federated prometheus instance (#19)

ramius345 · etsauer · commit e716dbbfa2fb · 2019-11-07T09:04:27.000-05:00
* federated prometheus instance

* fix container image that doesnt work on a 3.11 cluster

* fix cluster path in example

* Update extra_prometheus_hosts to be secret based instead of from seed_hosts.yml

* make secret documentation simpler

* missed check

* fix requirements yml

* remove uneeded secrets file

* fix wording in README.md

* update requirements to reference redhat-cop
diff --git a/.applier/group_vars/seed-hosts.yml b/.applier/group_vars/seed-hosts.yml
@@ -1,5 +1,60 @@
 dashboard_namespace: custom-dashboards
+
 openshift_cluster_content:
+  - galaxy_requirements: 
+      - "{{ inventory_dir }}/../mdt-secret-discovery-requirements.yml"
+  - object: MDT Prometheus
+    pre_steps:
+      - role: mdt-quickstart/secret-discovery
+    content:
+      - name: MDT Prometheus htpasswd secret
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-htpasswd-secret.yml.j2"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus operator
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-operator-config.yml.j2"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Scrape config secret
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-scrape-config-secret.yml.j2"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus CR
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-cr.yml"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus Service
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-svc.yml"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus Route
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-route.yml"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus Oauth Cluster Role
+        file: "{{ inventory_dir}}/../federated-prometheus/prometheus-oauth-cluster-role.yml"
+        tags:
+          - dashboard-sdm
+      - name: MDT Prometheus Oauth Service Account
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-sa.yml"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard sdm
+      - name: MDT Prometheus Oauth ClusterRoleBinding
+        file: "{{ inventory_dir }}/../federated-prometheus/prometheus-oauth-cluster-role-binding.yml.j2"
+        tags:
+          - dashboard-sdm
+      - name: MDT Repoint Grafana Datasource
+        file: "{{ inventory_dir }}/../federated-prometheus/grafana-mdt-datasources.yml.j2"
+        namespace: "{{ dashboard_namespace }}"
+        tags:
+          - dashboard-sdm
   - object: Dashboards - DevOps
     content:
       - name: Software Delivery Metrics Dashboard
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 dependencies
-temp
+temp
+galaxy
diff --git a/README.md b/README.md
@@ -42,6 +42,30 @@ ansible-playbook -i galaxy/openshift-toolkit/custom-dashboards/.applier galaxy/o
 ansible-playbook -i .applier/ galaxy/openshift-applier/playbooks/openshift-cluster-seed.yml
 ```
 
+### Adding extra prometheus instances
+
+Edit the extra_prometheus_hosts.yml file.  It is a yaml file with an array of entries with the following parameters:
+
+* id - a description of the prometheus host (this will be used as a label to select metrics in the federated instance).
+* hostname - the fully qualified domain name or ip address of the host with the extra prometheus instance
+* password - the password used for the 'internal' basic auth account (this is provided by the k8s metrics prometheus instances in a secret).
+
+For example:
+
+```
+extra_prometheus_hosts:
+  - id: "ci-1"
+    hostname: "prometheus-k8s-openshift-monitoring.apps.example.com"
+    password: "<redacted>"
+```
+Once you are finished adding your extra hosts, apply the file as the secret 'extra-prometheus-secrets'.
+
+```
+oc create secret generic extra-prometheus-secrets --from-file extra_prometheus_hosts.yml
+```
+
+```
+
 ### Cleaning Up
 
 If you would like to undo the changes above:
diff --git a/extra_prometheus_hosts.yml b/extra_prometheus_hosts.yml
@@ -0,0 +1,4 @@
+extra_prometheus_hosts:
+  - id: "ci-1"
+    hostname: "prometheus-k8s-openshift-monitoring.apps.example.com"
+    password: "password here"
diff --git a/federated-prometheus/grafana-mdt-datasources.yml.j2 b/federated-prometheus/grafana-mdt-datasources.yml.j2
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  prometheus.yaml: {{ new_grafana_datasources_mdt_data }}
+kind: Secret
+metadata:
+  name: grafana-datasources
+type: Opaque
diff --git a/federated-prometheus/prometheus-cr.yml b/federated-prometheus/prometheus-cr.yml
@@ -0,0 +1,49 @@
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+  name: prometheus-mdt
+  labels:
+    prometheus: prometheus-mdt
+spec:
+  replicas: 2
+  serviceAccountName: prometheus-mdt
+  serviceMonitorSelector:
+    matchLabels:
+      junk: junk
+  additionalScrapeConfigs:
+    name: additional-scrape-configs
+    key: prometheus-additional.yml
+  secrets:
+    - prometheus-mdt-tls
+    - prometheus-mdt-htpasswd
+  containers:
+  - args:
+    - -provider=openshift
+    - -https-address=:9091
+    - -http-address=
+    - -email-domain=*
+    - -upstream=http://localhost:9090
+    - -htpasswd-file=/etc/proxy/htpasswd/auth
+    - -openshift-service-account=prometheus-mdt
+    - '-openshift-sar={"resource": "namespaces", "verb": "get"}'
+    - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get"}}'
+    - -tls-cert=/etc/tls/private/tls.crt
