put blackbox-exporter behind kube-rbac-proxy

2025-10-27 06:01:04 +01:00 · 2020-12-26 11:21:04 +01:00 · 2020-12-26 11:21:04 +01:00 · eda90b6833
commit eda90b6833
parent 97aaa1f534
3 changed files with 43 additions and 7 deletions
--- a/docs/blackbox-exporter.md
+++ b/docs/blackbox-exporter.md
@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de
 * `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with.
 * `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
 * `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
-* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`.
+* `_config.blackboxExporter.port`: the exposed HTTPS port of the exporter. This is where Prometheus should send the probe requests. Defaults to `9115`.
+* `_config.blackboxExporter.internalPort`: the internal plaintext port of the exporter. Not accessible from outside the pod. Defaults to `19115`.
 * `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`.
 * `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }`
 * `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter.
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@ -1,3 +1,5 @@
+local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
+
 {
  _config+:: {
    namespace: 'default',
@ -21,6 +23,7 @@

    blackboxExporter: {
      port: 9115,
+      internalPort: 19115,
      replicas: 1,
      matchLabels: {
        'app.kubernetes.io/name': 'blackbox-exporter',
@ -121,9 +124,13 @@
                {
                  name: 'blackbox-exporter',
                  image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter,
+                  args: [
+                    '--config.file=/etc/blackbox_exporter/config.yml',
+                    '--web.listen-address=:%d' % bb.internalPort,
+                  ],
                  ports: [{
                    name: 'http',
-                    containerPort: bb.port,
+                    containerPort: bb.internalPort,
                  }],
                  resources: {
                    requests: $._config.resources['blackbox-exporter'].requests,
@ -146,7 +153,7 @@
                  name: 'module-configmap-reloader',
                  image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
                  args: [
-                    '--webhook-url=http://localhost:' + bb.port + '/-/reload',
+                    '--webhook-url=http://localhost:%d/-/reload' % bb.internalPort,
                    '--volume-dir=/etc/blackbox_exporter/',
                  ],
                  resources: {
@ -208,5 +215,18 @@
            },
          },
        },
-    },
+    } +
+    (kubeRbacProxyContainer {
+       config+:: {
+         kubeRbacProxy: {
+           image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+           name: 'kube-rbac-proxy',
+           securePortName: 'https',
+           securePort: bb.port,
+           secureListenAddress: ':%d' % self.securePort,
+           upstream: 'http://127.0.0.1:%d/' % bb.internalPort,
+           tlsCipherSuites: $._config.tlsCipherSuites,
+         },
+       },
+     }).deploymentMixin,
 }
--- a/manifests/blackbox-exporter-deployment.yaml
+++ b/manifests/blackbox-exporter-deployment.yaml
@ -18,10 +18,13 @@ spec:
        app.kubernetes.io/version: v0.18.0
    spec:
      containers:
-      - image: quay.io/prometheus/blackbox-exporter:v0.18.0
+      - args:
+        - --config.file=/etc/blackbox_exporter/config.yml
+        - --web.listen-address=:19115
+        image: quay.io/prometheus/blackbox-exporter:v0.18.0
        name: blackbox-exporter
        ports:
-        - containerPort: 9115
+        - containerPort: 19115
          name: http
        resources:
          limits:
@ -38,7 +41,7 @@ spec:
          name: config
          readOnly: true
      - args:
-        - --webhook-url=http://localhost:9115/-/reload
+        - --webhook-url=http://localhost:19115/-/reload
        - --volume-dir=/etc/blackbox_exporter/
        image: jimmidyson/configmap-reload:v0.4.0
        name: module-configmap-reloader
@ -58,6 +61,18 @@ spec:
        - mountPath: /etc/blackbox_exporter/
          name: config
          readOnly: true
+      - args:
+        - --logtostderr
+        - --secure-listen-address=:9115
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:19115/
+        image: quay.io/brancz/kube-rbac-proxy:v0.8.0
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 9115
+          name: https
+        securityContext:
+          runAsUser: 65534
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: blackbox-exporter