Kube prom stack 33.2.0 (#266)

terraform-modules/aws/helm/istio-kiali/main.tf

@@ -0,0 +1,15 @@
+resource "helm_release" "helm_chart" {
+  chart            = "kiali-operator"
+  namespace        = var.namespace
+  create_namespace = "true"
+  name             = var.chart_name
+  version          = var.helm_version
+  verify           = var.verify
+  repository       = "https://kiali.org/helm-charts"
+
+  values = [
+    file("${path.module}/values.yaml"),
+    var.helm_values,
+  ]
+
+}

terraform-modules/aws/helm/istio-kiali/values.yaml

@@ -0,0 +1,44 @@
+# CR spec: https://kiali.io/docs/configuration/kialis.kiali.io/
+cr:
+  create: true
+  namespace: istio-system
+
+  # Kiali operator CRD spec/config
+  # the CRD kind is "Kiali"
+  spec:
+    auth:
+      strategy: anonymous
+
+    external_services:
+      prometheus:
+        # Prometheus service name is "metrics" and is in the "telemetry" namespace
+        url: "http://prometheus-operated.monitoring.svc:9090/"
+
+    deployment:
+      ingress:
+        # default: additional_labels is empty
+        additional_labels:
+          ingressAdditionalLabel: "ingressAdditionalLabelValue"
+        class_name: "istio"
+        # default: enabled is undefined
+        enabled: true
+        # default: override_yaml is undefined
+        override_yaml:
+          metadata:
+            annotations:
+              kubernetes.io/ingress.class: istio
+          spec:
+            rules:
+            - host: "kiali.kubernetes-ops.com"
+              http:
+                paths:
+                - path: "/kiali"
+                  pathType: Prefix
+                  backend:
+                    service:
+                      name: kiali
+                      port:
+                        number: 20001
+            tls:
+            - hosts:
+              - "kiali.kubernetes-ops.com"

terraform-modules/aws/helm/istio-kiali/variables.tf

@@ -0,0 +1,29 @@
+variable helm_version {
+  type        = string
+  default     = "1.47.0"
+  description = "Helm chart version"
+}
+
+variable verify {
+  type        = bool
+  default     = false
+  description = "Verify the helm download"
+}
+
+variable namespace {
+  type        = string
+  default     = "kiali-operator"
+  description = "Namespace to install in"
+}
+
+variable chart_name {
+  type        = string
+  default     = "kiali-operator"
+  description = "Name to set the helm deployment to"
+}
+
+variable helm_values {
+  type        = string
+  default     = ""
+  description = "Additional helm values to pass in.  These values would override the default in this module."
+}

terraform-modules/aws/helm/kube-prometheus-stack/README.md

@@ -1,3 +1,84 @@
 # helm chart - kube-prometheus-stack
 
 Chart source: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
+
+## AlertManager Receiver configuration
+You can use the helm `values.yaml` file to configure the AlertManager's configs.  One problem with this
+is that you have to commit the "receiver's" secret into git.  For example, like the Slack URL or the
+Pager Duty's key.
+
+An alternative way is to leave these receivers out of the helm `values.yaml` file and create the
+AlertManager's CR (custom resource).
+
+You can use the `../../kubernetes/menifest` module to apply arbitrary Kubernetes yamls to the cluster.
+
+You can create the `AlertmanagerConfig` CR to send alerts to slack:
+```
+# example: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/alerting.md#alertmanagerconfig-resource
+# API doc: 
+# * https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md
+# * https://prometheus-operator.dev/docs/operator/api/#table-of-contents
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alert-config
+  namespace: monitoring
+  labels:
+    # This label has to match the `alertmanagerConfigSelector` config on what that is set to
+    release: kube-prometheus-stack
+spec:
+  # doc: https://prometheus.io/docs/alerting/latest/configuration/#route
+  route:
+    groupBy: ['job', 'severity']
+    groupWait: 30s
+    groupInterval: 5m
+    repeatInterval: 12h
+    receiver: 'slack-${account_name}'
+    matchers:
+      ## Label to match.
+    - name: severity
+      ## Label value to match.
+      value: critical
+      ## Match type: !=, =, =~, !~
+      ## Match operation available with AlertManager >= v0.22.0 and takes precedence over Regex (deprecated) if non-empty.
+      # matchType: "="
+      ## true | False - deprecated
+      # regex: false
+  receivers:
+  # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#slackconfig
+  - name: 'slack-${account_name}'
+    slackConfigs:
+    - apiURL:
+        # A kubernetes secret
+        name: 'slack-key'
+        key: 'key'
+      sendResolved: true
+      channel: ${channel_name}
+      username: prom-${account_name}
+      title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+      titleLink: https://alertmanager.${domain_name}
+      text: |-
+          {{ range .Alerts }}
+              Annotations:
+              {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+              {{ end }}
+              Details:
+              {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+              {{ end }}
+          {{ end }}
+
+# # Kubernetes Secret format
+# ---
+# apiVersion: v1
+# kind: Secret
+# type: Opaque
+# metadata:
+#   name: slack-key
+#   namespace: monitoring
+# data:
+#   key: <base64 encoded Slack URL>
+```
+
+You can then place the secret into AWS Secrets and use the `../../external-secrets` module to 
+sync the secret for this CR to use.  By going this route (which is way more work), you don't
+have to commit the secret into git.

