Add blackboxexporter, grafana, pushgateway and thanos

charts/user-monitoring/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/user-monitoring/templates/user-am.yaml

@@ -0,0 +1,7 @@
+apiVersion: monitoring.coreos.com/v1
+kind: Alertmanager
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ .Values.user }}-am
+  name: {{ .Values.user }}-am
+spec: {}

charts/user-monitoring/templates/user-basic-auth-secret.yaml

@@ -4,4 +4,6 @@ data:
   {{ .Values.user }}: JDEkSzNRZUlsOHAkZVZZb1h2RERNWk40b3RJT2tBc3AwLw== # $(openssl passwd -1 admin)
 kind: Secret
 metadata:
+  labels:
+    app.kubernetes.io/name: basic-auth
   name: basic-auth

charts/user-monitoring/templates/user-blackboxexporter-cm.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blackbox-exporter-config
+  labels:
+    app.kubernetes.io/name: blackbox-exporter
+data:
+  config.yml: |
+    modules:
+      http_2xx:
+        prober: http
+        timeout: 10s
+        http:
+          preferred_ip_protocol: "ip4"
+          tls_config:
+            insecure_skip_verify: true
+      http_3xx:
+        prober: http
+        timeout: 10s
+        http:
+          preferred_ip_protocol: "ip4"
+          follow_redirects: false
+          tls_config:
+            insecure_skip_verify: true
+          valid_status_codes: [300, 301, 302, 303, 304, 305, 306, 307, 308]
+      http_4xx:
+        prober: http
+        timeout: 10s
+        http:
+          preferred_ip_protocol: "ip4"
+          follow_redirects: false
+          tls_config:
+            insecure_skip_verify: true
+          valid_status_codes: [400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 421, 422, 423, 424, 425, 426, 428, 429, 431, 451, 418, 420, 444, 449, 499]
+      tcp_connect:
+        prober: tcp

charts/user-monitoring/templates/user-blackboxexporter-deploy.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: blackbox-exporter
+  name: blackbox-exporter
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: blackbox-exporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: blackbox-exporter
+    spec:
+      containers:
+        - name: blackbox-exporter
+          image: quay.io/prometheus/blackbox-exporter:v0.24.0
+          args:
+            - --config.file=/etc/blackbox_exporter/config.yml
+          ports:
+            - containerPort: 9115
+              name: http
+          volumeMounts:
+            - mountPath: /etc/blackbox_exporter/
+              name: blackbox-config
+          resources: {}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+      volumes:
+        - name: blackbox-config
+          configMap:
+            defaultMode: 420
+            name: blackbox-exporter-config

charts/user-monitoring/templates/user-grafana-cm.yaml

@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: grafana-dashboardproviders
+  labels:
+    app.kubernetes.io/name: grafana
+data:
+  dashboardproviders.yaml: |
+    apiVersion: 1
+    providers:
+    - disableDeletion: false
+      editable: false
+      name: general
+      options:
+        path: /var/lib/grafana/dashboards/general
+      orgId: 1
+      type: file

charts/user-monitoring/templates/user-grafana-datasource-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: grafana-datasources
+  labels:
+    app.kubernetes.io/name: grafana
+    datasource: "true"
+stringData:
+  dashboardproviders.yaml: |
+    apiVersion: 1
+    datasources:
+      - name: thanos-querier
+        access: proxy
+        editable: false
+        type: prometheus
+        url: http://thanos-query.{{ .Values.user }}-monitoring.svc.cluster.local:10902
+        version: 1