+    - -tls-key=/etc/tls/private/tls.key
+    - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+    - -cookie-secret=bacon
+    - -openshift-ca=/etc/pki/tls/cert.pem
+    - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    - -skip-auth-regex=^/metrics
+    image: registry.redhat.io/openshift3/oauth-proxy:v3.11
+    name: prometheus-proxy
+    ports:
+    - containerPort: 9091
+      name: web-tls
+    resources: {}
+    volumeMounts:
+    - mountPath: /etc/tls/private
+      name: secret-prometheus-mdt-tls
+    - mountPath: /etc/proxy/htpasswd
+      name: secret-prometheus-mdt-htpasswd
+
+        
diff --git a/federated-prometheus/prometheus-htpasswd-secret.yml.j2 b/federated-prometheus/prometheus-htpasswd-secret.yml.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  auth: "{{ mdt_prometheus_htpasswd_auth }}"
+kind: Secret
+metadata:
+  labels:
+    k8s-app: prometheus-mdt
+  name: prometheus-mdt-htpasswd
+type: Opaque
diff --git a/federated-prometheus/prometheus-oauth-cluster-role-binding.yml.j2 b/federated-prometheus/prometheus-oauth-cluster-role-binding.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-mdt-oauth-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-mdt-oauth-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: prometheus-mdt
+  namespace: {{ dashboard_namespace }}
diff --git a/federated-prometheus/prometheus-oauth-cluster-role.yml b/federated-prometheus/prometheus-oauth-cluster-role.yml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: prometheus-mdt-oauth-clusterrole
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - 'create'
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - 'create'
diff --git a/federated-prometheus/prometheus-operator-config.yml.j2 b/federated-prometheus/prometheus-operator-config.yml.j2
@@ -0,0 +1,167 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
+    app.kubernetes.io/version: v0.33.0
+  name: prometheus-operator-mdt
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator-mdt
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator-mdt
+  namespace: {{ dashboard_namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
+    app.kubernetes.io/version: v0.33.0
+  name: prometheus-operator-mdt
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - prometheuses/finalizers
+  - alertmanagers/finalizers
+  - servicemonitors
+  - podmonitors
+  - prometheusrules
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - services/finalizers
+  - endpoints
+  verbs:
+  - get
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
+    app.kubernetes.io/version: v0.33.0
+  name: prometheus-operator-mdt
+  namespace: {{ dashboard_namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/name: prometheus-operator-mdt
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: prometheus-operator-mdt
+        app.kubernetes.io/version: v0.33.0
+    spec:
+      containers:
+      - args:
+        - --kubelet-service=kube-system/kubelet
+        - --logtostderr=true
+        - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
+        - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.33.0
+        image: quay.io/coreos/prometheus-operator:v0.33.0
+        name: prometheus-operator-mdt
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          limits:
+            cpu: 200m
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+      # securityContext:
+        # runAsNonRoot: true
+        #  runAsUser: 1000730001
+        #  runAsUser: 1000360001
+      serviceAccountName: prometheus-operator-mdt
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
+    app.kubernetes.io/version: v0.33.0
+  name: prometheus-operator-mdt
+  namespace: {{ dashboard_namespace }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
+    app.kubernetes.io/version: v0.33.0
+  name: prometheus-operator-mdt
+  namespace: {{ dashboard_namespace }}
+spec:
+  clusterIP: None
+  ports:
+  - name: http
+    port: 8080
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator-mdt
diff --git a/federated-prometheus/prometheus-route.yml b/federated-prometheus/prometheus-route.yml
@@ -0,0 +1,21 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  annotations:
+    openshift.io/host.generated: "true"
+  creationTimestamp: null
+  name: prometheus-mdt
+spec:
+  port:
+    targetPort: web-tls
+  subdomain: ""
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: reencrypt
+  to:
+    kind: Service
+    name: prometheus-mdt
+    weight: 100
+  wildcardPolicy: None
+status:
+  ingress: null
diff --git a/federated-prometheus/prometheus-sa.yml b/federated-prometheus/prometheus-sa.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirectreference.prometheus-mdt: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus-mdt"}}'
+  name: prometheus-mdt
+
diff --git a/federated-prometheus/prometheus-scrape-config-secret.yml.j2 b/federated-prometheus/prometheus-scrape-config-secret.yml.j2
diff --git a/federated-prometheus/prometheus-svc.yml b/federated-prometheus/prometheus-svc.yml
diff --git a/mdt-secret-discovery-requirements.yml b/mdt-secret-discovery-requirements.yml
diff --git a/meta/main.yml b/meta/main.yml
diff --git a/secret-discovery/meta/main.yml b/secret-discovery/meta/main.yml
diff --git a/secret-discovery/tasks/main.yml b/secret-discovery/tasks/main.yml

-Original file line number
+Diff line change
@@ @@ -1,2 +1,3 @@ @@
 dependencies
 -temp
 +temp
 +galaxy