diff --git a/.github/tests/prometheus/values.yaml b/.github/tests/prometheus/values.yaml
new file mode 100644
index 000000000..b66af8d06
--- /dev/null
+++ b/.github/tests/prometheus/values.yaml
@@ -0,0 +1,4 @@
+global:
+ telemetry:
+ prometheus:
+ enabled: true
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 349985846..6bfaeb560 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -48,6 +48,13 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | serviceAccount.annotations | object | `{}` | |
 | serviceAccount.create | bool | `true` | |
 | serviceAccount.name | string | `""` | |
+| telemetry.prometheus.enabled | bool | `false` | |
+| telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | |
+| telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | |
+| telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | |
+| telemetry.prometheus.nginxExporter.image.version | string | `"0.11.0"` | |
+| telemetry.prometheus.nginxExporter.resources | object | `{}` | |
+| telemetry.prometheus.port | int | `9988` | |
 | tolerations | list | `[]` | |
 | trustDomain | string | `"example.org"` | |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
index b44c456c8..70e672d23 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@@ -53,5 +53,11 @@ data:
 proxy_pass http://oidc;
 proxy_set_header Host $host;
 }
+
+ location /stub_status {
+ allow 127.0.0.1/32;
+ deny all;
+ stub_status on;
+ }
 }
 {{- end }}
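Review bot: The new `location /stub_status` block says nothing about why it is loopback-only, and a later maintainer tempted to widen `allow 127.0.0.1/32` for an external scraper would have no warning that this endpoint is meant to be read only by the exporter sidecar in the same pod. I would add, above the `location` line, `# nginx stub_status for the nginx-exporter sidecar; loopback only, never reachable through the Service`. The `allow`/`deny all` pair is correct for a same-pod scraper hitting 127.0.0.1, and `deny all` also covers any IPv6 listener if the server block has one. The enclosing server block and the `{{- if }}` closed by the trailing `{{- end }}` start outside the hunk.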
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
index a16ea20fa..3a193d273 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@@ -87,6 +87,20 @@ spec:
 readOnly: true
 resources:
 {{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }}
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ - name: nginx-exporter
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: {{ template "spiffe-oidc-discovery-provider.image" .Values.telemetry.prometheus.nginxExporter }}
+ imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }}
+ args:
+ - -nginx.scrape-uri=http://127.0.0.1/stub_status
+ resources:
+ {{- toYaml .Values.telemetry.prometheus.nginxExporter.resources | nindent 12 }}
+ ports:
+ - containerPort: 9113
+ name: prom
+ {{- end }}
 {{- end }}
 volumes:
 - name: spiffe-workload-api
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index a4b6827e6..90d737930 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
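Review bot: The nginx-exporter sidecar hard-codes `containerPort: 9113`, while this chart's values.yaml and README add a `telemetry.prometheus.port` (9988) that nothing in the deployment reads; the spire-agent chart in the same change does wire `.Values.telemetry.prometheus.port` through both its config and its container port, so the two charts disagree. Either honor the value here — add `- -web.listen-address=:{{ .Values.telemetry.prometheus.port }}` under `args` and change the port line to `- containerPort: {{ .Values.telemetry.prometheus.port }}` — or drop the key from values/README so it does not mislead. The scrape URI `http://127.0.0.1/stub_status` also assumes nginx listens on port 80; the `listen` directive is outside this hunk, so confirm they match. The image is pinned by tag only, so a digest is worth considering if the image helper supports one. The container list and the `{{- if }}` closed by the context `{{- end }}` start outside the hunk.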
@@ -110,3 +110,27 @@ tolerations: []
 affinity: {}
 trustDomain: "example.org"
+
+telemetry:
+ prometheus:
+ enabled: false
+ port: 9988
+
+ nginxExporter:
+ image:
+ registry: docker.io
+ repository: nginx/nginx-prometheus-exporter
+ pullPolicy: IfNotPresent
+ version: "0.11.0"
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # requests:
+ # cpu: 50m
+ # memory: 32Mi
+ # limits:
+ # cpu: 100m
+ # memory: 64Mi
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 29f798d1e..d2cb3a70c 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -30,6 +30,8 @@ A Helm chart to install the SPIRE agent.
 | serviceAccount.annotations | object | `{}` | |
 | serviceAccount.create | bool | `true` | |
 | serviceAccount.name | string | `""` | |
+| telemetry.prometheus.enabled | bool | `false` | |
+| telemetry.prometheus.port | int | `9988` | |
 | trustDomain | string | `"example.org"` | |
 | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | |
 | waitForIt.image.registry | string | `"cgr.dev"` | |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index 50063d2c1..7cd18573f 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
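Review bot: None of the new `telemetry` keys carry a helm-docs `# --` description, which is why every README row added for them has an empty description column; the spire-agent values touched by this same change show the convention in use (`# -- enables the Unix workload attestor`). I would add `# -- Run an nginx-prometheus-exporter sidecar and expose nginx metrics` above `enabled: false`, `# -- Port the Prometheus endpoint is published on` above `port: 9988`, and one-liners on the `nginxExporter.image` keys. Since `port` is not referenced by the deployment template in this change, its description should say what it controls, or the key should be removed until it is wired up.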
@@ -51,3 +51,12 @@ data:
 live_path = "/live"
 ready_path = "/ready"
 }
+
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ telemetry {
+ Prometheus {
+ host = "0.0.0.0"
+ port = {{ .Values.telemetry.prometheus.port }}
+ }
+ }
+ {{- end }}
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index 61b489b66..4506adbda 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -1,3 +1,4 @@
+{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -11,10 +12,11 @@ spec:
 {{- include "spire-agent.selectorLabels" . | nindent 6 }}
 template:
 metadata:
- {{- with .Values.podAnnotations }}
 annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
+ checksum/config: {{ $configSum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "spire-agent.selectorLabels" . | nindent 8 }}
 spec:
@@ -46,6 +48,10 @@ spec:
 ports:
 - containerPort: {{ .Values.healthChecks.port }}
 name: healthz
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ - containerPort: {{ .Values.telemetry.prometheus.port }}
+ name: prom
+ {{- end }}
 volumeMounts:
 - name: spire-config
 mountPath: /run/spire/config
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index fab377ab2..fd227da85 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -79,3 +79,8 @@ workloadAttestors:
 unix:
 # -- enables the Unix workload attestor
 enabled: false
+
+telemetry:
+ prometheus:
+ enabled: false
+ port: 9988
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index d0571d644..e49734a5f 100644
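Review bot: `host = "0.0.0.0"` binds the agent's Prometheus endpoint on every interface of the pod, and as far as I know SPIRE serves it as plain HTTP with no authentication; on a DaemonSet that may be run with host networking this becomes a node-wide listener on 9988. I would make the bind address a value instead of a literal, `host = {{ .Values.telemetry.prometheus.host | quote }}` with a documented default, and add a README line stating that a NetworkPolicy limiting 9988 to the Prometheus scraper is expected when this is enabled. The `port` value is rendered unquoted, which is right for the HCL integer. The agent config this block is appended to starts outside the hunk.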
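Review bot: `checksum/config` is emitted before `.Values.podAnnotations` is spliced in with `toYaml`, so a user whose `podAnnotations` also contains `checksum/config` produces a duplicate YAML key, which most parsers resolve last-wins rather than rejecting — the user's value would silently replace the rollout trigger. A comment above the new line would make the intent clear: `# checksum/config rolls the pods whenever the rendered ConfigMap changes; do not set this key in podAnnotations`. If collisions must be handled rather than documented, build one map with `dict`/`merge` and render it once. The pod template continues outside the hunk.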
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -64,6 +64,7 @@ A Helm chart to install the SPIRE server.
 | serviceAccount.create | bool | `true` | |
 | serviceAccount.name | string | `""` | |
 | socketPath | string | `"/run/spire/server-sockets/spire-server.sock"` | |
+| telemetry.prometheus.enabled | bool | `false` | |
 | tolerations | list | `[]` | |
 | topologySpreadConstraints | list | `[]` | |
 | trustDomain | string | `"example.org"` | |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 52de7513a..59482c20e 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -81,3 +81,12 @@ data:
 live_path = "/live"
 ready_path = "/ready"
 }
+
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ telemetry {
+ Prometheus {
+ host = "0.0.0.0"
+ port = 9988
+ }
+ }
+ {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index a447676be..4a329ed53 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@@ -14,7 +14,7 @@ data:
 labels:
 {{- include "spire-server.labels" . | nindent 8 }}
 metrics:
- bindAddress: 127.0.0.1:8082
+ bindAddress: 0.0.0.0:8082
 healthProbe:
 bindAddress: 127.0.0.1:8083
 leaderElection:
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index 983f3b855..2f2426597 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
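Review bot: `port = 9988` is a literal here, while the spire-agent chart in the same change reads `.Values.telemetry.prometheus.port` and the spire-server values.yaml gains only `enabled`, so the two charts diverge and the server port cannot be changed without editing the template. Add `port: 9988` under `telemetry.prometheus` in the spire-server values and use `port = {{ .Values.telemetry.prometheus.port }}` here, with the same value in the statefulset's `containerPort`. As with the agent, `host = "0.0.0.0"` opens what I believe is an unauthenticated endpoint on every pod interface, so a README note pointing at a NetworkPolicy for 9988 belongs with this feature. The server config this block is appended to starts outside the hunk.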
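Review bot: The controller-manager metrics `bindAddress` is switched from `127.0.0.1:8082` to `0.0.0.0:8082` unconditionally, so the metrics listener is reachable from the pod network even when `telemetry.prometheus.enabled` is false; declaring the `containerPort` only when enabled (in the statefulset) does not restrict who can connect to a socket bound on all interfaces. Gate the address on the same flag: `bindAddress: {{ if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}0.0.0.0{{ else }}127.0.0.1{{ end }}:8082`. The controller-runtime metrics server is plain HTTP with no authentication unless this version is configured otherwise, so even when enabled the port should be covered by a NetworkPolicy, and the `healthProbe` address left on loopback is the right contrast.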
@@ -1,3 +1,4 @@
+{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
 {{- $fullname := include "spire-server.fullname" . }}
 apiVersion: apps/v1
 kind: StatefulSet
@@ -15,10 +16,11 @@ spec:
 {{- include "spire-server.selectorLabels" . | nindent 6 }}
 template:
 metadata:
- {{- with .Values.podAnnotations }}
 annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
+ checksum/config: {{ $configSum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "spire-server.selectorLabels" . | nindent 8 }}
 spec:
@@ -45,6 +47,10 @@ spec:
 protocol: TCP
 - containerPort: 8080
 name: healthz
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ - containerPort: 9988
+ name: prom
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /live
@@ -92,6 +98,10 @@ spec:
 protocol: TCP
 - containerPort: 8008
 name: healthz
+ {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
+ - containerPort: 8082
+ name: prom2
+ {{- end }}
 # TODO: implement probes
 # livenessProbe:
 # httpGet:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 9efa2c068..a79cf74ca 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -159,3 +159,7 @@ controllerManager:
 # spiffe.io/spiffe-id: "true"
 dnsNameTemplates: []
 # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+
+telemetry:
+ prometheus:
+ enabled: false
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index c57fe14e2..df1b4f5d3 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -1,3 +1,9 @@
+# You can enable features that affect all services here.
+# global:
+# telemetry:
+# prometheus:
+# enabled: true
+
 nameOverride: ""
 fullnameOverride: ""
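Review bot: `$configSum` hashes only `configmap.yaml`, but this same change also edits `controller-manager-configmap.yaml`, which is presumably consumed by the second container of this StatefulSet (the one that now publishes port 8082); a change to that ConfigMap alone — the `bindAddress` switch in this very commit, for instance — leaves the annotation unchanged and so does not roll the pods. Fold both templates into the digest: `{{- $configSum := (print (include (print $.Template.BasePath "/configmap.yaml") .) (include (print $.Template.BasePath "/controller-manager-configmap.yaml") .)) | sha256sum }}`, and add a comment above it naming the ConfigMaps the checksum covers so the list is kept in sync. Which ConfigMaps are actually mounted is decided in the `volumes` section outside the hunk, so confirm there before widening the hash.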