From b0a13dfa0acdef5c34ed0cb1897868eace83d751 Mon Sep 17 00:00:00 2001
From: Peter Pflaeging
Date: Thu, 30 Mar 2023 18:26:54 +0200
Subject: [PATCH] Enable external metrics for the cluster
---
 README.md | 13 +++++++++++++
 env.sh | 4 ++--
 get-metrics-reader-config.sh | 11 +++++++++++
 metrics-server/clusterrole.yaml | 9 +++++++++
 metrics-server/clusterrolebinding.yaml | 12 ++++++++++++
 metrics-server/install.sh | 5 +++++
 metrics-server/kustomization.yaml | 18 ++++++++++++++++++
 metrics-server/sa.yaml | 5 +++++
 metrics-server/secret.yaml | 8 ++++++++
 9 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100755 get-metrics-reader-config.sh
 create mode 100644 metrics-server/clusterrole.yaml
 create mode 100644 metrics-server/clusterrolebinding.yaml
 create mode 100644 metrics-server/install.sh
 create mode 100644 metrics-server/kustomization.yaml
 create mode 100644 metrics-server/sa.yaml
 create mode 100644 metrics-server/secret.yaml
diff --git a/README.md b/README.md
index 9c57b67..f3ea1dd 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,19 @@ The dashboard is always listening on port 32443 with SSL and a private certifica
+## Getting Prometheus metric for an external monitoring
+
+You must rollout the component `metrics-server` (enable this in `env.sh`).
+
+After this you get the config by executing `./get-metrics-reader-config.sh`.
+
+The config makes a:
+
+- ServiceAccount
+- ClusterRole
+- Rolebinding
+- Bearer Token to access the metrics via the API
+
 ## Getting login info for your cluster You can copy the admin.conf in your local kube environment. As normal user:
diff --git a/env.sh b/env.sh
index 8833df0..72030fa 100644
--- a/env.sh
+++ b/env.sh
@@ -10,5 +10,5 @@ WILDCARD_INGRESS=gubernat1.pflaeging.net MYIP=192.168.254.130 # all components:
-# cert-manager contour-ingress kubernetes-dashboard local-storage
-COMPONENTS="contour-ingress kubernetes-dashboard local-storage"
\ No newline at end of file
+# cert-manager contour-ingress kubernetes-dashboard local-storage metrics-server
+COMPONENTS="contour-ingress kubernetes-dashboard local-storage metrics-server"
\ No newline at end of file
diff --git a/get-metrics-reader-config.sh b/get-metrics-reader-config.sh
new file mode 100755
index 0000000..c9d0317
--- /dev/null
+++ b/get-metrics-reader-config.sh
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+# get ip address
+HOSTNAME=`hostname`
+# get token for pre-defined admin-user
+TOKEN=$(kubectl get secret metrics-reader -n kube-system -o jsonpath='{.data.token}' | base64 -d)
+
+echo To access metrics:
+echo
+echo TOKEN=$TOKEN
+echo curl -vv -k https://$HOSTNAME:6443/metrics --header \"Authorization: Bearer \$TOKEN\"
diff --git a/metrics-server/clusterrole.yaml b/metrics-server/clusterrole.yaml
new file mode 100644
index 0000000..7daca33
--- /dev/null
+++ b/metrics-server/clusterrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/metrics-server/clusterrolebinding.yaml b/metrics-server/clusterrolebinding.yaml
new file mode 100644
index 0000000..16c08a4
--- /dev/null
+++ b/metrics-server/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: metrics-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-reader
+ namespace: kube-system
diff --git a/metrics-server/install.sh b/metrics-server/install.sh
new file mode 100644
index 0000000..f2a644b
--- /dev/null
+++ b/metrics-server/install.sh
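Review bot: The curl command printed on the last line of get-metrics-reader-config.sh uses `-k`, so whoever runs it sends the bearer token to whatever answers on port 6443 without verifying the API server certificate; print `--cacert <cluster-ca.crt>` (placeholder path) in place of `-k` so the check stays on. The script also prints the raw token with an unquoted `echo TOKEN=$TOKEN`, which leaves it in terminal scrollback and any captured output, and there is no exit-status check, so a failed `kubectl get secret` yields an empty `TOKEN=` with no error. The two comments are stale: `# get ip address` sits above a `hostname` call, and `# get token for pre-defined admin-user` reads the `metrics-reader` secret; suggested wording is `# get host name of this node` and `# get token of the metrics-reader service account`.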
@@ -0,0 +1,5 @@
+#! /bin/sh
+
+. ../env.sh
+
+kubectl apply -k .
\ No newline at end of file
diff --git a/metrics-server/kustomization.yaml b/metrics-server/kustomization.yaml
new file mode 100644
index 0000000..3d1b78a
--- /dev/null
+++ b/metrics-server/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+- sa.yaml
+- clusterrole.yaml
+- clusterrolebinding.yaml
+- secret.yaml
+
+patches:
+ - target:
+ kind: Deployment
+ name: metrics-server
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --kubelet-insecure-tls
diff --git a/metrics-server/sa.yaml b/metrics-server/sa.yaml
new file mode 100644
index 0000000..94f8e0f
--- /dev/null
+++ b/metrics-server/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-reader
+ namespace: kube-system
diff --git a/metrics-server/secret.yaml b/metrics-server/secret.yaml
new file mode 100644
index 0000000..be667bd
--- /dev/null
+++ b/metrics-server/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: metrics-reader
+ name: metrics-reader
+ namespace: kube-system
+type: kubernetes.io/service-account-token
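Review bot: The first entry under `resources:` in metrics-server/kustomization.yaml fetches `releases/latest/download/components.yaml`, so each `kubectl apply -k .` may roll out a different, unreviewed upstream manifest; pin it to a fixed release, `.../releases/download/<reviewed-version>/components.yaml`, or vendor the file into the repository. The JSON patch appends `--kubelet-insecure-tls`, which makes metrics-server skip verification of the kubelets' serving certificates. If that is needed because the kubelets use self-signed serving certificates, say so in a comment above the patch, for example `# kubelet serving certs are self-signed here; remove once they are signed by the cluster CA`. The patch path also assumes container index 0 and an existing `args` list, which an unpinned upstream manifest can change without notice.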
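Review bot: The `kubernetes.io/service-account-token` Secret in metrics-server/secret.yaml produces a token that does not expire, and get-metrics-reader-config.sh hands that token out for use outside the cluster, yet nothing in the commit says how to rotate or revoke it. Add a comment at the top of the manifest such as `# long-lived token: delete this Secret to revoke, re-apply to reissue`. If the external monitoring system can refresh its credential, a time-bound token from `kubectl create token metrics-reader -n kube-system --duration=<lifetime>` avoids the standing secret altogether. The ClusterRole bound to this account only allows `get` on `/metrics`, which limits what a leaked token can reach.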