charts/user-monitoring/templates/user-grafana-deploy.yaml

@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+  name: grafana
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: grafana
+    spec:
+      serviceAccount: grafana
+      serviceAccountName: grafana
+      initContainers:
+        - name: grafana-sc-datasources
+          env:
+          - name: METHOD
+            value: LIST
+          - name: LABEL
+            value: datasource
+          - name: LABEL_VALUE
+            value: "true"
+          - name: FOLDER
+            value: /etc/grafana/provisioning/datasources
+          - name: RESOURCE
+            value: secret
+          image: quay.io/kiwigrid/k8s-sidecar:1.25.0
+          resources:
+            limits:
+              cpu: 200m
+              memory: 128Mi
+            requests:
+              cpu: 50m
+              memory: 32Mi
+          volumeMounts:
+          - mountPath: /etc/grafana/provisioning/datasources
+            name: datasource-volume
+      containers:
+        - name: grafana-sc-dashboard
+          env:
+            - name: LABEL
+              value: dashboard
+            - name: LABEL_VALUE
+              value: "true"
+            - name: FOLDER
+              value: /var/lib/grafana/dashboards/general
+            - name: RESOURCE
+              value: configmap
+          image: quay.io/kiwigrid/k8s-sidecar:1.25.0
+          resources:
+            limits:
+              cpu: 1
+              memory: 128Mi
+            requests:
+              cpu: 50m
+              memory: 32Mi
+          volumeMounts:
+            - mountPath: /var/lib/grafana/dashboards/general
+              name: dashboard-volume
+        - name: grafana
+          env:
+            - name: GF_ANALYTICS_REPORTING_ENABLED
+              value: "false"
+            - name: TZ
+              value: "Europe/Zurich"
+          image: grafana/grafana:10.0.3
+          livenessProbe:
+            failureThreshold: 10
+            httpGet:
+              path: /api/health
+              port: 3000
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 30
+          ports:
+            - containerPort: 3000
+              name: grafana-http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /api/health
+              port: 3000
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/grafana/provisioning/dashboards/
+              name: grafana-dashboardproviders
+            - mountPath: /var/lib/grafana/data
+              name: grafana-volume
+            - mountPath: /var/lib/grafana/dashboards/general
+              name: dashboard-volume
+            - mountPath: /etc/grafana/provisioning/datasources/
+              name: datasource-volume
+      volumes:
+        - name: grafana-dashboardproviders
+          configMap:
+            defaultMode: 420
+            name: grafana-dashboardproviders
+        - emptyDir: {}
+          name: grafana-volume
+        - emptyDir: {}
+          name: dashboard-volume
+        - emptyDir: {}
+          name: datasource-volume

charts/user-monitoring/templates/user-grafana-ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    haproxy.org/auth-secret: basic-auth
+    haproxy.org/auth-type: basic-auth
+    haproxy.org/auth-realm: Authentication Required
+  name: grafana
+spec:
+  ingressClassName: haproxy
+  rules:
+  - host: {{ .Values.user }}-grafana.training.cluster.acend.ch
+    http:
+      paths:
+      - backend:
+          service:
+            name: grafana
+            port:
+              number: 3000
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+  - hosts:
+    - {{ .Values.user }}-grafana.training.cluster.acend.ch
+    secretName: acend-wildcard

charts/user-monitoring/templates/user-grafana-rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+  name: grafana
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-prometheus-stack-grafana-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: grafana

charts/user-monitoring/templates/user-grafana-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+  name: grafana

charts/user-monitoring/templates/user-grafana-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+spec:
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app.kubernetes.io/name: grafana
+  type: ClusterIP

charts/user-monitoring/templates/user-prom-ingress.yaml

@@ -5,6 +5,8 @@ metadata:
     haproxy.org/auth-secret: basic-auth
     haproxy.org/auth-type: basic-auth
     haproxy.org/auth-realm: Authentication Required
+  labels:
+    app.kubernetes.io/name: {{ .Values.user }}-prometheus
   name: {{ .Values.user }}-prometheus
 spec:
   ingressClassName: haproxy

charts/user-monitoring/templates/user-prom-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  labels:
+    app.kubernetes.io/name: {{ .Values.user }}-prometheus
   name: prometheus-{{ .Values.user }}
 rules:
 - apiGroups: [""]

charts/user-monitoring/templates/user-prom-rolebinding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
   name: prometheus
 roleRef:
   apiGroup: rbac.authorization.k8s.io

charts/user-monitoring/templates/user-prom-sa.yaml

@@ -1,5 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  labels:
+    app.kubernetes.io/name: prometheus-{{ .Values.user }}
   name: prometheus-{{ .Values.user }}
 

charts/user-monitoring/templates/user-prometheus.yaml

@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: Prometheus
 metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
   name: prometheus
 spec:
   scrapeInterval: 10s

