
Add service monitor (#554)
* Add service monitor

Signed-off-by: QuentinBisson <[email protected]>

* Update helm/cert-operator/values.yaml

* Update helm/cert-operator/values.yaml

Signed-off-by: QuentinBisson <[email protected]>

---------

Signed-off-by: QuentinBisson <[email protected]>
QuentinBisson authored Jul 11, 2023
1 parent 1061ae7 commit b6e0485
Showing 7 changed files with 97 additions and 22 deletions.
2 changes: 1 addition & 1 deletion .nancy-ignore
Expand Up @@ -18,4 +18,4 @@ CVE-2023-26125
CVE-2023-29401

# golang/google.golang.org/[email protected]
CVE-2023-32731 until=2023-07-30
CVE-2023-32731 until=2023-07-30
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added

- Added the use of the runtime/default seccomp profile.
- Added Service Monitor.
- Added required values for pss policies.
- Added pss exceptions for volumes.

2 changes: 2 additions & 0 deletions helm/cert-operator/templates/_helpers.tpl
Expand Up @@ -23,6 +23,8 @@ app.giantswarm.io/branch: {{ .Values.project.branch | quote }}
app.giantswarm.io/commit: {{ .Values.project.commit | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: "{{ .Chart.AppVersion }}{{- if eq $.Chart.Name $.Release.Name }}-unique{{ end }}"
{{- $regexToFind := printf "- provider:\\s%s\n\\s*team:\\s(.+)" .Values.provider.kind }}
application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/owners" | regexFind $regexToFind | replace (printf "- provider: %s\n" .Values.provider.kind) "" | replace "team: " "" | nospace }}
helm.sh/chart: {{ include "chart" . | quote }}
{{- end -}}

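Review bot: The new `application.giantswarm.io/team` line has no fallback: when the owners annotation carries no entry for `.Values.provider.kind`, `regexFind` returns an empty string and the label renders with an empty value, which is silently accepted at template time and only surfaces as a missing team label. Since the value is required for ownership routing, consider failing the render instead, e.g. piping the expression through `| required "no team found for .Values.provider.kind in application.giantswarm.io/owners"`. Note also that `.Values.provider.kind` is interpolated into the pattern unescaped, so a kind containing regex metacharacters would change what is matched; a comment above the `$regexToFind` line describing the expected annotation layout (a list of `- provider: <kind>` / `team: <team>` entries) would make the contract visible. The enclosing `define` block starts before this hunk.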
7 changes: 4 additions & 3 deletions helm/cert-operator/templates/service.yaml
Expand Up @@ -5,10 +5,11 @@ metadata:
namespace: {{ include "resource.default.namespace" . }}
labels:
{{- include "labels.common" . | nindent 4 }}
annotations:
prometheus.io/scrape: "true"
spec:
ports:
- port: 8000
- name: http
port: 8000
protocol: TCP
targetPort: http
selector:
{{- include "labels.selector" . | nindent 4 }}
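Review bot: `targetPort: http` on the new port entry only resolves if the Deployment's container port is named `http`; the Deployment is not part of this diff, so confirm the name matches, otherwise the Service has no ready endpoints and the new ServiceMonitor scrapes nothing. If the `prometheus.io/scrape: "true"` annotation is among the removed lines, scraping now depends entirely on `serviceMonitor.enabled`, which deserves a sentence in the CHANGELOG entry or the values comment so operators disabling the ServiceMonitor know metrics collection stops. The nesting of `name`, `port`, `protocol` and `targetPort` under the single list item cannot be verified from the rendered view.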
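--- /dev/null
+++ b/helm/cert-operator/templates/servicemonitor.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "resource.default.name" . }}
+  namespace: {{ include "resource.default.namespace" . }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  endpoints:
+    - interval: {{ .Values.serviceMonitor.interval }}
+      path: /metrics
+      port: http
+      scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+  selector:
+    matchLabels:
+      {{- include "labels.selector" . | nindent 6 }}
+{{- end }}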
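Review bot: `interval: {{ .Values.serviceMonitor.interval }}` and `scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}` are rendered unquoted, so an unset or empty value becomes YAML null and the resource is rejected by the CRD with an unhelpful message; render them as `interval: {{ .Values.serviceMonitor.interval | quote }}` and `scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout | quote }}`. Prometheus Operator also rejects a `scrapeTimeout` longer than the `interval`; the shipped defaults satisfy that, but nothing in the template enforces it, so either a `fail` check in the template or a note next to the two values in values.yaml would stop a misconfiguration from surfacing only at apply time. The `matchLabels` selector relies on `labels.selector` producing exactly the labels the Service carries, which holds as long as both templates keep using the same helper.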
79 changes: 61 additions & 18 deletions helm/cert-operator/values.schema.json
Expand Up @@ -35,17 +35,16 @@
"podSecurityContext": {
"type": "object",
"properties": {
"runAsNonRoot": {
"type": "boolean"
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
}
},
"runAsNonRoot": {
"type": "boolean",
"default": true
}
}
},
Expand All @@ -60,6 +59,14 @@
}
}
},
"provider": {
"type": "object",
"properties": {
"kind": {
"type": "string"
}
}
},
"registry": {
"type": "object",
"properties": {
Expand All @@ -79,32 +86,68 @@
"securityContext": {
"type": "object",
"properties": {
"allowPrivilegeEscalation": {
"type": "boolean",
"default": false
},
"seccompProfile": {
"default": {
"type": "object",
"properties": {
"type": {
"type": "string"
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
}
}
}
},
"capabilities":{
"initContainers": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"items": {
"type": "string"
},
"default": ["ALL"]
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
}
}
}
},
"serviceMonitor": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"interval": {
"type": "string"
},
"scrapeTimeout": {
"type": "string"
}
}
},
"userID": {
"type": "integer"
},
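Review bot: The new `serviceMonitor` properties (`"enabled"`, `"interval"`, `"scrapeTimeout"`) carry no `default`, unlike `runAsNonRoot` in the first hunk which documents its default, and the two duration strings have no format constraint, so a value like `60` or `60sec` passes schema validation and only fails when the ServiceMonitor is applied. Consider adding `"default": true`, `"default": "60s"` and `"default": "45s"` to match values.yaml, plus a `pattern` for Prometheus duration syntax on the two strings. The restructured `securityContext` schema appears to nest `default` and `initContainers` objects; confirm values.yaml uses the same nesting, since its `securityContext` hunk shows `capabilities` context lines with no visible `default` key (indentation is lost in this view, so this may just be a rendering artifact). The `"capabilities":{` line is missing the space after the colon used everywhere else in the file.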
10 changes: 10 additions & 0 deletions helm/cert-operator/values.yaml
Expand Up @@ -29,6 +29,9 @@ workloadCluster:
api:
endpointBase: ""

provider:
kind: "aws"

# Add seccomp to pod security context
podSecurityContext:
runAsNonRoot: true
Expand All @@ -49,3 +52,10 @@ securityContext:
capabilities:
drop:
- ALL

serviceMonitor:
enabled: true
# -- (duration) Prometheus scrape interval.
interval: "60s"
# -- (duration) Prometheus scrape timeout.
scrapeTimeout: "45s"
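Review bot: `serviceMonitor.enabled: true` as the default makes every install render a `monitoring.coreos.com/v1` resource, so the chart fails on a cluster without the Prometheus Operator CRDs; if that is intended for this platform, state it in the comment, e.g. `# -- Requires the Prometheus Operator ServiceMonitor CRD to be installed.`, otherwise default to `false`. The new `provider.kind` value drives the team-label regex in `_helpers.tpl` but has no helm-docs comment; `# -- (string) Provider kind used to select the owning team from the chart's owners annotation.` would document that coupling. The two duration comments are good; adding `# must not exceed interval` above `scrapeTimeout` would capture the constraint the operator enforces.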
