Add a standalone prometheus example
Can be used on many different clusters
smarterclayton committed Dec 11, 2017
1 parent 3287329 commit ba373ca
Showing 2 changed files with 283 additions and 2 deletions.
38 changes: 36 additions & 2 deletions examples/prometheus/README.md
@@ -1,6 +1,10 @@
# Prometheus Ops Metrics Example
# Prometheus for OpenShift

This template creates a Prometheus instance preconfigured to gather OpenShift and Kubernetes platform and node metrics and report them to admins. It is protected by an OAuth proxy that only allows access for users who have view access to the `kube-system` namespace.
This directory contains example components for running either an operational Prometheus setup for your OpenShift cluster, or deploying a standalone secured Prometheus instance for configurating yourself.

## Prometheus for Operations

The `prometheus.yaml` template creates a Prometheus instance preconfigured to gather OpenShift and Kubernetes platform and node metrics and report them to admins. It is protected by an OAuth proxy that only allows access for users who have view access to the `kube-system` namespace.

To deploy, run:

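Review bot: typo in the new intro paragraph: `configurating yourself` should be `configuring yourself`. The same sentence also mixes verb forms (`running either an operational Prometheus setup ... or deploying a standalone ...`); either `running ... or running ...` or `either an operational Prometheus setup ... or a standalone secured Prometheus instance ...` reads cleanly.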
@@ -20,6 +24,36 @@ $ oc create -f node-exporter.yaml -n kube-system
$ oc adm policy add-scc-to-user -z prometheus-node-exporter -n kube-system hostaccess
```

## Standalone Prometheus

The `prometheus-standalone.yaml` template creates a Prometheus instance without any configuration, intended for use when you have your own configuration. It expects two secrets to be created ahead of time:

* `prom` which should contain:
* `prometheus.yml`: The Prometheus configuration
* `*.rules`: Will be treated as recording or alerting rules
* Any additional files referenced by `prometheus.yml`
* `prom-alerts` which should contain:
* `alertmanager.yml`: The Alert Manager configuration
* Any additional files referenced by `alertmanager.yml`

The example uses secrets instead of config maps in case either config file needs to reference a secret.

Example creation steps:

```
# Create the prom secret
$ oc create secret generic prom --from-file=../prometheus.yml
# Create the prom-alerts secret
$ oc create secret generic prom --from-file=../alertmanager.yml
# Create the prometheus instance
$ oc process -f prometheus-standalone.yaml | oc apply -f -
```

You can find the Prometheus route by invoking `oc get routes` and then browsing in your web console. Users who are granted `view` access on the namespace will have access to login to Prometheus.


## Useful metrics queries

### Related to how much data is being gathered by Prometheus
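Review bot: the second creation step creates the wrong secret. Under the comment `# Create the prom-alerts secret`, the command `$ oc create secret generic prom --from-file=../alertmanager.yml` names the secret `prom` again; it should be `oc create secret generic prom-alerts --from-file=../alertmanager.yml`. As written the second `oc create` fails with an AlreadyExists error (or, if run first, leaves Prometheus with alertmanager.yml as its only config), and the `prom-alerts` secret that the template's `alertmanager-config` volume mounts is never created. Also, the bullet `*.rules: Will be treated as recording or alerting rules` overstates what happens: Prometheus only loads files listed under `rule_files:` in prometheus.yml, and the template passes no rule flag, so the README should say the config must reference them at the mount path the template uses, e.g. `/etc/prometheus/*.rules`.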
247 changes: 247 additions & 0 deletions examples/prometheus/prometheus-standalone.yaml
@@ -0,0 +1,247 @@
apiVersion: template.openshift.io/v1
kind: Template
metadata:
name: prometheus
annotations:
"openshift.io/display-name": Prometheus
description: |
A Prometheus deployment that can be customized to monitor components and dispatch alerts. It is secure by default and can be used to monitor arbitrary clients.
iconClass: icon-cogs
tags: "monitoring,prometheus,alertmanager,time-series"
parameters:
- description: The location of the proxy image
name: IMAGE_PROXY
value: openshift/oauth-proxy:v1.0.0
- description: The location of the prometheus image
name: IMAGE_PROMETHEUS
value: openshift/prometheus:v2.0.0
- description: The location of the alertmanager image
name: IMAGE_ALERTMANAGER
value: openshift/prometheus-alertmanager:v0.9.1
- description: The location of alert-buffer image
name: IMAGE_ALERT_BUFFER
value: openshift/prometheus-alert-buffer:v0.0.2
- description: The session secret for the proxy
name: SESSION_SECRET
generate: expression
from: "[a-zA-Z0-9]{43}"

objects:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: prom
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.prom: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prom"}}'
serviceaccounts.openshift.io/oauth-redirectreference.alerts: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prom-alerts"}}'

# Create a fully end-to-end TLS connection to the prometheus proxy
- apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: prom
spec:
to:
name: prom
tls:
termination: Reencrypt
insecureEdgeTerminationPolicy: Redirect
- apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/scheme: https
service.alpha.openshift.io/serving-cert-secret-name: prom-tls
labels:
name: prom
name: prom
spec:
ports:
- name: prometheus
port: 443
protocol: TCP
targetPort: 8443
selector:
app: prom
- apiVersion: v1
kind: Secret
metadata:
name: prom-proxy
stringData:
session_secret: "${SESSION_SECRET}="
- apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
labels:
app: prom
name: prom
spec:
updateStrategy:
type: RollingUpdate
podManagementPolicy: Parallel
selector:
matchLabels:
app: prom
template:
metadata:
labels:
app: prom
name: prom
spec:
serviceAccountName: prom
containers:
# Deploy Prometheus behind an oauth proxy
- name: prom-proxy
image: ${IMAGE_PROXY}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
name: web
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- -provider=openshift
- -https-address=:8443
- -http-address=
- -email-domain=*
- -upstream=http://localhost:9090
- -client-id=system:serviceaccount:$(NAMESPACE):prom
- -openshift-ca=/etc/pki/tls/cert.pem
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- '-openshift-sar={"resource": "namespaces", "verb": "get", "resourceName": "$(NAMESPACE)", "namespace": "$(NAMESPACE)"}'
- -tls-cert=/etc/tls/private/tls.crt
- -tls-key=/etc/tls/private/tls.key
- -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -skip-auth-regex=^/metrics
volumeMounts:
- mountPath: /etc/tls/private
name: prometheus-tls
- mountPath: /etc/proxy/secrets
name: prometheus-secrets
- mountPath: /prometheus
name: prometheus-data

- name: prometheus
args:
- --storage.tsdb.retention=6h
- --storage.tsdb.min-block-duration=2m
- --config.file=/etc/prometheus/prometheus.yml
- --web.listen-address=localhost:9090
image: ${IMAGE_PROMETHEUS}
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /etc/prometheus
name: prometheus-config
- mountPath: /prometheus
name: prometheus-data

# Deploy alertmanager behind an oauth proxy
# use http port=4190 and https port=9943 to differ from prom-proxy
- name: alerts-proxy
image: ${IMAGE_PROXY}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: web
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- -provider=openshift
- -https-address=:9443
- -http-address=
- -email-domain=*
- -upstream=http://localhost:9099
- -client-id=system:serviceaccount:$(NAMESPACE):prom
- -openshift-ca=/etc/pki/tls/cert.pem
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- '-openshift-sar={"resource": "namespaces", "verb": "get", "resourceName": "$(NAMESPACE)", "namespace": "$(NAMESPACE)"}'
- -tls-cert=/etc/tls/private/tls.crt
- -tls-key=/etc/tls/private/tls.key
- -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- -cookie-secret-file=/etc/proxy/secrets/session_secret
volumeMounts:
- mountPath: /etc/tls/private
name: alerts-tls
- mountPath: /etc/proxy/secrets
name: alerts-secrets

- name: alertmanager
args:
- -config.file=/etc/alertmanager/alertmanager.yml
image: ${IMAGE_ALERTMANAGER}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9093
name: web
volumeMounts:
- mountPath: /etc/alertmanager
name: alertmanager-config
- mountPath: /alertmanager
name: alertmanager-data

restartPolicy: Always
volumes:
- name: prometheus-config
secret:
secretName: prom
- name: prometheus-secrets
secret:
secretName: prom-proxy
- name: prometheus-tls
secret:
secretName: prom-tls
- name: prometheus-data
emptyDir: {}
- name: alertmanager-config
secret:
secretName: prom-alerts
- name: alerts-secrets
secret:
secretName: prom-alerts-proxy
- name: alerts-tls
secret:
secretName: prom-alerts-tls
- name: alertmanager-data
emptyDir: {}

# Create a fully end-to-end TLS connection to the alert proxy
- apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: prom-alerts
spec:
to:
name: prom-alerts
tls:
termination: Reencrypt
insecureEdgeTerminationPolicy: Redirect
- apiVersion: v1
kind: Service
metadata:
annotations:
service.alpha.openshift.io/serving-cert-secret-name: prom-alerts-tls
labels:
name: prom-alerts
name: prom-alerts
spec:
ports:
- name: alerts
port: 443
protocol: TCP
targetPort: 9443
selector:
app: prom
- apiVersion: v1
kind: Secret
metadata:
name: prom-alerts-proxy
stringData:
session_secret: "${SESSION_SECRET}="
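Review bot: the alerts-proxy container points at an upstream that nothing in this template serves: it passes `-upstream=http://localhost:9099`, but the only Alertmanager listener declared is `containerPort: 9093` and the alertmanager container gets no listen-address argument, so its default port applies. Either change the upstream to `http://localhost:9093` or add the alert-buffer container that the otherwise unused `IMAGE_ALERT_BUFFER` parameter suggests was meant to sit on 9099; as it stands the parameter is dead and the `prom-alerts` route returns a proxy error. Related: the prometheus container is pinned to `--web.listen-address=localhost:9090`, so it is reachable only through the OAuth proxy, but alertmanager is left on its default bind and, absent a NetworkPolicy, is reachable on the pod IP from any other pod in the cluster, bypassing the proxy and its SAR check; pass `-web.listen-address=localhost:9093` there as well. The comment `# use http port=4190 and https port=9943 to differ from prom-proxy` does not match the container, which listens on 9443 with `-http-address=` disabled. Two points the README should state for a template described as secure by default: `-skip-auth-regex=^/metrics` on prom-proxy makes Prometheus' own `/metrics` endpoint reachable without login through the public `prom` route (intended for the `prometheus.io/scrape` annotation on the service, but exposed externally all the same), and both data volumes are `emptyDir`, so the 6h retention is lost on every pod restart despite the StatefulSet.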