charts/user-monitoring/templates/user-pushgateway-deploy.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: pushgateway
+  name: pushgateway
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: pushgateway
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: pushgateway
+    spec:
+      containers:
+        - name: pushgateway
+          image: quay.io/prometheus/pushgateway:v1.6.0
+          ports:
+            - containerPort: 9091
+              name: web
+          resources: {}
+          livenessProbe:
+            httpGet:
+              path: /-/healthy
+              port: web
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: web

charts/user-monitoring/templates/user-pushgateway-servicemonitor.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: pushgateway
+  name: pushgateway
+spec:
+  endpoints:
+    - interval: 30s
+      port: web
+      honorLabels: true
+  namespaceSelector: {}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: pushgateway

charts/user-monitoring/templates/user-pushgateway-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pushgateway
+  labels:
+    app.kubernetes.io/name: pushgateway
+spec:
+  ports:
+    - name: http
+      port: 9091
+      protocol: TCP
+      targetPort: 9091
+  selector:
+    app.kubernetes.io/name: pushgateway
+  type: ClusterIP

charts/user-monitoring/templates/user-thanos-query-deploy.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: thanos-query
+  name: thanos-query
+  namespace: {{ .Values.user }}-monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: thanos-query
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: thanos-query
+    spec:
+      containers:
+      - args:
+        - query
+        - --log.level=debug
+        - --query.replica-label=prometheus_replica
+        - --query.replica-label=thanos_ruler_replica
+        - --endpoint=prometheus-operated.{{ .Values.user }}-monitoring.svc.cluster.local:10901
+        - --endpoint=thanos-ruler-operated.{{ .Values.user }}-monitoring.svc.cluster.local:10901
+        - --endpoint=prometheus-operated.monitoring.svc.cluster.local:10901
+        - --store.unhealthy-timeout=3d
+        image: quay.io/thanos/thanos:v0.25.1
+        name: thanos-query
+        ports:
+        - containerPort: 10902
+          name: http
+        - containerPort: 10901
+          name: grpc

charts/user-monitoring/templates/user-thanos-query-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    haproxy.org/auth-secret: basic-auth
+    haproxy.org/auth-type: basic-auth
+    haproxy.org/auth-realm: Authentication Required
+  labels:
+    app.kubernetes.io/name: {{ .Values.user }}-thanos
+  name: {{ .Values.user }}-thanos
+spec:
+  ingressClassName: haproxy
+  rules:
+  - host: {{ .Values.user }}-thanos-query.training.cluster.acend.ch
+    http:
+      paths:
+      - backend:
+          service:
+            name: thanos-query
+            port:
+              number: 10902
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+  - hosts:
+    - {{ .Values.user }}-thanos-query.training.cluster.acend.ch
+    secretName: acend-wildcard

charts/user-monitoring/templates/user-thanos-query-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: thanos-query
+  labels:
+    app.kubernetes.io/name: thanos-query
+spec:
+  ports:
+  - name: http
+    port: 10902
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: thanos-query
+  type: ClusterIP

charts/user-monitoring/templates/user-thanosruler-ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    haproxy.org/auth-secret: basic-auth
+    haproxy.org/auth-type: basic-auth
+    haproxy.org/auth-realm: Authentication Required
+  name: user1-thanos-ruler
+spec:
+  ingressClassName: haproxy
+  rules:
+  - host: user1-thanos-ruler.training.cluster.acend.ch
+    http:
+      paths:
+      - backend:
+          service:
+            name: thanos-ruler-operated
+            port:
+              number: 10902
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+  - hosts:
+    - user1-thanos-ruler.training.cluster.acend.ch
+    secretName: acend-wildcard

charts/user-monitoring/templates/user-thanosruler.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ThanosRuler
+metadata:
+  labels:
+    app.kubernetes.io/name: thanos-ruler
+  name: thanos-ruler
+spec:
+  alertQueryUrl: {{ .Values.user }}-thanos-query.training.cluster.acend.ch
+  evaluationInterval: 10s
+  queryEndpoints:
+  - thanos-query.{{ .Values.user }}-monitoring.svc.cluster.local:10902
+  ruleSelector: {}
+  ruleNamespaceSelector:
+    matchLabels:
+      user: {{ .Values.user }}