jsonnet: expose prometheus-operator metrics over secure channel

2025-08-26 17:01:50 +02:00 · 2020-03-18 13:39:02 +01:00 · 2020-03-18 13:39:02 +01:00 · 6f37ddbcf9
commit 6f37ddbcf9
parent 4541b9e10c
1 changed files with 56 additions and 1 deletions
--- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
@ -50,7 +50,62 @@ local configMapList = k3.core.v1.configMapList;
        preserveUnknownFields: null,
      }),
    },
+    service+: {
+      spec+: {
+        ports: [
+          {
+            name: 'https',
+            port: 8443,
+            targetPort: 'https',
          },
+        ],
+      },
+    },
+    serviceMonitor+: {
+      spec+: {
+        endpoints: [
+          {
+            port: 'https',
+            scheme: 'https',
+            honorLabels: true,
+            bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+            tlsConfig: {
+              insecureSkipVerify: true,
+            },
+          },
+        ]
+      },
+    },
+    clusterRole+: {
+      rules+: [
+        {
+          apiGroups: ['authentication.k8s.io'],
+          resources: ['tokenreviews'],
+          verbs: ['create'],
+        },
+        {
+          apiGroups: ['authorization.k8s.io'],
+          resources: ['subjectaccessreviews'],
+          verbs: ['create'],
+        },
+      ],
+    },
+  } +
+  ((import 'kube-prometheus/kube-rbac-proxy/container.libsonnet') {
+    config+:: {
+      kubeRbacProxy: {
+        local cfg = self,
+        image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+        name: 'kube-rbac-proxy',
+        securePortName: 'https',
+        securePort: 8443,
+        secureListenAddress: ':%d' % self.securePort,
+        upstream: 'http://127.0.0.1:8080/',
+        tlsCipherSuites: $._config.tlsCipherSuites,
+      },
+    },
+  }).deploymentMixin,
+
  grafana+:: {
    dashboardDefinitions: configMapList.new(super.dashboardDefinitions),
    serviceMonitor: {