add cert-exporter

Signed-off-by: Weifeng Wang <[email protected]>

add cert-exporter

Signed-off-by: Weifeng Wang <[email protected]>

add cert-exporter

Signed-off-by: Weifeng Wang <[email protected]>

Makefile

@@ -235,6 +235,7 @@ manifests-monitoring-mixins: $(KUSTOMIZE)
 manifests-common: $(KUSTOMIZE)
 	$(info ******************** generates manifests-common manifests ********************)
 	@$(KUSTOMIZE) build --enable-helm kubernetes/common/alloy > kubernetes/common/alloy/manifests/k8s-all-in-one.yaml
+	@$(KUSTOMIZE) build --enable-helm kubernetes/common/cert-exporter > kubernetes/common/cert-exporter/manifests/k8s-all-in-one.yaml
 	@$(KUSTOMIZE) build --enable-helm kubernetes/common/cert-manager > kubernetes/common/cert-manager/manifests/k8s-all-in-one.yaml
 	@$(KUSTOMIZE) build --enable-helm kubernetes/common/gateway > kubernetes/common/gateway/manifests/k8s-all-in-one.yaml
 	@$(KUSTOMIZE) build --enable-helm kubernetes/common/grafana > kubernetes/common/grafana/manifests/k8s-all-in-one.yaml

kubernetes/common/cert-exporter/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: monitoring-system
+
+helmCharts:
+- name: cert-exporter
+  repo: https://joe-elliott.github.io/cert-exporter
+  version: 3.8.0
+  releaseName: cert-exporter
+  namespace: monitoring-system
+  includeCRDs: false
+  valuesFile: values-k3d-k3s.yaml

kubernetes/common/cert-exporter/manifests/k8s-all-in-one.yaml

@@ -0,0 +1,159 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    helm.sh/chart: cert-exporter-3.8.0
+  name: cert-exporter
+  namespace: monitoring-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    helm.sh/chart: cert-exporter-3.8.0
+  name: cert-exporter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    helm.sh/chart: cert-exporter-3.8.0
+  name: cert-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-exporter
+subjects:
+- kind: ServiceAccount
+  name: cert-exporter
+  namespace: monitoring-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    cert-exporter.io/type: deployment
+    helm.sh/chart: cert-exporter-3.8.0
+  name: cert-exporter
+  namespace: monitoring-system
+spec:
+  ports:
+  - name: http-metrics
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/name: cert-exporter
+    cert-exporter.io/type: deployment
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    cert-exporter.io/type: deployment
+    helm.sh/chart: cert-exporter-3.8.0
+  name: cert-exporter-cert-manager
+  namespace: monitoring-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-exporter
+      app.kubernetes.io/name: cert-exporter
+      cert-exporter.io/type: deployment
+  template:
+    metadata:
+      annotations:
+        logs.grafana.com/scrape: "true"
+      labels:
+        app.kubernetes.io/instance: cert-exporter
+        app.kubernetes.io/name: cert-exporter
+        cert-exporter.io/type: deployment
+    spec:
+      containers:
+      - args:
+        - --secrets-annotation-selector=cert-manager.io/certificate-name
+        - --secrets-include-glob=*.crt
+        - --logtostderr
+        command:
+        - ./app
+        image: joeelliott/cert-exporter:v2.13.0
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          tcpSocket:
+            port: 8080
+        name: cert-exporter
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 1
+          httpGet:
+            path: /metrics
+            port: 8080
+          periodSeconds: 10
+        resources: {}
+        securityContext: {}
+        volumeMounts: []
+      securityContext: {}
+      serviceAccountName: cert-exporter
+      volumes: []
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-exporter
+    app.kubernetes.io/version: v2.13.0
+    cert-exporter.io/type: deployment
+    helm.sh/chart: cert-exporter-3.8.0
+    prometheus.io/load-rule: "true"
+  name: cert-exporter-cert-manager
+  namespace: monitoring-system
+spec:
+  endpoints:
+  - interval: 15s
+    port: http-metrics
+  jobLabel: jobLabel
+  namespaceSelector:
+    matchNames:
+    - monitoring-system
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-exporter
+      app.kubernetes.io/name: cert-exporter
+      cert-exporter.io/type: deployment

