Initial release

This commit is contained in:
2024-03-19 13:13:53 +01:00
commit 451fdb09fc
391 changed files with 184309 additions and 0 deletions


@@ -0,0 +1,55 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: vinyl-monitor/jaeger-operator-serving-cert
labels:
name: jaeger-operator
name: jaeger-operator-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: jaeger-operator-webhook-service
namespace: vinyl-monitor
path: /mutate-v1-deployment
failurePolicy: Ignore
name: deployment.sidecar-injector.jaegertracing.io
objectSelector:
matchExpressions:
- key: name
operator: NotIn
values:
- jaeger-operator
rules:
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: jaeger-operator-webhook-service
namespace: vinyl-monitor
path: /mutate-jaegertracing-io-v1-jaeger
failurePolicy: Fail
name: mjaeger.kb.io
rules:
- apiGroups:
- jaegertracing.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- jaegers
sideEffects: None
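Review bot: The `deployment.sidecar-injector.jaegertracing.io` webhook has no `namespaceSelector`, so every Deployment CREATE/UPDATE in every namespace, including kube-system, is routed through the operator; the only exclusion is the `objectSelector` on `name: jaeger-operator`. With `failurePolicy: Ignore` this fails open rather than blocking, but it still makes every Deployment admission cluster-wide depend on a round-trip to the operator pod. Consider restricting it with a `namespaceSelector` (for example `matchExpressions: [{key: kubernetes.io/metadata.name, operator: NotIn, values: [kube-system]}]`) or an opt-in label, as sidecar injectors commonly do. The `mpod.kb.io` webhook in the open-telemetry MutatingWebhookConfiguration further down in this commit targets all pods with the same lack of a namespace selector.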


@@ -0,0 +1,29 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: vinyl-monitor/jaeger-operator-serving-cert
labels:
name: jaeger-operator
name: jaeger-operator-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: jaeger-operator-webhook-service
namespace: vinyl-monitor
path: /validate-jaegertracing-io-v1-jaeger
failurePolicy: Fail
name: vjaeger.kb.io
rules:
- apiGroups:
- jaegertracing.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- jaegers
sideEffects: None


@@ -0,0 +1,95 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
name: jaeger-operator
name: jaeger-operator
namespace: vinyl-monitor
spec:
replicas: 1
selector:
matchLabels:
name: jaeger-operator
strategy: {}
template:
metadata:
labels:
name: jaeger-operator
spec:
containers:
- args:
- start
- --health-probe-bind-address=:8081
- --leader-elect
command:
- /jaeger-operator
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_NAME
value: jaeger-operator
- name: LOG-LEVEL
value: DEBUG
- name: KAFKA-PROVISIONING-MINIMAL
value: "true"
image: quay.io/jaegertracing/jaeger-operator:1.53.0
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: jaeger-operator
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8383/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
securityContext:
runAsNonRoot: true
serviceAccountName: jaeger-operator
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: jaeger-operator-service-cert
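Review bot: The `jaeger-operator` container's securityContext sets only `allowPrivilegeEscalation: false`; there is no `runAsNonRoot`, no `capabilities.drop: [ALL]`, no `seccompProfile` and no pod-level securityContext, while the kube-rbac-proxy sidecar in the same pod sets `runAsNonRoot: true` and the open-telemetry Deployment in this commit drops all capabilities and pins a non-root UID/GID at pod level. Because this pod's service account is bound cluster-wide to the broad `manager-role`, container hardening is the main thing limiting a compromised operator process. Suggest adding `runAsNonRoot: true`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` to the operator container (or at pod level) and giving it `resources.limits` as the sidecar already has. Separately, `LOG-LEVEL: DEBUG` is a debug default for a release manifest; consider INFO or exposing it as a component option.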


@@ -0,0 +1,18 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-serving-cert
namespace: vinyl-monitor
spec:
dnsNames:
- jaeger-operator-webhook-service.vinyl-monitor.svc
- jaeger-operator-webhook-service.vinyl-monitor.svc.cluster.local
issuerRef:
kind: Issuer
name: jaeger-operator-selfsigned-issuer
secretName: jaeger-operator-service-cert
subject:
organizationalUnits:
- jaeger-operator


@@ -0,0 +1,9 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-selfsigned-issuer
namespace: vinyl-monitor
spec:
selfSigned: {}

120
monitor/jaeger/datas.tf Normal file

@@ -0,0 +1,120 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 && length(regexall("WebhookConfiguration",file))<1]
images {
name = "quay.io/jaegertracing/jaeger-operator"
new_name = "${var.images.operator.registry}/${var.images.operator.repository}"
new_tag = "${var.images.operator.tag}"
}
images {
name = "gcr.io/kubebuilder/kube-rbac-proxy"
new_name = "${var.images.rbac_proxy.registry}/${var.images.rbac_proxy.repository}"
new_tag = "${var.images.rbac_proxy.tag}"
}
patches {
target {
kind = "Certificate"
name = "jaeger-operator-serving-cert"
}
patch = <<-EOF
- op: replace
path: /spec/dnsNames/0
value: "jaeger-operator-webhook-service.${var.namespace}.svc"
- op: replace
path: /spec/dnsNames/1
value: "jaeger-operator-webhook-service.${var.namespace}.svc.cluster.local"
EOF
}
patches {
target {
kind = "Deployment"
name = "jaeger-operator"
}
patch = <<-EOF
- op: remove
path: /spec/template/spec/containers/0/env/0
EOF
}
patches {
target {
kind = "Deployment"
name = "jaeger-operator"
}
patch = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: jaeger-operator
spec:
replicas: ${var.replicas}
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && (length(regexall("ClusterRole",file))>0 || length(regexall("WebhookConfiguration",file))>0)]
patches {
target {
kind = "ClusterRoleBinding"
name = "manager-rolebinding"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "jaeger-operator-proxy-rolebinding"
}
patch = local.rb-patch
}
patches {
target {
kind = "MutatingWebhookConfiguration"
name = "jaeger-operator-mutating-webhook-configuration"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/1/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/jaeger-operator-serving-cert"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "jaeger-operator-validating-webhook-configuration"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/jaeger-operator-serving-cert"
EOF
}
}
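Review bot: The JSON6902 patches at `path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from` (in both the Mutating and the Validating webhook patch) target an annotation key that does not exist in the manifests, which use `cert-manager.io/inject-ca-from`. A `replace` on a missing path fails in kustomize, and even if it were tolerated the real annotation would still point at `vinyl-monitor/jaeger-operator-serving-cert`, so no CA bundle would be injected when the component is installed in any other namespace and the `failurePolicy: Fail` webhooks would then reject every Jaeger object. Change both occurrences to `path: /metadata/annotations/cert-manager.io~1inject-ca-from`. As a style point, `new_tag = "${var.images.operator.tag}"` can be written `new_tag = var.images.operator.tag`; the interpolation wrapper is redundant.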

100
monitor/jaeger/index.yaml Normal file

@@ -0,0 +1,100 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: monitor
metadata:
name: jaeger
description: Operator to deploy Jaeger, a distributed tracing plateform. Monitor and troubleshoot workflows in complex distributed systems
options:
images:
default:
operator:
pullPolicy: IfNotPresent
registry: quay.io
repository: jaegertracing/jaeger-operator
tag: 1.53.0
rbac_proxy:
pullPolicy: IfNotPresent
registry: gcr.io
repository: kubebuilder/kube-rbac-proxy
tag: v0.13.1
examples:
- operator:
pullPolicy: IfNotPresent
registry: quay.io
repository: jaegertracing/jaeger-operator
tag: 1.53.0
rbac_proxy:
pullPolicy: IfNotPresent
registry: gcr.io
repository: kubebuilder/kube-rbac-proxy
tag: v0.13.1
properties:
operator:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: jaegertracing/jaeger-operator
tag: 1.53.0
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: jaegertracing/jaeger-operator
type: string
tag:
default: 1.53.0
type: string
type: object
rbac_proxy:
default:
pullPolicy: IfNotPresent
registry: gcr.io
repository: kubebuilder/kube-rbac-proxy
tag: v0.13.1
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: kubebuilder/kube-rbac-proxy
type: string
tag:
default: v0.13.1
type: string
type: object
type: object
replicas:
default: 1
examples:
- 1
type: integer
dependencies:
- dist: null
category: crd
component: jaeger
providers:
kubernetes: true
authentik: null
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null
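Review bot: The `pullPolicy` option declared for both images under `options.images.properties` is never consumed: monitor/jaeger/datas.tf only rewrites image name and tag and has no imagePullPolicy patch, whereas the node-problem-detector component in this commit does patch `imagePullPolicy` from its `pull_policy` option. Either wire it up with a patch like that one or drop the option, so users do not rely on a setting with no effect; the key is also spelled `pullPolicy` here and `pull_policy` in the other component and should be made consistent. Quoting the tag defaults (`default: "1.53.0"`) is advisable too, since a tag such as `1.10` would otherwise be read as a float despite `type: string`.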


@@ -0,0 +1,21 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-metrics-monitor
namespace: vinyl-monitor
spec:
endpoints:
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
path: /metrics
scheme: https
scrapeTimeout: 10s
targetPort: 8443
tlsConfig:
insecureSkipVerify: true
selector:
matchLabels:
app.kubernetes.io/component: metrics
name: jaeger-operator
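Review bot: `insecureSkipVerify: true` combined with `bearerTokenFile` means Prometheus presents its service account token to whatever answers on port 8443 without verifying the server certificate, so anything able to take over that endpoint can capture the token. The kube-rbac-proxy in this commit serves a self-signed certificate by default, which is presumably why verification is disabled, but cert-manager is already a dependency here: issuing a serving certificate for the proxy (`--tls-cert-file`/`--tls-private-key-file`) and setting `tlsConfig.ca` plus `serverName` to `jaeger-operator-metrics.<namespace>.svc` would close this. At minimum add a comment above `tlsConfig` stating why verification is disabled and what trust boundary is assumed.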


@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: jaeger-operator
namespace: vinyl-monitor


@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
name: jaeger-operator
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: jaeger-operator
namespace: vinyl-monitor
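Review bot: The cluster-scoped names `manager-rolebinding` here, `manager-role` (the large ClusterRole below) and `proxy-role` are unprefixed, unlike every other object in this component, which carries `jaeger-operator-`. ClusterRoles and ClusterRoleBindings are cluster-wide, so another kubebuilder-generated operator installed with the same default names would silently overwrite these rules and bindings on apply, changing which service account holds which permissions. Rename them and the matching `roleRef.name` entries to `jaeger-operator-manager-role`, `jaeger-operator-manager-rolebinding` and `jaeger-operator-proxy-role`, or set `name_prefix` in the `data_no_ns` overlay in datas.tf.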


@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get


@@ -0,0 +1,257 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
name: jaeger-operator
name: manager-role
rules:
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments/status
verbs:
- get
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- console.openshift.io
resources:
- consolelinks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- pods
- secrets
- serviceaccounts
- services
- services/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- namespaces/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- jaegertracing.io
resources:
- jaegers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- jaegertracing.io
resources:
- jaegers/finalizers
verbs:
- update
- apiGroups:
- jaegertracing.io
resources:
- jaegers/status
verbs:
- get
- patch
- update
- apiGroups:
- kafka.strimzi.io
resources:
- kafkas
- kafkausers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- logging.openshift.io
resources:
- elasticsearch
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- logging.openshift.io
resources:
- elasticsearches
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
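Review bot: The `manager-role` ClusterRole grants cluster-wide create/delete on `secrets`, `namespaces`, `serviceaccounts` and `clusterrolebindings`; together these let the holder read every Secret in the cluster and bind new service accounts to any permission it already holds, so compromise of the operator pod is close to cluster-admin. The Deployment patch in datas.tf removes `WATCH_NAMESPACE`, so the operator presumably runs cluster-wide and needs some of this, but the trade-off deserves a sentence in the index.yaml description, and a single-namespace option that keeps `WATCH_NAMESPACE` and binds a namespaced Role instead would let users opt out. The second rule (`apps`/`deployments`) duplicates the first, which already lists `deployments` with the same verbs, and can be dropped.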


@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
name: jaeger-operator
name: proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
name: jaeger-operator
name: leader-election-rolebinding
namespace: vinyl-monitor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: jaeger-operator
namespace: vinyl-monitor


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
labels:
name: jaeger-operator
name: prometheus
namespace: vinyl-monitor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: openshift-monitoring


@@ -0,0 +1,39 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
name: jaeger-operator
name: leader-election-role
namespace: vinyl-monitor
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
labels:
name: jaeger-operator
name: prometheus
namespace: vinyl-monitor
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch


@@ -0,0 +1,45 @@
# first loop through resources in ids_prio[0]
resource "kustomization_resource" "pre_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[0]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
}
# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.pre
# wait 2 minutes for any deployment or daemonset to become ready
resource "kustomization_resource" "main_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[1]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
wait = true
timeouts {
create = "5m"
update = "5m"
}
depends_on = [kustomization_resource.pre_no_ns]
}
# finally, loop through resources in ids_prio[2]
# and set an explicit depends_on on kustomization_resource.main
resource "kustomization_resource" "post_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[2]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
depends_on = [kustomization_resource.main_no_ns]
}
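Review bot: The comments in this file do not match the code: `# wait 2 minutes for any deployment or daemonset to become ready` sits above `timeouts { create = "5m" update = "5m" }`, and `# and set an explicit depends_on on kustomization_resource.pre` / `.main` name resources that are actually `pre_no_ns` and `main_no_ns`. Suggest `# wait up to 5 minutes for the applied resources to become ready` and `# and set an explicit depends_on on kustomization_resource.pre_no_ns` (likewise `main_no_ns` for the third block). The identical resources.tf under the node-problem-detector component later in this commit carries the same stale comments. A one-line comment above each `manifest = (` expression saying that Secret manifests are wrapped in `sensitive()` so their content is redacted from plan output would also help the next reader.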


@@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
name: jaeger-operator
name: jaeger-operator
namespace: vinyl-monitor


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: metrics
name: jaeger-operator
name: jaeger-operator-metrics
namespace: vinyl-monitor
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
name: jaeger-operator


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
name: jaeger-operator
name: jaeger-operator-webhook-service
namespace: vinyl-monitor
spec:
ports:
- port: 443
protocol: TCP
targetPort: 9443
selector:
name: jaeger-operator


@@ -0,0 +1,80 @@
# Source: node-problem-detector/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: npd-node-problem-detector
labels:
app.kubernetes.io/name: node-problem-detector
helm.sh/chart: node-problem-detector-2.3.12
app.kubernetes.io/instance: npd
app.kubernetes.io/managed-by: Helm
namespace: vynil-tools
spec:
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/name: node-problem-detector
app.kubernetes.io/instance: npd
app: node-problem-detector
template:
metadata:
labels:
app.kubernetes.io/name: node-problem-detector
app.kubernetes.io/instance: npd
app: node-problem-detector
annotations:
checksum/config: 871f3a539e0646ffe0c886c946c28fcd1ec9018ad31a53aafc732b71edee895b
spec:
serviceAccountName: npd-node-problem-detector
hostNetwork: false
hostPID: false
terminationGracePeriodSeconds: 30
priorityClassName: "system-node-critical"
containers:
- name: node-problem-detector
image: "registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.15"
imagePullPolicy: "IfNotPresent"
command:
- "/bin/sh"
- "-c"
- "exec /node-problem-detector --logtostderr --config.system-log-monitor=/config/kernel-monitor.json,/config/docker-monitor.json --prometheus-address=0.0.0.0 --prometheus-port=20257 --k8s-exporter-heartbeat-period=5m0s "
securityContext:
privileged: true
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: log
mountPath: /var/log/
readOnly: true
- name: localtime
mountPath: /etc/localtime
readOnly: true
- name: custom-config
mountPath: /custom-config
readOnly: true
ports:
- containerPort: 20257
name: exporter
resources:
{}
tolerations:
- effect: NoSchedule
operator: Exists
volumes:
- name: log
hostPath:
path: /var/log/
- name: localtime
hostPath:
path: /etc/localtime
type: FileOrCreate
- name: custom-config
configMap:
name: npd-node-problem-detector-custom-config
defaultMode: 493
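Review bot: The node-problem-detector container runs with `privileged: true` on every node and has no resource limits (`resources: {}`). Privileged grants full device and capability access, which makes the `readOnly: true` on the `/var/log/` and `/etc/localtime` hostPath mounts largely cosmetic; it is worth checking whether the two system-log monitors enabled in the command actually need it or whether an explicit capability set plus `seccompProfile` suffices, and exposing `privileged` as a component option either way. Set at least a memory limit so a log-parsing loop cannot starve the node. Note also that `checksum/config` is a Helm-rendered hash of a ConfigMap that is static here, so it will not trigger a rollout when `npd-node-problem-detector-custom-config` changes; either drop the annotation or add a comment that it is inert.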


@@ -0,0 +1,57 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
namespace = var.namespace
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 ]
images {
name = "registry.k8s.io/node-problem-detector/node-problem-detector"
new_name = "${var.images.node-problem-detector.registry}/${var.images.node-problem-detector.repository}"
new_tag = "${var.images.node-problem-detector.tag}"
}
patches {
target {
kind = "DaemonSet"
name = "npd-node-problem-detector"
}
patch = <<-EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: npd-node-problem-detector
spec:
template:
spec:
containers:
- name: node-problem-detector
imagePullPolicy: "${var.images.node-problem-detector.pull_policy}"
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))>0 ]
patches {
target {
kind = "ClusterRoleBinding"
name = "npd-node-problem-detector"
}
patch = local.rb-patch
}
}


@@ -0,0 +1,50 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: monitor
metadata:
name: node-problem-detector
description: node-problem-detector aims to make various node problems visible to the upstream layers in the cluster management stack.
options:
images:
default:
node-problem-detector:
pull_policy: IfNotPresent
registry: registry.k8s.io
repository: node-problem-detector/node-problem-detector
tag: v0.8.15
examples:
- node-problem-detector:
pull_policy: IfNotPresent
registry: registry.k8s.io
repository: node-problem-detector/node-problem-detector
tag: v0.8.15
properties:
node-problem-detector:
default:
pull_policy: IfNotPresent
registry: registry.k8s.io
repository: node-problem-detector/node-problem-detector
tag: v0.8.15
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: registry.k8s.io
type: string
repository:
default: node-problem-detector/node-problem-detector
type: string
tag:
default: v0.8.15
type: string
type: object
type: object
dependencies: []
providers: null
tfaddtype: null


@@ -0,0 +1,18 @@
# Source: node-problem-detector/templates/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: npd-node-problem-detector
labels:
app.kubernetes.io/name: node-problem-detector
helm.sh/chart: node-problem-detector-2.3.12
app.kubernetes.io/instance: npd
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: npd-node-problem-detector
namespace: vynil-tools
roleRef:
kind: ClusterRole
name: npd-node-problem-detector
apiGroup: rbac.authorization.k8s.io


@@ -0,0 +1,31 @@
# Source: node-problem-detector/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: npd-node-problem-detector
labels:
app.kubernetes.io/name: node-problem-detector
helm.sh/chart: node-problem-detector-2.3.12
app.kubernetes.io/instance: npd
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update


@@ -0,0 +1,45 @@
# first loop through resources in ids_prio[0]
resource "kustomization_resource" "pre_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[0]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
}
# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.pre
# wait 2 minutes for any deployment or daemonset to become ready
resource "kustomization_resource" "main_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[1]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
wait = true
timeouts {
create = "5m"
update = "5m"
}
depends_on = [kustomization_resource.pre_no_ns]
}
# finally, loop through resources in ids_prio[2]
# and set an explicit depends_on on kustomization_resource.main
resource "kustomization_resource" "post_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[2]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
depends_on = [kustomization_resource.main_no_ns]
}


@@ -0,0 +1,13 @@
# Source: node-problem-detector/templates/custom-config-configmap.yaml
apiVersion: v1
data:
{}
kind: ConfigMap
metadata:
name: npd-node-problem-detector-custom-config
labels:
app.kubernetes.io/name: node-problem-detector
helm.sh/chart: node-problem-detector-2.3.12
app.kubernetes.io/instance: npd
app.kubernetes.io/managed-by: Helm
namespace: vynil-tools


@@ -0,0 +1,12 @@
---
# Source: node-problem-detector/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: npd-node-problem-detector
labels:
app.kubernetes.io/name: node-problem-detector
helm.sh/chart: node-problem-detector-2.3.12
app.kubernetes.io/instance: npd
app.kubernetes.io/managed-by: Helm
namespace: vynil-tools


@@ -0,0 +1,84 @@
# Source: opentelemetry-operator/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: vynil-monitor/open-telemetry-opentelemetry-operator-serving-cert
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: webhook
name: open-telemetry-opentelemetry-operator-mutation
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /mutate-opentelemetry-io-v1alpha1-instrumentation
port: 443
failurePolicy: Fail
name: minstrumentation.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- instrumentations
scope: Namespaced
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /mutate-opentelemetry-io-v1alpha1-opentelemetrycollector
port: 443
failurePolicy: Fail
name: mopentelemetrycollector.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- opentelemetrycollectors
scope: Namespaced
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /mutate-v1-pod
port: 443
failurePolicy: Ignore
name: mpod.kb.io
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
scope: Namespaced
sideEffects: None
timeoutSeconds: 10


@@ -0,0 +1,105 @@
# Source: opentelemetry-operator/templates/admission-webhooks/operator-webhook-with-cert-manager.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: vynil-monitor/open-telemetry-opentelemetry-operator-serving-cert
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: webhook
name: open-telemetry-opentelemetry-operator-validation
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /validate-opentelemetry-io-v1alpha1-instrumentation
port: 443
failurePolicy: Fail
name: vinstrumentationcreateupdate.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- instrumentations
scope: Namespaced
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /validate-opentelemetry-io-v1alpha1-instrumentation
port: 443
failurePolicy: Ignore
name: vinstrumentationdelete.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- DELETE
resources:
- instrumentations
scope: Namespaced
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
port: 443
failurePolicy: Fail
name: vopentelemetrycollectorcreateupdate.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- opentelemetrycollectors
scope: Namespaced
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
clientConfig:
service:
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
path: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
port: 443
failurePolicy: Ignore
name: vopentelemetrycollectordelete.kb.io
rules:
- apiGroups:
- opentelemetry.io
apiVersions:
- v1alpha1
operations:
- DELETE
resources:
- opentelemetrycollectors
scope: Namespaced
sideEffects: None
timeoutSeconds: 10


@@ -0,0 +1,113 @@
# Source: opentelemetry-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator
namespace: vynil-monitor
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/component: controller-manager
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/component: controller-manager
spec:
hostNetwork: false
containers:
- args:
- --metrics-addr=0.0.0.0:8080
- --enable-leader-election
- --health-probe-addr=:8081
- --webhook-port=9443
- --collector-image=otel/opentelemetry-collector-contrib:0.95.0
command:
- /manager
env:
- name: ENABLE_WEBHOOKS
value: "true"
image: "ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.95.0"
name: manager
ports:
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 9443
name: webhook-server
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: "quay.io/brancz/kube-rbac-proxy:v0.15.0"
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
serviceAccountName: opentelemetry-operator
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: open-telemetry-opentelemetry-operator-controller-manager-service-cert
securityContext:
fsGroup: 65532
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
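Review bot: `--collector-image=otel/opentelemetry-collector-contrib:0.95.0` is a hard-coded image reference inside `args`; kustomize image transformers only rewrite `image:` fields, so an image option for the operator itself would not redirect the collector image the operator later deploys into user namespaces, which breaks mirrored or air-gapped registries. The datas.tf for this component is cut off at the end of the page, so if it already patches this argument, disregard; otherwise expose it as an image option and patch `/spec/template/spec/containers/0/args/4`. Also `serviceAccountName: opentelemetry-operator` does not follow the `open-telemetry-opentelemetry-operator` naming of the other objects in this section; verify that a ServiceAccount of that exact name is shipped with the component.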


@@ -0,0 +1,24 @@
# Source: opentelemetry-operator/templates/certmanager.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: webhook
name: open-telemetry-opentelemetry-operator-serving-cert
namespace: vynil-monitor
spec:
dnsNames:
- open-telemetry-opentelemetry-operator-webhook.vynil-monitor.svc
- open-telemetry-opentelemetry-operator-webhook.vynil-monitor.svc.cluster.local
issuerRef:
kind: Issuer
name: open-telemetry-opentelemetry-operator-selfsigned-issuer
secretName: open-telemetry-opentelemetry-operator-controller-manager-service-cert
subject:
organizationalUnits:
- open-telemetry-opentelemetry-operator
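Review bot: This serving certificate is issued straight from a `selfSigned` Issuer, so the leaf itself is the trust anchor that cert-manager's ca-injector has to copy into the webhook configurations on every renewal; the prometheus component in this same commit instead uses a self-signed root CA plus a CA Issuer, which keeps the injected bundle stable across leaf rotations. With a self-signed leaf there may be a short window at each renewal where the API server still holds the old bundle while the pod already serves the new cert, and the `Fail` webhooks would then reject `opentelemetry.io` writes. Consider mirroring the prometheus layout (root CA Certificate with `isCA: true`, a `ca:` Issuer, and this Certificate pointing at it), or at least set an explicit `duration`/`renewBefore` so the rotation cadence is visible here rather than left to the 90-day default.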


@@ -0,0 +1,15 @@
# Source: opentelemetry-operator/templates/certmanager.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: webhook
name: open-telemetry-opentelemetry-operator-selfsigned-issuer
namespace: vynil-monitor
spec:
selfSigned: {}


@@ -0,0 +1,122 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 && length(regexall("WebhookConfiguration",file))<1]
images {
name = "ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator"
new_name = "${var.images.operator.registry}/${var.images.operator.repository}"
new_tag = "${var.images.operator.tag}"
}
images {
name = "quay.io/brancz/kube-rbac-proxy"
new_name = "${var.images.rbac_proxy.registry}/${var.images.rbac_proxy.repository}"
new_tag = "${var.images.rbac_proxy.tag}"
}
patches {
target {
kind = "Certificate"
name = "open-telemetry-opentelemetry-operator-serving-cert"
}
patch = <<-EOF
- op: replace
path: /spec/dnsNames/0
value: "open-telemetry-opentelemetry-operator-webhook.${var.namespace}.svc"
- op: replace
path: /spec/dnsNames/1
value: "open-telemetry-opentelemetry-operator-webhook.${var.namespace}.svc.cluster.local"
EOF
}
patches {
target {
kind = "Deployment"
name = "open-telemetry-opentelemetry-operator"
}
patch = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: open-telemetry-opentelemetry-operator
spec:
replicas: ${var.replicas}
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && (length(regexall("ClusterRole",file))>0 || length(regexall("WebhookConfiguration",file))>0)]
patches {
target {
kind = "ClusterRoleBinding"
name = "open-telemetry-opentelemetry-operator-manager"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "open-telemetry-opentelemetry-operator-proxy"
}
patch = local.rb-patch
}
patches {
target {
kind = "MutatingWebhookConfiguration"
name = "open-telemetry-opentelemetry-operator-mutation"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/1/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/2/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/open-telemetry-opentelemetry-operator-serving-cert"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "open-telemetry-opentelemetry-operator-validation"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/1/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/2/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /webhooks/3/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/open-telemetry-opentelemetry-operator-serving-cert"
EOF
}
}
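Review bot: The two webhook patches in `data_no_ns` replace only `/metadata/annotations/certmanager.k8s.io~1inject-ca-from`, the legacy cert-manager annotation, whereas the prometheus overlay in this same commit patches both that key and `cert-manager.io~1inject-ca-from`, which is the one current cert-manager releases honour. The opentelemetry webhook manifests are not in this chunk, so I cannot see which key they carry: if only the modern key is present the `replace` op should fail the kustomize build, and if only the legacy key is present the CA bundle is never injected, so every `opentelemetry.io` admission call fails TLS verification (Fail policy) or is silently skipped. Add to each patch `- op: add` / `path: /metadata/annotations/cert-manager.io~1inject-ca-from` / `value: "${var.namespace}/open-telemetry-opentelemetry-operator-serving-cert"` (`add` succeeds whether or not the key already exists), and do the same for the legacy key if it is to be kept.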


@@ -0,0 +1,100 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: monitor
metadata:
name: opentelemetry
description: Kubernetes Operator for OpenTelemetry Collector
options:
images:
default:
operator:
pullPolicy: IfNotPresent
registry: ghcr.io
repository: open-telemetry/opentelemetry-operator/opentelemetry-operator
tag: 0.92.1
rbac_proxy:
pullPolicy: IfNotPresent
registry: quay.io
repository: brancz/kube-rbac-proxy
tag: v0.15.0
examples:
- operator:
pullPolicy: IfNotPresent
registry: ghcr.io
repository: open-telemetry/opentelemetry-operator/opentelemetry-operator
tag: 0.92.1
rbac_proxy:
pullPolicy: IfNotPresent
registry: quay.io
repository: brancz/kube-rbac-proxy
tag: v0.15.0
properties:
operator:
default:
pullPolicy: IfNotPresent
registry: ghcr.io
repository: open-telemetry/opentelemetry-operator/opentelemetry-operator
tag: 0.92.1
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: ghcr.io
type: string
repository:
default: open-telemetry/opentelemetry-operator/opentelemetry-operator
type: string
tag:
default: 0.92.1
type: string
type: object
rbac_proxy:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: brancz/kube-rbac-proxy
tag: v0.15.0
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: brancz/kube-rbac-proxy
type: string
tag:
default: v0.15.0
type: string
type: object
type: object
replicas:
default: 1
examples:
- 1
type: integer
dependencies:
- dist: null
category: crd
component: opentelemetry
providers:
kubernetes: true
authentik: null
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null
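Review bot: The image defaults pin `tag: 0.92.1` in all four places (`default`, `examples`, `properties.operator.default`, `properties.operator.properties.tag`), which rolls the operator back from the version the bundled manifests were rendered for: the Deployment ships `opentelemetry-operator:0.95.0` under chart 0.49.1 / app 0.95.0 labels, and the `--collector-image=otel/opentelemetry-collector-contrib:0.95.0` argument and the ClusterRole stay at that level. Running an operator older than its RBAC, CRD dependency and default collector image is a skew upstream does not test and can leave newer CRD fields unreconciled. Set `tag: 0.95.0` in all four places and bump them together with the manifests on each chart refresh; a `digest` option next to `tag`, wired to the kustomize `images` block, would also let deployments pin an immutable image rather than a mutable tag.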


@@ -0,0 +1,20 @@
---
# Source: opentelemetry-operator/templates/pdb.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator
namespace: vynil-monitor
spec:
minAvailable: 1
selector:
matchLabels:
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/component: controller-manager
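Review bot: `minAvailable: 1` combined with the single replica this component defaults to (the Deployment ships `replicas: 1`, and the overlay's `var.replicas` default is also 1) makes the operator pod impossible to evict, so `kubectl drain` and rolling node upgrades stall on this namespace. Either have the overlay switch this to `maxUnavailable: 1` (or omit the PDB) when `var.replicas` is 1, or document the intent above `spec`: `# Only meaningful with replicas >= 2; with one replica this blocks node drains.`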


@@ -0,0 +1,20 @@
# Source: opentelemetry-operator/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: open-telemetry-opentelemetry-operator-manager
subjects:
- kind: ServiceAccount
name: opentelemetry-operator
namespace: vynil-monitor


@@ -0,0 +1,20 @@
# Source: opentelemetry-operator/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-proxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: open-telemetry-opentelemetry-operator-proxy
subjects:
- kind: ServiceAccount
name: opentelemetry-operator
namespace: vynil-monitor


@@ -0,0 +1,208 @@
# Source: opentelemetry-operator/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-manager
rules:
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- persistentvolumes
- pods
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.openshift.io
resources:
- infrastructures
- infrastructures/status
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- monitoring.coreos.com
resources:
- podmonitors
- servicemonitors
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- opentelemetry.io
resources:
- instrumentations
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- opentelemetry.io
resources:
- opampbridges
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- opentelemetry.io
resources:
- opampbridges/finalizers
verbs:
- update
- apiGroups:
- opentelemetry.io
resources:
- opampbridges/status
verbs:
- get
- patch
- update
- apiGroups:
- opentelemetry.io
resources:
- opentelemetrycollectors
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- opentelemetry.io
resources:
- opentelemetrycollectors/finalizers
verbs:
- get
- patch
- update
- apiGroups:
- opentelemetry.io
resources:
- opentelemetrycollectors/status
verbs:
- get
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
- routes/custom-host
verbs:
- create
- delete
- get
- list
- patch
- update
- watch


@@ -0,0 +1,17 @@
# Source: opentelemetry-operator/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-metrics
rules:
- nonResourceURLs:
- /metrics
verbs:
- get


@@ -0,0 +1,25 @@
# Source: opentelemetry-operator/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-proxy
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@@ -0,0 +1,21 @@
# Source: opentelemetry-operator/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-leader-election
namespace: vynil-monitor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: open-telemetry-opentelemetry-operator-leader-election
subjects:
- kind: ServiceAccount
name: opentelemetry-operator
namespace: vynil-monitor


@@ -0,0 +1,41 @@
# Source: opentelemetry-operator/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-leader-election
namespace: vynil-monitor
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@@ -0,0 +1,45 @@
# first loop through resources in ids_prio[0]
resource "kustomization_resource" "pre_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[0]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
}
# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.pre
# wait 2 minutes for any deployment or daemonset to become ready
resource "kustomization_resource" "main_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[1]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
wait = true
timeouts {
create = "5m"
update = "5m"
}
depends_on = [kustomization_resource.pre_no_ns]
}
# finally, loop through resources in ids_prio[2]
# and set an explicit depends_on on kustomization_resource.main
resource "kustomization_resource" "post_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[2]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
depends_on = [kustomization_resource.main_no_ns]
}
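Review bot: The comments above `main_no_ns` and `post_no_ns` are stale copies: they reference `kustomization_resource.pre` and `kustomization_resource.main` and say "wait 2 minutes", while the resources here are `pre_no_ns`/`main_no_ns` and the timeouts are `5m`. Misleading comments in a file that orders cluster-scoped RBAC and webhook objects are worth fixing; suggested replacements are `# then apply ids_prio[1] after pre_no_ns; wait up to 5 minutes for readiness` and `# finally apply ids_prio[2] after main_no_ns`. It would also help a reader to note at the top that this overlay only carries ClusterRole*/WebhookConfiguration files (per the `data_no_ns` resource filter), so `wait = true` mostly matters for the webhook objects.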


@@ -0,0 +1,13 @@
# Source: opentelemetry-operator/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: opentelemetry-operator
namespace: vynil-monitor
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager


@@ -0,0 +1,21 @@
# Source: opentelemetry-operator/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator-webhook
namespace: vynil-monitor
spec:
ports:
- port: 443
protocol: TCP
targetPort: webhook-server
selector:
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/component: controller-manager


@@ -0,0 +1,26 @@
# Source: opentelemetry-operator/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: opentelemetry-operator-0.49.1
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/version: "0.95.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: open-telemetry
app.kubernetes.io/component: controller-manager
name: open-telemetry-opentelemetry-operator
namespace: vynil-monitor
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
- name: metrics
port: 8080
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: opentelemetry-operator
app.kubernetes.io/component: controller-manager
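Review bot: The `metrics` entry in `spec.ports` exposes the manager's plain-HTTP 8080 endpoint (bound to `0.0.0.0:8080` by `--metrics-addr` in the Deployment) right next to the kube-rbac-proxy `https` port 8443, so the proxy's TokenReview/SubjectAccessReview gate is bypassable by any in-cluster client that scrapes `:8080` directly. The `open-telemetry-opentelemetry-operator-metrics` ClusterRole shipped in this commit only provides protection if 8443 is the sole path in. Remove the `metrics` port from this Service and change the manager argument to `--metrics-addr=127.0.0.1:8080`, which is the address the proxy's `--upstream=http://127.0.0.1:8080/` already targets; if the unauthenticated port must stay, add a NetworkPolicy limiting 8080 to the pod's own namespace.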


@@ -0,0 +1,41 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: prometheus-community-kube-admission
annotations:
certmanager.k8s.io/inject-ca-from: "vynil-monitor/prometheus-community-kube-admission"
cert-manager.io/inject-ca-from: "vynil-monitor/prometheus-community-kube-admission"
labels:
app: kube-prometheus-stack-admission
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator-webhook
webhooks:
- name: prometheusrulemutate.monitoring.coreos.com
failurePolicy: Fail
rules:
- apiGroups:
- monitoring.coreos.com
apiVersions:
- "*"
resources:
- prometheusrules
operations:
- CREATE
- UPDATE
clientConfig:
service:
namespace: vynil-monitor
name: prometheus-community-kube-operator
path: /admission-prometheusrules/mutate
timeoutSeconds: 10
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None


@@ -0,0 +1,41 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: prometheus-community-kube-admission
annotations:
certmanager.k8s.io/inject-ca-from: "vynil-monitor/prometheus-community-kube-admission"
cert-manager.io/inject-ca-from: "vynil-monitor/prometheus-community-kube-admission"
labels:
app: kube-prometheus-stack-admission
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator-webhook
webhooks:
- name: prometheusrulemutate.monitoring.coreos.com
failurePolicy: Fail
rules:
- apiGroups:
- monitoring.coreos.com
apiVersions:
- "*"
resources:
- prometheusrules
operations:
- CREATE
- UPDATE
clientConfig:
service:
namespace: vynil-monitor
name: prometheus-community-kube-operator
path: /admission-prometheusrules/validate
timeoutSeconds: 10
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None


@@ -0,0 +1,91 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus-community-kube-operator
namespace: vynil-monitor
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kube-prometheus-stack-operator
release: "prometheus-community"
template:
metadata:
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
spec:
containers:
- name: kube-prometheus-stack
image: "quay.io/prometheus-operator/prometheus-operator:v0.72.0"
imagePullPolicy: "IfNotPresent"
args:
- --kubelet-service=kube-system/prometheus-community-kube-kubelet
- --localhost=127.0.0.1
- --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.72.0
- --config-reloader-cpu-request=0
- --config-reloader-cpu-limit=0
- --config-reloader-memory-request=0
- --config-reloader-memory-limit=0
- --thanos-default-base-image=quay.io/thanos/thanos:v0.34.1
- --secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1
- --web.enable-tls=true
- --web.cert-file=/cert/tls.crt
- --web.key-file=/cert/tls.key
- --web.listen-address=:10250
- --web.tls-min-version=VersionTLS13
ports:
- containerPort: 10250
name: https
env:
- name: GOGC
value: "30"
resources:
{}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: tls-secret
mountPath: /cert
readOnly: true
volumes:
- name: tls-secret
secret:
defaultMode: 420
secretName: prometheus-community-kube-admission
securityContext:
fsGroup: 65534
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: prometheus-community-kube-operator
automountServiceAccountToken: true
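Review bot: `resources: {}` together with the four `--config-reloader-*=0` arguments leaves the operator and every config-reloader it injects without requests or limits, so a runaway reconcile or a large rule set can starve the node; the opentelemetry Deployment in this same commit does set limits, so this is also inconsistent within the release. The sidecar images are hard-coded as well — `--prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.72.0` and `--thanos-default-base-image=quay.io/thanos/thanos:v0.34.1` — while the overlay only makes the operator image overridable, so a private-registry or version override (the component's default is `v0.71.0`) yields an operator/reloader version skew and an unexpected pull from quay.io. Set concrete `resources.requests`/`limits` here and thread the reloader and thanos images through the same `images` option the operator uses.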


@@ -0,0 +1,15 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
# generate a server certificate for the apiservices to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: prometheus-community-kube-admission
namespace: vynil-monitor
spec:
secretName: prometheus-community-kube-admission
duration: "8760h0m0s"
issuerRef:
name: prometheus-community-kube-root-issuer
dnsNames:
- prometheus-community-kube-operator
- prometheus-community-kube-operator.vynil-monitor.svc


@@ -0,0 +1,14 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: prometheus-community-kube-root-cert
namespace: vynil-monitor
spec:
secretName: prometheus-community-kube-root-cert
duration: "43800h0m0s"
issuerRef:
name: prometheus-community-kube-self-signed-issuer
commonName: "ca.webhook.kube-prometheus-stack"
isCA: true


@@ -0,0 +1,10 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: prometheus-community-kube-root-issuer
namespace: vynil-monitor
spec:
ca:
secretName: prometheus-community-kube-root-cert


@@ -0,0 +1,10 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: prometheus-community-kube-self-signed-issuer
namespace: vynil-monitor
spec:
selfSigned: {}

monitor/prometheus/datas.tf Normal file

@@ -0,0 +1,199 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 && length(regexall("WebhookConfiguration",file))<1]
images {
name = "quay.io/prometheus-operator/prometheus-operator"
new_name = "${var.images.operator.registry}/${var.images.operator.repository}"
new_tag = "${var.images.operator.tag}"
}
patches {
target {
kind = "Deployment"
name = "prometheus-community-kube-operator"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.operator.pullPolicy}"
EOF
}
patches {
target {
kind = "ServiceMonitor"
name = "prometheus-community-kube-operator"
}
patch = <<-EOF
- op: replace
path: /spec/namespaceSelector/matchNames/0
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "Certificate"
name = "prometheus-community-kube-admission"
}
patch = <<-EOF
- op: replace
path: /spec/dnsNames/1
value: "prometheus-community-kube-operator.${var.namespace}.svc"
EOF
}
patches {
target {
kind = "PrometheusRule"
name = "prometheus-community-kube-prometheus-operator"
}
patch = <<-EOF
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: prometheus-community-kube-prometheus-operator
spec:
groups:
- name: prometheus-operator
rules:
- alert: PrometheusOperatorListErrors
annotations:
description: Errors while performing List operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorlisterrors
summary: Errors while performing list operations in controller.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_failed_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[10m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[10m]))) > 0.4
for: 15m
labels:
severity: warning
- alert: PrometheusOperatorWatchErrors
annotations:
description: Errors while performing watch operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorwatcherrors
summary: Errors while performing watch operations in controller.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_failed_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]))) > 0.4
for: 15m
labels:
severity: warning
- alert: PrometheusOperatorSyncFailed
annotations:
description: Controller {{ $labels.controller }} in {{ $labels.namespace }} namespace fails to reconcile {{ $value }} objects.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorsyncfailed
summary: Last controller reconciliation failed
expr: min_over_time(prometheus_operator_syncs{status="failed",job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]) > 0
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorReconcileErrors
annotations:
description: '{{ $value | humanizePercentage }} of reconciling operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.'
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorreconcileerrors
summary: Errors while reconciling objects.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_errors_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_operations_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]))) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorStatusUpdateErrors
annotations:
description: '{{ $value | humanizePercentage }} of status update operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.'
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorstatusupdateerrors
summary: Errors while updating objects status.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_errors_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_operations_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]))) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorNodeLookupErrors
annotations:
description: Errors while reconciling Prometheus in {{ $labels.namespace }} Namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornodelookuperrors
summary: Errors while reconciling Prometheus.
expr: rate(prometheus_operator_node_address_lookup_errors_total{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorNotReady
annotations:
description: Prometheus operator in {{ $labels.namespace }} namespace isn't ready to reconcile {{ $labels.controller }} resources.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornotready
summary: Prometheus operator not ready
expr: min by (cluster,controller,namespace) (max_over_time(prometheus_operator_ready{job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]) == 0)
for: 5m
labels:
severity: warning
- alert: PrometheusOperatorRejectedResources
annotations:
description: Prometheus operator in {{ $labels.namespace }} namespace rejected {{ printf "%0.0f" $value }} {{ $labels.controller }}/{{ $labels.resource }} resources.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorrejectedresources
summary: Resources rejected by Prometheus operator
expr: min_over_time(prometheus_operator_managed_resources{state="rejected",job="prometheus-community-kube-operator",namespace="${var.namespace}"}[5m]) > 0
for: 5m
labels:
severity: warning
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && (length(regexall("ClusterRole",file))>0 || length(regexall("WebhookConfiguration",file))>0)]
patches {
target {
kind = "ClusterRoleBinding"
name = "prometheus-community-kube-operator"
}
patch = local.rb-patch
}
patches {
target {
kind = "MutatingWebhookConfiguration"
name = "prometheus-community-kube-admission"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/prometheus-community-kube-admission"
- op: replace
path: /metadata/annotations/cert-manager.io~1inject-ca-from
value: "${var.namespace}/prometheus-community-kube-admission"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "prometheus-community-kube-admission"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
- op: replace
path: /metadata/annotations/certmanager.k8s.io~1inject-ca-from
value: "${var.namespace}/prometheus-community-kube-admission"
- op: replace
path: /metadata/annotations/cert-manager.io~1inject-ca-from
value: "${var.namespace}/prometheus-community-kube-admission"
EOF
}
}
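Review bot: The `PrometheusRule` patch re-embeds the chart's entire `prometheus-operator` alert group just to substitute `namespace="${var.namespace}"` into eight `expr` strings, and because a strategic-merge patch on a CRD replaces the whole `groups` list, every future bump of the bundled rule file has to be mirrored here by hand or the two copies silently drift. A less brittle option is to leave the `namespace=` matcher out of the bundled file and inject it with a kustomize `replacements` entry or a `replace()` over the file contents, keeping one source of truth. If the duplication is kept, add above the patch: `# Full copy of the bundled PrometheusRule (chart 57.0.3); only the namespace= matchers differ. Update both on every chart refresh.`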


@@ -0,0 +1,58 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: monitor
metadata:
name: prometheus
description: Prometheus operator
options:
images:
default:
operator:
pullPolicy: IfNotPresent
registry: quay.io
repository: prometheus-operator/prometheus-operator
tag: v0.71.0
examples:
- operator:
pullPolicy: IfNotPresent
registry: quay.io
repository: prometheus-operator/prometheus-operator
tag: v0.71.0
properties:
operator:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: prometheus-operator/prometheus-operator
tag: v0.71.0
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: prometheus-operator/prometheus-operator
type: string
tag:
default: v0.71.0
type: string
type: object
type: object
dependencies: []
providers:
kubernetes: true
authentik: null
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null
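Review bot: The operator image coordinates (`quay.io`, `prometheus-operator/prometheus-operator`, `v0.71.0`, `IfNotPresent`) are written out four times in this file — under `images.default`, `examples`, `properties.operator.default` and again as the per-field `default` values — so a version bump that misses one copy leaves the schema default, the example and the effective default disagreeing without any error. If the consumer only reads one of these copies, I would keep that one authoritative and, until a generator derives the others, put a comment above `images:` such as `# keep all four copies of the operator image coordinates in sync`. The schema also exposes only a mutable `tag` and no digest field; with `pullPolicy: IfNotPresent` a node that already cached `v0.71.0` keeps running that layer even if the tag is later re-pushed, so an optional `digest` string property would let a deployment pin the exact image it verified.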


@@ -0,0 +1,92 @@
# Source: kube-prometheus-stack/templates/prometheus/rules-1.14/prometheus-operator.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: prometheus-community-kube-prometheus-operator
namespace: vynil-monitor
labels:
app: kube-prometheus-stack
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
spec:
groups:
- name: prometheus-operator
rules:
- alert: PrometheusOperatorListErrors
annotations:
description: Errors while performing List operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorlisterrors
summary: Errors while performing list operations in controller.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_failed_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[10m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[10m]))) > 0.4
for: 15m
labels:
severity: warning
- alert: PrometheusOperatorWatchErrors
annotations:
description: Errors while performing watch operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorwatcherrors
summary: Errors while performing watch operations in controller.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_failed_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]))) > 0.4
for: 15m
labels:
severity: warning
- alert: PrometheusOperatorSyncFailed
annotations:
description: Controller {{ $labels.controller }} in {{ $labels.namespace }} namespace fails to reconcile {{ $value }} objects.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorsyncfailed
summary: Last controller reconciliation failed
expr: min_over_time(prometheus_operator_syncs{status="failed",job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]) > 0
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorReconcileErrors
annotations:
description: '{{ $value | humanizePercentage }} of reconciling operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.'
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorreconcileerrors
summary: Errors while reconciling objects.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_errors_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_operations_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]))) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorStatusUpdateErrors
annotations:
description: '{{ $value | humanizePercentage }} of status update operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.'
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorstatusupdateerrors
summary: Errors while updating objects status.
expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_errors_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_operations_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]))) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorNodeLookupErrors
annotations:
description: Errors while reconciling Prometheus in {{ $labels.namespace }} Namespace.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornodelookuperrors
summary: Errors while reconciling Prometheus.
expr: rate(prometheus_operator_node_address_lookup_errors_total{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]) > 0.1
for: 10m
labels:
severity: warning
- alert: PrometheusOperatorNotReady
annotations:
description: Prometheus operator in {{ $labels.namespace }} namespace isn't ready to reconcile {{ $labels.controller }} resources.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornotready
summary: Prometheus operator not ready
expr: min by (cluster,controller,namespace) (max_over_time(prometheus_operator_ready{job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]) == 0)
for: 5m
labels:
severity: warning
- alert: PrometheusOperatorRejectedResources
annotations:
description: Prometheus operator in {{ $labels.namespace }} namespace rejected {{ printf "%0.0f" $value }} {{ $labels.controller }}/{{ $labels.resource }} resources.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorrejectedresources
summary: Resources rejected by Prometheus operator
expr: min_over_time(prometheus_operator_managed_resources{state="rejected",job="prometheus-community-kube-operator",namespace="vynil-monitor"}[5m]) > 0
for: 5m
labels:
severity: warning
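Review bot: The namespace is hard-coded as `vynil-monitor` inside every `expr` label matcher (for example `namespace="vynil-monitor"` on PrometheusOperatorListErrors) as well as in `metadata.namespace`; a kustomize namespace transformer rewrites only the latter, so deploying this component into any other namespace leaves these alerts silently matching no series. The Terraform heredoc earlier on this page already carries the same rule group with `namespace="${var.namespace}"`, which suggests this rendered file is either no longer applied or a second copy that can drift from it; if it is still applied, its matchers should be templated the same way, or rely on the `job="prometheus-community-kube-operator"` selector alone. The same hard-coded namespace appears in the ServiceMonitor's `namespaceSelector.matchNames` further down this page, which the transformer also leaves untouched.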


@@ -0,0 +1,38 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: prometheus-community-kube-operator
namespace: vynil-monitor
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
spec:
endpoints:
- port: https
scheme: https
tlsConfig:
serverName: prometheus-community-kube-operator
ca:
secret:
name: prometheus-community-kube-admission
key: ca.crt
optional: false
honorLabels: true
selector:
matchLabels:
app: kube-prometheus-stack-operator
release: "prometheus-community"
namespaceSelector:
matchNames:
- "vynil-monitor"


@@ -0,0 +1,25 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-community-kube-operator
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-community-kube-operator
subjects:
- kind: ServiceAccount
name: prometheus-community-kube-operator
namespace: vynil-monitor


@@ -0,0 +1,108 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus-community-kube-operator
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
rules:
- apiGroups:
- monitoring.coreos.com
resources:
- alertmanagers
- alertmanagers/finalizers
- alertmanagers/status
- alertmanagerconfigs
- prometheuses
- prometheuses/finalizers
- prometheuses/status
- prometheusagents
- prometheusagents/finalizers
- prometheusagents/status
- thanosrulers
- thanosrulers/finalizers
- thanosrulers/status
- scrapeconfigs
- servicemonitors
- podmonitors
- probes
- prometheusrules
verbs:
- '*'
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- delete
- apiGroups:
- ""
resources:
- services
- services/finalizers
- endpoints
verbs:
- get
- create
- update
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- patch
- create
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
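Review bot: The rule granting `'*'` on `configmaps` and `secrets` in the core API group is cluster-scoped, so a compromise of the operator pod (whose ServiceAccount is bound to this ClusterRole by the binding earlier on this page) yields read and write access to every Secret in the cluster, not only those in the monitoring namespace. This is the upstream chart's default, and the operator does need to create and read TLS and scrape-config secrets, but if the operator is meant to manage only this component's namespace the secret and configmap verbs can be moved into a namespaced Role, leaving the ClusterRole with the CRD, node, namespace and storageclass rules. At minimum a comment above that rule stating why cluster-wide secret access is required would help the next reviewer, e.g. `# operator reads and creates scrape-config and TLS secrets in every namespace it watches`.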


@@ -0,0 +1,45 @@
# first loop through resources in ids_prio[0]
resource "kustomization_resource" "pre_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[0]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
}
# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.pre
# wait 2 minutes for any deployment or daemonset to become ready
resource "kustomization_resource" "main_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[1]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
wait = true
timeouts {
create = "5m"
update = "5m"
}
depends_on = [kustomization_resource.pre_no_ns]
}
# finally, loop through resources in ids_prio[2]
# and set an explicit depends_on on kustomization_resource.main
resource "kustomization_resource" "post_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[2]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
depends_on = [kustomization_resource.main_no_ns]
}
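Review bot: The comments no longer match the code: `# wait 2 minutes for any deployment or daemonset to become ready` sits above `timeouts` set to `"5m"`, and the `depends_on` comments name `kustomization_resource.pre` and `kustomization_resource.main` while the resources here are `pre_no_ns` and `main_no_ns`. I would change them to `# wait up to 5 minutes for any deployment or daemonset to become ready` and `# and set an explicit depends_on on kustomization_resource.pre_no_ns` (likewise `main_no_ns` for the third resource). The `regex("(?P<group_kind>.*/.*)/.*/.*", each.value)` expression is also copied three times and its three greedy `.*` make the split depend on the exact number of `/` separators in the id; judging by the `"_/Secret"` comparison the ids look like `group/kind/namespace/name`, and a one-line comment stating that expected shape would make the `sensitive()` wrapping for Secrets easier to audit.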


@@ -0,0 +1,20 @@
---
# Source: kube-prometheus-stack/templates/prometheus-operator/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus-community-kube-operator
namespace: vynil-monitor
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
automountServiceAccountToken: true


@@ -0,0 +1,27 @@
# Source: kube-prometheus-stack/templates/prometheus-operator/service.yaml
apiVersion: v1
kind: Service
metadata:
name: prometheus-community-kube-operator
namespace: vynil-monitor
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: prometheus-community
app.kubernetes.io/version: "57.0.3"
app.kubernetes.io/part-of: kube-prometheus-stack
chart: kube-prometheus-stack-57.0.3
release: "prometheus-community"
heritage: "Helm"
app: kube-prometheus-stack-operator
app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
app.kubernetes.io/component: prometheus-operator
spec:
ports:
- name: https
port: 443
targetPort: https
selector:
app: kube-prometheus-stack-operator
release: "prometheus-community"
type: "ClusterIP"