From d355d1b2ae86564be263b64bdbdf7216125a09f1 Mon Sep 17 00:00:00 2001
From: Kornel David
Date: Tue, 9 May 2023 13:26:21 +0100
Subject: [PATCH] chore: Add static yamls namespace creation not included, by default set to stunner
---
 .../stunner-gateway-operator-manifests.yaml | 412 +++++++++++++
 deploy/manifests/stunner-manifests.yaml | 140 +++++
 .../stunner-prometheus-manifests.yaml | 570 ++++++++++++++++++
 3 files changed, 1122 insertions(+)
 create mode 100644 deploy/manifests/stunner-gateway-operator-manifests.yaml
 create mode 100644 deploy/manifests/stunner-manifests.yaml
 create mode 100644 deploy/manifests/stunner-prometheus-manifests.yaml
diff --git a/deploy/manifests/stunner-gateway-operator-manifests.yaml b/deploy/manifests/stunner-gateway-operator-manifests.yaml
new file mode 100644
index 00000000..289f309d
--- /dev/null
+++ b/deploy/manifests/stunner-gateway-operator-manifests.yaml
@@ -0,0 +1,412 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: stunner-auth
+ namespace: stunner
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: stunner-gateway-operator-controller-manager
+ namespace: stunner
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stunner-gateway-operator-manager-config
+ namespace: stunner
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: 92062b70.l7mp.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stunner-auth-service-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stunner-gateway-operator-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - nodes
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints/status
+ - nodes/status
+ - services/status
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ - udproutes
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ - gateways/status
+ - udproutes/status
+ verbs:
+ - patch
+ - update
+- apiGroups:
+ - stunner.l7mp.io
+ resources:
+ - gatewayconfigs
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - stunner.l7mp.io
+ resources:
+ - gatewayconfigs/finalizers
+ verbs:
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stunner-gateway-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stunner-gateway-operator-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: stunner-auth-service-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stunner-auth-service-role
+subjects:
+ - kind: ServiceAccount
+ name: stunner-auth
+ namespace: stunner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: stunner-gateway-operator-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stunner-gateway-operator-manager-role
+subjects:
+- kind: ServiceAccount
+ name: stunner-gateway-operator-controller-manager
+ namespace: stunner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: stunner-gateway-operator-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stunner-gateway-operator-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: stunner-gateway-operator-controller-manager
+ namespace: stunner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: stunner-gateway-operator-leader-election-role
+ namespace: stunner
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: stunner-gateway-operator-leader-election-rolebinding
+ namespace: stunner
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: stunner-gateway-operator-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: stunner-gateway-operator-controller-manager
+ namespace: stunner
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: stunner-auth
+ namespace: stunner
+ labels:
+ app: stunner-auth
+spec:
+ selector:
+ app: stunner-auth
+ ports:
+ - name: stunner-auth-server
+ port: 8088
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: stunner-gateway-operator-controller-manager-metrics-service
+ namespace: stunner
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: stunner-auth
+ namespace: stunner
+ labels:
+ app: stunner-auth
+spec:
+ selector:
+ matchLabels:
+ app: stunner-auth
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: stunner-auth
+ spec:
+ serviceAccountName: stunner-auth
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: stunner-auth-server
+ image: l7mp/stunner-auth-server:dev
+ imagePullPolicy: Always
+ command: [ "./manager" ]
+ args: ["-zap-log-level","10", "-port", "8088"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: stunner-gateway-operator-controller-manager
+ namespace: stunner
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ command:
+ - /manager
+ image: "l7mp/stunner-gateway-operator:0.14.0"
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: stunner-gateway-operator-controller-manager
+ terminationGracePeriodSeconds: 10
+ nodeSelector:
+ kubernetes.io/os: linux
+---
diff --git a/deploy/manifests/stunner-manifests.yaml b/deploy/manifests/stunner-manifests.yaml
new file mode 100644
index 00000000..149f270b
--- /dev/null
+++ b/deploy/manifests/stunner-manifests.yaml
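Review bot: The `stunner-auth` Deployment in `stunner-gateway-operator-manifests.yaml` runs `image: l7mp/stunner-auth-server:dev` with `imagePullPolicy: Always`, so every pod restart pulls whatever is currently published under a mutable development tag, into a pod whose service account is bound cluster-wide to `get`/`list`/`watch` on ConfigMaps. The operator container in the same file is pinned to `0.14.0`; the auth server should be pinned the same way, e.g. `image: l7mp/stunner-auth-server:<release-tag>` (placeholder), ideally with a digest suffix. Separately, `stunner-gateway-operator-manager-role` grants read access to `secrets` in every namespace with no explanation; a comment above that rule such as `# secrets: read-only; presumably needed to resolve credentials referenced by Gateway resources (TODO confirm)` would let reviewers judge whether the scope can be narrowed.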
@@ -0,0 +1,140 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: stunner-config-watcher-serviceaccount
+ namespace: stunner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stunner-config-watcher-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: stunner-config-watcher-clusterrolebind
+roleRef:
+ kind: ClusterRole
+ name: stunner-config-watcher-clusterrole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: stunner-config-watcher-serviceaccount
+ namespace: stunner
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: stunner
+ namespace: stunner
+ labels:
+ app: stunner
+spec:
+ selector:
+ app: stunner
+ ports:
+ - port: 3478
+ protocol: UDP
+ name: stunner
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: stunner
+ namespace: stunner
+ annotations:
+ app: stunner
+ helm.sh/chart: stunner-0.14.0
+ app.kubernetes.io/version: "0.14.0"
+spec:
+ selector:
+ matchLabels:
+ app: stunner
+ app.kubernetes.io/name: stunner
+ app.kubernetes.io/instance: stunner
+ app.kubernetes.io/managed-by: Helm
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: stunner
+ app.kubernetes.io/name: stunner
+ app.kubernetes.io/instance: stunner
+ app.kubernetes.io/managed-by: Helm
+ spec:
+ serviceAccountName: stunner-config-watcher-serviceaccount
+ volumes:
+ - name: stunnerd-config-volume
+ terminationGracePeriodSeconds: 3600
+ hostNetwork: false
+ containers:
+ - name: stunnerd
+ image: "l7mp/stunnerd:0.15.0"
+ imagePullPolicy: IfNotPresent
+ command: ["stunnerd"]
+ args: ["-w", "-c", "/etc/stunnerd/stunnerd.conf", "--udp-thread-num=16"]
+ env:
+ - name: STUNNER_ADDR
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ volumeMounts:
+ - name: stunnerd-config-volume
+ mountPath: /etc/stunnerd
+ readOnly: true
+ resources:
+ limits:
+ cpu: 2
+ memory: 512Mi
+ requests:
+ cpu: 500m
+ memory: 128Mi
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: 8086
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8086
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ ports:
+ - name: web
+ containerPort: 8080
+ - name: config-watcher
+ image: kiwigrid/k8s-sidecar:latest
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: stunnerd-config-volume
+ mountPath: /etc/stunnerd
+ env:
+ - name: LABEL
+ value: stunner.l7mp.io/owned-by
+ - name: LABEL_VALUE
+ value: stunner
+ - name: FOLDER
+ value: /etc/stunnerd
+ - name: RESOURCE
+ value: configmap
+ - name: NAMESPACE
+ value: stunner
+ resources:
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+---
diff --git a/deploy/manifests/stunner-prometheus-manifests.yaml b/deploy/manifests/stunner-prometheus-manifests.yaml
new file mode 100644
index 00000000..b99486ac
--- /dev/null
+++ b/deploy/manifests/stunner-prometheus-manifests.yaml
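Review bot: `stunner-config-watcher-clusterrole` in `stunner-manifests.yaml` grants `get`/`watch`/`list` on both `configmaps` and `secrets` in every namespace, and the ClusterRoleBinding hands it to the service account mounted into the whole `stunner` pod, including the `stunnerd` container that sits behind the UDP 3478 Service. The `config-watcher` sidecar is configured with `RESOURCE=configmap` and `NAMESPACE=stunner`, so from what this hunk shows a namespaced Role on ConfigMaps alone should be enough, as sketched below (the Role and RoleBinding names are suggestions); whether anything else in the pod reads Secrets through the API is not visible here and should be confirmed first. The sidecar image `kiwigrid/k8s-sidecar:latest` should also be pinned to a release tag, since with `imagePullPolicy: IfNotPresent` different nodes can end up running different builds of a container that holds this token.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stunner-config-watcher-role
  namespace: stunner
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stunner-config-watcher-rolebind
  namespace: stunner
roleRef:
  kind: Role
  name: stunner-config-watcher-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: stunner-config-watcher-serviceaccount
    namespace: stunner
# … unchanged: ServiceAccount, Service and Deployment …
```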
@@ -0,0 +1,570 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ name: kube-state-metrics
+ namespace: monitoring
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus-operator
+ namespace: monitoring
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-datasources
+ namespace: monitoring
+data:
+ prometheus.yaml: |
+ {
+ "apiVersion": 1,
+ "datasources": [
+ {
+ "access":"proxy",
+ "editable": true,
+ "name": "prometheus",
+ "orgId": 1,
+ "type": "prometheus",
+ "url": "http://prometheus.monitoring.svc:9090",
+ "version": 1
+ }
+ ]
+ }
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ name: kube-state-metrics
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - nodes
+ - pods
+ - services
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ - persistentvolumeclaims
+ - persistentvolumes
+ - namespaces
+ - endpoints
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - ingresses
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ - volumeattachments
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+ name: prometheus-operator
+rules:
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - alertmanagers
+ - alertmanagers/finalizers
+ - alertmanagerconfigs
+ - prometheuses
+ - prometheuses/status
+ - prometheuses/finalizers
+ - thanosrulers
+ - thanosrulers/finalizers
+ - servicemonitors
+ - podmonitors
+ - probes
+ - prometheusrules
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - delete
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - services/finalizers
+ - endpoints
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+ name: prometheus-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+ name: prometheus-operator
+ namespace: monitoring
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: monitoring
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '3000'
+spec:
+ selector:
+ app: grafana
+ type: NodePort
+ ports:
+ - port: 80
+ targetPort: 3000
+ nodePort: 30901
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ name: kube-state-metrics
+ namespace: monitoring
+spec:
+ clusterIP: None
+ ports:
+ - name: https-main
+ port: 8443
+ targetPort: https-main
+ - name: https-self
+ port: 9443
+ targetPort: https-self
+ selector:
+ app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+ name: prometheus-operator
+ namespace: monitoring
+spec:
+ clusterIP: None
+ ports:
+ - name: web
+ port: 8080
+ targetPort: web
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: monitoring
+spec:
+ type: NodePort
+ ports:
+ - name: http
+ nodePort: 30900
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ selector:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: grafana
+ template:
+ metadata:
+ name: grafana
+ labels:
+ app: grafana
+ spec:
+ containers:
+ - name: grafana
+ image: grafana/grafana:latest
+ ports:
+ - name: grafana
+ containerPort: 3000
+ resources:
+ limits:
+ memory: "2Gi"
+ cpu: "1000m"
+ requests:
+ memory: "750Mi"
+ cpu: "250m"
+ volumeMounts:
+ - mountPath: /var/lib/grafana
+ name: grafana-storage
+ - mountPath: /etc/grafana/provisioning/datasources
+ name: grafana-datasources
+ readOnly: false
+ volumes:
+ - name: grafana-storage
+ emptyDir: {}
+ - name: grafana-datasources
+ configMap:
+ defaultMode: 420
+ name: grafana-datasources
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ metrics: kube-state-metrics
+ name: kube-state-metrics
+ namespace: monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-state-metrics
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ spec:
+ containers:
+ - args:
+ - --host=127.0.0.1
+ - --port=8081
+ - --telemetry-host=127.0.0.1
+ - --telemetry-port=8082
+ image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
+ name: kube-state-metrics
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:8443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8081/
+ image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+ name: kube-rbac-proxy-main
+ ports:
+ - containerPort: 8443
+ name: https-main
+ securityContext:
+ runAsUser: 65534
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:9443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8082/
+ image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+ name: kube-rbac-proxy-self
+ ports:
+ - containerPort: 9443
+ name: https-self
+ securityContext:
+ runAsUser: 65534
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+ name: prometheus-operator
+ namespace: monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/version: v0.61.1
+ spec:
+ containers:
+ - args:
+ - --kubelet-service=kube-system/kubelet
+ - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.61.1
+ image: quay.io/prometheus-operator/prometheus-operator:v0.61.1
+ name: prometheus-operator
+ ports:
+ - containerPort: 8080
+ name: web
+ resources:
+ limits:
+ cpu: 200m
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ serviceAccountName: prometheus-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: prometheus-operator
+ labels:
+ metrics: stunner
+ namespace: monitoring
+spec:
+ podMetricsEndpoints:
+ - honorLabels: True
+ interval: 5s
+ port: web
+ selector:
+ matchExpressions:
+ - {key: app, operator: In, values: ['stunner']}
+ namespaceSelector:
+ matchNames:
+ - stunner
+ - default
+ - monitoring
+---
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+ name: prometheus
+ namespace: monitoring
+ labels:
+ prometheus: prometheus
+spec:
+ replicas: 1
+ serviceAccountName: prometheus-operator
+ serviceMonitorSelector:
+ matchExpressions:
+ - {key: metrics, operator: Exists }
+ podMonitorSelector:
+ matchExpressions:
+ - {key: metrics, operator: Exists }
+ ruleSelector:
+ matchLabels:
+ role: alert-rules
+ prometheus: prometheus
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: v2.7.0
+ metrics: kube-state-metrics
+ name: kube-state-metrics
+ namespace: monitoring
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ honorLabels: true
+ interval: 30s
+ port: https-main
+ relabelings:
+ - action: labeldrop
+ regex: (pod|service|endpoint|namespace)
+ scheme: https
+ scrapeTimeout: 30s
+ tlsConfig:
+ insecureSkipVerify: true
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: https-self
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ jobLabel: app.kubernetes.io/name
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-state-metrics
+---
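Review bot: The `Prometheus` resource near the end of `stunner-prometheus-manifests.yaml` sets `serviceAccountName: prometheus-operator`, so the Prometheus server pods run with the operator's ClusterRole, which allows `'*'` on `secrets`, `configmaps` and `statefulsets` in every namespace, while the `prometheus` Service publishes that server on `nodePort: 30900`. A scraper only needs read access to its discovery targets, so it should get its own ServiceAccount and a read-only role as sketched below (names are suggestions, and the resource list should be adjusted to what is actually scraped). The same file serves Grafana from `grafana/grafana:latest` on `nodePort: 30901`; pinning a release tag and using `type: ClusterIP` unless node-level exposure is intended would be the safer default for a manifest people apply as-is.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  # needed to pass the kube-rbac-proxy check in front of kube-state-metrics
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: monitoring
---
# … unchanged: Prometheus metadata, replicas and selectors …
spec:
  serviceAccountName: prometheus
```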