terraform-modules/aws/helm/kube-prometheus-stack/values.yaml

@@ -43,10 +43,136 @@ grafana:
       kubernetes.io/ingress.class: istio
     hosts:
     - grafana.kubernetes-ops.com
+  # nodeSelector:
+  #   app-type: my-app
+  # tolerations:
+  # - key: "app-type"
+  #   operator: "Equal"
+  #   value: "my-app"
+  #   effect: "NoSchedule"
+
+
+## Configuration for alertmanager
+## ref: https://prometheus.io/docs/alerting/alertmanager/
+##
+alertmanager:
+
+  ingress:
+    enabled: false
+
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: alertmanager.internal.managedkube.com
+      kubernetes.io/ingress.class: nginx-external
+      # certmanager.k8s.io/cluster-issuer: prod
+      # certmanager.k8s.io/acme-http01-edit-in-place: "true"
+
+    hosts:
+      - alertmanager.internal.managedkube.com
+
     tls:
-    - hosts:
-      - grafana.kubernetes-ops.com # This should match a DNS name in the Certificate
-      # secretName: domain-wildcard # This should match the Certificate secretName
+      - secretName: cert-manager-tls-cert
+        hosts:
+          - alertmanager.internal.managedkube.com
+        # secretName: domain-wildcard # This should match the Certificate secretName
+
+  ## Alertmanager configuration directives
+  ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file
+  ##      https://prometheus.io/webtools/alerting/routing-tree-editor/
+  ##
+  config:
+    route:
+      receiver: 'null'
+      routes:
+      - match:
+          alertname: Watchdog
+        receiver: 'null'
+      - match:
+          alertname: KubeControllerManagerDown
+        receiver: 'null'
+      - match:
+          alertname: KubeProxyDown
+        receiver: 'null'
+      - match:
+          alertname: KubeSchedulerDown
+        receiver: 'null'
+
+      # - match_re:
+      #     severity: critical|page|alert
+      #   receiver: slack-critical
+      #   continue: true
+      # - match:
+      #     severity: warning
+      #   receiver: slack-warning
+      #   continue: true
+      # - match_re:
+      #     severity: critical|page|alert
+      #   receiver: pagerduty-critical
+      #   continue: true
+
+    receivers:
+    - name: 'null'
+
+    ## Receiver config docs:
+    ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md
+    #
+    # - name: 'slack-tests'
+    #   slack_configs:
+    #   - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+    #     channel: kube-alerts
+    #     send_resolved: true
+    #     text: |-
+    #       {{ range .Alerts }}
+    #           Annotations:
+    #           {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+    #           {{ end }}
+    #           Details:
+    #           {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+    #           {{ end }}
+    #       {{ end }}
+    #     title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+    #     title_link: https://alertmanager.internal.managedkube.com
+    #     username: slack-test-dev-us
+
+    # - name: slack-critical
+    #   slack_configs:
+    #   - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+    #     channel: kube-alerts
+    #     send_resolved: true
+    #     text: |-
+    #       {{ range .Alerts }}
+    #           Annotations:
+    #           {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+    #           {{ end }}
+    #           Details:
+    #           {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+    #           {{ end }}
+    #       {{ end }}
+    #     title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+    #     title_link: https://alertmanager.internal.managedkube.com
+    #     username: slack-critical-dev-us
+
+    # - name: 'slack-warning'
+    #   slack_configs:
+    #   - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+    #     channel: kube-alerts
+    #     send_resolved: true
+    #     text: |-
+    #       {{ range .Alerts }}
+    #           Annotations:
+    #           {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+    #           {{ end }}
+    #           Details:
+    #           {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+    #           {{ end }}
+    #       {{ end }}
+    #     title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+    #     title_link: https://alertmanager.internal.managedkube.com
+    #     username: slack-warning-dev-us
+
+    # - name: 'pagerduty-critical'
+    #   pagerduty_configs:
+    #   - service_key: xxxxx
+
   additionalDataSources:
   - name: loki
     access: proxy
@@ -61,10 +187,10 @@ grafana:
     url: http://loki-stack:3100
     version: 1
 
-# Istio changes to not add the istio sidecar to the prometheus operator's addmission webhook patch
-# https://github.com/prometheus-community/helm-charts/issues/479#issuecomment-752709725
-prometheusOperator:
-  admissionWebhooks:
-    patch:
-      podAnnotations:
-        sidecar.istio.io/inject: "false"
+## Istio changes to not add the istio sidecar to the prometheus operator's addmission webhook patch
+## https://github.com/prometheus-community/helm-charts/issues/479#issuecomment-752709725
+# prometheusOperator:
+#   admissionWebhooks:
+#     patch:
+#       podAnnotations:
+#         sidecar.istio.io/inject: "false"

terraform-modules/aws/helm/kube-prometheus-stack/variables.tf

@@ -1,6 +1,6 @@
 variable helm_version {
   type        = string
-  default     = "19.0.2"
+  default     = "33.2.0"
   description = "Helm chart version"
 }
 

terraform-modules/aws/kubernetes/manifest/main.tf

@@ -0,0 +1,3 @@
+resource "kubernetes_manifest" "manifest" {
+  manifest = yamldecode(var.manifest)
+}

terraform-modules/aws/kubernetes/manifest/variables.tf

@@ -0,0 +1,14 @@
+variable "manifest" {
+  type        = string
+  default     = <<EOT
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: game-demo
+  namespace: foobar
+data:
+  # property-like keys; each key maps to a simple value
+  player_initial_lives: "3"
+EOT
+  description = "The yaml Kubernetes manifest to apply.  Can input via inline or from a file."
+}