From d91bc52594c330b543f82bfe8d2f1ea3d9d4db33 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Thu, 6 Feb 2025 12:11:01 +0100
Subject: [PATCH 1/2] Introduce cozy-proxy (#615)
Signed-off-by: Andrei Kvapil
## Summary by CodeRabbit
- **New Features**
- Added a new proxy component to enhance deployment orchestration and dependency management.
- Introduced dynamic update capabilities for fetching and deploying the latest assets.
- Enabled configurable settings for container images, networking, and access control.
- Incorporated streamlined resource naming and labeling for improved management.
Signed-off-by: Andrei Kvapil
---
 .../core/platform/bundles/distro-full.yaml | 7 +++++
 packages/core/platform/bundles/paas-full.yaml | 6 +++++
 packages/system/cozy-proxy/Chart.yaml | 3 +++
 packages/system/cozy-proxy/Makefile | 11 ++++++++
 .../cozy-proxy/charts/cozy-proxy/Chart.yaml | 6 +++++
 .../charts/cozy-proxy/templates/_helpers.tpl | 24 +++++++++++++++++
 .../cozy-proxy/templates/daemonset.yaml | 27 +++++++++++++++++++
 .../charts/cozy-proxy/templates/role.yaml | 12 +++++++++
 .../cozy-proxy/templates/rolebinding.yaml | 16 +++++++++++
 .../cozy-proxy/templates/serviceaccount.yaml | 8 ++++++
 .../cozy-proxy/charts/cozy-proxy/values.yaml | 12 +++++++++
 packages/system/cozy-proxy/values.yaml | 2 ++
 12 files changed, 134 insertions(+)
 create mode 100644 packages/system/cozy-proxy/Chart.yaml
 create mode 100644 packages/system/cozy-proxy/Makefile
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml
 create mode 100644 packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
 create mode 100644 packages/system/cozy-proxy/values.yaml
diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml
index 19ad78ec..e0b5d635 100644
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -31,6 +31,13 @@ releases:
 autoDirectNodeRoutes: true
 routingMode: native
+- name: cozy-proxy
+ releaseName: cozystack
+ chart: cozy-cozy-proxy
+ namespace: cozy-system
+ optional: true
+ dependsOn: [cilium]
+
 - name: cert-manager-crds
 releaseName: cert-manager-crds
 chart: cozy-cert-manager-crds
diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml
index 328d0bbb..30733b4a 100644
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -50,6 +50,12 @@ releases:
 SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
 JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
+- name: cozy-proxy
+ releaseName: cozystack
+ chart: cozy-cozy-proxy
+ namespace: cozy-system
+ dependsOn: [cilium,kubeovn]
+
 - name: cert-manager-crds
 releaseName: cert-manager-crds
 chart: cozy-cert-manager-crds
diff --git a/packages/system/cozy-proxy/Chart.yaml b/packages/system/cozy-proxy/Chart.yaml
new file mode 100644
index 00000000..5dd1730b
--- /dev/null
+++ b/packages/system/cozy-proxy/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-cozystack-api
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
diff --git a/packages/system/cozy-proxy/Makefile b/packages/system/cozy-proxy/Makefile
new file mode 100644
index 00000000..0b679c2a
--- /dev/null
+++ b/packages/system/cozy-proxy/Makefile
@@ -0,0 +1,11 @@
+NAME=cozy-proxy
+NAMESPACE=cozy-system
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+update:
+ rm -rf charts
+ tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/aenix-io/cozy-proxy | awk -F'[/^]' 'END{print $$3}') && \
+ curl -sSL https://github.com/aenix-io/cozy-proxy/archive/refs/tags/$${tag}.tar.gz | \
+ tar xzvf - --strip 1 cozy-proxy-$${tag#*v}/charts
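Review bot: Both new `cozy-proxy` bundle entries (this hunk and the paas-full.yaml hunk that follows) set `releaseName: cozystack`, whereas every neighbouring entry visible on this page uses its own name as the release name (`cert-manager-crds`, `metallb`, `etcd-operator`); if another release in `cozy-system` already uses `cozystack`, the two would share one Helm release name and overwrite each other's state. If the shared name is deliberate, a one-line comment above the entry saying why would save the next reader the same question; otherwise `releaseName: cozy-proxy` matches the surrounding pattern. The two entries also differ in that only distro-full marks the release `optional: true`, which may be intended but deserves a comment as well.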
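Review bot: The wrapper chart's `name: cozy-cozystack-api` in packages/system/cozy-proxy/Chart.yaml does not match the `chart: cozy-cozy-proxy` that both bundle entries reference, nor the `NAME=cozy-proxy` in the sibling Makefile; it looks copied from another package. Unless the build step rewrites the chart name, the bundle will not resolve this chart, so the line should read `name: cozy-cozy-proxy`.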
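Review bot: The `update` target derives the tag from the sort order of `git ls-remote` and pipes the GitHub archive straight into `tar` with no integrity check, so whatever the remote returned at run time becomes the vendored `charts/` tree with nothing in the repository to compare it against. Since the result is committed, pinning the tag explicitly (for example a `TAG=<pinned-tag>` variable that the recipe uses instead of the `ls-remote` lookup) and recording the archive's expected SHA-256 next to it would let a later `make update` detect a changed artifact; at minimum, a comment stating that the recipe picks the highest version tag the remote lists would document the current behaviour. `git ls-remote --tags` also prints peeled `^{}` refs, which is presumably why the `awk` field separator includes `^`; a short comment on that line would help the next maintainer.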
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
new file mode 100644
index 00000000..72cbe4e1
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cozy-proxy
+description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend
+type: application
+version: 0.1.0
+appVersion: 0.1.0
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl b/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl
new file mode 100644
index 00000000..9da6b02e
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl
@@ -0,0 +1,24 @@
+{{- define "cozy-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cozy-proxy.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if .Values.fullnameOverride -}}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+ {{- if eq .Release.Name $name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+ {{- else -}}
+ {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cozy-proxy.labels" -}}
+helm.sh/chart: {{ include "cozy-proxy.name" . }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/name: {{ include "cozy-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml
new file mode 100644
index 00000000..5816a8f9
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "cozy-proxy.fullname" . }}
+ labels:
+ {{- include "cozy-proxy.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ include "cozy-proxy.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "cozy-proxy.name" . }}
+ annotations:
+ {{- toYaml .Values.daemonset.podAnnotations | nindent 8 }}
+ spec:
+ serviceAccountName: {{ include "cozy-proxy.fullname" . }}
+ hostNetwork: {{ .Values.daemonset.hostNetwork }}
+ containers:
+ - name: cozy-proxy
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["NET_ADMIN"]
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml
new file mode 100644
index 00000000..5e80fe1e
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cozy-proxy.fullname" . }}
+ labels:
+ {{- include "cozy-proxy.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+{{- end }}
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml
new file mode 100644
index 00000000..b295e83a
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml
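Review bot: `privileged: true` already grants every capability, so the `capabilities.add: ["NET_ADMIN"]` beneath it in the container `securityContext` is a no-op; decide which one the nft backend actually needs — if NET_ADMIN is sufficient, dropping `privileged: true` is a large reduction in what a compromised pod can do on a hostNetwork node, and if privileged is genuinely required, remove the capabilities block and leave a comment saying why. The pod template renders `.Values.daemonset.podAnnotations` but never `.Values.daemonset.podLabels`, which the chart's values.yaml further down declares, so that setting is silently ignored; either render it next to `app:` with `{{- toYaml .Values.daemonset.podLabels | nindent 8 }}` or drop the key from values.yaml. `serviceAccountName` is set unconditionally while the ServiceAccount in serviceaccount.yaml (and the ClusterRole/ClusterRoleBinding) is wrapped in `{{- if .Values.rbac.create }}`, so with `rbac.create: false` the pods reference a ServiceAccount that does not exist; a separate `serviceAccount.create` value, or leaving the ServiceAccount ungated, avoids that.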
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cozy-proxy.fullname" . }}
+ labels:
+ {{- include "cozy-proxy.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "cozy-proxy.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "cozy-proxy.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml
new file mode 100644
index 00000000..18b1a256
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cozy-proxy.fullname" . }}
+ labels:
+ {{- include "cozy-proxy.labels" . | nindent 4 }}
+{{- end }}
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
new file mode 100644
index 00000000..57d246b5
--- /dev/null
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
@@ -0,0 +1,12 @@
+image:
+ repository: ghcr.io/aenix-io/cozystack/cozy-proxy
+ tag: v0.1.0
+ pullPolicy: IfNotPresent
+
+daemonset:
+ hostNetwork: true
+ podAnnotations: {}
+ podLabels: {}
+
+rbac:
+ create: true
diff --git a/packages/system/cozy-proxy/values.yaml b/packages/system/cozy-proxy/values.yaml
new file mode 100644
index 00000000..33b034fc
--- /dev/null
+++ b/packages/system/cozy-proxy/values.yaml
@@ -0,0 +1,2 @@
+cozy-proxy:
+ fullnameOverride: cozy-proxy
From 5a47754a92345f05fbb5f29342ecce8eec263af7 Mon Sep 17 00:00:00 2001
From: klinch0 <68821526+klinch0@users.noreply.github.com>
Date: Thu, 6 Feb 2025 15:40:30 +0300
Subject: [PATCH 2/2] feature/add-etcd-vm-node-scrape (#614)
## Summary by CodeRabbit
- **New Features**
- Enhanced system monitoring with a new configuration option to collect etcd metrics. Users can now enable the scraping of etcd metrics via updated settings, which improves observability.
- Introduced a secure proxy mechanism that conditionally routes metrics data from etcd, offering administrators greater control over monitoring capabilities.
- New configuration sections added to various bundles to support etcd metrics scraping.
- **Bug Fixes**
- Removed outdated configuration for VMNodeScrape resource, ensuring clarity and accuracy in monitoring configurations.
- **Chores**
- Added new service accounts, roles, and bindings to facilitate secure access for monitoring etcd metrics.
---------
Co-authored-by: Andrei Kvapil
---
 .../core/platform/bundles/distro-full.yaml | 4 +
 .../core/platform/bundles/distro-hosted.yaml | 4 +
 packages/core/platform/bundles/paas-full.yaml | 4 +
 .../core/platform/bundles/paas-hosted.yaml | 4 +
 .../templates/etcd-proxy-scrape.yaml | 138 ++++++++++++++++++
 .../templates/etcd-scrape.yaml | 34 -----
 packages/system/monitoring-agents/values.yaml | 4 +
 7 files changed, 158 insertions(+), 34 deletions(-)
 create mode 100644 packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml
 delete mode 100644 packages/system/monitoring-agents/templates/etcd-scrape.yaml
diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml
index e0b5d635..0c1ad6de 100644
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -82,6 +82,10 @@ releases:
 privileged: true
 optional: true
 dependsOn: [cilium,victoria-metrics-operator]
+ values:
+ scrapeRules:
+ etcd:
+ enabled: true
 - name: metallb
 releaseName: metallb
diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml
index 45f58a8c..650efccd 100644
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -58,6 +58,10 @@ releases:
 privileged: true
 optional: true
 dependsOn: [victoria-metrics-operator]
+ values:
+ scrapeRules:
+ etcd:
+ enabled: true
 - name: etcd-operator
 releaseName: etcd-operator
diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml
index 30733b4a..d85af27a 100644
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -103,6 +103,10 @@ releases:
 namespace: cozy-monitoring
 privileged: true
 dependsOn: [cilium,kubeovn,victoria-metrics-operator]
+ values:
+ scrapeRules:
+ etcd:
+ enabled: true
 - name: kubevirt-operator
 releaseName: kubevirt-operator
diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml
index 3b1085cd..82edc2ab 100644
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -70,6 +70,10 @@ releases:
 namespace: cozy-monitoring
 privileged: true
 dependsOn: [victoria-metrics-operator]
+ values:
+ scrapeRules:
+ etcd:
+ enabled: true
 - name: etcd-operator
 releaseName: etcd-operator
diff --git a/packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml b/packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml
new file mode 100644
index 00000000..275a6f47
--- /dev/null
+++ b/packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml
@@ -0,0 +1,138 @@
+{{- if .Values.scrapeRules.etcd.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: kube-rbac-proxy
+ namespace: cozy-monitoring
+ labels:
+ app: kube-rbac-proxy
+spec:
+ selector:
+ matchLabels:
+ app: kube-rbac-proxy
+ template:
+ metadata:
+ labels:
+ app: kube-rbac-proxy
+ spec:
+ serviceAccountName: kube-rbac-proxy
+ hostNetwork: true
+ nodeSelector:
+ node-role.kubernetes.io/control-plane: ""
+ containers:
+ - name: kube-rbac-proxy
+ image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+ args:
+ - "--secure-listen-address=$(NODE_IP):9443"
+ - "--upstream=http://127.0.0.1:2381/"
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ ports:
+ - containerPort: 9443
+ name: etcd-metrics
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-rbac-proxy
+ namespace: cozy-monitoring
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kube-rbac-proxy-auth
+rules:
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-rbac-proxy-auth-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-rbac-proxy-auth
+subjects:
+ - kind: ServiceAccount
+ name: kube-rbac-proxy
+ namespace: cozy-monitoring
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vm-scrape
+ namespace: cozy-monitoring
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: etcd-metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: etcd-metrics-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: etcd-metrics-reader
+subjects:
+- kind: ServiceAccount
+ name: vm-scrape
+ namespace: cozy-monitoring
+
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: vm-token
+ annotations:
+ kubernetes.io/service-account.name: vm-scrape
+
+---
+
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+ name: etcd-managment-scrape
+spec:
+ podMetricsEndpoints:
+ - port: etcd-metrics
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ bearerTokenSecret:
+ name: vm-token
+ key: token
+ selector:
+ matchLabels:
+ app: kube-rbac-proxy
+{{- end }}
diff --git a/packages/system/monitoring-agents/templates/etcd-scrape.yaml b/packages/system/monitoring-agents/templates/etcd-scrape.yaml
deleted file mode 100644
index 829e0040..00000000
--- a/packages/system/monitoring-agents/templates/etcd-scrape.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-#---
-#apiVersion: operator.victoriametrics.com/v1beta1
-#kind: VMNodeScrape
-#metadata:
-# name: kube-etcd
-# namespace: cozy-monitoring
-#spec:
-# selector:
-# node-role.kubernetes.io/control-plane: ""
-# bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-# honorLabels: true
-# metricRelabelConfigs:
-# - action: labeldrop
-# regex: (uid)
-# - action: labeldrop
-# regex: (id|name)
-# - action: drop
-# regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
-# source_labels:
-# - __name__
-# port: "2379"
-# relabelConfigs:
-# - action: labelmap
-# regex: __meta_kubernetes_node_label_(.+)
-# - sourceLabels:
-# - __metrics_path__
-# targetLabel: metrics_path
-# - replacement: etcd
-# targetLabel: job
-# scheme: https
-# scrapeTimeout: 5s
-# tlsConfig:
-# caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-# insecureSkipVerify: true
diff --git a/packages/system/monitoring-agents/values.yaml b/packages/system/monitoring-agents/values.yaml
index 250db7d8..d7cb50af 100644
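Review bot: The VMPodScrape at the end of the hunk presents the `vm-token` bearer token to kube-rbac-proxy with `insecureSkipVerify: true`, and the proxy container is started with only `--secure-listen-address` and `--upstream`, so it presumably serves a self-signed certificate; the scraper therefore cannot distinguish the real proxy from anything else answering on the node's 9443, and the token it hands over carries cluster-wide `nonResourceURLs: ["/metrics"]` read rights via the `etcd-metrics-reader` binding. Since cert-manager is already part of these bundles, issuing a certificate for the proxy and pointing the scrape's `tlsConfig` at its CA instead of skipping verification would close that gap. The DaemonSet selects control-plane nodes through `nodeSelector` but declares no `tolerations`; if those nodes carry the usual control-plane NoSchedule taint the pods will not be scheduled at all, which is worth confirming on a real cluster. The `kubernetes.io/service-account-token` Secret yields a non-expiring token; if the VictoriaMetrics operator can consume a projected token that would be preferable, otherwise a comment recording the trade-off would help. Also `etcd-managment-scrape` is misspelled (`etcd-management-scrape`), and the `--upstream=http://127.0.0.1:2381/` assumption that etcd serves metrics on that loopback port deserves a comment beside the args.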
--- a/packages/system/monitoring-agents/values.yaml
+++ b/packages/system/monitoring-agents/values.yaml
@@ -359,3 +359,7 @@ fluent-bit:
 Name modify
 Match *
 Add cluster root-cluster
+
+scrapeRules:
+ etcd:
+ enabled: false
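Review bot: The new `scrapeRules.etcd.enabled` key carries no comment, so nothing in values.yaml tells an operator what flipping it deploys or what it requires of the nodes. Suggest a comment above it such as `# Deploys a kube-rbac-proxy DaemonSet on control-plane nodes that exposes etcd metrics from 127.0.0.1:2381 (see templates/etcd-proxy-scrape.yaml)`, so the default of `false` and the bundle overrides to `true` are understandable without opening the template.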