From a276c98397814cc9c540ff1e08ff43756409369c Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Mon, 20 Feb 2023 14:26:37 -0800 Subject: [PATCH 01/19] Basic Prometheus support This patch adds very basic prometheus support to the agent and server It also has a fix in it so that changes to the agent or server configmaps reload those pods. Signed-off-by: Kevin Fox --- .../charts/spire-agent/templates/configmap.yaml | 9 +++++++++ .../charts/spire-agent/templates/daemonset.yaml | 8 +++++--- charts/spire/charts/spire-agent/values.yaml | 4 ++++ .../charts/spire-server/templates/configmap.yaml | 9 +++++++++ .../charts/spire-server/templates/statefulset.yaml | 8 +++++--- charts/spire/charts/spire-server/values.yaml | 4 ++++ charts/spire/values.yaml | 13 +++++++++++++ 7 files changed, 49 insertions(+), 6 deletions(-) diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 50063d2c1..bb05a440e 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -51,3 +51,12 @@ data: live_path = "/live" ready_path = "/ready" } + + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + telemetry { + Prometheus { + host = "0.0.0.0" + port = 9988 + } + } + {{- end }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 61b489b66..b121f6245 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -1,3 +1,4 @@ +{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} apiVersion: apps/v1 kind: DaemonSet metadata: 
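Review bot: In the spire-agent configmap.yaml hunk of PATCH 01, the new telemetry block binds the Prometheus listener to `host = "0.0.0.0"`, so once telemetry is enabled the metrics endpoint is reachable on every interface of the pod. Nothing in this patch puts authentication or a NetworkPolicy in front of it. The spire-server configmap.yaml hunk of the same patch adds the same literal. I would make the bind address a chart value, for example `host = {{ .Values.telemetry.prometheus.host | quote }}` (a new value, not one the chart has today), and document that port 9988 should be reachable only from the Prometheus scraper. Whether the agent DaemonSet uses host networking is not visible in this hunk; if it does, the listener opens on each node's address and the restriction matters more.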
@@ -11,10 +12,11 @@ spec: {{- include "spire-agent.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} + checksum/config: {{ $configSum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "spire-agent.selectorLabels" . | nindent 8 }} spec: diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index fab377ab2..b9f6b05c5 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -79,3 +79,7 @@ workloadAttestors: unix: # -- enables the Unix workload attestor enabled: false + +telemetry: + prometheus: + enabled: false diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 52de7513a..e6b4ae378 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -81,3 +81,12 @@ data: live_path = "/live" ready_path = "/ready" } + + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + telemetry { + Prometheus { + host = "0.0.0.0" + port = 9988 + } + } + {{- end }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 983f3b855..ab9e90294 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -1,3 +1,4 @@ +{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} {{- $fullname := include "spire-server.fullname" . }} apiVersion: apps/v1 kind: StatefulSet 
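Review bot: `checksum/config: {{ $configSum }}` in the second daemonset.yaml hunk of PATCH 01 is rendered unquoted, and the user-supplied `podAnnotations` are now merged into the same `annotations:` mapping directly below it. Annotation values have to be strings, so I would render it as `checksum/config: {{ $configSum | quote }}` rather than rely on the hash never looking like a number. A `podAnnotations` entry that reuses the `checksum/config` key would also produce a duplicate key, which most YAML parsers resolve silently to the last value, so the chart notes should reserve that key. The spire-server statefulset.yaml hunk adds the same two lines.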
@@ -15,10 +16,11 @@ spec: {{- include "spire-server.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} + checksum/config: {{ $configSum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "spire-server.selectorLabels" . | nindent 8 }} spec: diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 9efa2c068..a79cf74ca 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -159,3 +159,7 @@ controllerManager: # spiffe.io/spiffe-id: "true" dnsNameTemplates: [] # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local' + +telemetry: + prometheus: + enabled: false diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index c57fe14e2..563054e7a 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -1,3 +1,8 @@ +#global: +# telemetry: +# prometheus: +# enabled: false|true + nameOverride: "" fullnameOverride: "" @@ -12,6 +17,10 @@ spire-server: controllerManager: enabled: true + telemetry: + prometheus: + enabled: true + spire-agent: nameOverride: agent bundleConfigMap: *bundleConfigMap @@ -19,6 +28,10 @@ spire-agent: clusterName: *clusterName trustDomain: *trustDomain + telemetry: + prometheus: + enabled: true + spiffe-csi-driver: {} spiffe-oidc-discovery-provider: From 6f2daf0e7be9ddf15952a8531847f12d0b8eb8a0 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 21 Feb 2023 09:33:53 -0800 Subject: [PATCH 02/19] Fix spacing. Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/configmap.yaml | 8 ++++---- charts/spire/charts/spire-server/templates/configmap.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index bb05a440e..d6eeb1515 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -54,9 +54,9 @@ data: {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} telemetry { - Prometheus { - host = "0.0.0.0" - port = 9988 - } + Prometheus { + host = "0.0.0.0" + port = 9988 + } } {{- end }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index e6b4ae378..59482c20e 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -84,9 +84,9 @@ data: {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} telemetry { - Prometheus { - host = "0.0.0.0" - port = 9988 - } + Prometheus { + host = "0.0.0.0" + port = 9988 + } } {{- end }} From 871b3cde8eba307cae38577accd925ddff583a66 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 21 Feb 2023 09:48:19 -0800 Subject: [PATCH 03/19] Update default values Signed-off-by: Kevin Fox --- charts/spire/values.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 563054e7a..1f8e94c2f 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -28,10 +28,6 @@ spire-agent: clusterName: *clusterName trustDomain: *trustDomain - telemetry: - prometheus: - enabled: true - spiffe-csi-driver: {} spiffe-oidc-discovery-provider: From b375d5394ec173e014db16eae72018ba8d2e2f2e Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 22 Feb 2023 08:49:54 -0800 Subject: [PATCH 04/19] Update readmes 
Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/README.md | 1 + charts/spire/charts/spire-server/README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 29f798d1e..b377c3b49 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -30,6 +30,7 @@ A Helm chart to install the SPIRE agent. | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | +| telemetry.prometheus.enabled | bool | `false` | | | trustDomain | string | `"example.org"` | | | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | | | waitForIt.image.registry | string | `"cgr.dev"` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index d0571d644..e49734a5f 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -64,6 +64,7 @@ A Helm chart to install the SPIRE server. | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | | socketPath | string | `"/run/spire/server-sockets/spire-server.sock"` | | +| telemetry.prometheus.enabled | bool | `false` | | | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | | trustDomain | string | `"example.org"` | | From c0d16f45065e19a7b562ebdd3f7603410bb90cae Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 08:58:30 -0800 Subject: [PATCH 05/19] Make ports configurable and fix docs Signed-off-by: Kevin Fox --- charts/spire/README.md | 1 + charts/spire/charts/spire-agent/README.md | 1 + charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +- charts/spire/charts/spire-agent/values.yaml | 1 + charts/spire/values.yaml | 2 +- 5 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/charts/spire/README.md b/charts/spire/README.md index cf9d3fc30..0e6437ddb 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -70,6 +70,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.clusterName | string | `"example-cluster"` | | | spire-server.controllerManager.enabled | bool | `true` | | | spire-server.nameOverride | string | `"server"` | | +| spire-server.telemetry.prometheus.enabled | bool | `true` | | | spire-server.trustDomain | string | `"example.org"` | | ---------------------------------------------- diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b377c3b49..d2cb3a70c 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -31,6 +31,7 @@ A Helm chart to install the SPIRE agent. | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | | telemetry.prometheus.enabled | bool | `false` | | +| telemetry.prometheus.port | int | `9988` | | | trustDomain | string | `"example.org"` | | | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | | | waitForIt.image.registry | string | `"cgr.dev"` | | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index d6eeb1515..7cd18573f 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -56,7 +56,7 @@ data: telemetry { Prometheus { host = "0.0.0.0" - port = 9988 + port = {{ .Values.telemetry.prometheus.port }} } } {{- end }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index b9f6b05c5..fd227da85 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -83,3 +83,4 @@ workloadAttestors: telemetry: prometheus: enabled: false + port: 9988 
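Review bot: Only the agent's listener port becomes a value in PATCH 05. The spire-server configmap.yaml keeps the literal `port = 9988` from PATCH 01, and the spire-server statefulset.yaml hunk in PATCH 09 later hard-codes `containerPort: 9988`, so the server cannot be moved off that port and the two subcharts diverge. In the agent configmap.yaml hunk, `port = {{ .Values.telemetry.prometheus.port }}` also renders an empty right-hand side if an override nulls the value, which would only surface when the agent parses its config. `port = {{ required "telemetry.prometheus.port is required" .Values.telemetry.prometheus.port | int }}` fails at template time instead, and the same expression can be used on the server side once it has a matching value.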
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 1f8e94c2f..407897d97 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -1,7 +1,7 @@ #global: # telemetry: # prometheus: -# enabled: false|true +# enabled: true nameOverride: "" fullnameOverride: "" From 8eac7a1f9c117f721225b56f7ce0ec8fc9278082 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 11:23:27 -0800 Subject: [PATCH 06/19] Add test Signed-off-by: Kevin Fox --- .github/tests/prometheus/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .github/tests/prometheus/values.yaml diff --git a/.github/tests/prometheus/values.yaml b/.github/tests/prometheus/values.yaml new file mode 100644 index 000000000..b66af8d06 --- /dev/null +++ b/.github/tests/prometheus/values.yaml @@ -0,0 +1,4 @@ +global: + telemetry: + prometheus: + enabled: true From 9dc5f8f22ea07b932975d9d684d21a0ca7fbb122 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 11:31:07 -0800 Subject: [PATCH 07/19] Fix docs and bump version for now. Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index d6562b95c..9f4ec235b 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.2.0 +version: 0.3.0 appVersion: "1.5.5" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire From 25f7d27e48e3eb5e3c8b4b619f2e2f7747da7cd3 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 11:33:15 -0800 Subject: [PATCH 08/19] Fix lint and docs. 
Signed-off-by: Kevin Fox --- charts/spire/README.md | 2 +- charts/spire/values.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 0e6437ddb..8a4917b88 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.5](https://img.shields.io/badge/AppVersion-1.5.5-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.5](https://img.shields.io/badge/AppVersion-1.5.5-informational?style=flat-square) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 407897d97..e6d58306d 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -1,7 +1,7 @@ -#global: -# telemetry: -# prometheus: -# enabled: true +# global: +# telemetry: +# prometheus: +# enabled: true nameOverride: "" fullnameOverride: "" From c2cbef4ebcc7a7e79dd605a0ffa1bca049b2ab8f Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 12:50:43 -0800 Subject: [PATCH 09/19] Add oidc-discovery exporter and specify ports. Signed-off-by: Kevin Fox --- .../spiffe-oidc-discovery-provider/README.md | 7 ++++++ .../templates/configmap.yaml | 6 +++++ .../templates/deployment.yaml | 14 +++++++++++ .../values.yaml | 24 +++++++++++++++++++ .../spire-agent/templates/daemonset.yaml | 7 ++++++ .../spire-server/templates/statefulset.yaml | 4 ++++ 6 files changed, 62 insertions(+) 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 349985846..6bfaeb560 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -48,6 +48,13 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | +| telemetry.prometheus.enabled | bool | `false` | | +| telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | | +| telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | | +| telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | | +| telemetry.prometheus.nginxExporter.image.version | string | `"0.11.0"` | | +| telemetry.prometheus.nginxExporter.resources | object | `{}` | | +| telemetry.prometheus.port | int | `9988` | | | tolerations | list | `[]` | | | trustDomain | string | `"example.org"` | | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml index b44c456c8..70e672d23 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml @@ -53,5 +53,11 @@ data: proxy_pass http://oidc; proxy_set_header Host $host; } + + location /stub_status { + allow 127.0.0.1/32; + deny all; + stub_status on; + } } {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index a16ea20fa..3a193d273 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml 
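Review bot: The `/stub_status` location added in the spiffe-oidc-discovery-provider configmap.yaml hunk (PATCH 09) sits next to the `proxy_pass http://oidc` location that serves external requests, and is protected only by `allow 127.0.0.1/32; deny all;`. That rule tests the peer address nginx sees, so it would also pass for requests relayed by anything local to the pod, such as a proxy sidecar; that is an assumption about deployments, not something this hunk shows. Serving the status page from a separate server block that listens only on loopback removes the reliance on address filtering, with the exporter's `-nginx.scrape-uri` pointed at that port. The enclosing server block starts outside the hunk, so its `listen` directive should be checked before settling on a port.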
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -87,6 +87,20 @@ spec: readOnly: true resources: {{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }} + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + - name: nginx-exporter + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spiffe-oidc-discovery-provider.image" .Values.telemetry.prometheus.nginxExporter }} + imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }} + args: + - -nginx.scrape-uri=http://127.0.0.1/stub_status + resources: + {{- toYaml .Values.telemetry.prometheus.nginxExporter.resources | nindent 12 }} + ports: + - containerPort: 9113 + name: prom + {{- end }} {{- end }} volumes: - name: spiffe-workload-api diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index a4b6827e6..90d737930 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -110,3 +110,27 @@ tolerations: [] affinity: {} trustDomain: "example.org" + +telemetry: + prometheus: + enabled: false + port: 9988 + + nginxExporter: + image: + registry: docker.io + repository: nginx/nginx-prometheus-exporter + pullPolicy: IfNotPresent + version: "0.11.0" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # requests: + # cpu: 50m + # memory: 32Mi + # limits: + # cpu: 100m + # memory: 64Mi 
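Review bot: The nginx-exporter sidecar in the deployment.yaml hunk (PATCH 09) declares `containerPort: 9113`, while the values.yaml and README hunks of the same patch introduce `telemetry.prometheus.port` with default `9988`, which no template in this patch reads for this chart. An operator who writes a scrape config or NetworkPolicy from the documented value would target a port nothing listens on. Either drop the value or wire it through by adding `- -web.listen-address=:{{ .Values.telemetry.prometheus.port }}` to `args` and using the same expression for `containerPort`. The sidecar is also rendered inside an outer block that closes with the second `{{- end }}`, presumably the insecure-scheme nginx branch, so enabling telemetry without that branch appears to yield no exporter at all; the README should say so.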
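Review bot: The `nginxExporter.image` defaults added in the spiffe-oidc-discovery-provider values.yaml hunk (PATCH 09) reference `docker.io/nginx/nginx-prometheus-exporter` by the tag `"0.11.0"` only, and a tag can be re-pointed in the registry after review. This sidecar runs in the pod that serves the OIDC discovery documents, so I would let operators pin it by digest and document that in a comment above `version:`, for example `# -- image tag; prefer pinning by digest in production`. Whether the `spiffe-oidc-discovery-provider.image` helper can render a digest is not visible in this patch, so the helper may need a small extension first.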
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index b121f6245..61bf76b4f 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -60,6 +60,13 @@ spec: readOnly: false - name: spire-token mountPath: /var/run/secrets/tokens + ports: + - containerPort: {{ .Values.healthChecks.port }} + name: health + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + - containerPort: {{ .Values.telemetry.prometheus.port }} + name: prom + {{- end }} livenessProbe: httpGet: path: /live diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index ab9e90294..ab1594fa0 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -47,6 +47,10 @@ spec: protocol: TCP - containerPort: 8080 name: healthz + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + - containerPort: 9988 + name: prom + {{- end }} livenessProbe: httpGet: path: /live From 8dcf3d730502bf8de6499132d1f58865686082d0 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 16:03:20 -0800 Subject: [PATCH 10/19] Remove merge conflict issue Signed-off-by: Kevin Fox --- charts/spire/README.md | 1 - charts/spire/values.yaml | 4 ---- 2 files changed, 5 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 8a4917b88..52f94ae76 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -70,7 +70,6 @@ Kubernetes: `>=1.21.0-0` | spire-server.clusterName | string | `"example-cluster"` | | | spire-server.controllerManager.enabled | bool | `true` | | | spire-server.nameOverride | string | `"server"` | | -| spire-server.telemetry.prometheus.enabled | bool | `true` | | | spire-server.trustDomain | string | `"example.org"` | | ---------------------------------------------- diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index e6d58306d..1fd8c8f05 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -17,10 +17,6 @@ spire-server: controllerManager: enabled: true - telemetry: - prometheus: - enabled: true - spire-agent: nameOverride: agent bundleConfigMap: *bundleConfigMap From 26e57dd18218e6bc5ec0a9bf370315ba9d625657 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Fri, 24 Feb 2023 08:40:25 -0800 Subject: [PATCH 11/19] Add a comment Signed-off-by: Kevin Fox --- charts/spire/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 1fd8c8f05..df1b4f5d3 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -1,3 +1,4 @@ +# You can enable features that affect all services here. # global: # telemetry: # prometheus: From df4e1d3236d8fdde6b67b9f63c6bfbf96abae078 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Fri, 24 Feb 2023 12:42:47 -0800 Subject: [PATCH 12/19] Enable prom on the controller manager Signed-off-by: Kevin Fox --- .../spire-server/templates/controller-manager-configmap.yaml | 4 +++- charts/spire/charts/spire-server/templates/statefulset.yaml | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml index a447676be..ff48f1025 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml 
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml @@ -13,8 +13,10 @@ data: namespace: {{ .Release.Namespace }} labels: {{- include "spire-server.labels" . | nindent 8 }} + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} metrics: - bindAddress: 127.0.0.1:8082 + bindAddress: 0.0.0.0:8082 + {{- end }} healthProbe: bindAddress: 127.0.0.1:8083 leaderElection: diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index ab1594fa0..2f2426597 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -98,6 +98,10 @@ spec: protocol: TCP - containerPort: 8008 name: healthz + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + - containerPort: 8082 + name: prom2 + {{- end }} # TODO: implement probes # livenessProbe: # httpGet: From b3a24c7311e564f92950503919d16d3fe6941010 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Mon, 20 Feb 2023 14:26:37 -0800 Subject: [PATCH 13/19] Basic Prometheus support This patch adds very basic prometheus support to the agent and server It also has a fix in it so that changes to the agent or server configmaps reload those pods. Signed-off-by: Kevin Fox --- charts/spire/README.md | 2 ++ charts/spire/values.yaml | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index 52f94ae76..369f7b9c3 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
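Review bot: The controller-manager-configmap.yaml hunk of PATCH 12 moves the metrics listener from `127.0.0.1:8082` to `0.0.0.0:8082` and wraps the whole `metrics:` key in the telemetry guard. With telemetry disabled the key disappears, so the bind address becomes whatever the controller manager defaults to rather than the previous loopback address. PATCH 19 later removes the guard, which leaves `0.0.0.0:8082` in effect even when `telemetry.prometheus.enabled` is false. Keeping the key unconditional and templating only the host preserves loopback as the disabled state: `bindAddress: {{ ternary "0.0.0.0" "127.0.0.1" $promEnabled }}:8082`, where `$promEnabled` is a name I am introducing for the existing `dig` expression. The `prom2` container port in the statefulset.yaml hunk can stay behind the guard as written.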
@@ -65,11 +65,13 @@ Kubernetes: `>=1.21.0-0` | spire-agent.bundleConfigMap | string | `"spire-bundle"` | | | spire-agent.clusterName | string | `"example-cluster"` | | | spire-agent.nameOverride | string | `"agent"` | | +| spire-agent.telemetry.prometheus.enabled | bool | `true` | | | spire-agent.trustDomain | string | `"example.org"` | | | spire-server.bundleConfigMap | string | `"spire-bundle"` | | | spire-server.clusterName | string | `"example-cluster"` | | | spire-server.controllerManager.enabled | bool | `true` | | | spire-server.nameOverride | string | `"server"` | | +| spire-server.telemetry.prometheus.enabled | bool | `true` | | | spire-server.trustDomain | string | `"example.org"` | | ---------------------------------------------- diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index df1b4f5d3..f1d339bb8 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -18,6 +18,10 @@ spire-server: controllerManager: enabled: true + telemetry: + prometheus: + enabled: true + spire-agent: nameOverride: agent bundleConfigMap: *bundleConfigMap @@ -25,6 +29,10 @@ spire-agent: clusterName: *clusterName trustDomain: *trustDomain + telemetry: + prometheus: + enabled: true + spiffe-csi-driver: {} spiffe-oidc-discovery-provider: From 07847b5ecfa541f30e8e18c6accc1a5c35a7bdeb Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 21 Feb 2023 09:48:19 -0800 Subject: [PATCH 14/19] Update default values Signed-off-by: Kevin Fox --- charts/spire/values.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index f1d339bb8..a5a39806d 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -29,10 +29,6 @@ spire-agent: clusterName: *clusterName trustDomain: *trustDomain - telemetry: - prometheus: - enabled: true - spiffe-csi-driver: {} spiffe-oidc-discovery-provider: From 85900737de419aef64ac2470d811a90629925d99 Mon Sep 17 00:00:00 2001 
From: Kevin Fox Date: Wed, 22 Feb 2023 08:49:54 -0800 Subject: [PATCH 15/19] Update readmes Signed-off-by: Kevin Fox --- charts/spire/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 369f7b9c3..8a4917b88 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -65,7 +65,6 @@ Kubernetes: `>=1.21.0-0` | spire-agent.bundleConfigMap | string | `"spire-bundle"` | | | spire-agent.clusterName | string | `"example-cluster"` | | | spire-agent.nameOverride | string | `"agent"` | | -| spire-agent.telemetry.prometheus.enabled | bool | `true` | | | spire-agent.trustDomain | string | `"example.org"` | | | spire-server.bundleConfigMap | string | `"spire-bundle"` | | | spire-server.clusterName | string | `"example-cluster"` | | From 1a0c5ba3403768b14186d4cc946ad3e1e0c69df4 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 23 Feb 2023 16:03:20 -0800 Subject: [PATCH 16/19] Remove merge conflict issue Signed-off-by: Kevin Fox --- charts/spire/README.md | 1 - charts/spire/values.yaml | 4 ---- 2 files changed, 5 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 8a4917b88..52f94ae76 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -70,7 +70,6 @@ Kubernetes: `>=1.21.0-0` | spire-server.clusterName | string | `"example-cluster"` | | | spire-server.controllerManager.enabled | bool | `true` | | | spire-server.nameOverride | string | `"server"` | | -| spire-server.telemetry.prometheus.enabled | bool | `true` | | | spire-server.trustDomain | string | `"example.org"` | | ---------------------------------------------- diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index a5a39806d..df1b4f5d3 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -18,10 +18,6 @@ spire-server: controllerManager: enabled: true - telemetry: - prometheus: - enabled: true - spire-agent: nameOverride: agent bundleConfigMap: *bundleConfigMap 
From e5623e42d86b7dcfb8089d106a084b2d6c673b67 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 24 Feb 2023 21:17:17 +0100 Subject: [PATCH 17/19] Fixup adding telemetry port in wrong place Signed-off-by: Marco Franssen --- .../spire/charts/spire-agent/templates/daemonset.yaml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 61bf76b4f..4506adbda 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -48,6 +48,10 @@ spec: ports: - containerPort: {{ .Values.healthChecks.port }} name: healthz + {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + - containerPort: {{ .Values.telemetry.prometheus.port }} + name: prom + {{- end }} volumeMounts: - name: spire-config mountPath: /run/spire/config @@ -60,13 +64,6 @@ spec: readOnly: false - name: spire-token mountPath: /var/run/secrets/tokens - ports: - - containerPort: {{ .Values.healthChecks.port }} - name: health - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} - - containerPort: {{ .Values.telemetry.prometheus.port }} - name: prom - {{- end }} livenessProbe: httpGet: path: /live From c44c48a21b580e77915445c16bd3a4d1dda7cbc9 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 24 Feb 2023 21:20:26 +0100 Subject: [PATCH 18/19] Revert version bump Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 9f4ec235b..d6562b95c 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.3.0 +version: 0.2.0 appVersion: "1.5.5" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 52f94ae76..cf9d3fc30 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.5](https://img.shields.io/badge/AppVersion-1.5.5-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.5](https://img.shields.io/badge/AppVersion-1.5.5-informational?style=flat-square) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 0839037118da90f918713d37261ef74a3969d7fa Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Fri, 24 Feb 2023 13:01:49 -0800 Subject: [PATCH 19/19] Ensure metrics config is always there for controller manager Signed-off-by: Kevin Fox --- .../spire-server/templates/controller-manager-configmap.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml index ff48f1025..4a329ed53 100644 
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml @@ -13,10 +13,8 @@ data: namespace: {{ .Release.Namespace }} labels: {{- include "spire-server.labels" . | nindent 8 }} - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} metrics: bindAddress: 0.0.0.0:8082 - {{- end }} healthProbe: bindAddress: 127.0.0.1:8083 leaderElection: