put blackbox-exporter behind kube-rbac-proxy

docs/blackbox-exporter.md

@@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de
 * `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with.
 * `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
 * `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
-* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`.
+* `_config.blackboxExporter.port`: the exposed HTTPS port of the exporter. This is where Prometheus should send the probe requests. Defaults to `9115`.
+* `_config.blackboxExporter.internalPort`: the internal plaintext port of the exporter. Not accessible from outside the pod. Defaults to `19115`.
 * `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`.
 * `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }`
 * `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter.

jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet

@@ -1,3 +1,5 @@
+local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
+
 {
   _config+:: {
     namespace: 'default',
@@ -21,6 +23,7 @@
 
     blackboxExporter: {
       port: 9115,
+      internalPort: 19115,
       replicas: 1,
       matchLabels: {
         'app.kubernetes.io/name': 'blackbox-exporter',
@@ -121,9 +124,13 @@
                 {
                   name: 'blackbox-exporter',
                   image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter,
+                  args: [
+                    '--config.file=/etc/blackbox_exporter/config.yml',
+                    '--web.listen-address=:%d' % bb.internalPort,
+                  ],
                   ports: [{
                     name: 'http',
-                    containerPort: bb.port,
+                    containerPort: bb.internalPort,
                   }],
                   resources: {
                     requests: $._config.resources['blackbox-exporter'].requests,
@@ -146,7 +153,7 @@
                   name: 'module-configmap-reloader',
                   image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
                   args: [
-                    '--webhook-url=http://localhost:' + bb.port + '/-/reload',
+                    '--webhook-url=http://localhost:%d/-/reload' % bb.internalPort,
                     '--volume-dir=/etc/blackbox_exporter/',
                   ],
                   resources: {
@@ -208,5 +215,18 @@
             },
           },
         },
+    } +
+    (kubeRbacProxyContainer {
+       config+:: {
+         kubeRbacProxy: {
+           image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+           name: 'kube-rbac-proxy',
+           securePortName: 'https',
+           securePort: bb.port,
+           secureListenAddress: ':%d' % self.securePort,
+           upstream: 'http://127.0.0.1:%d/' % bb.internalPort,
+           tlsCipherSuites: $._config.tlsCipherSuites,
          },
+       },
+     }).deploymentMixin,
 }

manifests/blackbox-exporter-deployment.yaml

@@ -18,10 +18,13 @@ spec:
         app.kubernetes.io/version: v0.18.0
     spec:
       containers:
-      - image: quay.io/prometheus/blackbox-exporter:v0.18.0
+      - args:
+        - --config.file=/etc/blackbox_exporter/config.yml
+        - --web.listen-address=:19115
+        image: quay.io/prometheus/blackbox-exporter:v0.18.0
         name: blackbox-exporter
         ports:
-        - containerPort: 9115
+        - containerPort: 19115
           name: http
         resources:
           limits:
@@ -38,7 +41,7 @@ spec:
           name: config
           readOnly: true
       - args:
-        - --webhook-url=http://localhost:9115/-/reload
+        - --webhook-url=http://localhost:19115/-/reload
         - --volume-dir=/etc/blackbox_exporter/
         image: jimmidyson/configmap-reload:v0.4.0
         name: module-configmap-reloader
@@ -58,6 +61,18 @@ spec:
         - mountPath: /etc/blackbox_exporter/
           name: config
           readOnly: true
+      - args:
+        - --logtostderr
+        - --secure-listen-address=:9115
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:19115/
+        image: quay.io/brancz/kube-rbac-proxy:v0.8.0
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 9115
+          name: https
+        securityContext:
+          runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: blackbox-exporter