-{{ template "tillerless-helm-release-exporter.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "tillerless-helm-release-exporter.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+
diff --git a/charts/tillerless-helm-release-exporter/templates/serviceaccount.yaml b/charts/tillerless-helm-release-exporter/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "tillerless-helm-release-exporter.fullname" . }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+imagePullSecrets:
+{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }}
+{{- end -}}
+
diff --git a/charts/tillerless-helm-release-exporter/templates/servicemonitor.yaml b/charts/tillerless-helm-release-exporter/templates/servicemonitor.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "tillerless-helm-release-exporter.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }}
+    {{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - port: http
+      interval: {{ .Values.serviceMonitor.scrapeInterval }}
+      {{- if .Values.serviceMonitor.honorLabels }}
+      honorLabels: true
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "tillerless-helm-release-exporter.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/tillerless-helm-release-exporter/values.yaml b/charts/tillerless-helm-release-exporter/values.yaml
@@ -5,8 +5,8 @@
 replicaCount: 1
 
 image:
-  repository: tillerless-helm-release-exporter
-  tag: v1.0.1
+  repository: bergerx/tillerless-helm-release-exporter
+  tag: df34775
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
@@ -16,6 +16,36 @@ fullnameOverride: ""
 service:
   type: ClusterIP
   port: 80
+  annotations: {}
+
+metrics:
+  # Enable prometheus native scrape metrics
+  enabled: false
+  # prometheus.io/scrape: "true"
+  # prometheus.io/port: "10254"
+
+serviceMonitor:
+  # Create a ServiceMonitor so prometheus-operator can scrape metrics
+  enabled: false
+  additionalLabels: {}
+  namespace: ""
+  scrapeInterval: 30s
+  # honorLabels: true
+
+rbac:
+  create: true
+
+podSecurityPolicy:
+  enabled: true
+  annotations: {}
+    ## Specify pod annotations
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+    ##
+    # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -30,7 +60,22 @@ resources: {}
   #   memory: 128Mi
 
 nodeSelector: {}
-
 tolerations: []
-
 affinity: {}
+
+runAsUser: 1000
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+
+extraArgs: []
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created, require rbac true
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+  # Reference to one or more secrets to be used when pulling images
+  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  imagePullSecrets: []
+