-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(chart): harden and add prometheus support
- Loading branch information
Showing
11 changed files
with
234 additions
and
9 deletions.
There are no files selected for viewing
10 changes: 8 additions & 2 deletions
10
charts/tillerless-helm-release-exporter/templates/NOTES.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,10 @@ | ||
tillerless-helm-release-exporter is a simple service that queries the Secrets and ConfigMaps in all namespaces and generates metrics about the helm releases. | ||
The exposed metrics can be found here: | ||
https://github.com/bergerx/tillerless-helm-release-exporter/#collected-metrics | ||
|
||
The metrics are exported on the HTTP endpoint /metrics on the listening port. | ||
In your case, {{ template "tillerless-helm-release-exporter.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}/metrics | ||
|
||
Get the application URL by running these commands: | ||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "tillerless-helm-release-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") | ||
echo "Visit http://127.0.0.1:8080 to use your application" | ||
kubectl port-forward $POD_NAME 8080:80 | ||
kubectl port-forward -n {{ .Release.Namespace }} svc/{{ template "tillerless-helm-release-exporter.fullname" . }} 8080:80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
charts/tillerless-helm-release-exporter/templates/clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{{- if and .Values.rbac.create -}} | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
- secrets | ||
- namespaces | ||
verbs: | ||
- get | ||
- list | ||
{{- end -}} |
18 changes: 18 additions & 0 deletions
18
charts/tillerless-helm-release-exporter/templates/clusterrolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{{- if .Values.rbac.create -}} | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ include "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
{{- end -}} | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
44 changes: 44 additions & 0 deletions
44
charts/tillerless-helm-release-exporter/templates/podsecuritypolicy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
{{- if .Values.podSecurityPolicy.enabled }} | ||
apiVersion: policy/v1beta1 | ||
kind: PodSecurityPolicy | ||
metadata: | ||
name: {{ include "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
{{- if .Values.podSecurityPolicy.annotations }} | ||
annotations: | ||
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} | ||
{{- end }} | ||
spec: | ||
privileged: false | ||
# Required to prevent escalations to root. | ||
allowPrivilegeEscalation: false | ||
# This is redundant with non-root + disallow privilege escalation, | ||
# but we can provide it for defense in depth. | ||
requiredDropCapabilities: | ||
- ALL | ||
volumes: | ||
- 'secret' | ||
hostNetwork: false | ||
hostIPC: false | ||
hostPID: false | ||
runAsUser: | ||
# Require the container to run without root privileges. | ||
rule: 'MustRunAsNonRoot' | ||
seLinux: | ||
# This policy assumes the nodes are using AppArmor rather than SELinux. | ||
rule: 'RunAsAny' | ||
supplementalGroups: | ||
rule: 'MustRunAs' | ||
ranges: | ||
# Forbid adding the root group. | ||
- min: 1 | ||
max: 65535 | ||
fsGroup: | ||
rule: 'MustRunAs' | ||
ranges: | ||
# Forbid adding the root group. | ||
- min: 1 | ||
max: 65535 | ||
readOnlyRootFilesystem: false | ||
{{- end }} |
14 changes: 14 additions & 0 deletions
14
charts/tillerless-helm-release-exporter/templates/psp-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
{{- if .Values.podSecurityPolicy.enabled -}} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: ['extensions'] | ||
resources: ['podsecuritypolicies'] | ||
verbs: ['use'] | ||
resourceNames: | ||
- {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
{{- end -}} |
17 changes: 17 additions & 0 deletions
17
charts/tillerless-helm-release-exporter/templates/psp-clusterrolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
{{- if .Values.podSecurityPolicy.enabled -}} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: psp-{{ include "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: psp-{{ template "tillerless-helm-release-exporter.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
{{- end }} | ||
|
11 changes: 11 additions & 0 deletions
11
charts/tillerless-helm-release-exporter/templates/serviceaccount.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{{- if .Values.serviceAccount.create -}} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
imagePullSecrets: | ||
{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} | ||
{{- end -}} | ||
|
28 changes: 28 additions & 0 deletions
28
charts/tillerless-helm-release-exporter/templates/servicemonitor.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
{{- if .Values.serviceMonitor.enabled }} | ||
apiVersion: monitoring.coreos.com/v1 | ||
kind: ServiceMonitor | ||
metadata: | ||
name: {{ template "tillerless-helm-release-exporter.fullname" . }} | ||
{{- if .Values.serviceMonitor.namespace }} | ||
namespace: {{ .Values.serviceMonitor.namespace }} | ||
{{- end }} | ||
labels: | ||
{{ include "tillerless-helm-release-exporter.labels" . | indent 4 }} | ||
{{- if .Values.serviceMonitor.additionalLabels }} | ||
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }} | ||
{{- end }} | ||
spec: | ||
endpoints: | ||
- port: http | ||
interval: {{ .Values.serviceMonitor.scrapeInterval }} | ||
{{- if .Values.serviceMonitor.honorLabels }} | ||
honorLabels: true | ||
{{- end }} | ||
namespaceSelector: | ||
matchNames: | ||
- {{ .Release.Namespace }} | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: {{ include "tillerless-helm-release-exporter.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters