apiVersion: template.openshift.io/v1 kind: Template metadata: name: prometheus annotations: "openshift.io/display-name": Prometheus description: | A Prometheus deployment that can be customized to monitor components and dispatch alerts. It is secure by default and can be used to monitor arbitrary clients. iconClass: fa fa-cogs tags: "monitoring,prometheus,alertmanager,time-series" parameters: - description: The location of the proxy image name: IMAGE_PROXY value: openshift/oauth-proxy:v1.0.0 - description: The location of the prometheus image name: IMAGE_PROMETHEUS value: openshift/prometheus:v2.3.2 - description: The location of the alertmanager image name: IMAGE_ALERTMANAGER value: openshift/prometheus-alertmanager:v0.15.1 - description: The location of alert-buffer image name: IMAGE_ALERT_BUFFER value: openshift/prometheus-alert-buffer:v0.0.2 - description: The session secret for the proxy name: SESSION_SECRET generate: expression from: "[a-zA-Z0-9]{43}" objects: - apiVersion: v1 kind: ServiceAccount metadata: name: prom annotations: serviceaccounts.openshift.io/oauth-redirectreference.prom: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prom"}}' serviceaccounts.openshift.io/oauth-redirectreference.alerts: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prom-alerts"}}' # Create a fully end-to-end TLS connection to the prometheus proxy - apiVersion: route.openshift.io/v1 kind: Route metadata: name: prom spec: to: name: prom tls: termination: Reencrypt insecureEdgeTerminationPolicy: Redirect - apiVersion: v1 kind: Service metadata: annotations: prometheus.io/scrape: "true" prometheus.io/scheme: https service.alpha.openshift.io/serving-cert-secret-name: prom-tls labels: name: prom name: prom spec: ports: - name: prometheus port: 443 protocol: TCP targetPort: 8443 selector: app: prom - apiVersion: v1 kind: Secret metadata: name: prom-proxy stringData: session_secret: "${SESSION_SECRET}=" - apiVersion: apps/v1beta1 kind: StatefulSet metadata: labels: app: prom name: prom spec: updateStrategy: type: RollingUpdate podManagementPolicy: Parallel selector: matchLabels: app: prom template: metadata: labels: app: prom name: prom spec: serviceAccountName: prom containers: # Deploy Prometheus behind an oauth proxy - name: prom-proxy image: ${IMAGE_PROXY} imagePullPolicy: IfNotPresent ports: - containerPort: 8443 name: web env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace args: - -provider=openshift - -https-address=:8443 - -http-address= - -email-domain=* - -upstream=http://localhost:9090 - -client-id=system:serviceaccount:$(NAMESPACE):prom - -openshift-ca=/etc/pki/tls/cert.pem - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - '-openshift-sar={"resource": "namespaces", "verb": "get", "resourceName": "$(NAMESPACE)", "namespace": "$(NAMESPACE)"}' - -tls-cert=/etc/tls/private/tls.crt - -tls-key=/etc/tls/private/tls.key - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - -cookie-secret-file=/etc/proxy/secrets/session_secret - -skip-auth-regex=^/metrics volumeMounts: - mountPath: /etc/tls/private name: prometheus-tls - mountPath: /etc/proxy/secrets name: prometheus-secrets - mountPath: /prometheus name: prometheus-data - name: prometheus args: - --storage.tsdb.retention=6h - --config.file=/etc/prometheus/prometheus.yml - --web.listen-address=localhost:9090 image: ${IMAGE_PROMETHEUS} imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /etc/prometheus name: prometheus-config - mountPath: /prometheus name: prometheus-data # Deploy alertmanager behind an oauth proxy # use http port=4190 and https port=9943 to differ from prom-proxy - name: alerts-proxy image: ${IMAGE_PROXY} imagePullPolicy: IfNotPresent ports: - containerPort: 9443 name: web env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace args: - -provider=openshift - -https-address=:9443 - -http-address= - -email-domain=* - -upstream=http://localhost:9099 - -client-id=system:serviceaccount:$(NAMESPACE):prom - -openshift-ca=/etc/pki/tls/cert.pem - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - '-openshift-sar={"resource": "namespaces", "verb": "get", "resourceName": "$(NAMESPACE)", "namespace": "$(NAMESPACE)"}' - -tls-cert=/etc/tls/private/tls.crt - -tls-key=/etc/tls/private/tls.key - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - -cookie-secret-file=/etc/proxy/secrets/session_secret volumeMounts: - mountPath: /etc/tls/private name: alerts-tls - mountPath: /etc/proxy/secrets name: alerts-secrets - name: alertmanager args: - --config.file=/etc/alertmanager/alertmanager.yml image: ${IMAGE_ALERTMANAGER} imagePullPolicy: IfNotPresent ports: - containerPort: 9093 name: web volumeMounts: - mountPath: /etc/alertmanager name: alertmanager-config - mountPath: /alertmanager name: alertmanager-data restartPolicy: Always volumes: - name: prometheus-config secret: secretName: prom - name: prometheus-secrets secret: secretName: prom-proxy - name: prometheus-tls secret: secretName: prom-tls - name: prometheus-data emptyDir: {} - name: alertmanager-config secret: secretName: prom-alerts - name: alerts-secrets secret: secretName: prom-alerts-proxy - name: alerts-tls secret: secretName: prom-alerts-tls - name: alertmanager-data emptyDir: {} # Create a fully end-to-end TLS connection to the alert proxy - apiVersion: route.openshift.io/v1 kind: Route metadata: name: prom-alerts spec: to: name: prom-alerts tls: termination: Reencrypt insecureEdgeTerminationPolicy: Redirect - apiVersion: v1 kind: Service metadata: annotations: service.alpha.openshift.io/serving-cert-secret-name: prom-alerts-tls labels: name: prom-alerts name: prom-alerts spec: ports: - name: alerts port: 443 protocol: TCP targetPort: 9443 selector: app: prom - apiVersion: v1 kind: Secret metadata: name: prom-alerts-proxy stringData: session_secret: "${SESSION_SECRET}="