chore(RHTAPWATCH-568): Add authentication to Service and ServiceMonitor
Signed-off-by: Kousalya Lakshmanan <[email protected]>
klakshma21 committed Feb 7, 2024
1 parent 1b291a2 commit 7b4e1b0
Showing 3 changed files with 116 additions and 46 deletions.
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- prometheus-exporter-service.yaml
- prometheus-exporter-service-monitor.yaml
images:
- name: exporter
newName: quay.io/redhat-appstudio/o11y
@@ -0,0 +1,56 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: metrics-reader
namespace: dummy-service-test
---
apiVersion: v1
kind: Secret
metadata:
name: metrics-reader
namespace: dummy-service-test
annotations:
kubernetes.io/service-account.name: metrics-reader
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: o11y-dummy-service-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-o11y-dummy-service-metrics-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: o11y-dummy-service-metrics-reader
subjects:
- kind: ServiceAccount
name: metrics-reader
namespace: dummy-service-test
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: o11y-dummy-service
namespace: dummy-service-test
spec:
endpoints:
- path: /metrics
port: https
scheme: https
bearerTokenSecret:
name: "metrics-reader"
key: token
tlsConfig:
insecureSkipVerify: true
selector:
matchLabels:
app: kube-rbac-proxy
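Review bot: `insecureSkipVerify: true` under `tlsConfig` in the ServiceMonitor endpoint means Prometheus presents the `metrics-reader` bearer token to whatever answers on the `https` port without checking its certificate. That token comes from a `kubernetes.io/service-account-token` Secret, so it does not expire, and the ClusterRoleBinding grants it `get` on the non-resource URL `/metrics` cluster-wide rather than for this service only, which raises the cost of it being captured. I would serve kube-rbac-proxy with a certificate from a CA the scraper can trust and replace the skip with verification, e.g. `ca: {configMap: {name: <ca-configmap>, key: <ca-key>}}` plus `serverName: kube-rbac-proxy.dummy-service-test.svc`. If skipping verification is deliberate because this is only a test fixture, a comment above the line saying so would keep it from being copied into real ServiceMonitors.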
@@ -1,95 +1,108 @@
# Example metrics-generating service for showcasing service monitor generation. Based on:
# https://github.com/brancz/kube-rbac-proxy/tree/master/examples/non-resource-url
apiVersion: v1
kind: Namespace
metadata:
name: appstudio-grafana-datasource-exporter
name: dummy-service-test
spec: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: exporter-sa
namespace: appstudio-grafana-datasource-exporter
name: kube-rbac-proxy
namespace: dummy-service-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: exporter-cluster-role
name: kube-rbac-proxy2
rules:
- apiGroups: ['grafana.integreatly.org']
resources: ['grafanas']
verbs: ["get"]
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
kind: ClusterRoleBinding
metadata:
name: exporter-cluster-role-binding
subjects:
- kind: ServiceAccount
name: exporter-sa
namespace: appstudio-grafana-datasource-exporter
name: kube-rbac-proxy2
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: exporter-cluster-role
name: kube-rbac-proxy2
subjects:
- kind: ServiceAccount
name: kube-rbac-proxy
namespace: dummy-service-test
---
apiVersion: v1
kind: Service
metadata:
name: exporter-service
namespace: appstudio-grafana-datasource-exporter
labels:
app: grafana-datasource-exporter
app: kube-rbac-proxy
name: kube-rbac-proxy
namespace: dummy-service-test
spec:
ports:
- name: http
port: 8090
targetPort: http
- name: https
port: 8443
targetPort: https
selector:
app: grafana-datasource-exporter
app: kube-rbac-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: exporter-service-deployment
namespace: appstudio-grafana-datasource-exporter
name: kube-rbac-proxy
namespace: dummy-service-test
spec:
replicas: 1
selector:
matchLabels:
app: grafana-datasource-exporter
app: kube-rbac-proxy
template:
metadata:
labels:
app: grafana-datasource-exporter
app: kube-rbac-proxy
spec:
serviceAccountName: exporter-sa
serviceAccountName: kube-rbac-proxy
containers:
- name: grafana-datasource-exporter
image: exporter:latest
- name: kube-rbac-proxy
image: quay.io/brancz/kube-rbac-proxy:v0.14.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=https://127.0.0.1:8090/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8090
name: http
- containerPort: 8443
name: https
resources:
limits:
cpu: 100m
memory: 100Mi
memory: 200Mi
requests:
cpu: 100m
memory: 10Mi
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: example-app
image: quay.io/redhat-appstudio/o11y
args:
- "--bind=127.0.0.1:8090"
resources:
limits:
cpu: 100m
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: metrics-reader-test
namespace: appstudio-grafana-datasource-exporter
spec:
endpoints:
- path: /metrics
port: http
scheme: http
selector:
matchLabels:
app: grafana-datasource-exporter
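Review bot: The new `example-app` container uses `image: quay.io/redhat-appstudio/o11y` with no tag or digest, and that name no longer matches the kustomization's `images:` entry (`name: exporter`), which the previous `image: exporter:latest` did. Any tag or digest that entry sets (the rest of it is outside the visible hunk) therefore appears to stop applying, and the pod would pull whatever `latest` currently is. Keeping `image: exporter` in the manifest, or pinning `quay.io/redhat-appstudio/o11y@sha256:<digest>`, would keep the deployed image reproducible. Separately, `--v=10` on kube-rbac-proxy is debug-level logging on the component that handles bearer tokens, so it is worth confirming what it logs per request, or lowering it, before this manifest is reused outside a test namespace. `example-app` also lacks the `allowPrivilegeEscalation: false` that the proxy container sets.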
