From e1ea3fb2c6f16779cdaefda0d78ca7a649e13d31 Mon Sep 17 00:00:00 2001 From: klakshma21 Date: Fri, 19 Jan 2024 05:15:04 +0530 Subject: [PATCH] chore(RHTAPWATCH-568): Add authentication to Service and ServiceMonitor Signed-off-by: Kousalya Lakshmanan --- .../grafana/base/kustomization.yaml | 1 + .../prometheus-exporter-service-monitor.yaml | 56 ++++++++++++ .../base/prometheus-exporter-service.yaml | 90 ++++++++++--------- 3 files changed, 105 insertions(+), 42 deletions(-) create mode 100644 config/exporters/monitoring/grafana/base/prometheus-exporter-service-monitor.yaml diff --git a/config/exporters/monitoring/grafana/base/kustomization.yaml b/config/exporters/monitoring/grafana/base/kustomization.yaml index 42d0e8eb..dc1776fa 100644 --- a/config/exporters/monitoring/grafana/base/kustomization.yaml +++ b/config/exporters/monitoring/grafana/base/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - prometheus-exporter-service.yaml +- prometheus-exporter-service-monitor.yaml images: - name: exporter newName: quay.io/redhat-appstudio/o11y diff --git a/config/exporters/monitoring/grafana/base/prometheus-exporter-service-monitor.yaml b/config/exporters/monitoring/grafana/base/prometheus-exporter-service-monitor.yaml new file mode 100644 index 00000000..d7b3fccc --- /dev/null +++ b/config/exporters/monitoring/grafana/base/prometheus-exporter-service-monitor.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: metrics-reader + namespace: dummy-service-test +--- +apiVersion: v1 +kind: Secret +metadata: + name: metrics-reader + namespace: dummy-service-test + annotations: + kubernetes.io/service-account.name: metrics-reader +type: kubernetes.io/service-account-token +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: o11y-dummy-service-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus-o11y-dummy-service-metrics-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: o11y-dummy-service-metrics-reader +subjects: +- kind: ServiceAccount + name: metrics-reader + namespace: dummy-service-test +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: o11y-dummy-service + namespace: dummy-service-test +spec: + endpoints: + - path: /metrics + port: https + scheme: https + bearerTokenSecret: + name: "metrics-reader" + key: token + tlsConfig: + insecureSkipVerify: true + selector: + matchLabels: + app: kube-rbac-proxy diff --git a/config/exporters/monitoring/grafana/base/prometheus-exporter-service.yaml b/config/exporters/monitoring/grafana/base/prometheus-exporter-service.yaml index d776ab46..a0dc0304 100644 --- a/config/exporters/monitoring/grafana/base/prometheus-exporter-service.yaml +++ b/config/exporters/monitoring/grafana/base/prometheus-exporter-service.yaml 
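Review bot: `insecureSkipVerify: true` under `tlsConfig` disables server-certificate verification for the scrape, so the bearer token — a non-expiring `kubernetes.io/service-account-token` Secret for `metrics-reader` — is presented to whatever answers on the `https` port without that endpoint proving its identity. The proxy container in prometheus-exporter-service.yaml is started without `--tls-cert-file`/`--tls-private-key-file`, so it presumably serves a self-signed certificate, which is why verification had to be skipped. A cleaner setup is to give the proxy a trusted certificate (on OpenShift the `service.beta.openshift.io/serving-cert-secret-name` annotation on the Service provides one) and then replace `insecureSkipVerify: true` with the issuing CA plus `serverName: kube-rbac-proxy.dummy-service-test.svc` in `tlsConfig`. The token's permission is correctly limited to `get` on `/metrics`, but because it never expires the Secret should be handled as a long-lived credential and rotated like one. Minor style point: `name: "metrics-reader"` is the only quoted scalar in the file; drop the quotes to match the surrounding keys.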
@@ -1,14 +1,16 @@ +# Example metrics-generating service for showcasing service monitor generation. Based on: +# https://github.com/brancz/kube-rbac-proxy/tree/master/examples/non-resource-url apiVersion: v1 kind: Namespace metadata: - name: appstudio-grafana-datasource-exporter + name: dummy-service-test spec: {} --- apiVersion: v1 kind: ServiceAccount metadata: - name: exporter-sa - namespace: appstudio-grafana-datasource-exporter + name: kube-rbac-proxy + namespace: dummy-service-test --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
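Review bot: The new header comment describes this file as an example for showcasing ServiceMonitor generation, while the commit subject frames the change as adding authentication to the exporter Service, and the Namespace rename from `appstudio-grafana-datasource-exporter` to `dummy-service-test` is not explained by either. If the grafana datasource exporter is being replaced by a demo, the comment should say so, e.g. `# NOTE: replaces the former appstudio-grafana-datasource-exporter resources; namespace and names are also referenced from prometheus-exporter-service-monitor.yaml.` so the two files are kept in step when renamed. The ClusterRole whose `kind` line closes this hunk continues in the next one.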
@@ -20,76 +22,80 @@ rules: verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: - name: exporter-cluster-role-binding -subjects: -- kind: ServiceAccount - name: exporter-sa - namespace: appstudio-grafana-datasource-exporter + name: kube-rbac-proxy roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: exporter-cluster-role + name: kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: kube-rbac-proxy + namespace: dummy-service-test --- apiVersion: v1 kind: Service metadata: - name: exporter-service - namespace: appstudio-grafana-datasource-exporter labels: - app: grafana-datasource-exporter + app: kube-rbac-proxy + name: kube-rbac-proxy + namespace: dummy-service-test spec: ports: - - name: http - port: 8090 - targetPort: http + - name: https + port: 8443 + targetPort: https selector: - app: grafana-datasource-exporter + app: kube-rbac-proxy --- apiVersion: apps/v1 kind: Deployment metadata: - name: exporter-service-deployment - namespace: appstudio-grafana-datasource-exporter + name: kube-rbac-proxy + namespace: dummy-service-test spec: replicas: 1 selector: matchLabels: - app: grafana-datasource-exporter + app: kube-rbac-proxy template: metadata: labels: - app: grafana-datasource-exporter + app: kube-rbac-proxy spec: - serviceAccountName: exporter-sa + serviceAccountName: kube-rbac-proxy containers: - - name: grafana-datasource-exporter - image: exporter:latest + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:v0.14.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=https://127.0.0.1:8090/" + - "--logtostderr=true" + - "--v=10" ports: - - containerPort: 8090 - name: http + - containerPort: 8443 + name: https resources: limits: cpu: 100m - memory: 100Mi + memory: 200Mi requests: cpu: 100m - memory: 10Mi + memory: 200Mi securityContext: + allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true ---- -apiVersion: 
monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: metrics-reader-test - namespace: appstudio-grafana-datasource-exporter -spec: - endpoints: - - path: /metrics - port: http - scheme: http - selector: - matchLabels: - app: grafana-datasource-exporter + - name: example-app + image: quay.io/redhat-appstudio/o11y + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true \ No newline at end of file
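Review bot: `--upstream=https://127.0.0.1:8090/` points the proxy at a TLS upstream, but the port it replaces was named `http` and the removed ServiceMonitor scraped it with `scheme: http`, so unless the exporter image now serves TLS on 8090 the proxy's connection to the upstream will fail the handshake; `--upstream=http://127.0.0.1:8090/` looks like the intended value, and the traffic stays on the pod's loopback either way. The `example-app` container hard-codes `image: quay.io/redhat-appstudio/o11y`, which no longer matches the `name: exporter` entry of the kustomization's `images:` transformer, so any tag or digest set there stops applying and the untagged reference resolves to a floating latest; keeping `image: exporter:latest` preserves the override. The `securityContext` of `example-app` lacks the `allowPrivilegeEscalation: false` that was added to the proxy container, and neither container drops capabilities or sets a seccomp profile (`capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`), which the restricted Pod Security Standard expects. `--v=10` is the highest klog verbosity and a debug setting; lower it for anything beyond a demo so per-request detail is not written to the pod log. The ClusterRole `rules:` at the top of the hunk start outside it.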