kubernetes/common/cert-exporter/values-k3d-k3s.yaml

@@ -0,0 +1,13 @@
+certManager:
+  podAnnotations:
+    logs.grafana.com/scrape: "true"
+
+service:
+  # Requires prometheus-operator to be installed
+  serviceMonitor:
+    create: true
+    interval: 15s
+
+dashboards:
+  certManagerDashboard:
+    create: false

kubernetes/common/cert-exporter/values.yaml

@@ -0,0 +1,166 @@
+certManager:
+  # DaemonSet or Deployment
+  kind: Deployment
+  replicaCount: 1
+  # Adds additional labels to pods
+  additionalPodLabels: {}
+  # label1: test
+  # label2: test
+
+  image:
+    repository: joeelliott/cert-exporter
+    # The default tag is ".Chart.AppVersion", only set "tag" to override that
+    tag: 
+    pullPolicy: IfNotPresent
+    command: ["./app"]
+    args:
+      - --secrets-annotation-selector=cert-manager.io/certificate-name
+      - --secrets-include-glob=*.crt
+      - --logtostderr
+    env: []
+    # - name: NODE_NAME
+    #   valueFrom:
+    #     fieldRef:
+    #       fieldPath: spec.nodeName
+
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+
+  podAnnotations: {}
+  # environment: prod
+  # prometheus.io/scrape: true
+  # prometheus.io/port: 8080
+  # prometheus.io/path: /metrics
+
+  podSecurityContext: {}
+  # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+    # runAsUser: 1000
+
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  volumes: []
+    # - name: kubelet
+    #   hostPath:
+    #     path: /var/lib/kubelet
+    #     type: Directory
+  volumeMounts: []
+    # - mountPath: /var/lib/kubelet/pki
+    #   mountPropagation: HostToContainer
+    #   name: kubelet
+    #   readOnly: true
+
+  containerPort: 8080
+
+service:
+  type: ClusterIP
+  port: 8080
+
+  portName: http-metrics
+
+  # Annotations to add to the service
+  annotations: {}
+
+  # Requires prometheus-operator to be installed
+  serviceMonitor:
+    create: false
+
+    # cannot be empty
+    additionalLabels:
+      prometheus.io/load-rule: "true"
+
+    ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+    ##
+    interval: 20s
+
+    ## metric relabel configs to apply to samples before ingestion.
+    ##
+    metricRelabelings: []
+    # - action: keep
+    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+    #   sourceLabels: [__name__]
+
+    # relabel configs to apply to samples before ingestion.
+    ##
+    relabelings: []
+    # - sourceLabels: [__meta_kubernetes_pod_node_name]
+    #   separator: ;
+    #   regex: ^(.*)$
+    #   targetLabel: nodename
+    #   replacement: $1
+    #   action: replace
+
+rbac:
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: cert-exporter
+
+  clusterRole:
+    # New role to grant to the service account
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # Rules for the Role
+    rules:
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["get", "list"]
+
+  clusterRoleBinding:
+    create: true
+
+# Extra manifests to deploy as an array
+extraManifests: []
+  # - |
+  #   apiVersion: rbac.authorization.k8s.io/v1
+  #   kind: Role
+  #   metadata:
+  #     name: cert-exporter
+  #   rules:
+  #   - apiGroups: [""]
+  #     resources: ["configmaps", "secrets"]
+  #     verbs: ["get", "list"]
+  # - |
+  #   apiVersion: rbac.authorization.k8s.io/v1
+  #   kind: RoleBinding
+  #   metadata:
+  #     name: cert-exporter
+  #   roleRef:
+  #     apiGroup: rbac.authorization.k8s.io
+  #     kind: Role
+  #     name: cert-exporter
+  #   subjects:
+  #     - kind: ServiceAccount
+  #       name: cert-exporter
+
+dashboards:
+  # Labels to add to all dashboard ConfigMaps
+  additionalLabels:
+    grafana_dashboard: "1"
+  certManagerDashboard:
+    create: true
+  namespace: monitoring