chore(addons): prometheus , mysql-cluster add networkpolicy (#10)

Author: EamonZhang

addons/mysql-cluster/8.0/chart/mysql-cluster/templates/networkpolicy.yaml

@@ -25,6 +25,7 @@ spec:
     - ports:
       - port: {{ .Values.router.service.portrw }}
       - port: {{ .Values.router.service.portro }}
+      - port: 24901
       {{- if and .Values.metrics.enabled }}
       - port: {{ .Values.metrics.service.port }}
       {{ end }} 

addons/mysql-cluster/8.0/chart/mysql-cluster/templates/primary/statefulset.yaml

@@ -298,7 +298,7 @@ spec:
               if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
                   password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
               fi
-              MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
+              MYSQLD_EXPORTER_PASSWORD=${password_aux} /opt/drycc/mysqld_exporter/bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
           {{- end }}
           ports:
             - name: metrics

addons/mysql-cluster/8.0/chart/mysql-cluster/values.yaml

@@ -971,7 +971,7 @@ rbac:
 networkPolicy:
   ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
   ##
-  enabled: true
+  enabled: true 
   ## @param networkPolicy.allowExternal The Policy model to apply.
   ## When set to false, only pods with the correct
   ## client label will have network access to the port MySQL is listening
@@ -1023,7 +1023,7 @@ volumePermissions:
 metrics:
   ## @param metrics.enabled Start a side-car prometheus exporter
   ##
-  enabled: true
+  enabled: true 
   ## @param metrics.image.registry Exporter image registry
   ## @param metrics.image.repository Exporter image repository
   ## @param metrics.image.tag Exporter image tag (immutable tags are recommended)
@@ -1032,9 +1032,9 @@ metrics:
   ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
   ##
   image:
-    registry: docker.io
-    repository: drycc/mysqld-exporter
-    tag: 0.14.0-debian-11-r45
+    registry: registry.drycc.cc
+    repository: drycc-addons/mysqld-exporter
+    tag: 0
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.

addons/prometheus/2/chart/prometheus/templates/_scrape_config.tpl

@@ -12,6 +12,7 @@ Usage:
 kubernetes_sd_configs:
   - role: endpoints
     namespaces:
+      own_namespace: true
       names:
       - {{ include "common.names.namespace" .context }}
 metrics_path: /metrics
@@ -83,4 +84,4 @@ relabel_configs:
       - __tmp_hash
     regex: 0
     action: keep
-{{- end -}}
+{{- end -}}

addons/prometheus/2/chart/prometheus/templates/networkpolicy.yaml

@@ -0,0 +1,47 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "common.labels.matchLabels" . | nindent 6 }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+      - port: {{ .Values.alertmanager.service.ports.http }} 
+      - port: {{ .Values.alertmanager.service.ports.cluster }} 
+      - port: {{ .Values.alertmanager.containerPorts.http }} 
+      - port: {{ .Values.alertmanager.containerPorts.cluster }} 
+      - port: {{ .Values.server.containerPorts.http }}
+      - port: {{ .Values.server.service.ports.http }}
+      {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+      from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+  {{- end }}
+{{- end }}

addons/prometheus/2/chart/prometheus/values.yaml

@@ -360,7 +360,7 @@ alertmanager:
   ingress:
     ## @param alertmanager.ingress.enabled Enable ingress record generation for Alertmanager
     ##
-    enabled: false
+    enabled: true
     ## @param alertmanager.ingress.pathType Ingress path type
     ##
     pathType: ImplementationSpecific
@@ -628,6 +628,9 @@ server:
     {{- if .Values.server.extraScrapeConfigs}}
     {{- include "common.tplvalues.render" (dict "value" .Values.server.extraScrapeConfigs "context" $) | nindent 2 }}
     {{- end }}
+    {{- if .Values.server.dsScrapeConfigs}}
+    {{- include "common.tplvalues.render" (dict "value" .Values.server.dsScrapeConfigs "context" $) | nindent 2 }}
+    {{- end }}
     {{- if or .Values.alertmanager.enabled .Values.server.alertingEndpoints}}
     alerting:
       alertmanagers:
@@ -649,7 +652,50 @@ server:
   ## @param server.extraScrapeConfigs Promethus configuration, useful to declare new scrape_configs. This content will be merged with the 'server.configuration' value and stored in the the prometheus.yaml file.
   ## ref: <https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config>
   ##
-  extraScrapeConfigs: []
+  extraScrapeConfigs: [] 
+  dsScrapeConfigs: 
+      - job_name: 'service-endpoints'
+        honor_labels: true
+        kubernetes_sd_configs:
+          - role: endpoints
+            namespaces:
+              own_namespace: true
+              names:
+                - default
+        relabel_configs:
+          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+            action: keep
+            regex: true
+          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
+            action: drop
+            regex: true
+          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+            action: replace
+            target_label: __scheme__
+            regex: (https?)
+          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+            action: replace
+            target_label: __metrics_path__
+            regex: (.+)
+          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+            action: replace
+            target_label: __address__
+            regex: (.+?)(?::\d+)?;(\d+)
+            replacement: $1:$2
+          - action: labelmap
+            regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
+            replacement: __param_$1
+          - action: labelmap
+            regex: __meta_kubernetes_service_label_(.+)
+          - source_labels: [__meta_kubernetes_namespace]
+            action: replace
+            target_label: namespace
+          - source_labels: [__meta_kubernetes_service_name]
+            action: replace
+            target_label: service
+          - source_labels: [__meta_kubernetes_pod_node_name]
+            action: replace
+            target_label: node
   ## @param server.replicaCount Number of Prometheus replicas to deploy
   ##
   replicaCount: 1
@@ -824,7 +870,7 @@ server:
     ## StrategyType
     ## Can be set to RollingUpdate or Recreate
     ##
-    type: RollingUpdate
+    type: Recreate 
 
   ## @param server.priorityClassName Prometheus pods' priorityClassName
   ##
@@ -1225,7 +1271,7 @@ server:
   ingress:
     ## @param server.ingress.enabled Enable ingress record generation for Prometheus
     ##
-    enabled: false
+    enabled: true
     ## @param server.ingress.pathType Ingress path type
     ##
     pathType: ImplementationSpecific
@@ -1460,6 +1506,21 @@ server:
     ##
     rules: []
 
+## Prometheus Nework Policy configuration
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
+  ##
+  enabled: true 
+  ## @param networkPolicy.allowExternal The Policy model to apply.
+  ## When set to false, only pods with the correct
+  ## client label will have network access to the port MySQL is listening
+  ## on. When true, MySQL will accept connections from any source
+  ## (with the correct destination port).
+  ##
+  allowCurrentNamespace: true
+  allowNamespaces: 
+    - traefik
 ## @section Init Container Parameters
 ##
 
@@ -1507,4 +1568,4 @@ volumePermissions:
   ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
   ##
   containerSecurityContext:
-    runAsUser: 0
+    runAsUser: 0

addons/prometheus/2/plans/standard-10/bind.yaml

@@ -0,0 +1,28 @@
+credential:
+  {{- if (eq .Values.server.service.type "LoadBalancer") }}
+  - name: host
+    valueFrom:
+      serviceRef:
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  - name: port
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .spec.ports.port }' 
+  {{- end }}
+
+alertmanager
+
+  {{- if (eq .Values.alertmanager.service.type "LoadBalancer") }}
+  - name: host
+    valueFrom:
+      serviceRef:
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  - name: port
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .spec.ports.port }' 
+  {{- end }}