From 1efa5f26db15d3603e0c12158557ba6b3c3e14d3 Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Tue, 26 May 2026 16:26:46 -0500 Subject: [PATCH 01/12] USHIFT-6951: Add metrics exporters as optional microshift-metrics RPM Add kustomize manifests for metrics-server, kube-state-metrics, and node-exporter as optional components delivered via a single microshift-metrics RPM. Includes SCC RBAC grants (hostmount-anyuid for metrics-server, privileged for node-exporter), service-ca TLS integration, health check registration, and release-info packaging. Co-Authored-By: Claude Opus 4.6 --- .../kube-state-metrics/01-serviceaccount.yaml | 5 + .../kube-state-metrics/02-clusterrole.yaml | 77 ++++++++++++ .../03-clusterrolebinding.yaml | 12 ++ .../kube-state-metrics/04-deployment.yaml | 111 ++++++++++++++++++ .../kube-state-metrics/05-service.yaml | 22 ++++ .../kustomization.aarch64.yaml | 7 ++ .../kustomization.x86_64.yaml | 7 ++ .../kube-state-metrics/kustomization.yaml | 8 ++ .../optional/metrics-server/00-namespace.yaml | 9 ++ .../metrics-server/01-serviceaccount.yaml | 5 + .../metrics-server/02-clusterrole.yaml | 44 +++++++ .../metrics-server/03-clusterrolebinding.yaml | 25 ++++ .../metrics-server/04-rolebinding.yaml | 13 ++ .../metrics-server/05-deployment.yaml | 95 +++++++++++++++ .../optional/metrics-server/06-service.yaml | 17 +++ .../metrics-server/07-apiservice.yaml | 14 +++ .../metrics-server/kustomization.aarch64.yaml | 4 + .../metrics-server/kustomization.x86_64.yaml | 4 + .../metrics-server/kustomization.yaml | 11 ++ .../release-metrics-aarch64.json | 10 ++ .../release-metrics-x86_64.json | 10 ++ .../node-exporter/01-serviceaccount.yaml | 5 + .../node-exporter/02-clusterrole.yaml | 22 ++++ .../node-exporter/03-clusterrolebinding.yaml | 12 ++ .../optional/node-exporter/04-daemonset.yaml | 100 ++++++++++++++++ assets/optional/node-exporter/05-service.yaml | 18 +++ .../node-exporter/kustomization.aarch64.yaml | 7 ++ .../node-exporter/kustomization.x86_64.yaml | 7 ++ .../optional/node-exporter/kustomization.yaml | 8 ++ 
packaging/rpm/microshift.spec | 71 +++++++++++ .../microshift_optional_workloads.go | 13 ++ .../config/kickstart.ks.template | 2 +- scripts/devenv-builder/create-vm.sh | 9 ++ scripts/devenv-builder/manage-vm.sh | 6 + test/bin/common.sh | 2 + 35 files changed, 791 insertions(+), 1 deletion(-) create mode 100644 assets/optional/kube-state-metrics/01-serviceaccount.yaml create mode 100644 assets/optional/kube-state-metrics/02-clusterrole.yaml create mode 100644 assets/optional/kube-state-metrics/03-clusterrolebinding.yaml create mode 100644 assets/optional/kube-state-metrics/04-deployment.yaml create mode 100644 assets/optional/kube-state-metrics/05-service.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.aarch64.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.x86_64.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.yaml create mode 100644 assets/optional/metrics-server/00-namespace.yaml create mode 100644 assets/optional/metrics-server/01-serviceaccount.yaml create mode 100644 assets/optional/metrics-server/02-clusterrole.yaml create mode 100644 assets/optional/metrics-server/03-clusterrolebinding.yaml create mode 100644 assets/optional/metrics-server/04-rolebinding.yaml create mode 100644 assets/optional/metrics-server/05-deployment.yaml create mode 100644 assets/optional/metrics-server/06-service.yaml create mode 100644 assets/optional/metrics-server/07-apiservice.yaml create mode 100644 assets/optional/metrics-server/kustomization.aarch64.yaml create mode 100644 assets/optional/metrics-server/kustomization.x86_64.yaml create mode 100644 assets/optional/metrics-server/kustomization.yaml create mode 100644 assets/optional/metrics-server/release-metrics-aarch64.json create mode 100644 assets/optional/metrics-server/release-metrics-x86_64.json create mode 100644 assets/optional/node-exporter/01-serviceaccount.yaml create mode 100644 assets/optional/node-exporter/02-clusterrole.yaml create mode 
100644 assets/optional/node-exporter/03-clusterrolebinding.yaml create mode 100644 assets/optional/node-exporter/04-daemonset.yaml create mode 100644 assets/optional/node-exporter/05-service.yaml create mode 100644 assets/optional/node-exporter/kustomization.aarch64.yaml create mode 100644 assets/optional/node-exporter/kustomization.x86_64.yaml create mode 100644 assets/optional/node-exporter/kustomization.yaml diff --git a/assets/optional/kube-state-metrics/01-serviceaccount.yaml b/assets/optional/kube-state-metrics/01-serviceaccount.yaml new file mode 100644 index 0000000000..719595d740 --- /dev/null +++ b/assets/optional/kube-state-metrics/01-serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-state-metrics + namespace: openshift-monitoring diff --git a/assets/optional/kube-state-metrics/02-clusterrole.yaml b/assets/optional/kube-state-metrics/02-clusterrole.yaml new file mode 100644 index 0000000000..f9b04c0ab2 --- /dev/null +++ b/assets/optional/kube-state-metrics/02-clusterrole.yaml 
@@ -0,0 +1,77 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-state-metrics +rules: + - apiGroups: [""] + resources: + - configmaps + - secrets + - nodes + - pods + - services + - serviceaccounts + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + - events + verbs: ["list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - daemonsets + - deployments + - replicasets + verbs: ["list", "watch"] + - apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: ["list", "watch"] + - apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + - volumeattachments + verbs: ["list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + - ingresses + verbs: ["list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["list", "watch"] + - apiGroups: ["policy"] + resources: + - poddisruptionbudgets + verbs: ["list", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: ["list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: ["list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml b/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml new file mode 100644 index 0000000000..301822f5fe --- /dev/null +++ b/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml 
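Review bot: The first rule of the kube-state-metrics ClusterRole grants cluster-wide `list`/`watch` on `secrets` and `configmaps`; kube-state-metrics exports only metadata for those objects, but the permission itself lets the pod's service-account token read every Secret's data, so a compromise of this pod (or of any principal that can read its token) becomes cluster-wide secret access. If MicroShift does not need the Secret/ConfigMap metric families, drop the two resources from the rule and pass a matching `--resources=` list on the deployment; if they are needed, say so next to the rule, e.g. `# secrets/configmaps: only metadata is exported, but list/watch grants full object reads to this SA`. The upstream default role carries the same grant, so this is a least-privilege tightening rather than a regression.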
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-state-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-state-metrics +subjects: + - kind: ServiceAccount + name: kube-state-metrics + namespace: openshift-monitoring diff --git a/assets/optional/kube-state-metrics/04-deployment.yaml b/assets/optional/kube-state-metrics/04-deployment.yaml new file mode 100644 index 0000000000..998d579667 --- /dev/null +++ b/assets/optional/kube-state-metrics/04-deployment.yaml 
@@ -0,0 +1,111 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-state-metrics + namespace: openshift-monitoring + labels: + app.kubernetes.io/name: kube-state-metrics +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kube-state-metrics + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: kube-state-metrics + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: restricted-v2 + spec: + serviceAccountName: kube-state-metrics + priorityClassName: system-cluster-critical + containers: + - name: kube-state-metrics + image: quay.io/openshift/kube-state-metrics:latest + imagePullPolicy: IfNotPresent + args: + - --host=127.0.0.1 + - --port=8081 + - --telemetry-host=127.0.0.1 + - --telemetry-port=8082 + resources: + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + - name: kube-rbac-proxy-main + image: quay.io/openshift/kube-rbac-proxy:latest + imagePullPolicy: IfNotPresent + args: + - --secure-listen-address=:8443 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - --tls-min-version=VersionTLS12 + - --upstream=http://127.0.0.1:8081/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + ports: + - containerPort: 8443 + name: https-main + protocol: TCP + resources: + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - name: metrics-tls + mountPath: /etc/tls/private + readOnly: true + - name: tmp + mountPath: /tmp + - name: kube-rbac-proxy-self + image: quay.io/openshift/kube-rbac-proxy:latest + imagePullPolicy: IfNotPresent + args: + - 
--secure-listen-address=:9443 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - --tls-min-version=VersionTLS12 + - --upstream=http://127.0.0.1:8082/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + ports: + - containerPort: 9443 + name: https-self + protocol: TCP + resources: + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - name: metrics-tls + mountPath: /etc/tls/private + readOnly: true + - name: tmp-self + mountPath: /tmp + volumes: + - name: metrics-tls + secret: + secretName: kube-state-metrics-tls + - name: tmp + emptyDir: {} + - name: tmp-self + emptyDir: {} + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists diff --git a/assets/optional/kube-state-metrics/05-service.yaml b/assets/optional/kube-state-metrics/05-service.yaml new file mode 100644 index 0000000000..ee580822dc --- /dev/null +++ b/assets/optional/kube-state-metrics/05-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: kube-state-metrics + namespace: openshift-monitoring + annotations: + service.beta.openshift.io/serving-cert-secret-name: kube-state-metrics-tls + labels: + app.kubernetes.io/name: kube-state-metrics +spec: + clusterIP: None + selector: + app.kubernetes.io/name: kube-state-metrics + ports: + - name: https-main + port: 8443 + targetPort: https-main + protocol: TCP + - name: https-self + port: 9443 + targetPort: https-self + protocol: TCP diff --git a/assets/optional/kube-state-metrics/kustomization.aarch64.yaml b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml new file mode 100644 index 0000000000..87c6f75a6b --- /dev/null 
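Review bot: The three containers' `securityContext` blocks in 04-deployment.yaml set `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsNonRoot` but omit `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`; on OpenShift the `restricted-v2` SCC named in `openshift.io/required-scc` injects both, so the pod still runs hardened, but the manifest only stays correct while that annotation matches what the service account is admitted under, and stating them explicitly costs nothing. The two kube-rbac-proxy sidecars run without a `--config-file`, so, if I read kube-rbac-proxy's default correctly, each scrape is authorized by a SubjectAccessReview on the request path, which is why the ClusterRole in 02-clusterrole.yaml needs `tokenreviews`/`subjectaccessreviews` create; a comment on the `args:` list such as `# no --config-file: callers need get on nonResourceURL /metrics` would keep the next reader from assuming the endpoint is open. `image: ...:latest` with `imagePullPolicy: IfNotPresent` is only safe because the per-arch kustomization rewrites it to a digest, which also deserves a one-line comment on the image field.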
+++ b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml @@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/kube-state-metrics + newName: registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9 + digest: sha256:placeholder + - name: quay.io/openshift/kube-rbac-proxy + newName: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9 + digest: sha256:placeholder diff --git a/assets/optional/kube-state-metrics/kustomization.x86_64.yaml b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml new file mode 100644 index 0000000000..7b9724d270 --- /dev/null +++ b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml @@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/kube-state-metrics + newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev + digest: sha256:47dcd507a8ad265c7ebd6b128bb9bdaeb7688b5731503817b94ae1d1badd6a77 + - name: quay.io/openshift/kube-rbac-proxy + newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev + digest: sha256:242b3d66438c42745f4ef318bdeaf3d793426f12962a42ea83e18d06c08aaf09 diff --git a/assets/optional/kube-state-metrics/kustomization.yaml b/assets/optional/kube-state-metrics/kustomization.yaml new file mode 100644 index 0000000000..6a4e067254 --- /dev/null +++ b/assets/optional/kube-state-metrics/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - 01-serviceaccount.yaml + - 02-clusterrole.yaml + - 03-clusterrolebinding.yaml + - 04-deployment.yaml + - 05-service.yaml diff --git a/assets/optional/metrics-server/00-namespace.yaml b/assets/optional/metrics-server/00-namespace.yaml new file mode 100644 index 0000000000..17f727565a --- /dev/null +++ b/assets/optional/metrics-server/00-namespace.yaml 
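Review bot: `digest: sha256:placeholder` in kustomization.aarch64.yaml is not a valid digest, so the rendered reference becomes `…@sha256:placeholder` and the image pull fails on every aarch64 node; the metrics-server and node-exporter kustomization.aarch64.yaml hunks further down carry the same placeholders. Because the spec declares the metrics package `ExclusiveArch: x86_64 aarch64`, the aarch64 RPM ships manifests that cannot deploy. Either fill in the real digests before merge or restrict `ExclusiveArch` to x86_64 until they exist, and mark the gap with `# TODO(USHIFT-6951): pin aarch64 digests` so it is caught in review rather than at runtime.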
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-monitoring + labels: + name: openshift-monitoring + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/assets/optional/metrics-server/01-serviceaccount.yaml b/assets/optional/metrics-server/01-serviceaccount.yaml new file mode 100644 index 0000000000..cf249eea39 --- /dev/null +++ b/assets/optional/metrics-server/01-serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: metrics-server + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/02-clusterrole.yaml b/assets/optional/metrics-server/02-clusterrole.yaml new file mode 100644 index 0000000000..0644c02648 --- /dev/null +++ b/assets/optional/metrics-server/02-clusterrole.yaml @@ -0,0 +1,44 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:metrics-server +rules: + - apiGroups: [""] + resources: + - nodes/metrics + verbs: + - get + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - list + - watch + - apiGroups: ["security.openshift.io"] + resources: + - securitycontextconstraints + resourceNames: + - hostmount-anyuid + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:aggregated-metrics-reader + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: ["metrics.k8s.io"] + resources: + - pods + - nodes + verbs: + - get + - list + - watch diff --git a/assets/optional/metrics-server/03-clusterrolebinding.yaml b/assets/optional/metrics-server/03-clusterrolebinding.yaml new file mode 100644 index 0000000000..2bc36c7bf2 --- /dev/null +++ b/assets/optional/metrics-server/03-clusterrolebinding.yaml 
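Review bot: 00-namespace.yaml labels `openshift-monitoring` with `pod-security.kubernetes.io/enforce: privileged` (plus `audit` and `warn`), which switches off Pod Security admission for every workload in the namespace although only node-exporter (hostPID, hostNetwork, `privileged: true`) needs it; metrics-server and kube-state-metrics are then constrained solely by their SCCs. That mirrors OpenShift's own `openshift-monitoring` convention, so it is defensible, but the reason belongs in the manifest: `# privileged: required by node-exporter (04-daemonset); metrics-server and kube-state-metrics rely on their SCCs (hostmount-anyuid, restricted-v2)`. Note also that the namespace is defined only in the metrics-server component while kube-state-metrics and node-exporter depend on it; this works because the spec installs the three as 080/081/082, which is worth a comment in the other two kustomization.yaml files.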
@@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: + - kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/04-rolebinding.yaml b/assets/optional/metrics-server/04-rolebinding.yaml new file mode 100644 index 0000000000..a6af65b543 --- /dev/null +++ b/assets/optional/metrics-server/04-rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/05-deployment.yaml b/assets/optional/metrics-server/05-deployment.yaml new file mode 100644 index 0000000000..eede4e0ed9 --- /dev/null +++ b/assets/optional/metrics-server/05-deployment.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metrics-server + namespace: openshift-monitoring + labels: + app.kubernetes.io/name: metrics-server +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: metrics-server + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: metrics-server + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: hostmount-anyuid + spec: + serviceAccountName: metrics-server + priorityClassName: system-cluster-critical + containers: + - name: metrics-server + image: quay.io/openshift/metrics-server:latest + imagePullPolicy: IfNotPresent + args: + - --secure-port=4443 + - --kubelet-preferred-address-types=Hostname,InternalIP + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --tls-cert-file=/etc/tls/serving/tls.crt + - --tls-private-key-file=/etc/tls/serving/tls.key + - --kubelet-client-certificate=/etc/tls/kubelet-client/client.crt + - --kubelet-client-key=/etc/tls/kubelet-client/client.key + - --kubelet-certificate-authority=/etc/tls/kubelet-ca/ca-bundle.crt + ports: + - containerPort: 4443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: https + scheme: HTTPS + periodSeconds: 10 + failureThreshold: 3 + livenessProbe: + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + failureThreshold: 3 + resources: + requests: + cpu: 50m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - name: serving-cert + mountPath: /etc/tls/serving + readOnly: true + - name: kubelet-client-cert + mountPath: /etc/tls/kubelet-client + readOnly: true + - name: kubelet-ca + mountPath: /etc/tls/kubelet-ca + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: serving-cert + secret: + secretName: metrics-server-tls + - name: kubelet-client-cert + hostPath: + 
path: /var/lib/microshift/certs/kube-apiserver-to-kubelet-client-signer/kube-apiserver-to-kubelet-client + type: DirectoryOrCreate + - name: kubelet-ca + hostPath: + path: /var/lib/microshift/certs/kubelet-csr-signer-signer/csr-signer + type: DirectoryOrCreate + - name: tmp + emptyDir: {} + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists diff --git a/assets/optional/metrics-server/06-service.yaml b/assets/optional/metrics-server/06-service.yaml new file mode 100644 index 0000000000..f90f66af71 --- /dev/null +++ b/assets/optional/metrics-server/06-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: metrics-server + namespace: openshift-monitoring + annotations: + service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls + labels: + app.kubernetes.io/name: metrics-server +spec: + selector: + app.kubernetes.io/name: metrics-server + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP diff --git a/assets/optional/metrics-server/07-apiservice.yaml b/assets/optional/metrics-server/07-apiservice.yaml new file mode 100644 index 0000000000..78e6f80bdb --- /dev/null +++ b/assets/optional/metrics-server/07-apiservice.yaml @@ -0,0 +1,14 @@ +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta1.metrics.k8s.io + annotations: + service.beta.openshift.io/inject-cabundle: "true" +spec: + service: + name: metrics-server + namespace: openshift-monitoring + group: metrics.k8s.io + version: v1beta1 + groupPriorityMinimum: 100 + versionPriority: 100 diff --git a/assets/optional/metrics-server/kustomization.aarch64.yaml b/assets/optional/metrics-server/kustomization.aarch64.yaml new file mode 100644 index 0000000000..671a77f4d6 --- /dev/null +++ b/assets/optional/metrics-server/kustomization.aarch64.yaml 
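Review bot: The `kubelet-client-cert` hostPath in 05-deployment.yaml mounts `/var/lib/microshift/certs/kube-apiserver-to-kubelet-client-signer/kube-apiserver-to-kubelet-client` into the metrics-server pod, i.e. the credential the API server itself presents to the kubelet for exec, logs and port-forward, which is far more than the `nodes/metrics` `get` this component needs; anyone who can read the pod's filesystem presumably inherits that apiserver-level kubelet access on the node. The ClusterRole already grants `get` on `nodes/metrics`, which is exactly what kubelet webhook authorization checks, so if MicroShift's kubelet runs with webhook authentication and authorization enabled (as OpenShift's does; please confirm), metrics-server will use its service-account token by default and the two `--kubelet-client-*` args plus the hostPath volume and its mount can be dropped, after which `runAsNonRoot: true` can be added as in the kube-state-metrics deployment. Whatever is kept, `type: DirectoryOrCreate` on both hostPath volumes should be `type: Directory` so a missing certificate directory fails the pod loudly instead of being silently created as an empty root-owned directory.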
@@ -0,0 +1,4 @@ +images: + - name: quay.io/openshift/metrics-server + newName: registry.redhat.io/openshift4/ose-metrics-server-rhel9 + digest: sha256:placeholder diff --git a/assets/optional/metrics-server/kustomization.x86_64.yaml b/assets/optional/metrics-server/kustomization.x86_64.yaml new file mode 100644 index 0000000000..c49d572764 --- /dev/null +++ b/assets/optional/metrics-server/kustomization.x86_64.yaml @@ -0,0 +1,4 @@ +images: + - name: quay.io/openshift/metrics-server + newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev + digest: sha256:b09f284fccdb9d3f5c699ef0573ab9a2242ebf6c222303b270dd80d19d730dfa diff --git a/assets/optional/metrics-server/kustomization.yaml b/assets/optional/metrics-server/kustomization.yaml new file mode 100644 index 0000000000..1d202e8028 --- /dev/null +++ b/assets/optional/metrics-server/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - 00-namespace.yaml + - 01-serviceaccount.yaml + - 02-clusterrole.yaml + - 03-clusterrolebinding.yaml + - 04-rolebinding.yaml + - 05-deployment.yaml + - 06-service.yaml + - 07-apiservice.yaml diff --git a/assets/optional/metrics-server/release-metrics-aarch64.json b/assets/optional/metrics-server/release-metrics-aarch64.json new file mode 100644 index 0000000000..f043a8b869 --- /dev/null +++ b/assets/optional/metrics-server/release-metrics-aarch64.json @@ -0,0 +1,10 @@ +{ + "release": { + "base": "placeholder" + }, + "images": { + "metrics_server": "registry.redhat.io/openshift4/ose-metrics-server-rhel9@sha256:placeholder", + "node_exporter": "registry.redhat.io/openshift4/ose-prometheus-node-exporter-rhel9@sha256:placeholder", + "kube_state_metrics": "registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:placeholder" + } +} diff --git a/assets/optional/metrics-server/release-metrics-x86_64.json b/assets/optional/metrics-server/release-metrics-x86_64.json new file mode 100644 index 0000000000..f043a8b869 
--- /dev/null +++ b/assets/optional/metrics-server/release-metrics-x86_64.json @@ -0,0 +1,10 @@ +{ + "release": { + "base": "placeholder" + }, + "images": { + "metrics_server": "registry.redhat.io/openshift4/ose-metrics-server-rhel9@sha256:placeholder", + "node_exporter": "registry.redhat.io/openshift4/ose-prometheus-node-exporter-rhel9@sha256:placeholder", + "kube_state_metrics": "registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:placeholder" + } +} diff --git a/assets/optional/node-exporter/01-serviceaccount.yaml b/assets/optional/node-exporter/01-serviceaccount.yaml new file mode 100644 index 0000000000..58db6211b1 --- /dev/null +++ b/assets/optional/node-exporter/01-serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-exporter + namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/02-clusterrole.yaml b/assets/optional/node-exporter/02-clusterrole.yaml new file mode 100644 index 0000000000..433a3330b3 --- /dev/null +++ b/assets/optional/node-exporter/02-clusterrole.yaml @@ -0,0 +1,22 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-exporter +rules: + - apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create + - apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: ["security.openshift.io"] + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use diff --git a/assets/optional/node-exporter/03-clusterrolebinding.yaml b/assets/optional/node-exporter/03-clusterrolebinding.yaml new file mode 100644 index 0000000000..64285d9f06 --- /dev/null +++ b/assets/optional/node-exporter/03-clusterrolebinding.yaml 
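Review bot: release-metrics-x86_64.json lists all three images as `…@sha256:placeholder` and `"base": "placeholder"`, while kustomization.x86_64.yaml in the same commit pins real digests (for metrics-server `sha256:b09f284f…`); both release-info files also share the blob id `f043a8b869`, i.e. the x86_64 file is byte-identical to the aarch64 one. Anyone building an osbuilder blueprint or bootc containerfile from this release-info, which the spec's `%description metrics-release-info` names as its purpose, embeds image references that cannot be pulled. The x86_64 file should carry the same digests as the kustomization overlay, ideally generated from one source so the two cannot drift.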
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-exporter +subjects: + - kind: ServiceAccount + name: node-exporter + namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/04-daemonset.yaml b/assets/optional/node-exporter/04-daemonset.yaml new file mode 100644 index 0000000000..23ba97c406 --- /dev/null +++ b/assets/optional/node-exporter/04-daemonset.yaml 
@@ -0,0 +1,100 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: node-exporter + namespace: openshift-monitoring + labels: + app.kubernetes.io/name: node-exporter +spec: + selector: + matchLabels: + app.kubernetes.io/name: node-exporter + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app.kubernetes.io/name: node-exporter + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: privileged + spec: + serviceAccountName: node-exporter + hostNetwork: true + hostPID: true + containers: + - name: node-exporter + image: quay.io/openshift/node-exporter:latest + imagePullPolicy: IfNotPresent + args: + - --web.listen-address=127.0.0.1:9100 + - --path.sysfs=/host/sys + - --path.rootfs=/host/root + - --path.udev.data=/host/root/run/udev/data + - --no-collector.wifi + ports: + - containerPort: 9100 + hostPort: 9100 + name: http + protocol: TCP + resources: + requests: + cpu: 8m + memory: 32Mi + securityContext: + privileged: true + readOnlyRootFilesystem: true + volumeMounts: + - name: sys + mountPath: /host/sys + mountPropagation: HostToContainer + readOnly: true + - name: root + mountPath: /host/root + mountPropagation: HostToContainer + readOnly: true + - name: kube-rbac-proxy + image: quay.io/openshift/kube-rbac-proxy:latest + imagePullPolicy: IfNotPresent + args: + - --secure-listen-address=:9101 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - --tls-min-version=VersionTLS12 + - --upstream=http://127.0.0.1:9100/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + ports: + - containerPort: 9101 + hostPort: 9101 + name: https + protocol: TCP + resources: + requests: + cpu: 10m + memory: 40Mi + securityContext: + readOnlyRootFilesystem: true + 
volumeMounts: + - name: metrics-tls + mountPath: /etc/tls/private + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: sys + hostPath: + path: /sys + - name: root + hostPath: + path: / + - name: metrics-tls + secret: + secretName: node-exporter-tls + - name: tmp + emptyDir: {} + nodeSelector: + kubernetes.io/os: linux + tolerations: + - operator: Exists diff --git a/assets/optional/node-exporter/05-service.yaml b/assets/optional/node-exporter/05-service.yaml new file mode 100644 index 0000000000..80d45d0663 --- /dev/null +++ b/assets/optional/node-exporter/05-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: node-exporter + namespace: openshift-monitoring + annotations: + service.beta.openshift.io/serving-cert-secret-name: node-exporter-tls + labels: + app.kubernetes.io/name: node-exporter +spec: + clusterIP: None + selector: + app.kubernetes.io/name: node-exporter + ports: + - name: https + port: 9101 + targetPort: https + protocol: TCP diff --git a/assets/optional/node-exporter/kustomization.aarch64.yaml b/assets/optional/node-exporter/kustomization.aarch64.yaml new file mode 100644 index 0000000000..ceb97cc989 --- /dev/null +++ b/assets/optional/node-exporter/kustomization.aarch64.yaml @@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/node-exporter + newName: registry.redhat.io/openshift4/ose-prometheus-node-exporter-rhel9 + digest: sha256:placeholder + - name: quay.io/openshift/kube-rbac-proxy + newName: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9 + digest: sha256:placeholder diff --git a/assets/optional/node-exporter/kustomization.x86_64.yaml b/assets/optional/node-exporter/kustomization.x86_64.yaml new file mode 100644 index 0000000000..b68179f43c --- /dev/null +++ b/assets/optional/node-exporter/kustomization.x86_64.yaml 
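Review bot: The kube-rbac-proxy sidecar's `securityContext` in 04-daemonset.yaml sets only `readOnlyRootFilesystem: true`; because the pod is admitted under the `privileged` SCC (hostNetwork, hostPID, `privileged: true` on the node-exporter container), nothing defaults in the restrictions the kube-state-metrics sidecars declare, so this container runs with the image's UID and full capability set. Add `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}` to that sidecar; it only terminates TLS and proxies to 127.0.0.1:9100 and needs none of node-exporter's privileges. Separately, with `hostNetwork: true` the `--secure-listen-address=:9101` binds every host interface and the two `hostPort:` entries are no-ops; if the scrape target is the node IP, binding `[$(NODE_IP)]:9101` via a `status.hostIP` downward-API env keeps the port off the other interfaces.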
@@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/node-exporter + newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev + digest: sha256:7e1456825b53fc7e6ea6aa2003b3f3626ad7846802f9fd9dc69874e349b849ad + - name: quay.io/openshift/kube-rbac-proxy + newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev + digest: sha256:242b3d66438c42745f4ef318bdeaf3d793426f12962a42ea83e18d06c08aaf09 diff --git a/assets/optional/node-exporter/kustomization.yaml b/assets/optional/node-exporter/kustomization.yaml new file mode 100644 index 0000000000..f024ac8941 --- /dev/null +++ b/assets/optional/node-exporter/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - 01-serviceaccount.yaml + - 02-clusterrole.yaml + - 03-clusterrolebinding.yaml + - 04-daemonset.yaml + - 05-service.yaml diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 6362e4f552..47f950e565 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec 
@@ -261,6 +261,26 @@ The microshift-cert-manager-release-info package provides release information fi release. These files contain the list of container image references used by Cert Manager and can be used to embed those images into osbuilder blueprints or bootc containerfiles. +%package metrics +Summary: Kubernetes metrics exporters for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics +The microshift-metrics package provides metrics-server, node-exporter, and +kube-state-metrics for MicroShift. Install this package to enable kubectl top +and expose host and cluster metrics via secure endpoints. + +%package metrics-release-info +Summary: Release information for metrics exporters for MicroShift +BuildArch: noarch +Requires: microshift-release-info = %{version} + +%description metrics-release-info +The microshift-metrics-release-info package provides release information files for this +release. These files contain the list of container image references used by the metrics +exporters and can be used to embed those images into osbuilder blueprints or bootc containerfiles. + %package sriov Summary: SR-IOV Network Operator for MicroShift ExclusiveArch: x86_64 aarch64 
@@ -599,6 +619,46 @@ cat assets/optional/cert-manager/manager/images-x86_64.yaml >> %{buildroot}/%{_p mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ +# metrics-server +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server + +%ifarch %{arm} aarch64 +cat assets/optional/metrics-server/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/metrics-server/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif + +# kube-state-metrics +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics + +%ifarch %{arm} aarch64 +cat assets/optional/kube-state-metrics/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/kube-state-metrics/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/kustomization.yaml +%endif + +# node-exporter +install -d -m755 
%{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter + +%ifarch %{arm} aarch64 +cat assets/optional/node-exporter/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/node-exporter/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/kustomization.yaml +%endif + +# metrics-release-info +mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release +install -p -m644 assets/optional/metrics-server/release-metrics-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ + # sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd @@ -802,6 +862,17 @@ fi %files cert-manager-release-info %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json +%files metrics +%dir %{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/* +%dir %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/* +%dir %{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/* + +%files metrics-release-info +%{_datadir}/microshift/release/release-metrics-{x86_64,aarch64}.json + %files sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd 
diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index 80e2d9a3b0..f9944c971c 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -38,6 +38,19 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ Namespace: "sriov-network-operator", Workloads: NamespaceWorkloads{Deployments: []string{"sriov-network-operator"}}, }, + + "/usr/lib/microshift/manifests.d/080-microshift-metrics-server": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{Deployments: []string{"metrics-server"}}, + }, + "/usr/lib/microshift/manifests.d/081-microshift-kube-state-metrics": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{Deployments: []string{"kube-state-metrics"}}, + }, + "/usr/lib/microshift/manifests.d/082-microshift-node-exporter": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{DaemonSets: []string{"node-exporter"}}, + }, } // fillOptionalMicroShiftWorkloads assembles list of optional MicroShift workloads diff --git a/scripts/devenv-builder/config/kickstart.ks.template b/scripts/devenv-builder/config/kickstart.ks.template index 1dcbedfcaf..65565fbd99 100644 --- a/scripts/devenv-builder/config/kickstart.ks.template +++ b/scripts/devenv-builder/config/kickstart.ks.template @@ -22,7 +22,7 @@ network --bootproto=dhcp --device=link --activate --onboot=on --hostname=REPLACE zerombr clearpart --all --initlabel part /boot/efi --fstype=efi --size=200 -part /boot --fstype=xfs --asprimary --size=800 +part /boot --fstype=xfs --size=800 part swap --fstype=swap --size=REPLACE_SWAP_SIZE part pv.01 --grow volgroup rhel pv.01 diff --git a/scripts/devenv-builder/create-vm.sh b/scripts/devenv-builder/create-vm.sh index 9de18a97db..03ea7949fe 100755 --- a/scripts/devenv-builder/create-vm.sh +++ b/scripts/devenv-builder/create-vm.sh 
@@ -54,6 +54,14 @@ if [ "${SWAPSIZE}" -eq 0 ] ; then sed -i "s;^part swap;#part swap;" "${KICKSTART_FILE}" fi + +# RHEL 10+ requires UEFI boot +BOOT_OPTS="" +RHEL_MAJOR=$(echo "${VMNAME}" | grep -oP '(\d+)\.\d+' | cut -d. -f1) +if [ "${RHEL_MAJOR:-0}" -ge 10 ]; then + BOOT_OPTS="--boot uefi" +fi + sudo bash -c " \ cd ${VMDISKDIR} && \ virt-install \ @@ -63,6 +71,7 @@ virt-install \ --disk pool=${MICROSHIFT_VOL_POOL},path=./${VMNAME}.qcow2,size=${DISKSIZE} \ --network network=${NETWORK},model=virtio \ --events on_reboot=restart \ + ${BOOT_OPTS} \ --location ${ISOFILE} \ --initrd-inject=${KICKSTART_FILE} \ --extra-args \"inst.ks=file:/$(basename "${KICKSTART_FILE}")\" \ diff --git a/scripts/devenv-builder/manage-vm.sh b/scripts/devenv-builder/manage-vm.sh index 0502d45f7b..38ce9b6c94 100755 --- a/scripts/devenv-builder/manage-vm.sh +++ b/scripts/devenv-builder/manage-vm.sh @@ -61,6 +61,12 @@ function get_base_isofile { 9.*) echo "rhel-${rhel_version}-$(uname -m)-dvd.iso" ;; + 10) + echo "rhel-10.2-$(uname -m)-dvd.iso" + ;; + 10.*) + echo "rhel-${rhel_version}-$(uname -m)-dvd.iso" + ;; *) echo "Unknown RHEL version ${rhel_version}" 1>&2 exit 1 diff --git a/test/bin/common.sh b/test/bin/common.sh index ef682a676f..7169093e4b 100644 --- a/test/bin/common.sh +++ b/test/bin/common.sh @@ -388,6 +388,8 @@ MICROSHIFT_Y2_OPTIONAL_RPMS_LIST=( microshift-cert-manager-release-info microshift-sriov microshift-sriov-release-info + microshift-metrics + microshift-metrics-release-info ) MICROSHIFT_Y1_OPTIONAL_RPMS_LIST=( "${MICROSHIFT_Y2_OPTIONAL_RPMS_LIST[@]}" From 1eed7ea5f2eb6654a5462a70cf589889741fdd6f Mon Sep 17 00:00:00 2001 
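Review bot: `RHEL_MAJOR=$(echo "${VMNAME}" | grep -oP '(\d+)\.\d+' | cut -d. -f1)` yields one line per `N.N` substring of the VM name, so a name containing two such tokens makes `[ "${RHEL_MAJOR:-0}" -ge 10 ]` fail with "integer expression expected", and a name with none makes grep exit 1, which aborts the script if it runs under `set -e -o pipefail` (not visible in this chunk). Take only the first match and tolerate none: `RHEL_MAJOR=$(grep -oP '\d+(?=\.\d+)' <<< "${VMNAME}" | head -n1 || true)`. Deriving the OS version from the VM name is fragile in any case; the caller in manage-vm.sh already knows `rhel_version` and could pass it explicitly.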
From: Jon Cope Date: Wed, 27 May 2026 14:12:50 -0500 Subject: [PATCH 02/12] USHIFT-6951: Provision metrics-server kubelet client cert via Secret Replace hostPath cert volumes with Kubernetes Secrets/ConfigMaps to work under enforcing SELinux (container_t cannot read container_var_lib_t files). Generate a dedicated metrics-server-kubelet-client cert under the kube-apiserver-to-kubelet-signer and provision it into the openshift-monitoring namespace before kustomize applies the manifests. - Add metrics-server-kubelet-client cert to kube-apiserver-to-kubelet-signer chain - Add provisionMetricsServerCerts() to create Secret/ConfigMap from cert on disk - Replace hostPath volumes with Secret/ConfigMap references in deployment - Remove SCC use rule (no longer needs hostmount-anyuid) - Add system:metrics-server User subject to ClusterRoleBinding for kubelet auth - Prefer InternalIP over Hostname for kubelet address resolution Co-Authored-By: Claude Opus 4.6 --- .../metrics-server/kubelet-ca-configmap.yaml | 9 +++ .../metrics-server/kubelet-client-secret.yaml | 11 ++++ .../metrics-server/02-clusterrole.yaml | 7 --- .../metrics-server/03-clusterrolebinding.yaml | 3 + .../metrics-server/05-deployment.yaml | 21 ++++--- pkg/cmd/init.go | 7 +++ pkg/cmd/metrics.go | 61 +++++++++++++++++++ pkg/cmd/run.go | 5 ++ pkg/util/cryptomaterial/certinfo.go | 4 ++ 9 files changed, 111 insertions(+), 17 deletions(-) create mode 100644 assets/components/metrics-server/kubelet-ca-configmap.yaml create mode 100644 assets/components/metrics-server/kubelet-client-secret.yaml create mode 100644 pkg/cmd/metrics.go diff --git a/assets/components/metrics-server/kubelet-ca-configmap.yaml b/assets/components/metrics-server/kubelet-ca-configmap.yaml new file mode 100644 index 0000000000..94c2354c5e --- /dev/null +++ b/assets/components/metrics-server/kubelet-ca-configmap.yaml 
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: openshift-monitoring
+ name: metrics-server-kubelet-ca
+ annotations:
+ openshift.io/owning-component: metrics-server
+data:
+ ca-bundle.crt:
diff --git a/assets/components/metrics-server/kubelet-client-secret.yaml b/assets/components/metrics-server/kubelet-client-secret.yaml
new file mode 100644
index 0000000000..06fbe51cf4
--- /dev/null
+++ b/assets/components/metrics-server/kubelet-client-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: openshift-monitoring
+ name: metrics-server-kubelet-client
+ annotations:
+ openshift.io/owning-component: metrics-server
+type: kubernetes.io/tls
+data:
+ tls.crt:
+ tls.key:
diff --git a/assets/optional/metrics-server/02-clusterrole.yaml b/assets/optional/metrics-server/02-clusterrole.yaml
index 0644c02648..fc944209fd 100644
--- a/assets/optional/metrics-server/02-clusterrole.yaml
+++ b/assets/optional/metrics-server/02-clusterrole.yaml
@@ -17,13 +17,6 @@ rules:
 - get
 - list
 - watch
- - apiGroups: ["security.openshift.io"]
- resources:
- - securitycontextconstraints
- resourceNames:
- - hostmount-anyuid
- verbs:
- - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/assets/optional/metrics-server/03-clusterrolebinding.yaml b/assets/optional/metrics-server/03-clusterrolebinding.yaml
index 2bc36c7bf2..2be034b6bd 100644
--- a/assets/optional/metrics-server/03-clusterrolebinding.yaml
+++ b/assets/optional/metrics-server/03-clusterrolebinding.yaml
@@ -10,6 +10,9 @@ subjects:
 - kind: ServiceAccount
 name: metrics-server
 namespace: openshift-monitoring
+ - kind: User
+ name: system:metrics-server
+ apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/assets/optional/metrics-server/05-deployment.yaml b/assets/optional/metrics-server/05-deployment.yaml
index eede4e0ed9..7c1cc7098f 100644
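Review bot: Binding the `system:metrics-server` User to the same ClusterRole as the ServiceAccount gives the certificate identity every API-server permission in that role, although the cert is only ever presented to the kubelet, which authorizes it through a SubjectAccessReview on node subresources. A dedicated ClusterRole holding just the node subresources the kubelet checks, bound to the User, would keep the key's blast radius to kubelet access; the full rule list of the metrics-server ClusterRole is outside this hunk, so I cannot tell how much wider the current grant is. At minimum annotate the new subject so the next reader knows where the identity comes from: `# client cert issued under kube-apiserver-to-kubelet-signer; used by metrics-server toward the kubelet`.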
--- a/assets/optional/metrics-server/05-deployment.yaml +++ b/assets/optional/metrics-server/05-deployment.yaml @@ -18,7 +18,7 @@ spec: app.kubernetes.io/name: metrics-server annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: hostmount-anyuid + openshift.io/required-scc: restricted-v2 spec: serviceAccountName: metrics-server priorityClassName: system-cluster-critical @@ -28,13 +28,13 @@ spec: imagePullPolicy: IfNotPresent args: - --secure-port=4443 - - --kubelet-preferred-address-types=Hostname,InternalIP + - --kubelet-preferred-address-types=InternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s - --tls-cert-file=/etc/tls/serving/tls.crt - --tls-private-key-file=/etc/tls/serving/tls.key - - --kubelet-client-certificate=/etc/tls/kubelet-client/client.crt - - --kubelet-client-key=/etc/tls/kubelet-client/client.key + - --kubelet-client-certificate=/etc/tls/kubelet-client/tls.crt + - --kubelet-client-key=/etc/tls/kubelet-client/tls.key - --kubelet-certificate-authority=/etc/tls/kubelet-ca/ca-bundle.crt ports: - containerPort: 4443 @@ -78,13 +78,14 @@ spec: secret: secretName: metrics-server-tls - name: kubelet-client-cert - hostPath: - path: /var/lib/microshift/certs/kube-apiserver-to-kubelet-client-signer/kube-apiserver-to-kubelet-client - type: DirectoryOrCreate + secret: + secretName: metrics-server-kubelet-client - name: kubelet-ca - hostPath: - path: /var/lib/microshift/certs/kubelet-csr-signer-signer/csr-signer - type: DirectoryOrCreate + configMap: + name: metrics-server-kubelet-ca + items: + - key: ca-bundle.crt + path: ca-bundle.crt - name: tmp emptyDir: {} nodeSelector: diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index 50851ed33e..58c91b496b 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go 
@@ -155,6 +155,13 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) {
 Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity),
 },
 UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}},
+ }).WithClientCertificates(
+ &certchains.ClientCertificateSigningRequestInfo{
+ CSRMeta: certchains.CSRMeta{
+ Name: "metrics-server-kubelet-client",
+ Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity),
+ },
+ UserInfo: &user.DefaultInfo{Name: "system:metrics-server", Groups: []string{""}},
 }),
 
 // admin-kubeconfig-signer
diff --git a/pkg/cmd/metrics.go b/pkg/cmd/metrics.go
new file mode 100644
index 0000000000..e6aac9ea09
--- /dev/null
+++ b/pkg/cmd/metrics.go
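Review bot: `Groups: []string{""}` on the new metrics-server-kubelet-client CSR writes an empty Organization into the certificate subject, which the kubelet's x509 authenticator will most likely surface as an empty-string group on `system:metrics-server`; the sibling entry in the same chain uses a real group (`kube-master`). If no group is intended, omit the field rather than passing an empty one: `UserInfo: &user.DefaultInfo{Name: "system:metrics-server"},`. The certSetup function continues outside this hunk.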
@@ -0,0 +1,61 @@
+package cmd
+
+import (
+ "context"
+ "os"
+
+ "github.com/openshift/microshift/pkg/assets"
+ "github.com/openshift/microshift/pkg/config"
+ "github.com/openshift/microshift/pkg/util"
+ "github.com/openshift/microshift/pkg/util/cryptomaterial"
+ "k8s.io/klog/v2"
+)
+
+const metricsServerManifestPath = "/usr/lib/microshift/manifests.d/080-microshift-metrics-server"
+
+func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error {
+ exists, err := util.PathExists(metricsServerManifestPath)
+ if err != nil {
+ return err
+ }
+ if !exists {
+ klog.V(2).Infof("Metrics-server manifests not found at %s, skipping cert provisioning", metricsServerManifestPath)
+ return nil
+ }
+
+ certsDir := cryptomaterial.CertsDirectory(config.DataDir)
+ kubeconfigPath := cfg.KubeConfigPath(config.KubeAdmin)
+
+ certDir := cryptomaterial.MetricsServerKubeletClientCertDir(certsDir)
+ certPEM, err := os.ReadFile(cryptomaterial.ClientCertPath(certDir))
+ if err != nil {
+ return err
+ }
+ keyPEM, err := os.ReadFile(cryptomaterial.ClientKeyPath(certDir))
+ if err != nil {
+ return err
+ }
+
+ secretData := map[string][]byte{
+ "tls.crt": certPEM,
+ "tls.key": keyPEM,
+ }
+ if err := assets.ApplySecretWithData(ctx, "components/metrics-server/kubelet-client-secret.yaml", secretData, kubeconfigPath); err != nil {
+ return err
+ }
+
+ caPEM, err := os.ReadFile(cryptomaterial.KubeletClientCAPath(certsDir))
+ if err != nil {
+ return err
+ }
+
+ cmData := map[string]string{
+ "ca-bundle.crt": string(caPEM),
+ }
+ if err := assets.ApplyConfigMapWithData(ctx, "components/metrics-server/kubelet-ca-configmap.yaml", cmData, kubeconfigPath); err != nil {
+ return err
+ }
+
+ klog.Infof("Provisioned metrics-server kubelet client cert and CA bundle")
+ return nil
+}
diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
index 94c2fbd8f6..5266bb75e5 100644
--- a/pkg/cmd/run.go
+++ b/pkg/cmd/run.go
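Review bot: The private key for `system:metrics-server` is copied from disk into the `metrics-server-kubelet-client` Secret once at startup and is never refreshed or removed: the cert is issued with ShortLivedCertificateValidity (init.go in this series), so if MicroShift rotates it on disk while running the Secret keeps the stale key until the next restart, and when the manifest directory is absent the function returns early without deleting a Secret left behind by a previous install of the RPM. Consider comparing the Secret's `tls.crt` with the on-disk cert instead of applying unconditionally, and deleting the Secret and ConfigMap in the `!exists` branch. A comment above `secretData` would also help the next maintainer: `// NOTE: any principal with get/list on secrets in openshift-monitoring can use this key to authenticate to the kubelet as system:metrics-server.` Finally, please confirm that `KubeletClientCAPath` returns the bundle that signs kubelet serving certificates (the csr-signer CA the removed hostPath pointed at), since `--kubelet-certificate-authority` verifies the kubelet's serving cert, not client certs.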
@@ -300,6 +300,11 @@ func RunMicroshift(cfg *config.Config) error { klog.Info("service does not support sd_notify readiness messages") } + // Provision certs for optional components before kustomize applies their manifests. + if err := provisionMetricsServerCerts(runCtx, cfg); err != nil { + klog.Warningf("Failed to provision metrics-server certs: %v", err) + } + // After MicroShift's core becomes ready, run the kustomizer (delete and/or apply manifests). kustomize.NewKustomizer(cfg).RunStandalone(runCtx) diff --git a/pkg/util/cryptomaterial/certinfo.go b/pkg/util/cryptomaterial/certinfo.go index aed383b9fa..4e8c50989e 100644 --- a/pkg/util/cryptomaterial/certinfo.go +++ b/pkg/util/cryptomaterial/certinfo.go @@ -74,6 +74,10 @@ func AdminKubeconfigClientCertDir(certsDir string) string { return filepath.Join(AdminKubeconfigSignerDir(certsDir), "admin-kubeconfig-client") } +func MetricsServerKubeletClientCertDir(certsDir string) string { + return filepath.Join(KubeAPIServerToKubeletSignerCertDir(certsDir), "metrics-server-kubelet-client") +} + // KubeletCSRSignerSignerCertDir returns path to the signer that signs kubelet CSRs // and the signer that signs CSRs of the CSR API func KubeletCSRSignerSignerCertDir(certsDir string) string { From 823ba8066266ae48107bb0a6d25d05076135f719 Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Wed, 27 May 2026 23:05:28 -0500 Subject: [PATCH 03/12] USHIFT-6951: Add otel-collector drop-in config for metrics exporters Add drop-in config infrastructure so the otel-collector can scrape metrics exporters installed by the microshift-metrics RPM. The service file dynamically loads YAML configs from otelcol.d/ and the collector merges them with the base config. Move metrics-server cert provisioning to run asynchronously after kustomize, waiting for the namespace to exist via PollUntilContextTimeout before creating the kubelet client Secret and CA ConfigMap. Co-Authored-By: Claude Opus 4.6 --- .../microshift-observability.service | 2 +- .../otelcol.d/microshift-metrics.yaml | 15 ++++++++++ packaging/rpm/microshift.spec | 7 +++++ pkg/cmd/metrics.go | 30 ++++++++++++++++++- pkg/cmd/run.go | 17 +++++++---- 5 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 packaging/observability/otelcol.d/microshift-metrics.yaml diff --git a/packaging/observability/microshift-observability.service b/packaging/observability/microshift-observability.service index 2fc2e984dc..826c2f86db 100644 --- a/packaging/observability/microshift-observability.service +++ b/packaging/observability/microshift-observability.service @@ -8,7 +8,7 @@ ConditionPathExists=/var/lib/microshift/resources/observability-client/kubeconfi Environment=KUBECONFIG=/var/lib/microshift/resources/observability-client/kubeconfig Environment=K8S_NODE_NAME="%l" ExecStartPre=/usr/bin/mkdir -p /var/lib/microshift-observability -ExecStart=/usr/bin/opentelemetry-collector --config=/etc/microshift/observability/opentelemetry-collector.yaml +ExecStart=/bin/bash -c 'ARGS="--config=file:/etc/microshift/observability/opentelemetry-collector.yaml"; for f in /etc/microshift/observability/otelcol.d/*.yaml; do [ -f "$$f" ] && ARGS="$$ARGS --config=file:$$f"; done; exec /usr/bin/opentelemetry-collector $$ARGS' Restart=always User=root 
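Review bot: The unit now loads every `*.yaml` under `otelcol.d/` but nothing records how those files combine with the base config; as far as I recall the collector's multi-`--config` handling is a deep merge in which a later file overrides the same key, so a drop-in that reuses a base key such as `service.pipelines.metrics` would replace the base pipeline rather than extend it. The shipped drop-in avoids that with unique names (`metrics/node_exporter`), but the convention should be stated where the next drop-in author sees it, e.g. a comment in the unit: `# Drop-ins in otelcol.d/ are merged in glob order over the base config; use unique receiver/pipeline names so base keys are not overridden.` Since the directory is root-owned 0755 and the service runs as root, only root can add drop-ins, which is fine but worth saying in the same comment.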
diff --git a/packaging/observability/otelcol.d/microshift-metrics.yaml b/packaging/observability/otelcol.d/microshift-metrics.yaml new file mode 100644 index 0000000000..30a1ccf9e7 --- /dev/null +++ b/packaging/observability/otelcol.d/microshift-metrics.yaml @@ -0,0 +1,15 @@ +receivers: + prometheus/node_exporter: + config: + scrape_configs: + - job_name: node-exporter + scrape_interval: 30s + static_configs: + - targets: ["127.0.0.1:9100"] + +service: + pipelines: + metrics/node_exporter: + receivers: [prometheus/node_exporter] + processors: [batch] + exporters: [otlp] diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 47f950e565..e8a0f739b9 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -582,6 +582,7 @@ install -p -m644 assets/optional/ai-model-serving/release-ai-model-serving-x86_6 # observability install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability +install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d install -p -m644 packaging/observability/*.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/ # Explicit copy of large config as default. Not using symlink to avoid accidental package upgrade overwriting user config if the user edits the config without copying (i.e. edits the target of symlink). install -p -m644 packaging/observability/opentelemetry-collector-large.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml 
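Review bot: The node-exporter job scrapes `127.0.0.1:9100` with no `scheme`, `tls_config` or credentials, i.e. plaintext HTTP with no authentication, while the node-exporter overlay in this series pins a kube-rbac-proxy image and the package description promises "secure endpoints". The DaemonSet is outside this chunk, so either kube-rbac-proxy fronts 9100 (in which case this plaintext scrape fails the TLS handshake) or node-exporter itself is exposed on the host unauthenticated; please confirm which. If the latter, add a comment on the target stating that the listener is loopback-only and unauthenticated and why that is acceptable; if the former, add `scheme: https` with a `tls_config` and the collector's client credentials as the other jobs will need.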
@@ -655,6 +656,10 @@ cat assets/optional/node-exporter/kustomization.aarch64.yaml >> %{buildroot}/%{_ cat assets/optional/node-exporter/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/kustomization.yaml %endif +# otel-collector drop-in for metrics exporters +install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d +install -p -m644 packaging/observability/otelcol.d/microshift-metrics.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ + # metrics-release-info mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/metrics-server/release-metrics-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ @@ -850,6 +855,7 @@ fi %files observability %dir %{_prefix}/lib/microshift/manifests.d/003-microshift-observability %dir %{_sysconfdir}/microshift/observability/ +%dir %{_sysconfdir}/microshift/observability/otelcol.d %{_unitdir}/microshift-observability.service %config(noreplace) %{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml %{_sysconfdir}/microshift/observability/opentelemetry-collector-*.yaml @@ -869,6 +875,7 @@ fi %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/* %dir %{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter %{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/* +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics.yaml %files metrics-release-info %{_datadir}/microshift/release/release-metrics-{x86_64,aarch64}.json diff --git a/pkg/cmd/metrics.go b/pkg/cmd/metrics.go index e6aac9ea09..d9980df805 100644 --- a/pkg/cmd/metrics.go +++ b/pkg/cmd/metrics.go 
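Review bot: `%files metrics` now owns `otelcol.d/microshift-metrics.yaml`, but `%dir %{_sysconfdir}/microshift/observability/otelcol.d` and its parent are owned by `%files observability`, and `%package metrics` requires only `microshift`; installing microshift-metrics alone leaves both directories unowned and the drop-in orphaned with no collector to read it. Either add `Requires: microshift-observability = %{version}` to the metrics package, or list `%dir` for both directories under `%files metrics` as well so ownership is correct in either install order. The `install -d ... otelcol.d` added here also duplicates the one added to the observability section earlier in this commit; one of them can go.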
@@ -2,12 +2,18 @@ package cmd import ( "context" + "fmt" "os" + "time" "github.com/openshift/microshift/pkg/assets" "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/util" "github.com/openshift/microshift/pkg/util/cryptomaterial" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" "k8s.io/klog/v2" ) @@ -23,9 +29,31 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error return nil } - certsDir := cryptomaterial.CertsDirectory(config.DataDir) kubeconfigPath := cfg.KubeConfigPath(config.KubeAdmin) + restCfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath) + if err != nil { + return fmt.Errorf("building kubeconfig: %w", err) + } + clientset, err := kubernetes.NewForConfig(restCfg) + if err != nil { + return fmt.Errorf("creating clientset: %w", err) + } + const ns = "openshift-monitoring" + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) { + _, err := clientset.CoreV1().Namespaces().Get(ctx, ns, metav1.GetOptions{}) + if err == nil { + return true, nil + } + klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", ns) + return false, nil + }) + if err != nil { + return fmt.Errorf("waiting for namespace %s: %w", ns, err) + } + + certsDir := cryptomaterial.CertsDirectory(config.DataDir) + certDir := cryptomaterial.MetricsServerKubeletClientCertDir(certsDir) certPEM, err := os.ReadFile(cryptomaterial.ClientCertPath(certDir)) if err != nil { diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go index 5266bb75e5..b02da57e82 100644 --- a/pkg/cmd/run.go +++ b/pkg/cmd/run.go 
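Review bot: The poll callback treats every `Namespaces().Get` error as "not yet created" and returns `false, nil`, so an RBAC, TLS or connection failure against the admin kubeconfig is retried silently for five minutes and then surfaces only as "waiting for namespace". Distinguish the expected case so real failures are visible: `if !apierrors.IsNotFound(err) { klog.Warningf("namespace %s lookup failed: %v", ns, err) }` before `return false, nil`, importing `k8s.io/apimachinery/pkg/api/errors` as apierrors. provisionMetricsServerCerts continues past the end of this hunk.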
@@ -300,14 +300,21 @@ func RunMicroshift(cfg *config.Config) error { klog.Info("service does not support sd_notify readiness messages") } - // Provision certs for optional components before kustomize applies their manifests. - if err := provisionMetricsServerCerts(runCtx, cfg); err != nil { - klog.Warningf("Failed to provision metrics-server certs: %v", err) - } - // After MicroShift's core becomes ready, run the kustomizer (delete and/or apply manifests). kustomize.NewKustomizer(cfg).RunStandalone(runCtx) + // Provision certs for optional components after kustomize creates their namespaces. + go func() { + defer func() { + if r := recover(); r != nil { + klog.Errorf("Panic in metrics-server cert provisioning: %v", r) + } + }() + if err := provisionMetricsServerCerts(runCtx, cfg); err != nil { + klog.Warningf("Failed to provision metrics-server certs: %v", err) + } + }() + // Watch for SIGTERM or service error to exit, now that we are ready. select { case <-sigTerm: From 5dc45c38a7dc70b1d00010eac1a76cc49b71e946 Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Thu, 28 May 2026 15:03:39 -0500 Subject: [PATCH 04/12] USHIFT-6951: Integrate metrics manifests into auto-rebase Add CMO (cluster-monitoring-operator) to the rebase infrastructure so metrics exporter manifests stay in sync with upstream during future rebases. CMO is cloned via a new OPTIONAL_COMPONENTS list and its manifests are copied using a handle_assets.py recipe. RBAC files (serviceaccount, clusterrole, clusterrolebinding, service) are taken directly from CMO. Deployments and namespace use git_restore to preserve MicroShift's single-node adaptations while surfacing upstream changes for human review. Co-Authored-By: Claude Opus 4.6 --- scripts/auto-rebase/assets_metrics.yaml | 77 +++++++++++++++++++++++++ scripts/auto-rebase/rebase.sh | 14 ++++- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 scripts/auto-rebase/assets_metrics.yaml 
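Review bot: The provisioning goroutine makes a single attempt; if the five-minute wait times out or the apply fails, the only trace is a Warning and the metrics-server pod cannot mount `metrics-server-kubelet-client` until MicroShift restarts, while the healthcheck entry added earlier in this series only watches the Deployment. Consider retrying with backoff while `runCtx` is not cancelled (`wait.ExponentialBackoffWithContext` or equivalent) and logging at Error level once retries are exhausted, so the failure is findable in the journal. RunMicroshift's body extends beyond this hunk.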
diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml new file mode 100644 index 0000000000..a8f73bc3c2 --- /dev/null +++ b/scripts/auto-rebase/assets_metrics.yaml 
@@ -0,0 +1,77 @@ +assets: + - dir: optional/metrics-server/ + no_clean: True + src: cluster-monitoring-operator/assets/metrics-server/ + files: + - file: 00-namespace.yaml + git_restore: True + - file: 01-serviceaccount.yaml + src: service-account.yaml + - file: 02-clusterrole.yaml + src: cluster-role.yaml + - file: 03-clusterrolebinding.yaml + src: cluster-role-binding.yaml + git_restore: True + - file: 04-rolebinding.yaml + src: role-binding-auth-reader.yaml + - file: 05-deployment.yaml + src: deployment.yaml + git_restore: True + - file: 06-service.yaml + src: service.yaml + - file: 07-apiservice.yaml + src: api-service.yaml + - file: kustomization.yaml + ignore: "Provided by MicroShift" + - file: kustomization.x86_64.yaml + ignore: "Provided by MicroShift" + - file: kustomization.aarch64.yaml + ignore: "Provided by MicroShift" + - file: release-metrics-aarch64.json + ignore: "Provided by MicroShift" + - file: release-metrics-x86_64.json + ignore: "Provided by MicroShift" + + - dir: optional/node-exporter/ + no_clean: True + src: cluster-monitoring-operator/assets/node-exporter/ + files: + - file: 01-serviceaccount.yaml + src: service-account.yaml + - file: 02-clusterrole.yaml + src: cluster-role.yaml + - file: 03-clusterrolebinding.yaml + src: cluster-role-binding.yaml + - file: 04-daemonset.yaml + src: daemonset.yaml + git_restore: True + - file: 05-service.yaml + src: service.yaml + - file: kustomization.yaml + ignore: "Provided by MicroShift" + - file: kustomization.x86_64.yaml + ignore: "Provided by MicroShift" + - file: kustomization.aarch64.yaml + ignore: "Provided by MicroShift" + + - dir: optional/kube-state-metrics/ + no_clean: True + src: cluster-monitoring-operator/assets/kube-state-metrics/ + files: + - file: 01-serviceaccount.yaml + src: service-account.yaml + - file: 02-clusterrole.yaml + src: cluster-role.yaml + - file: 03-clusterrolebinding.yaml + src: cluster-role-binding.yaml + - file: 04-deployment.yaml + src: deployment.yaml + git_restore: 
True + - file: 05-service.yaml + src: service.yaml + - file: kustomization.yaml + ignore: "Provided by MicroShift" + - file: kustomization.x86_64.yaml + ignore: "Provided by MicroShift" + - file: kustomization.aarch64.yaml + ignore: "Provided by MicroShift" diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh index 1bcdb6cae5..0d1ab96faf 100755 --- a/scripts/auto-rebase/rebase.sh +++ b/scripts/auto-rebase/rebase.sh @@ -38,6 +38,7 @@ REBASE_USE_SSH="${REBASE_USE_SSH:-false}" EMBEDDED_COMPONENTS="route-controller-manager cluster-policy-controller hyperkube etcd kube-storage-version-migrator cluster-config-api" EMBEDDED_COMPONENT_OPERATORS="cluster-kube-apiserver-operator cluster-kube-controller-manager-operator cluster-openshift-controller-manager-operator cluster-kube-scheduler-operator machine-config-operator operator-lifecycle-manager" LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator service-ca-operator cluster-network-operator cluster-csi-snapshot-controller-operator" +OPTIONAL_COMPONENTS="cluster-monitoring-operator" declare -a ARCHS=("amd64" "arm64") declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) @@ -200,7 +201,7 @@ download_release() { component=$(echo "${line}" | cut -d ' ' -f 1) repo=$(echo "${line}" | cut -d ' ' -f 2) commit=$(echo "${line}" | cut -d ' ' -f 3) - if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]]; then + if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]] || [[ "${OPTIONAL_COMPONENTS}" == *"${component}"* ]]; then clone_repo "${repo}" "${commit}" "." echo "${repo} embedded-component ${commit}" >> "${new_commits_file}" echo 
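Review bot: `02-clusterrole.yaml` and `03-clusterrolebinding.yaml` for node-exporter and kube-state-metrics are copied verbatim from cluster-monitoring-operator with no `git_restore`, so a future rebase can silently widen those grants or, if MicroShift's node-exporter ClusterRole carries the SCC `use` rule the first commit of this series mentions, silently drop it and break the DaemonSet. Privilege-bearing RBAC deserves the same human review as the Deployments; setting `git_restore: True` on the ClusterRole and ClusterRoleBinding entries, as is already done for metrics-server's binding, would surface upstream changes instead of applying them unseen. handle_assets.py, which defines these keys, is outside this chunk, so I am assuming `git_restore` behaves the same for these entries.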
@@ -663,6 +664,15 @@ copy_manifests() { "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets.yaml" } +copy_metrics_manifests() { + if [ ! -d "${STAGING_DIR}/cluster-monitoring-operator" ]; then + >&2 echo "cluster-monitoring-operator not found in ${STAGING_DIR}, you need to download the release first." + exit 1 + fi + title "Copying metrics manifests" + "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_metrics.yaml" +} + # Updates embedded component manifests by gathering these from various places # in the staged repos and copying them into the asset directory. @@ -1303,6 +1313,7 @@ rebase_to() { fi copy_manifests + copy_metrics_manifests update_openshift_manifests if [[ -n "$(git status -s assets)" ]]; then if [[ -n "${FAIL_ON_MANIFEST_CHANGE+x}" ]] && [[ "${FAIL_ON_MANIFEST_CHANGE}" == "1" ]]; then @@ -1394,6 +1405,7 @@ case "$command" in ;; manifests) copy_manifests + copy_metrics_manifests update_openshift_manifests ;; *) usage;; From 0dd6366b5095a68a8c4866f778f0894212603ca7 Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Thu, 28 May 2026 16:42:22 -0500 Subject: [PATCH 05/12] USHIFT-6951: Add KSM and metrics-server otel scrape configs Extend the microshift-metrics otel-collector drop-in to scrape kube-state-metrics and metrics-server in addition to node-exporter. Both new receivers use Kubernetes endpoints service discovery with service-CA TLS, targeting the openshift-monitoring namespace. Co-Authored-By: Claude Opus 4.6 --- .../otelcol.d/microshift-metrics.yaml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/packaging/observability/otelcol.d/microshift-metrics.yaml b/packaging/observability/otelcol.d/microshift-metrics.yaml index 30a1ccf9e7..52aef522f0 100644 --- a/packaging/observability/otelcol.d/microshift-metrics.yaml +++ b/packaging/observability/otelcol.d/microshift-metrics.yaml 
@@ -7,9 +7,53 @@ receivers:
 static_configs:
 - targets: ["127.0.0.1:9100"]
+ prometheus/kube_state_metrics:
+ config:
+ scrape_configs:
+ - job_name: kube-state-metrics
+ scrape_interval: 30s
+ scheme: https
+ tls_config:
+ ca_file: /var/lib/microshift/certs/service-ca/ca.crt
+ kubernetes_sd_configs:
+ - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig
+ role: endpoints
+ namespaces:
+ names: [openshift-monitoring]
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: kube-state-metrics;https-main
+
+ prometheus/metrics_server:
+ config:
+ scrape_configs:
+ - job_name: metrics-server
+ scrape_interval: 30s
+ scheme: https
+ tls_config:
+ ca_file: /var/lib/microshift/certs/service-ca/ca.crt
+ kubernetes_sd_configs:
+ - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig
+ role: endpoints
+ namespaces:
+ names: [openshift-monitoring]
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: metrics-server;https
 service:
 pipelines:
 metrics/node_exporter:
 receivers: [prometheus/node_exporter]
 processors: [batch]
 exporters: [otlp]
+ metrics/kube_state_metrics:
+ receivers: [prometheus/kube_state_metrics]
+ processors: [batch]
+ exporters: [otlp]
+ metrics/metrics_server:
+ receivers: [prometheus/metrics_server]
+ processors: [batch]
+ exporters: [otlp]
From ac2383cea75e7ebf160101ecc81c2a259ad3ff51 Mon Sep 17 00:00:00 2001
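Review bot: Both new scrape jobs use `role: endpoints`, so the scraped `__address__` is a pod IP, while a serving certificate issued through service-ca is expected to carry the service DNS name (`<name>.openshift-monitoring.svc`) as its SAN; verification against `ca_file` will then fail on hostname mismatch unless the certificate also covers the pod IP, which these manifests do not show. Add `server_name: kube-state-metrics.openshift-monitoring.svc` and `server_name: metrics-server.openshift-monitoring.svc` under the respective `tls_config` blocks (or relabel `__address__` to the service name). Neither job presents client credentials: if the `https-main` port on kube-state-metrics is fronted by kube-rbac-proxy as in the upstream CMO layout, and metrics-server's `/metrics` uses delegated authentication, the scrapes will be rejected and need an `authorization:` block with `credentials_file:` pointing at a read-only identity's token — the kubeconfig under `kubernetes_sd_configs` is used for discovery only. A short comment on each job recording which identity the scrape is expected to run as would make that explicit.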
From: Jon Cope Date: Thu, 28 May 2026 16:43:14 -0500 Subject: [PATCH 06/12] USHIFT-6951: Add metrics image rebase function Add update_metrics_images() to rebase.sh to populate architecture- specific kustomization overlays and release-metrics JSON files from the OCP release payload. Covers metrics-server, kube-state-metrics, node-exporter, and kube-rbac-proxy images for both x86_64 and aarch64. Co-Authored-By: Claude Opus 4.6
---
 scripts/auto-rebase/rebase.sh | 72 +++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+)
diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh
index 0d1ab96faf..b454ae166b 100755
--- a/scripts/auto-rebase/rebase.sh
+++ b/scripts/auto-rebase/rebase.sh
@@ -931,6 +931,7 @@ EOF
 update_olm_images
 update_multus_images
+ update_metrics_images
 popd >/dev/null
 }
@@ -1121,6 +1122,77 @@ EOF
 done # for goarch
 }
+update_metrics_images() {
+ title "Rebasing metrics component images"
+
+ # Maps kustomization image name -> OCP release tag name
+ declare -A METRICS_IMAGE_MAP=(
+ ["quay.io/openshift/metrics-server"]="metrics-server"
+ ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics"
+ ["quay.io/openshift/node-exporter"]="prometheus-node-exporter"
+ ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy"
+ )
+
+ # Maps release JSON key -> OCP release tag name
+ declare -A METRICS_JSON_MAP=(
+ ["metrics_server"]="metrics-server"
+ ["kube_state_metrics"]="kube-state-metrics"
+ ["node_exporter"]="prometheus-node-exporter"
+ )
+
+ for goarch in amd64 arm64; do
+ arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch}
+
+ local release_file="${STAGING_DIR}/release_${goarch}.json"
+ local metrics_release_json="${REPOROOT}/assets/optional/metrics-server/release-metrics-${arch}.json"
+
+ local base_release
+ base_release=$(jq -r ".metadata.version" "${release_file}")
+ jq -n "{\"release\": {\"base\": \"$base_release\"}, \"images\": {}}" > "${metrics_release_json}"
+
+ # Update release-metrics-${arch}.json
+ for json_key in "${!METRICS_JSON_MAP[@]}"; do
+ local release_tag="${METRICS_JSON_MAP[$json_key]}"
+ local new_image
+ new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}")
+ yq -i -o json ".images += {\"${json_key}\": \"${new_image}\"}" "${metrics_release_json}"
+ done
+
+ # Update per-component kustomization.${arch}.yaml
+ for component_dir in metrics-server kube-state-metrics node-exporter; do
+ local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml"
+
+ cat < "${kustomization_arch_file}"
+images:
+EOF
+
+ # Read image names from the base kustomization and deployment/daemonset
+ local image_names
+ image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \
+ | sed 's/.*image: *//; 
s/:.*//; s/@.*//' | sort -u)
+
+ for orig_image in ${image_names}; do
+ local release_tag="${METRICS_IMAGE_MAP[$orig_image]:-}"
+ if [[ -z "${release_tag}" ]]; then
+ >&2 echo "WARNING: Unknown metrics image '${orig_image}' in ${component_dir}, skipping"
+ continue
+ fi
+
+ local new_image
+ new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}")
+ local new_image_name="${new_image%@*}"
+ local new_image_digest="${new_image#*@}"
+
+ cat <> "${kustomization_arch_file}"
+ - name: ${orig_image}
+ newName: ${new_image_name}
+ digest: ${new_image_digest}
+EOF
+ done
+ done
+ done
+}
+
 update_olm_images() {
 title "Rebasing operator-lifecycle-manager manifests"
From e2e15fc8651fbc379274cafb9e6b5e44114592e9 Mon Sep 17 00:00:00 2001
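Review bot: `new_image` is never validated after either jq lookup, so a release payload that lacks one of the mapped tags writes an empty string into release-metrics-${arch}.json and, in the kustomization loop, an `images:` entry whose `newName` and `digest` are both empty (`${new_image#*@}` yields the whole value when there is no `@`), silently losing the digest pin that this overlay exists to provide. Fail fast in both loops right after the lookup: `[[ "${new_image}" == *@sha256:* ]] || { >&2 echo "ERROR: no digest for '${release_tag}' in ${release_file}"; exit 1; }`. The `jq -n "{\"release\": ... \"$base_release\" ...}"` call interpolates shell data into the jq program text; `jq -n --arg base "$base_release" '{release: {base: $base}, images: {}}'` is the safe form. The `cat < "${kustomization_arch_file}"` and `cat <> ...` lines read as heredoc redirections whose `<<EOF` was lost in this rendering; assuming `cat <<EOF >` and `cat <<EOF >>`, a header comment naming the two generated artifacts (the per-arch `kustomization.${arch}.yaml` images list and `release-metrics-${arch}.json`) would help the next maintainer.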
From: Jon Cope Date: Tue, 2 Jun 2026 22:11:43 -0500 Subject: [PATCH 07/12] USHIFT-6951: Align metrics-server and node-exporter manifests with CMO upstream Rename all manifests from numeric prefixes to CMO-matching names for both metrics-server and node-exporter. Add missing CMO files verbatim (configmap-audit-profiles, network-policy, PDB, SCC, kube-rbac-proxy secret, accelerators configmap). Fix metrics-server deployment image placeholder from empty string to quay.io/openshift/metrics-server so the kustomize images transformer can match and inject the OCP digest. Replace git_restore with ignore + reason in the rebase recipe since they are functionally identical under no_clean and ignore communicates why MicroShift diverges from CMO. Co-Authored-By: Claude Opus 4.6 --- .../metrics-server/kubelet-ca-configmap.yaml | 2 +- .../metrics-server/kubelet-client-secret.yaml | 2 +- .../metrics-server/01-serviceaccount.yaml | 5 - .../metrics-server/02-clusterrole.yaml | 37 ---- .../metrics-server/03-clusterrolebinding.yaml | 28 --- .../metrics-server/04-rolebinding.yaml | 13 -- .../metrics-server/05-deployment.yaml | 96 --------- .../optional/metrics-server/06-service.yaml | 17 -- .../{07-apiservice.yaml => api-service.yaml} | 13 +- .../cluster-role-binding-auth-delegator.yaml | 17 ++ .../metrics-server/cluster-role-binding.yaml | 18 ++ .../optional/metrics-server/cluster-role.yaml | 25 +++ .../configmap-audit-profiles.yaml | 45 +++++ .../optional/metrics-server/deployment.yaml | 111 ++++++++++ .../metrics-server/kustomization.yaml | 16 +- .../network-policy-downstream.yaml | 22 ++ .../metrics-server/pod-disruption-budget.yaml | 18 ++ .../role-binding-auth-reader.yaml | 18 ++ .../metrics-server/service-account.yaml | 10 + assets/optional/metrics-server/service.yaml | 22 ++ .../node-exporter/01-serviceaccount.yaml | 5 - .../node-exporter/02-clusterrole.yaml | 22 -- .../node-exporter/03-clusterrolebinding.yaml | 12 -- .../optional/node-exporter/04-daemonset.yaml | 100 --------- 
assets/optional/node-exporter/05-service.yaml | 18 -- .../accelerators-collector-configmap.yaml | 139 +++++++++++++ .../node-exporter/cluster-role-binding.yaml | 18 ++ .../optional/node-exporter/cluster-role.yaml | 31 +++ assets/optional/node-exporter/daemonset.yaml | 191 ++++++++++++++++++ .../node-exporter/kube-rbac-proxy-secret.yaml | 19 ++ .../optional/node-exporter/kustomization.yaml | 13 +- .../security-context-constraints.yaml | 22 ++ .../node-exporter/service-account.yaml | 12 ++ assets/optional/node-exporter/service.yaml | 24 +++ packaging/rpm/microshift.spec | 22 +- scripts/auto-rebase/assets_metrics.yaml | 56 +++-- 36 files changed, 838 insertions(+), 401 deletions(-) delete mode 100644 assets/optional/metrics-server/01-serviceaccount.yaml delete mode 100644 assets/optional/metrics-server/02-clusterrole.yaml delete mode 100644 assets/optional/metrics-server/03-clusterrolebinding.yaml delete mode 100644 assets/optional/metrics-server/04-rolebinding.yaml delete mode 100644 assets/optional/metrics-server/05-deployment.yaml delete mode 100644 assets/optional/metrics-server/06-service.yaml rename assets/optional/metrics-server/{07-apiservice.yaml => api-service.yaml} (56%) create mode 100644 assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml create mode 100644 assets/optional/metrics-server/cluster-role-binding.yaml create mode 100644 assets/optional/metrics-server/cluster-role.yaml create mode 100644 assets/optional/metrics-server/configmap-audit-profiles.yaml create mode 100644 assets/optional/metrics-server/deployment.yaml create mode 100644 assets/optional/metrics-server/network-policy-downstream.yaml create mode 100644 assets/optional/metrics-server/pod-disruption-budget.yaml create mode 100644 assets/optional/metrics-server/role-binding-auth-reader.yaml create mode 100644 assets/optional/metrics-server/service-account.yaml create mode 100644 assets/optional/metrics-server/service.yaml delete mode 100644 
assets/optional/node-exporter/01-serviceaccount.yaml delete mode 100644 assets/optional/node-exporter/02-clusterrole.yaml delete mode 100644 assets/optional/node-exporter/03-clusterrolebinding.yaml delete mode 100644 assets/optional/node-exporter/04-daemonset.yaml delete mode 100644 assets/optional/node-exporter/05-service.yaml create mode 100644 assets/optional/node-exporter/accelerators-collector-configmap.yaml create mode 100644 assets/optional/node-exporter/cluster-role-binding.yaml create mode 100644 assets/optional/node-exporter/cluster-role.yaml create mode 100644 assets/optional/node-exporter/daemonset.yaml create mode 100644 assets/optional/node-exporter/kube-rbac-proxy-secret.yaml create mode 100644 assets/optional/node-exporter/security-context-constraints.yaml create mode 100644 assets/optional/node-exporter/service-account.yaml create mode 100644 assets/optional/node-exporter/service.yaml diff --git a/assets/components/metrics-server/kubelet-ca-configmap.yaml b/assets/components/metrics-server/kubelet-ca-configmap.yaml index 94c2354c5e..5a5aea5a47 100644 --- a/assets/components/metrics-server/kubelet-ca-configmap.yaml +++ b/assets/components/metrics-server/kubelet-ca-configmap.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: namespace: openshift-monitoring - name: metrics-server-kubelet-ca + name: kubelet-serving-ca-bundle annotations: openshift.io/owning-component: metrics-server data: diff --git a/assets/components/metrics-server/kubelet-client-secret.yaml b/assets/components/metrics-server/kubelet-client-secret.yaml index 06fbe51cf4..7454e89672 100644 --- a/assets/components/metrics-server/kubelet-client-secret.yaml +++ b/assets/components/metrics-server/kubelet-client-secret.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: namespace: openshift-monitoring - name: metrics-server-kubelet-client + name: metrics-server-client-certs annotations: openshift.io/owning-component: metrics-server type: kubernetes.io/tls 
diff --git a/assets/optional/metrics-server/01-serviceaccount.yaml b/assets/optional/metrics-server/01-serviceaccount.yaml deleted file mode 100644 index cf249eea39..0000000000 --- a/assets/optional/metrics-server/01-serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metrics-server - namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/02-clusterrole.yaml b/assets/optional/metrics-server/02-clusterrole.yaml deleted file mode 100644 index fc944209fd..0000000000 --- a/assets/optional/metrics-server/02-clusterrole.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-server -rules: - - apiGroups: [""] - resources: - - nodes/metrics - verbs: - - get - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:aggregated-metrics-reader - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: ["metrics.k8s.io"] - resources: - - pods - - nodes - verbs: - - get - - list - - watch diff --git a/assets/optional/metrics-server/03-clusterrolebinding.yaml b/assets/optional/metrics-server/03-clusterrolebinding.yaml deleted file mode 100644 index 2be034b6bd..0000000000 --- a/assets/optional/metrics-server/03-clusterrolebinding.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:metrics-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-server -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: openshift-monitoring - - kind: User - name: system:metrics-server - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metrics-server:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/04-rolebinding.yaml b/assets/optional/metrics-server/04-rolebinding.yaml deleted file mode 100644 index a6af65b543..0000000000 --- a/assets/optional/metrics-server/04-rolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: metrics-server-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/05-deployment.yaml b/assets/optional/metrics-server/05-deployment.yaml deleted file mode 100644 index 7c1cc7098f..0000000000 --- a/assets/optional/metrics-server/05-deployment.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metrics-server - namespace: openshift-monitoring - labels: - app.kubernetes.io/name: metrics-server -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: metrics-server - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: metrics-server - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 - spec: - serviceAccountName: metrics-server - priorityClassName: system-cluster-critical - containers: - - name: metrics-server - image: quay.io/openshift/metrics-server:latest - imagePullPolicy: IfNotPresent - args: - - --secure-port=4443 - - --kubelet-preferred-address-types=InternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=15s - - --tls-cert-file=/etc/tls/serving/tls.crt - - --tls-private-key-file=/etc/tls/serving/tls.key - - --kubelet-client-certificate=/etc/tls/kubelet-client/tls.crt - - --kubelet-client-key=/etc/tls/kubelet-client/tls.key - - --kubelet-certificate-authority=/etc/tls/kubelet-ca/ca-bundle.crt - ports: - - containerPort: 4443 - name: https - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: https - scheme: HTTPS - periodSeconds: 10 - failureThreshold: 3 - livenessProbe: - httpGet: - path: /livez - port: https - scheme: HTTPS - periodSeconds: 10 - failureThreshold: 3 - resources: - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - name: serving-cert - mountPath: /etc/tls/serving - readOnly: true - - name: kubelet-client-cert - mountPath: /etc/tls/kubelet-client - readOnly: true - - name: kubelet-ca - mountPath: /etc/tls/kubelet-ca - readOnly: true - - name: tmp - mountPath: /tmp - volumes: - - name: serving-cert - secret: - secretName: metrics-server-tls - - name: kubelet-client-cert - secret: - secretName: 
metrics-server-kubelet-client - - name: kubelet-ca - configMap: - name: metrics-server-kubelet-ca - items: - - key: ca-bundle.crt - path: ca-bundle.crt - - name: tmp - emptyDir: {} - nodeSelector: - kubernetes.io/os: linux - node-role.kubernetes.io/master: "" - tolerations: - - key: node-role.kubernetes.io/master - operator: Exists diff --git a/assets/optional/metrics-server/06-service.yaml b/assets/optional/metrics-server/06-service.yaml deleted file mode 100644 index f90f66af71..0000000000 --- a/assets/optional/metrics-server/06-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: metrics-server - namespace: openshift-monitoring - annotations: - service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls - labels: - app.kubernetes.io/name: metrics-server -spec: - selector: - app.kubernetes.io/name: metrics-server - ports: - - name: https - port: 443 - targetPort: https - protocol: TCP diff --git a/assets/optional/metrics-server/07-apiservice.yaml b/assets/optional/metrics-server/api-service.yaml similarity index 56% rename from assets/optional/metrics-server/07-apiservice.yaml rename to assets/optional/metrics-server/api-service.yaml index 78e6f80bdb..54303f0d9d 100644 --- a/assets/optional/metrics-server/07-apiservice.yaml +++ b/assets/optional/metrics-server/api-service.yaml 
@@ -1,14 +1,21 @@ apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: - name: v1beta1.metrics.k8s.io annotations: service.beta.openshift.io/inject-cabundle: "true" + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: v1beta1.metrics.k8s.io spec: + group: metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: false service: name: metrics-server namespace: openshift-monitoring - group: metrics.k8s.io + port: 443 version: v1beta1 - groupPriorityMinimum: 100 versionPriority: 100 diff --git a/assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml b/assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml new file mode 100644 index 0000000000..fad58afef1 --- /dev/null +++ b/assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: auth-delegator + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/cluster-role-binding.yaml b/assets/optional/metrics-server/cluster-role-binding.yaml new file mode 100644 index 0000000000..8a32b85158 --- /dev/null +++ b/assets/optional/metrics-server/cluster-role-binding.yaml 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring +- kind: User + name: system:metrics-server diff --git a/assets/optional/metrics-server/cluster-role.yaml b/assets/optional/metrics-server/cluster-role.yaml new file mode 100644 index 0000000000..19be5ca4b0 --- /dev/null +++ b/assets/optional/metrics-server/cluster-role.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: system:metrics-server +rules: +- apiGroups: + - "" + resources: + - nodes/metrics + verbs: + - get +- apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - watch diff --git a/assets/optional/metrics-server/configmap-audit-profiles.yaml b/assets/optional/metrics-server/configmap-audit-profiles.yaml new file mode 100644 index 0000000000..1cff598a6d --- /dev/null +++ b/assets/optional/metrics-server/configmap-audit-profiles.yaml 
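Review bot: cluster-role-binding.yaml binds `system:metrics-server` to both the ServiceAccount and a `User` named `system:metrics-server`; the second subject only takes effect if some credential authenticates under that name — presumably the CN of the kubelet client certificate in the `metrics-server-client-certs` secret, which the kubelet would authorize for `nodes/metrics` through SubjectAccessReview. Because that certificate is generated outside these manifests, add a comment above the subject, e.g. `# CN of the kubelet client cert in metrics-server-client-certs; needed for the kubelet's nodes/metrics authorization`, and confirm the issued CN matches, or remove the subject so it is not a dangling grant. The new cluster-role.yaml drops `namespaces` from the list/watch rule that the deleted 02-clusterrole.yaml carried, which is a sound tightening worth mentioning in the commit message.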
@@ -0,0 +1,45 @@ +apiVersion: v1 +data: + metadata-profile.yaml: |- + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "Metadata" + "omitStages": + - "RequestReceived" + "rules": + - "level": "Metadata" + none-profile.yaml: |- + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "None" + "omitStages": + - "RequestReceived" + "rules": + - "level": "None" + request-profile.yaml: |- + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "Request" + "omitStages": + - "RequestReceived" + "rules": + - "level": "Request" + requestresponse-profile.yaml: |- + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "RequestResponse" + "omitStages": + - "RequestReceived" + "rules": + - "level": "RequestResponse" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server-audit-profiles + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/deployment.yaml b/assets/optional/metrics-server/deployment.yaml new file mode 100644 index 0000000000..fe6ef2425d --- /dev/null +++ b/assets/optional/metrics-server/deployment.yaml 
@@ -0,0 +1,111 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server + namespace: openshift-monitoring +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + strategy: + type: Recreate + template: + metadata: + annotations: + openshift.io/required-scc: restricted-v2 + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + spec: + containers: + - args: + - --secure-port=10250 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt + - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt + - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - --shutdown-send-retry-after=true + - --shutdown-delay-duration=150s + - --disable-http2-serving=true + image: quay.io/openshift/metrics-server + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + name: metrics-server + ports: + - containerPort: 10250 + name: https 
+ protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 20 + resources: + requests: + cpu: 1m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/tls/private + name: secret-metrics-server-tls + - mountPath: /etc/tls/metrics-server-client-certs + name: secret-metrics-server-client-certs + - mountPath: /etc/tls/kubelet-serving-ca-bundle + name: configmap-kubelet-serving-ca-bundle + - mountPath: /etc/audit + name: metrics-server-audit-profiles + readOnly: true + - mountPath: /var/log/metrics-server + name: audit-log + readOnly: false + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: metrics-server + terminationGracePeriodSeconds: 170 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - name: secret-metrics-server-client-certs + secret: + secretName: metrics-server-client-certs + - name: secret-metrics-server-tls + secret: + secretName: metrics-server-tls + - configMap: + name: kubelet-serving-ca-bundle + name: configmap-kubelet-serving-ca-bundle + - emptyDir: {} + name: audit-log + - configMap: + name: metrics-server-audit-profiles + name: metrics-server-audit-profiles diff --git a/assets/optional/metrics-server/kustomization.yaml b/assets/optional/metrics-server/kustomization.yaml index 1d202e8028..c6c1f1f54e 100644 --- a/assets/optional/metrics-server/kustomization.yaml +++ b/assets/optional/metrics-server/kustomization.yaml 
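Review bot: The deployment mounts `metrics-server-audit-profiles` at `/etc/audit` and the `audit-log` emptyDir at `/var/log/metrics-server`, but the args list carries no `--audit-policy-file` or `--audit-log-path`, so no audit logging is configured and both volumes are dead weight; upstream CMO presumably injects those flags from operator code, which does not happen here. Either add the flags, e.g. `--audit-policy-file=/etc/audit/metadata-profile.yaml` and `--audit-log-path=/var/log/metrics-server/audit.log`, or drop the configmap, the two mounts and the `audit-log` volume and record the decision in the kustomization. The pod is annotated `openshift.io/required-scc: restricted-v2`, sets `runAsNonRoot: true` and uses only secret, configMap and emptyDir volumes, so it needs nothing beyond restricted-v2; any broader SCC grant to the `metrics-server` ServiceAccount elsewhere in the series should be reconciled with this manifest.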
@@ -2,10 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - 00-namespace.yaml - - 01-serviceaccount.yaml - - 02-clusterrole.yaml - - 03-clusterrolebinding.yaml - - 04-rolebinding.yaml - - 05-deployment.yaml - - 06-service.yaml - - 07-apiservice.yaml + - service-account.yaml + - cluster-role.yaml + - cluster-role-binding.yaml + - cluster-role-binding-auth-delegator.yaml + - role-binding-auth-reader.yaml + - configmap-audit-profiles.yaml + - deployment.yaml + - service.yaml + - api-service.yaml diff --git a/assets/optional/metrics-server/network-policy-downstream.yaml b/assets/optional/metrics-server/network-policy-downstream.yaml new file mode 100644 index 0000000000..60cf626231 --- /dev/null +++ b/assets/optional/metrics-server/network-policy-downstream.yaml @@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server + namespace: openshift-monitoring +spec: + egress: + - {} + ingress: + - ports: + - port: 10250 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + policyTypes: + - Ingress + - Egress diff --git a/assets/optional/metrics-server/pod-disruption-budget.yaml b/assets/optional/metrics-server/pod-disruption-budget.yaml new file mode 100644 index 0000000000..c5fd745097 --- /dev/null +++ b/assets/optional/metrics-server/pod-disruption-budget.yaml 
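Review bot: The updated `resources:` list omits `network-policy-downstream.yaml` and `pod-disruption-budget.yaml`, both added by this commit, so they ship in the RPM but are never applied. If that is deliberate — a `minAvailable: 1` PDB on a single-replica Deployment would block node drain on a single-node host, and the NetworkPolicy only matters where a policy-enforcing network plugin is present — add a comment to the kustomization such as `# network-policy-downstream.yaml and pod-disruption-budget.yaml are kept for CMO rebase parity but intentionally not applied`, or list them in the rebase recipe's ignore set; otherwise add them to `resources:`. The NetworkPolicy's ingress rule has no `from:` selector, so it admits port 10250 from any source, which appears to be the upstream form but deserves a one-line note since the aggregation layer is the only expected client.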
@@ -0,0 +1,18 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server + namespace: openshift-monitoring +spec: + minAvailable: 1 + selector: + matchLabels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + unhealthyPodEvictionPolicy: AlwaysAllow diff --git a/assets/optional/metrics-server/role-binding-auth-reader.yaml b/assets/optional/metrics-server/role-binding-auth-reader.yaml new file mode 100644 index 0000000000..6b11a238ce --- /dev/null +++ b/assets/optional/metrics-server/role-binding-auth-reader.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server-auth-reader + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring diff --git a/assets/optional/metrics-server/service-account.yaml b/assets/optional/metrics-server/service-account.yaml new file mode 100644 index 0000000000..310685e790 --- /dev/null +++ b/assets/optional/metrics-server/service-account.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server + namespace: openshift-monitoring 
diff --git a/assets/optional/metrics-server/service.yaml b/assets/optional/metrics-server/service.yaml new file mode 100644 index 0000000000..3a485b2dad --- /dev/null +++ b/assets/optional/metrics-server/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + openshift.io/description: Expose the metrics-server web server on port 443. This port is for internal use, and no other usage is guaranteed. + service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls + labels: + app.kubernetes.io/component: metrics-server + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring + name: metrics-server + namespace: openshift-monitoring +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/name: metrics-server + app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/optional/node-exporter/01-serviceaccount.yaml b/assets/optional/node-exporter/01-serviceaccount.yaml deleted file mode 100644 index 58db6211b1..0000000000 --- a/assets/optional/node-exporter/01-serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-exporter - namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/02-clusterrole.yaml b/assets/optional/node-exporter/02-clusterrole.yaml deleted file mode 100644 index 433a3330b3..0000000000 --- a/assets/optional/node-exporter/02-clusterrole.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: node-exporter -rules: - - apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create - - apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: ["security.openshift.io"] - resources: - - securitycontextconstraints - resourceNames: - - privileged - verbs: - - use diff --git a/assets/optional/node-exporter/03-clusterrolebinding.yaml b/assets/optional/node-exporter/03-clusterrolebinding.yaml deleted file mode 100644 index 64285d9f06..0000000000 --- a/assets/optional/node-exporter/03-clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: node-exporter -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: node-exporter -subjects: - - kind: ServiceAccount - name: node-exporter - namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/04-daemonset.yaml b/assets/optional/node-exporter/04-daemonset.yaml deleted file mode 100644 index 23ba97c406..0000000000 --- a/assets/optional/node-exporter/04-daemonset.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: node-exporter - namespace: openshift-monitoring - labels: - app.kubernetes.io/name: node-exporter -spec: - selector: - matchLabels: - app.kubernetes.io/name: node-exporter - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - app.kubernetes.io/name: node-exporter - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: privileged - spec: - serviceAccountName: node-exporter - hostNetwork: true - hostPID: true - containers: - - name: node-exporter - image: quay.io/openshift/node-exporter:latest - imagePullPolicy: IfNotPresent - args: - - --web.listen-address=127.0.0.1:9100 - - --path.sysfs=/host/sys - - --path.rootfs=/host/root - - --path.udev.data=/host/root/run/udev/data - - --no-collector.wifi - ports: - - containerPort: 9100 - hostPort: 9100 - name: http - protocol: TCP - resources: - requests: - cpu: 8m - memory: 32Mi - securityContext: - privileged: true - readOnlyRootFilesystem: true - volumeMounts: - - name: sys - mountPath: /host/sys - mountPropagation: HostToContainer - readOnly: true - - name: root - mountPath: /host/root - mountPropagation: HostToContainer - readOnly: true - - name: kube-rbac-proxy - image: quay.io/openshift/kube-rbac-proxy:latest - imagePullPolicy: IfNotPresent - args: - - --secure-listen-address=:9101 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - --tls-min-version=VersionTLS12 - - --upstream=http://127.0.0.1:9100/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - ports: - - containerPort: 9101 - hostPort: 9101 - name: https - protocol: TCP - resources: - requests: - cpu: 10m - memory: 40Mi - securityContext: - readOnlyRootFilesystem: true - 
volumeMounts: - - name: metrics-tls - mountPath: /etc/tls/private - readOnly: true - - name: tmp - mountPath: /tmp - volumes: - - name: sys - hostPath: - path: /sys - - name: root - hostPath: - path: / - - name: metrics-tls - secret: - secretName: node-exporter-tls - - name: tmp - emptyDir: {} - nodeSelector: - kubernetes.io/os: linux - tolerations: - - operator: Exists diff --git a/assets/optional/node-exporter/05-service.yaml b/assets/optional/node-exporter/05-service.yaml deleted file mode 100644 index 80d45d0663..0000000000 --- a/assets/optional/node-exporter/05-service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: node-exporter - namespace: openshift-monitoring - annotations: - service.beta.openshift.io/serving-cert-secret-name: node-exporter-tls - labels: - app.kubernetes.io/name: node-exporter -spec: - clusterIP: None - selector: - app.kubernetes.io/name: node-exporter - ports: - - name: https - port: 9101 - targetPort: https - protocol: TCP diff --git a/assets/optional/node-exporter/accelerators-collector-configmap.yaml b/assets/optional/node-exporter/accelerators-collector-configmap.yaml new file mode 100644 index 0000000000..05984b7fb9 --- /dev/null +++ b/assets/optional/node-exporter/accelerators-collector-configmap.yaml 
@@ -0,0 +1,139 @@ +apiVersion: v1 +data: + config.yaml: |- + - "models": + - "modelName": "NVIDIA A800 PCIe 80GB" + "pciID": "0x20f5" + - "modelName": "NVIDIA A800 40GB PCIe active cooled" + "pciID": "0x20f6" + - "modelName": "NVIDIA AX800" + "pciID": "0x20fd" + - "modelName": "NVIDIA A100 PCIe 40GB" + "pciID": "0x20f1" + - "modelName": "NVIDIA A100 PCIe 80GB" + "pciID": "0x20b5" + - "modelName": "NVIDIA A40" + "pciID": "0x2235" + - "modelName": "NVIDIA A30" + "pciID": "0x20b7" + - "modelName": "NVIDIA A10" + "pciID": "0x2236" + - "modelName": "NVIDIA A16" + "pciID": "0x25b6" + - "modelName": "H800 NVL" + "pciID": "0x2322" + - "modelName": "NVIDIA H100 NVL" + "pciID": "0x2321" + - "modelName": "NVIDIA H100 PCIe 80GB" + "pciID": "0x2331" + - "modelName": "NVIDIA L40" + "pciID": "0x26b5" + - "modelName": "NVIDIA L40S" + "pciID": "0x26b9" + - "modelName": "NVIDIA L20 liquid cooled" + "pciID": "0x26bA" + - "modelName": "NVIDIA L4" + "pciID": "0x27b8" + - "modelName": "NVIDIA L2" + "pciID": "0x27b6" + - "modelName": "NVIDIA RTX 6000 Ada" + "pciID": "0x26b1" + - "modelName": "NVIDIA RTX 5880 Ada" + "pciID": "0x26b3" + - "modelName": "NVIDIA RTX 5000 Ada" + "pciID": "0x2231" + - "modelName": "NVIDIA RTX A6000" + "pciID": "0x2230" + - "modelName": "NVIDIA RTX A5500" + "pciID": "0x2233" + - "modelName": "NVIDIA RTX 8000 passive" + "pciID": "0x1e30" + - "modelName": "NVIDIA RTX A2000" + "pciID": "0x2531" + - "modelName": "NVIDIA A100 SXM4 40GB" + "pciID": "0x20b0" + - "modelName": "NVIDIA H800 NVL" + "pciID": "0x233a" + - "modelName": "NVIDIA H200 NVL" + "pciID": "0x233b" + - "modelName": "NVIDIA A100 SXM4 80GB" + "pciID": "0x20b2" + - "modelName": "NVIDIA A100 SXM 64GB" + "pciID": "0x20b3" + - "modelName": "NVIDIA A800 SXM4 40GB" + "pciID": "0x20bd" + - "modelName": "NVIDIA A800 SXM4 80GB" + "pciID": "0x20f3" + - "modelName": "NVIDIA RTX A1000" + "pciID": "0x25b0" + - "modelName": "Blackwell RTX PRO 6000" + "pciID": "0x2bb5" + - "modelName": "Blackwell GB100" + "pciID": 
"0x2941" + "vendorID": "0x10de" + "vendorName": "NVIDIA" + - "models": + - "modelName": "AMD MI210" + "pciID": "0x740f" + - "modelName": "AMD MI250" + "pciID": "0x740c" + - "modelName": "AMD MI250X" + "pciID": "0x7408" + - "modelName": "AMD MI300" + "pciID": "0x74a0" + - "modelName": "AMD MI300X" + "pciID": "0x74a1" + - "modelName": "AMD MI325X" + "pciID": "0x74a5" + - "modelName": "AMD MI308X" + "pciID": "0x7aa2" + - "modelName": "AMD MI300X VF" + "pciID": "0x74b5" + - "modelName": "AMD MI210 VF" + "pciID": "0x7410" + "vendorID": "0x1002" + "vendorName": "AMD" + - "models": + - "modelName": "Gaudi 1" + "pciID": "0x1000" + - "modelName": "Gaudi 2" + "pciID": "0x1020" + "vendorID": "0x1da3" + "vendorName": "GAUDI" + - "models": + - "modelName": "Intel Data Center GPU Max 1550" + "pciID": "0x0bd5" + - "modelName": "Intel Data Center GPU Max 1100" + "pciID": "0x0bda" + - "modelName": "Intel Data Center GPU Flex 170" + "pciID": "0x56c0" + - "modelName": "Intel Data Center GPU Flex 140" + "pciID": "0x56c1" + - "modelName": "Intel IPU Data Path" + "pciID": "0x1452" + "vendorID": "0x8086" + "vendorName": "Intel" + - "models": + - "modelName": "Qualcomm AI 100" + "pciID": "0xa100" + - "modelName": "Qualcomm AI 80" + "pciID": "0xa080" + "vendorID": "0x17cb" + "vendorName": "Qualcomm" + - "models": + - "modelName": "Marvell OCTEON 10 CN10XXX" + "pciID": "0xb900" + "vendorID": "0x177d" + "vendorName": "Marvell" + - "models": + - "modelName": "BlueField-3 integrated ConnectX-7" + "pciID": "0xa2dc" + "vendorID": "0x15b3" + "vendorName": "Mellanox" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: node-exporter-accelerators-collector-config + namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/cluster-role-binding.yaml b/assets/optional/node-exporter/cluster-role-binding.yaml new file mode 100644 index 0000000000..b6790fa9b4 --- /dev/null 
+++ b/assets/optional/node-exporter/cluster-role-binding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + name: node-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-exporter +subjects: +- kind: ServiceAccount + name: node-exporter + namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/cluster-role.yaml b/assets/optional/node-exporter/cluster-role.yaml new file mode 100644 index 0000000000..50d7a5e755 --- /dev/null +++ b/assets/optional/node-exporter/cluster-role.yaml @@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + name: node-exporter +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - security.openshift.io + resourceNames: + - node-exporter + resources: + - securitycontextconstraints + verbs: + - use diff --git a/assets/optional/node-exporter/daemonset.yaml b/assets/optional/node-exporter/daemonset.yaml new file mode 100644 index 0000000000..295ea1ee65 --- /dev/null +++ b/assets/optional/node-exporter/daemonset.yaml 
@@ -0,0 +1,191 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + name: node-exporter + namespace: openshift-monitoring +spec: + selector: + matchLabels: + app.kubernetes.io/component: exporter + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" + kubectl.kubernetes.io/default-container: node-exporter + openshift.io/required-scc: node-exporter + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + spec: + automountServiceAccountToken: true + containers: + - args: + - --web.listen-address=127.0.0.1:9101 + - --path.sysfs=/host/sys + - --path.rootfs=/host/root + - --path.procfs=/host/root/proc + - --path.udev.data=/host/root/run/udev/data + - --no-collector.wifi + - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run/k3s/containerd/.+|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/) + - --collector.netclass.ignored-devices=^.*$ + - --collector.netdev.device-exclude=^.*$ + - --collector.cpu.info + - --collector.textfile.directory=/var/node_exporter/textfile + - --no-collector.btrfs + command: + - /bin/sh + - -c + - | + export GOMAXPROCS=4 + # We don't take CPU affinity into account as the container doesn't have integer CPU requests. + # In case of error, fallback to the default value. 
+ NUM_CPUS=$(grep -c '^processor' "/proc/cpuinfo" 2>/dev/null || echo "0") + if [ "$NUM_CPUS" -lt "$GOMAXPROCS" ]; then + export GOMAXPROCS="$NUM_CPUS" + fi + echo "ts=$(date --iso-8601=seconds) num_cpus=$NUM_CPUS gomaxprocs=$GOMAXPROCS" + exec /bin/node_exporter "$0" "$@" + env: + - name: DBUS_SYSTEM_BUS_ADDRESS + value: unix:path=/host/root/var/run/dbus/system_bus_socket + image: "" + name: node-exporter + resources: + requests: + cpu: 8m + memory: 32Mi + securityContext: {} + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/sys + mountPropagation: HostToContainer + name: sys + readOnly: true + - mountPath: /host/root + mountPropagation: HostToContainer + name: root + readOnly: true + - mountPath: /var/node_exporter/textfile + name: node-exporter-textfile + readOnly: true + - mountPath: /var/node_exporter/accelerators_collector_config + name: node-exporter-accelerators-collector-config + readOnly: true + workingDir: /var/node_exporter/textfile + - args: + - --secure-listen-address=[$(IP)]:9100 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - --upstream=http://127.0.0.1:9101/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --config-file=/etc/kube-rbac-policy/config.yaml + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: "" + name: kube-rbac-proxy + ports: + - containerPort: 9100 + hostPort: 9100 + name: https + resources: + requests: + cpu: 1m + memory: 15Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - 
mountPath: /etc/tls/private + name: node-exporter-tls + readOnly: false + - mountPath: /etc/kube-rbac-policy + name: node-exporter-kube-rbac-proxy-config + readOnly: true + hostNetwork: true + hostPID: true + initContainers: + - command: + - /bin/sh + - -c + - '[[ ! -d /node_exporter/collectors/init ]] || find /node_exporter/collectors/init -perm /111 -type f -exec {} \;' + env: + - name: TMPDIR + value: /tmp + image: "" + name: init-textfile + resources: + requests: + cpu: 1m + memory: 1Mi + securityContext: + privileged: true + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/node_exporter/textfile + name: node-exporter-textfile + readOnly: false + - mountPath: /var/log/wtmp + name: node-exporter-wtmp + readOnly: true + workingDir: /var/node_exporter/textfile + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: {} + serviceAccountName: node-exporter + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /sys + name: sys + - hostPath: + path: / + name: root + - emptyDir: {} + name: node-exporter-textfile + - name: node-exporter-tls + secret: + secretName: node-exporter-tls + - hostPath: + path: /var/log/wtmp + type: File + name: node-exporter-wtmp + - name: node-exporter-kube-rbac-proxy-config + secret: + secretName: node-exporter-kube-rbac-proxy-config + - configMap: + items: + - key: config.yaml + path: config.yaml + name: node-exporter-accelerators-collector-config + name: node-exporter-accelerators-collector-config + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate diff --git a/assets/optional/node-exporter/kube-rbac-proxy-secret.yaml b/assets/optional/node-exporter/kube-rbac-proxy-secret.yaml new file mode 100644 index 0000000000..23cd9660ed --- /dev/null +++ b/assets/optional/node-exporter/kube-rbac-proxy-secret.yaml 
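Review bot: The kube-rbac-proxy container's args no longer include `--tls-min-version=VersionTLS12`, which the replaced 04-daemonset.yaml passed right after `--tls-cipher-suites`; the CMO-owned original presumably gets that flag injected at runtime, and MicroShift does not run CMO, so the listener's TLS floor now rests on whatever kube-rbac-proxy defaults to. Adding `- --tls-min-version=VersionTLS12` next to the cipher-suite line pins it explicitly and keeps the cipher list meaningful. The assets_metrics.yaml hunk later in this patch notes that the `metrics-client-ca` volume, mount and arg were dropped, so the proxy has no client CA and scrapers can only authenticate with bearer tokens; a comment on the kube-rbac-proxy container saying `# No --client-ca-file: callers must present a ServiceAccount token (TokenReview), client certs are not accepted` would make that expectation visible to whoever configures the scraper.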
@@ -0,0 +1,19 @@ +apiVersion: v1 +data: {} +kind: Secret +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: node-exporter-kube-rbac-proxy-config + namespace: openshift-monitoring +stringData: + config.yaml: |- + "authorization": + "static": + - "path": "/metrics" + "resourceRequest": false + "user": + "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s" + "verb": "get" +type: Opaque diff --git a/assets/optional/node-exporter/kustomization.yaml b/assets/optional/node-exporter/kustomization.yaml index f024ac8941..e85a4e8254 100644 --- a/assets/optional/node-exporter/kustomization.yaml +++ b/assets/optional/node-exporter/kustomization.yaml @@ -1,8 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 01-serviceaccount.yaml - - 02-clusterrole.yaml - - 03-clusterrolebinding.yaml - - 04-daemonset.yaml - - 05-service.yaml + - service-account.yaml + - cluster-role.yaml + - cluster-role-binding.yaml + - security-context-constraints.yaml + - kube-rbac-proxy-secret.yaml + - accelerators-collector-configmap.yaml + - daemonset.yaml + - service.yaml diff --git a/assets/optional/node-exporter/security-context-constraints.yaml b/assets/optional/node-exporter/security-context-constraints.yaml new file mode 100644 index 0000000000..1caaf72fcd --- /dev/null +++ b/assets/optional/node-exporter/security-context-constraints.yaml 
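Review bot: The static authorizer entry pre-approves only `system:serviceaccount:openshift-monitoring:prometheus-k8s` for `get` on `/metrics`, and nothing visible in this series creates that ServiceAccount, so on MicroShift every real scraper appears to fall through to a SubjectAccessReview and needs RBAC on the `/metrics` non-resource URL. Either the entry should name the identity MicroShift actually expects to scrape, or a comment above `stringData` should state the contract, e.g. `# Only this identity is short-circuited; any other caller is authorized via SubjectAccessReview (nonResourceURLs: /metrics, verb: get)`. Since `data: {}` plus `stringData` is what the file ships, the config is readable to anyone with secret access in the namespace, which is fine for an authorization policy but worth a one-line note that it holds no credentials.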
@@ -0,0 +1,22 @@ +allowHostDirVolumePlugin: true +allowHostNetwork: true +allowHostPID: true +allowHostPorts: true +allowPrivilegedContainer: true +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: node-exporter scc is used for the Prometheus node exporter + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: node-exporter +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: +- runtime/default +users: [] diff --git a/assets/optional/node-exporter/service-account.yaml b/assets/optional/node-exporter/service-account.yaml new file mode 100644 index 0000000000..c3d1dc95c9 --- /dev/null +++ b/assets/optional/node-exporter/service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + name: node-exporter + namespace: openshift-monitoring diff --git a/assets/optional/node-exporter/service.yaml b/assets/optional/node-exporter/service.yaml new file mode 100644 index 0000000000..37b420ccdb --- /dev/null +++ b/assets/optional/node-exporter/service.yaml 
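Review bot: The SCC enables `allowPrivilegedContainer`, `allowHostDirVolumePlugin`, `allowHostNetwork`, `allowHostPID` and `allowHostPorts` together with `runAsUser: RunAsAny`, and with `users: []` the only grant path is the `use` rule on `resourceNames: [node-exporter]` in cluster-role.yaml; the description annotation should say so, because an auditor reading the SCC alone cannot tell who can reach it. From daemonset.yaml, the privileged/root combination is requested only by the `init-textfile` initContainer, while the exporter and proxy containers run unprivileged, so `kubernetes.io/description: node-exporter scc is used for the Prometheus node exporter; granted only to the node-exporter ServiceAccount through ClusterRole use, privileged is needed by the init-textfile initContainer` documents the blast radius accurately.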
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + openshift.io/description: Expose the `/metrics` endpoint on port 9100. This port is for internal use, and no other usage is guaranteed. + service.beta.openshift.io/serving-cert-secret-name: node-exporter-tls + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 1.11.1 + name: node-exporter + namespace: openshift-monitoring +spec: + clusterIP: None + ports: + - name: https + port: 9100 + targetPort: https + selector: + app.kubernetes.io/component: exporter + app.kubernetes.io/name: node-exporter + app.kubernetes.io/part-of: openshift-monitoring diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index e8a0f739b9..9d0d08ea5d 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec 
@@ -622,7 +622,18 @@ install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch
 
 # metrics-server
 install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
-install -p -m644 assets/optional/metrics-server/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/role-binding-auth-reader.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/configmap-audit-profiles.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/api-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/network-policy-downstream.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
+install -p -m644 assets/optional/metrics-server/pod-disruption-budget.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
 install -p -m644 assets/optional/metrics-server/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server
 
 %ifarch %{arm} aarch64
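Review bot: Replacing the `0*.yaml` glob with a per-file list means this spec must now be edited in lockstep with `assets/optional/metrics-server/kustomization.yaml`, and a manifest present in one but not the other is only noticed when kustomize runs on the node; the node-exporter list in the next hunk has the same coupling. This hunk installs `network-policy-downstream.yaml` and `pod-disruption-budget.yaml`, yet the metrics-server kustomization.yaml shown later in this series (the old side of the patch 08 hunk) does not list either, so they appear to be shipped without ever being applied — if that is intended, a comment such as `# network-policy-downstream.yaml and pod-disruption-budget.yaml are installed for reference only; not referenced by kustomization.yaml` should say so, otherwise they belong in the resources list. A small build-time consistency check, e.g. `grep -q "$f" assets/optional/metrics-server/kustomization.yaml || exit 1` over the installed names, would catch future drift at package build rather than at first boot.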
@@ -646,7 +657,14 @@ cat assets/optional/kube-state-metrics/kustomization.x86_64.yaml >> %{buildroot}
 
 # node-exporter
 install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
-install -p -m644 assets/optional/node-exporter/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/security-context-constraints.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/kube-rbac-proxy-secret.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/accelerators-collector-configmap.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/daemonset.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
+install -p -m644 assets/optional/node-exporter/service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
 install -p -m644 assets/optional/node-exporter/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter
 
 %ifarch %{arm} aarch64
diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml
index a8f73bc3c2..2acc3001bc 100644
--- a/scripts/auto-rebase/assets_metrics.yaml
+++ b/scripts/auto-rebase/assets_metrics.yaml
@@ -4,23 +4,23 @@ assets: src: cluster-monitoring-operator/assets/metrics-server/ files: - file: 00-namespace.yaml - git_restore: True - - file: 01-serviceaccount.yaml - src: service-account.yaml - - file: 02-clusterrole.yaml - src: cluster-role.yaml - - file: 03-clusterrolebinding.yaml - src: cluster-role-binding.yaml - git_restore: True - - file: 04-rolebinding.yaml - src: role-binding-auth-reader.yaml - - file: 05-deployment.yaml - src: deployment.yaml - git_restore: True - - file: 06-service.yaml - src: service.yaml - - file: 07-apiservice.yaml - src: api-service.yaml + ignore: "Provided by MicroShift" + - file: service-account.yaml + ignore: "Provided by MicroShift" + - file: cluster-role.yaml + ignore: "Provided by MicroShift" + - file: clusterrole-aggregated-metrics-reader.yaml + ignore: "Provided by MicroShift" + - file: cluster-role-binding.yaml + ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert" + - file: cluster-role-binding-auth-delegator.yaml + - file: role-binding-auth-reader.yaml + - file: configmap-audit-profiles.yaml + - file: deployment.yaml + ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes" + - file: service.yaml + ignore: "MicroShift uses service-ca annotation for serving cert" + - file: api-service.yaml - file: kustomization.yaml ignore: "Provided by MicroShift" - file: kustomization.x86_64.yaml 
@@ -36,17 +36,15 @@ assets: no_clean: True src: cluster-monitoring-operator/assets/node-exporter/ files: - - file: 01-serviceaccount.yaml - src: service-account.yaml - - file: 02-clusterrole.yaml - src: cluster-role.yaml - - file: 03-clusterrolebinding.yaml - src: cluster-role-binding.yaml - - file: 04-daemonset.yaml - src: daemonset.yaml - git_restore: True - - file: 05-service.yaml - src: service.yaml + - file: service-account.yaml + - file: cluster-role.yaml + - file: cluster-role-binding.yaml + - file: security-context-constraints.yaml + - file: kube-rbac-proxy-secret.yaml + - file: accelerators-collector-configmap.yaml + - file: daemonset.yaml + ignore: "MicroShift removes metrics-client-ca volume/mount/arg (populated by CMO at runtime)" + - file: service.yaml - file: kustomization.yaml ignore: "Provided by MicroShift" - file: kustomization.x86_64.yaml @@ -66,7 +64,7 @@ assets: src: cluster-role-binding.yaml - file: 04-deployment.yaml src: deployment.yaml - git_restore: True + ignore: "MicroShift customizes replicas, strategy, image placeholders, and security context" - file: 05-service.yaml src: service.yaml - file: kustomization.yaml From 0533cc63e63585cd826521f954362bb30ff3d2ed Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Wed, 3 Jun 2026 15:05:56 -0500 Subject: [PATCH 08/12] USHIFT-6951: Add numeric prefixes to metrics-server manifests Add type-grouped numeric prefixes to metrics-server manifest files to enforce correct deployment ordering via kustomize. Grouping: 00-namespace, 01-RBAC/SA, 02-configmap, 03-workload, 04-service. Co-Authored-By: Claude Opus 4.6 --- ...1-cluster-role-binding-auth-delegator.yaml} | 0 ...nding.yaml => 01-cluster-role-binding.yaml} | 0 ...{cluster-role.yaml => 01-cluster-role.yaml} | 0 ...r.yaml => 01-role-binding-auth-reader.yaml} | 0 ...ce-account.yaml => 01-service-account.yaml} | 0 ...s.yaml => 02-configmap-audit-profiles.yaml} | 0 .../{deployment.yaml => 03-deployment.yaml} | 0 .../{api-service.yaml => 04-api-service.yaml} | 0 .../{service.yaml => 04-service.yaml} | 0 .../optional/metrics-server/kustomization.yaml | 18 +++++++++--------- scripts/auto-rebase/assets_metrics.yaml | 18 +++++++++--------- 11 files changed, 18 insertions(+), 18 deletions(-) rename assets/optional/metrics-server/{cluster-role-binding-auth-delegator.yaml => 01-cluster-role-binding-auth-delegator.yaml} (100%) rename assets/optional/metrics-server/{cluster-role-binding.yaml => 01-cluster-role-binding.yaml} (100%) rename assets/optional/metrics-server/{cluster-role.yaml => 01-cluster-role.yaml} (100%) rename assets/optional/metrics-server/{role-binding-auth-reader.yaml => 01-role-binding-auth-reader.yaml} (100%) rename assets/optional/metrics-server/{service-account.yaml => 01-service-account.yaml} (100%) rename assets/optional/metrics-server/{configmap-audit-profiles.yaml => 02-configmap-audit-profiles.yaml} (100%) rename assets/optional/metrics-server/{deployment.yaml => 03-deployment.yaml} (100%) rename assets/optional/metrics-server/{api-service.yaml => 04-api-service.yaml} (100%) rename assets/optional/metrics-server/{service.yaml => 04-service.yaml} (100%) 
diff --git a/assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml b/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml similarity index 100% rename from assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml rename to assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml diff --git a/assets/optional/metrics-server/cluster-role-binding.yaml b/assets/optional/metrics-server/01-cluster-role-binding.yaml similarity index 100% rename from assets/optional/metrics-server/cluster-role-binding.yaml rename to assets/optional/metrics-server/01-cluster-role-binding.yaml diff --git a/assets/optional/metrics-server/cluster-role.yaml b/assets/optional/metrics-server/01-cluster-role.yaml similarity index 100% rename from assets/optional/metrics-server/cluster-role.yaml rename to assets/optional/metrics-server/01-cluster-role.yaml diff --git a/assets/optional/metrics-server/role-binding-auth-reader.yaml b/assets/optional/metrics-server/01-role-binding-auth-reader.yaml similarity index 100% rename from assets/optional/metrics-server/role-binding-auth-reader.yaml rename to assets/optional/metrics-server/01-role-binding-auth-reader.yaml diff --git a/assets/optional/metrics-server/service-account.yaml b/assets/optional/metrics-server/01-service-account.yaml similarity index 100% rename from assets/optional/metrics-server/service-account.yaml rename to assets/optional/metrics-server/01-service-account.yaml diff --git a/assets/optional/metrics-server/configmap-audit-profiles.yaml b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml similarity index 100% rename from assets/optional/metrics-server/configmap-audit-profiles.yaml rename to assets/optional/metrics-server/02-configmap-audit-profiles.yaml 
diff --git a/assets/optional/metrics-server/deployment.yaml b/assets/optional/metrics-server/03-deployment.yaml similarity index 100% rename from assets/optional/metrics-server/deployment.yaml rename to assets/optional/metrics-server/03-deployment.yaml diff --git a/assets/optional/metrics-server/api-service.yaml b/assets/optional/metrics-server/04-api-service.yaml similarity index 100% rename from assets/optional/metrics-server/api-service.yaml rename to assets/optional/metrics-server/04-api-service.yaml diff --git a/assets/optional/metrics-server/service.yaml b/assets/optional/metrics-server/04-service.yaml similarity index 100% rename from assets/optional/metrics-server/service.yaml rename to assets/optional/metrics-server/04-service.yaml diff --git a/assets/optional/metrics-server/kustomization.yaml b/assets/optional/metrics-server/kustomization.yaml index c6c1f1f54e..ca034994ff 100644 --- a/assets/optional/metrics-server/kustomization.yaml +++ b/assets/optional/metrics-server/kustomization.yaml @@ -2,12 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - 00-namespace.yaml - - service-account.yaml - - cluster-role.yaml - - cluster-role-binding.yaml - - cluster-role-binding-auth-delegator.yaml - - role-binding-auth-reader.yaml - - configmap-audit-profiles.yaml - - deployment.yaml - - service.yaml - - api-service.yaml + - 01-service-account.yaml + - 01-cluster-role.yaml + - 01-cluster-role-binding.yaml + - 01-cluster-role-binding-auth-delegator.yaml + - 01-role-binding-auth-reader.yaml + - 02-configmap-audit-profiles.yaml + - 03-deployment.yaml + - 04-service.yaml + - 04-api-service.yaml diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml index 2acc3001bc..a6bd25ad05 100644 --- a/scripts/auto-rebase/assets_metrics.yaml +++ b/scripts/auto-rebase/assets_metrics.yaml 
@@ -5,22 +5,22 @@ assets:
 files:
 - file: 00-namespace.yaml
 ignore: "Provided by MicroShift"
- - file: service-account.yaml
+ - file: 01-service-account.yaml
 ignore: "Provided by MicroShift"
- - file: cluster-role.yaml
+ - file: 01-cluster-role.yaml
 ignore: "Provided by MicroShift"
 - file: clusterrole-aggregated-metrics-reader.yaml
 ignore: "Provided by MicroShift"
- - file: cluster-role-binding.yaml
+ - file: 01-cluster-role-binding.yaml
 ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert"
- - file: cluster-role-binding-auth-delegator.yaml
- - file: role-binding-auth-reader.yaml
- - file: configmap-audit-profiles.yaml
- - file: deployment.yaml
+ - file: 01-cluster-role-binding-auth-delegator.yaml
+ - file: 01-role-binding-auth-reader.yaml
+ - file: 02-configmap-audit-profiles.yaml
+ - file: 03-deployment.yaml
 ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes"
- - file: service.yaml
+ - file: 04-service.yaml
 ignore: "MicroShift uses service-ca annotation for serving cert"
- - file: api-service.yaml
+ - file: 04-api-service.yaml
 - file: kustomization.yaml
 ignore: "Provided by MicroShift"
 - file: kustomization.x86_64.yaml
From ba8a5569a4068e589df9c381eb827d6d67eed3ac Mon Sep 17 00:00:00 2001
From: Jon Cope Date: Wed, 3 Jun 2026 15:06:25 -0500 Subject: [PATCH 09/12] USHIFT-6951: Add numeric prefixes to kube-state-metrics manifests Rename KSM manifests from old sequential scheme (01-serviceaccount through 05-service) to type-grouped CMO filenames with prefixes: 01-RBAC/SA, 02-configmap/secret, 03-workload, 04-service. Add two new CMO files: kube-rbac-proxy-secret and custom-resource-state configmap. Update spec install loop for new naming pattern. Co-Authored-By: Claude Opus 4.6 --- .../01-cluster-role-binding.yaml | 18 + .../kube-state-metrics/01-cluster-role.yaml | 153 +++++ .../01-service-account.yaml | 12 + .../kube-state-metrics/01-serviceaccount.yaml | 5 - .../kube-state-metrics/02-clusterrole.yaml | 77 --- .../02-custom-resource-state-configmap.yaml | 544 ++++++++++++++++++ .../02-kube-rbac-proxy-secret.yaml | 19 + .../03-clusterrolebinding.yaml | 12 - .../kube-state-metrics/03-deployment.yaml | 143 +++++ .../kube-state-metrics/04-deployment.yaml | 111 ---- .../kube-state-metrics/04-service.yaml | 30 + .../kube-state-metrics/05-service.yaml | 22 - .../kube-state-metrics/kustomization.yaml | 12 +- packaging/rpm/microshift.spec | 5 +- scripts/auto-rebase/assets_metrics.yaml | 19 +- 15 files changed, 938 insertions(+), 244 deletions(-) create mode 100644 assets/optional/kube-state-metrics/01-cluster-role-binding.yaml create mode 100644 assets/optional/kube-state-metrics/01-cluster-role.yaml create mode 100644 assets/optional/kube-state-metrics/01-service-account.yaml delete mode 100644 assets/optional/kube-state-metrics/01-serviceaccount.yaml delete mode 100644 assets/optional/kube-state-metrics/02-clusterrole.yaml create mode 100644 assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml create mode 100644 assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml delete mode 100644 assets/optional/kube-state-metrics/03-clusterrolebinding.yaml create mode 100644 assets/optional/kube-state-metrics/03-deployment.yaml delete 
mode 100644 assets/optional/kube-state-metrics/04-deployment.yaml
 create mode 100644 assets/optional/kube-state-metrics/04-service.yaml
 delete mode 100644 assets/optional/kube-state-metrics/05-service.yaml
diff --git a/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
new file mode 100644
index 0000000000..c8e3419960
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/01-cluster-role.yaml b/assets/optional/kube-state-metrics/01-cluster-role.yaml
new file mode 100644
index 0000000000..ab123ee6cd
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-cluster-role.yaml
@@ -0,0 +1,153 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - nodes
+ - pods
+ - services
+ - serviceaccounts
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ - persistentvolumeclaims
+ - persistentvolumes
+ - namespaces
+ - endpoints
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ - volumeattachments
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ - ingressclasses
+ - ingresses
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - autoscaling.k8s.io
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ verbs:
+ - list
+ - watch
diff --git a/assets/optional/kube-state-metrics/01-service-account.yaml b/assets/optional/kube-state-metrics/01-service-account.yaml
new file mode 100644
index 0000000000..7f3fe4b1ce
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+ namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/01-serviceaccount.yaml b/assets/optional/kube-state-metrics/01-serviceaccount.yaml
deleted file mode 100644
index 719595d740..0000000000
--- a/assets/optional/kube-state-metrics/01-serviceaccount.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kube-state-metrics
- namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/02-clusterrole.yaml b/assets/optional/kube-state-metrics/02-clusterrole.yaml
deleted file mode 100644
index f9b04c0ab2..0000000000
--- a/assets/optional/kube-state-metrics/02-clusterrole.yaml
+++ /dev/null
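Review bot: The new ClusterRole grants `list` and `watch` on `secrets` in the core group, which lets the kube-state-metrics service account read the full content of every Secret in the cluster, not just metadata; the `--metric-denylist` of `^kube_secret_labels$` in 03-deployment.yaml limits what is exported, not what the token can read. This is the upstream CMO role, so if MicroShift keeps it the justification belongs next to the file, e.g. an `ignore:` entry in assets_metrics.yaml such as `"secrets list/watch is required by the kube_secret_* collectors; exported secret labels are denylisted in 03-deployment.yaml"`, or the rule could be narrowed if those collectors are not wanted. Compared with the deleted 02-clusterrole.yaml the role also adds `get`/`list`/`watch` on `customresourcedefinitions`, `list`/`watch` on `verticalpodautoscalers` and `gatewayclasses`/`gateways`, and drops `events`; I cannot tell from this page whether those CRDs are present on MicroShift, so a note on whether the custom-resource-state collectors are expected to find them would help the next rebase.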
@@ -1,77 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kube-state-metrics -rules: - - apiGroups: [""] - resources: - - configmaps - - secrets - - nodes - - pods - - services - - serviceaccounts - - resourcequotas - - replicationcontrollers - - limitranges - - persistentvolumeclaims - - persistentvolumes - - namespaces - - endpoints - - events - verbs: ["list", "watch"] - - apiGroups: ["apps"] - resources: - - statefulsets - - daemonsets - - deployments - - replicasets - verbs: ["list", "watch"] - - apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: ["list", "watch"] - - apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: ["list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: - - storageclasses - - volumeattachments - verbs: ["list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - - ingresses - verbs: ["list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: - - leases - verbs: ["list", "watch"] - - apiGroups: ["policy"] - resources: - - poddisruptionbudgets - verbs: ["list", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - certificatesigningrequests - verbs: ["list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: - - endpointslices - verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: ["list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml new file mode 100644 index 0000000000..4d0f548939 --- /dev/null +++ b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml 
@@ -0,0 +1,544 @@ +apiVersion: v1 +data: + custom-resource-state-configmap.yaml: |- + "kind": "CustomResourceStateMetrics" + "spec": + "resources": + - "groupVersionKind": + "group": "autoscaling.k8s.io" + "kind": "VerticalPodAutoscaler" + "version": "v1" + "metrics": + - "commonLabels": null + "each": + "stateSet": + "labelName": "updatemode" + "list": + - "Off" + - "Initial" + - "Recreate" + - "Auto" + "path": + - "spec" + - "updatePolicy" + - "updateMode" + "type": "StateSet" + "help": "Update mode of the VerticalPodAutoscaler." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_updatepolicy_updatemode" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "lowerBound" + - "cpu" + "type": "Gauge" + "help": "Minimum cpu resources the container can use before the VerticalPodAutoscaler updater evicts it." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "lowerBound" + - "memory" + "type": "Gauge" + "help": "Minimum memory resources the container can use before the VerticalPodAutoscaler updater evicts it." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "upperBound" + - "cpu" + "type": "Gauge" + "help": "Maximum cpu resources the container can use before the VerticalPodAutoscaler updater evicts it." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "upperBound" + - "memory" + "type": "Gauge" + "help": "Maximum memory resources the container can use before the VerticalPodAutoscaler updater evicts it." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "target" + - "cpu" + "type": "Gauge" + "help": "Target cpu resources the VerticalPodAutoscaler recommends for the container." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_target_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "target" + - "memory" + "type": "Gauge" + "help": "Target memory resources the VerticalPodAutoscaler recommends for the container." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_target_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "uncappedTarget" + - "cpu" + "type": "Gauge" + "help": "Target cpu resources the VerticalPodAutoscaler recommends for the container ignoring bounds." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "uncappedTarget" + - "memory" + "type": "Gauge" + "help": "Target memory resources the VerticalPodAutoscaler recommends for the container ignoring bounds." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "minAllowed" + - "cpu" + "type": "Gauge" + "help": "Minimum cpu resources the VerticalPodAutoscaler can set for containers matching the name." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_minallowed_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "minAllowed" + - "memory" + "type": "Gauge" + "help": "Minimum memory resources the VerticalPodAutoscaler can set for containers matching the name." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_minallowed_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "maxAllowed" + - "cpu" + "type": "Gauge" + "help": "Minimum cpu resources the VerticalPodAutoscaler can set for containers matching the name." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_maxallowed_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "maxAllowed" + - "memory" + "type": "Gauge" + "help": "Minimum memory resources the VerticalPodAutoscaler can set for containers matching the name." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_maxallowed_memory" + - "groupVersionKind": + "group": "gateway.networking.k8s.io" + "kind": "GatewayClass" + "version": "v1" + "metrics": + - "each": + "info": + "labelsFromPath": + "accepted": + - "status" + - "conditions" + - "[type=Accepted]" + - "status" + "controller": + - "spec" + - "controllerName" + "gateway_class": + - "metadata" + - "name" + "type": "Info" + "help": "Information about GatewayClasses" + "name": "gateway_class_info" + - "groupVersionKind": + "group": "gateway.networking.k8s.io" + "kind": "Gateway" + "version": "v1" + "metrics": + - "each": + "info": + "labelsFromPath": + "gateway": + - "metadata" + - "name" + "gateway_class": + - "spec" + - "gatewayClassName" + "namespace": + - "metadata" + - "namespace" + "programmed": + - "status" + - "conditions" + - "[type=Programmed]" + - "status" + "type": "Info" + "help": "Information about 
Gateways"
+ "name": "gateway_info"
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: kube-state-metrics-custom-resource-state-configmap
+ namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
new file mode 100644
index 0000000000..1cae041683
--- /dev/null
+++ b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: kube-state-metrics-kube-rbac-proxy-config
+ namespace: openshift-monitoring
+stringData:
+ config.yaml: |-
+ "authorization":
+ "static":
+ - "path": "/metrics"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
+type: Opaque
diff --git a/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml b/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml
deleted file mode 100644
index 301822f5fe..0000000000
--- a/assets/optional/kube-state-metrics/03-clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kube-state-metrics
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kube-state-metrics
-subjects:
- - kind: ServiceAccount
- name: kube-state-metrics
- namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/03-deployment.yaml b/assets/optional/kube-state-metrics/03-deployment.yaml
new file mode 100644
index 0000000000..f0cee6f54a
--- /dev/null
+++ b/assets/optional/kube-state-metrics/03-deployment.yaml
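Review bot: The static authorizer in `config.yaml` pre-authorizes only `system:serviceaccount:openshift-monitoring:prometheus-k8s` for `get` on `/metrics`, and nothing on this page ships that service account, so on MicroShift every scraper will presumably fall through to a delegated SubjectAccessReview and must hold RBAC for the `/metrics` non-resource URL (the ClusterRole's `tokenreviews`/`subjectaccessreviews` `create` rules cover the proxy's side of that). Which identity is expected to scrape kube-state-metrics on MicroShift should be stated next to the file, e.g. an `ignore:` entry in assets_metrics.yaml such as `"prometheus-k8s is the CMO scraper and is not shipped by MicroShift; other scrapers need get on nonResourceURL /metrics"`, or the static entry could be replaced with the MicroShift scraper's identity if one is defined. The policy is carried in `stringData` with an empty `data: {}`, which matches the CMO source; it is not sensitive, so this is fine as long as the auto-rebase tooling does not expect base64 `data`.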
@@ -0,0 +1,143 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+ namespace: openshift-monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: kube-state-metrics
+ openshift.io/required-scc: restricted-v2
+ target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --host=127.0.0.1
+ - --port=8081
+ - --telemetry-host=127.0.0.1
+ - --telemetry-port=8082
+ - --custom-resource-state-config-file=/etc/kube-state-metrics/custom-resource-state-configmap.yaml
+ - |
+ --metric-denylist=
+ ^kube_secret_labels$,
+ ^kube_.+_annotations$,
+ ^kube_customresource_.+_annotations_info$,
+ ^kube_customresource_.+_labels_info$
+ - --metric-labels-allowlist=pods=[*],nodes=[*],namespaces=[*],persistentvolumes=[*],persistentvolumeclaims=[*],poddisruptionbudgets=[*]
+ - |
+ --metric-denylist=
+ ^kube_.+_created$,
+ ^kube_.+_metadata_resource_version$,
+ ^kube_replicaset_metadata_generation$,
+ ^kube_replicaset_status_observed_generation$,
+ ^kube_pod_restart_policy$,
+ ^kube_pod_init_container_status_terminated$,
+ ^kube_pod_init_container_status_running$,
+ ^kube_pod_container_status_terminated$,
+ ^kube_pod_container_status_running$,
+ ^kube_pod_completion_time$,
+ ^kube_pod_status_scheduled$
+ image: quay.io/openshift/kube-state-metrics
+ name: kube-state-metrics
+ resources:
+ requests:
+ cpu: 2m
+ memory: 80Mi
+ securityContext: {}
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp
+ name: volume-directive-shadow
+ readOnly: false
+ - mountPath: /etc/kube-state-metrics
+ name: kube-state-metrics-custom-resource-state-configmap
+ readOnly: true
+ - args:
+ - --secure-listen-address=:8443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8081/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --config-file=/etc/kube-rbac-policy/config.yaml
+ image: quay.io/openshift/kube-rbac-proxy
+ name: kube-rbac-proxy-main
+ ports:
+ - containerPort: 8443
+ name: https-main
+ resources:
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext: {}
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: kube-state-metrics-tls
+ readOnly: false
+ - mountPath: /etc/kube-rbac-policy
+ name: kube-state-metrics-kube-rbac-proxy-config
+ readOnly: true
+ - args:
+ - --secure-listen-address=:9443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8082/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --config-file=/etc/kube-rbac-policy/config.yaml
+ image: quay.io/openshift/kube-rbac-proxy
+ name: kube-rbac-proxy-self
+ ports:
+ - containerPort: 9443
+ name: https-self
+ resources:
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext: {}
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: kube-state-metrics-tls
+ readOnly: false
+ - mountPath: /etc/kube-rbac-policy
+ name: kube-state-metrics-kube-rbac-proxy-config
+ readOnly: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ securityContext: {}
+ serviceAccountName: kube-state-metrics
+ volumes:
+ - emptyDir: {}
+ name: volume-directive-shadow
+ - name: kube-state-metrics-tls
+ secret:
+ secretName: kube-state-metrics-tls
+ - name: kube-state-metrics-kube-rbac-proxy-config
+ secret:
+ secretName: kube-state-metrics-kube-rbac-proxy-config
+ - configMap:
+ name: kube-state-metrics-custom-resource-state-configmap
+ name: kube-state-metrics-custom-resource-state-configmap
diff --git a/assets/optional/kube-state-metrics/04-deployment.yaml b/assets/optional/kube-state-metrics/04-deployment.yaml
deleted file mode 100644
index 998d579667..0000000000
--- a/assets/optional/kube-state-metrics/04-deployment.yaml
+++ /dev/null
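Review bot: The rewritten deployment replaces the per-container `securityContext` that the deleted 04-deployment.yaml carried (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) with `securityContext: {}` in all three containers, mounts the serving-cert secret `kube-state-metrics-tls` with `readOnly: false` in both kube-rbac-proxy containers, and drops `--tls-min-version=VersionTLS12` from the proxy args. The `openshift.io/required-scc: restricted-v2` annotation presumably reinstates non-root and no-privilege-escalation at admission, but a read-only root filesystem is not something the SCC sets, and the proxy has no reason to write to the directory holding its private key. Suggest restoring the explicit context on each container and `readOnly: true` on the `/etc/tls/private` mounts, shown below for `kube-rbac-proxy-main` and to be repeated for `kube-state-metrics` and `kube-rbac-proxy-self`; I cannot confirm from this page whether kube-rbac-proxy's default minimum TLS version already equals VersionTLS12, so re-adding the flag is the conservative choice. The untagged `quay.io/openshift/kube-state-metrics` and `kube-rbac-proxy` image references are described as placeholders in assets_metrics.yaml, so I assume they are substituted at build time; a comment on the `image:` lines saying so would stop the next reader from flagging them.
```yaml
      - args:
        # … unchanged: kube-rbac-proxy-main listen/cipher/upstream/cert args …
        - --tls-min-version=VersionTLS12
        - --config-file=/etc/kube-rbac-policy/config.yaml
        image: quay.io/openshift/kube-rbac-proxy
        name: kube-rbac-proxy-main
        # … unchanged: ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /etc/tls/private
          name: kube-state-metrics-tls
          readOnly: true
        # … unchanged: kube-rbac-policy mount …
```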
@@ -1,111 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kube-state-metrics - namespace: openshift-monitoring - labels: - app.kubernetes.io/name: kube-state-metrics -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: kube-state-metrics - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: kube-state-metrics - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 - spec: - serviceAccountName: kube-state-metrics - priorityClassName: system-cluster-critical - containers: - - name: kube-state-metrics - image: quay.io/openshift/kube-state-metrics:latest - imagePullPolicy: IfNotPresent - args: - - --host=127.0.0.1 - - --port=8081 - - --telemetry-host=127.0.0.1 - - --telemetry-port=8082 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - - name: kube-rbac-proxy-main - image: quay.io/openshift/kube-rbac-proxy:latest - imagePullPolicy: IfNotPresent - args: - - --secure-listen-address=:8443 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - --tls-min-version=VersionTLS12 - - --upstream=http://127.0.0.1:8081/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - ports: - - containerPort: 8443 - name: https-main - protocol: TCP - resources: - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - name: metrics-tls - mountPath: /etc/tls/private - readOnly: true - - name: tmp - mountPath: /tmp - - name: kube-rbac-proxy-self - image: quay.io/openshift/kube-rbac-proxy:latest - imagePullPolicy: IfNotPresent - args: - - 
--secure-listen-address=:9443 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - --tls-min-version=VersionTLS12 - - --upstream=http://127.0.0.1:8082/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - ports: - - containerPort: 9443 - name: https-self - protocol: TCP - resources: - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - name: metrics-tls - mountPath: /etc/tls/private - readOnly: true - - name: tmp-self - mountPath: /tmp - volumes: - - name: metrics-tls - secret: - secretName: kube-state-metrics-tls - - name: tmp - emptyDir: {} - - name: tmp-self - emptyDir: {} - nodeSelector: - kubernetes.io/os: linux - node-role.kubernetes.io/master: "" - tolerations: - - key: node-role.kubernetes.io/master - operator: Exists diff --git a/assets/optional/kube-state-metrics/04-service.yaml b/assets/optional/kube-state-metrics/04-service.yaml new file mode 100644 index 0000000000..94b982309d --- /dev/null +++ b/assets/optional/kube-state-metrics/04-service.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + openshift.io/description: |- + Expose kube-state-metrics `/metrics` endpoints within the cluster on the following ports: + * Port 8443 provides access to the Kubernetes resource metrics. This port is for internal use, and no other usage is guaranteed. + * Port 9443 provides access to the internal kube-state-metrics metrics. This port is for internal use, and no other usage is guaranteed. + service.beta.openshift.io/serving-cert-secret-name: kube-state-metrics-tls + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 2.19.0 + name: kube-state-metrics + namespace: openshift-monitoring +spec: + clusterIP: None + ports: + - name: https-main + port: 8443 + targetPort: https-main + - name: https-self + port: 9443 + targetPort: https-self + selector: + app.kubernetes.io/component: exporter + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/optional/kube-state-metrics/05-service.yaml b/assets/optional/kube-state-metrics/05-service.yaml deleted file mode 100644 index ee580822dc..0000000000 --- a/assets/optional/kube-state-metrics/05-service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kube-state-metrics - namespace: openshift-monitoring - annotations: - service.beta.openshift.io/serving-cert-secret-name: kube-state-metrics-tls - labels: - app.kubernetes.io/name: kube-state-metrics -spec: - clusterIP: None - selector: - app.kubernetes.io/name: kube-state-metrics - ports: - - name: https-main - port: 8443 - targetPort: https-main - protocol: TCP - - name: https-self - port: 9443 - targetPort: https-self - protocol: TCP 
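Review bot: The selector at the end of the new 04-service.yaml requires three labels (`app.kubernetes.io/component: exporter`, `app.kubernetes.io/name: kube-state-metrics`, `app.kubernetes.io/part-of: openshift-monitoring`) where the deleted 05-service.yaml matched on the name label alone, and the pod template of the replacement 03-deployment.yaml is not in this patch, so whether it carries all three cannot be confirmed from here. If any one is missing, the headless Service has no endpoints and the otel-collector job that keeps only `kube-state-metrics;https-main` endpoints drops to zero targets without any error being raised. A `kustomize build` check that the Deployment's template labels are a superset of this selector would catch that at build time rather than on the node. The `app.kubernetes.io/managed-by: cluster-monitoring-operator` label is also inaccurate on MicroShift, where no CMO runs; if the file is intentionally kept identical to upstream for the rebase, a short `ignore:` reason on its entry in scripts/auto-rebase/assets_metrics.yaml saying so would prevent a later "fix".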
diff --git a/assets/optional/kube-state-metrics/kustomization.yaml b/assets/optional/kube-state-metrics/kustomization.yaml index 6a4e067254..6c72cc143d 100644 --- a/assets/optional/kube-state-metrics/kustomization.yaml +++ b/assets/optional/kube-state-metrics/kustomization.yaml @@ -1,8 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 01-serviceaccount.yaml - - 02-clusterrole.yaml - - 03-clusterrolebinding.yaml - - 04-deployment.yaml - - 05-service.yaml + - 01-service-account.yaml + - 01-cluster-role.yaml + - 01-cluster-role-binding.yaml + - 02-kube-rbac-proxy-secret.yaml + - 02-custom-resource-state-configmap.yaml + - 03-deployment.yaml + - 04-service.yaml diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 9d0d08ea5d..b4cc8ec482 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -645,7 +645,10 @@ cat assets/optional/metrics-server/kustomization.x86_64.yaml >> %{buildroot}/%{_ # kube-state-metrics install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics -install -p -m644 assets/optional/kube-state-metrics/0*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +for f in assets/optional/kube-state-metrics/*.yaml; do + case "$(basename "$f")" in kustomization*|release-*) continue;; esac + install -p -m644 "$f" %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +done install -p -m644 assets/optional/kube-state-metrics/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics %ifarch %{arm} aarch64 diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml index a6bd25ad05..67e2eddc48 100644 --- a/scripts/auto-rebase/assets_metrics.yaml +++ b/scripts/auto-rebase/assets_metrics.yaml 
@@ -56,17 +56,14 @@ assets: no_clean: True src: cluster-monitoring-operator/assets/kube-state-metrics/ files: - - file: 01-serviceaccount.yaml - src: service-account.yaml - - file: 02-clusterrole.yaml - src: cluster-role.yaml - - file: 03-clusterrolebinding.yaml - src: cluster-role-binding.yaml - - file: 04-deployment.yaml - src: deployment.yaml - ignore: "MicroShift customizes replicas, strategy, image placeholders, and security context" - - file: 05-service.yaml - src: service.yaml + - file: 01-service-account.yaml + - file: 01-cluster-role.yaml + - file: 01-cluster-role-binding.yaml + - file: 02-kube-rbac-proxy-secret.yaml + - file: 02-custom-resource-state-configmap.yaml + - file: 03-deployment.yaml + ignore: "MicroShift overrides: Recreate strategy, removes metrics-client-ca, image placeholders" + - file: 04-service.yaml - file: kustomization.yaml ignore: "Provided by MicroShift" - file: kustomization.x86_64.yaml From 167876ece637ae8ac0e246994cf56db9b9b47c51 Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Wed, 3 Jun 2026 15:06:36 -0500 Subject: [PATCH 10/12] USHIFT-6951: Add numeric prefixes to node-exporter manifests Add type-grouped numeric prefixes to node-exporter manifest files: 01-RBAC/SA/SCC, 02-configmap/secret, 03-workload, 04-service. Co-Authored-By: Claude Opus 4.6 --- ...binding.yaml => 01-cluster-role-binding.yaml} | 0 .../{cluster-role.yaml => 01-cluster-role.yaml} | 0 ...yaml => 01-security-context-constraints.yaml} | 0 ...vice-account.yaml => 01-service-account.yaml} | 0 ... => 02-accelerators-collector-configmap.yaml} | 0 ...ecret.yaml => 02-kube-rbac-proxy-secret.yaml} | 0 .../{daemonset.yaml => 03-daemonset.yaml} | 0 .../{service.yaml => 04-service.yaml} | 0 assets/optional/node-exporter/kustomization.yaml | 16 ++++++++-------- scripts/auto-rebase/assets_metrics.yaml | 16 ++++++++-------- 10 files changed, 16 insertions(+), 16 deletions(-) rename assets/optional/node-exporter/{cluster-role-binding.yaml => 01-cluster-role-binding.yaml} (100%) rename assets/optional/node-exporter/{cluster-role.yaml => 01-cluster-role.yaml} (100%) rename assets/optional/node-exporter/{security-context-constraints.yaml => 01-security-context-constraints.yaml} (100%) rename assets/optional/node-exporter/{service-account.yaml => 01-service-account.yaml} (100%) rename assets/optional/node-exporter/{accelerators-collector-configmap.yaml => 02-accelerators-collector-configmap.yaml} (100%) rename assets/optional/node-exporter/{kube-rbac-proxy-secret.yaml => 02-kube-rbac-proxy-secret.yaml} (100%) rename assets/optional/node-exporter/{daemonset.yaml => 03-daemonset.yaml} (100%) rename assets/optional/node-exporter/{service.yaml => 04-service.yaml} (100%) diff --git a/assets/optional/node-exporter/cluster-role-binding.yaml b/assets/optional/node-exporter/01-cluster-role-binding.yaml similarity index 100% rename from assets/optional/node-exporter/cluster-role-binding.yaml rename to assets/optional/node-exporter/01-cluster-role-binding.yaml 
diff --git a/assets/optional/node-exporter/cluster-role.yaml b/assets/optional/node-exporter/01-cluster-role.yaml similarity index 100% rename from assets/optional/node-exporter/cluster-role.yaml rename to assets/optional/node-exporter/01-cluster-role.yaml diff --git a/assets/optional/node-exporter/security-context-constraints.yaml b/assets/optional/node-exporter/01-security-context-constraints.yaml similarity index 100% rename from assets/optional/node-exporter/security-context-constraints.yaml rename to assets/optional/node-exporter/01-security-context-constraints.yaml diff --git a/assets/optional/node-exporter/service-account.yaml b/assets/optional/node-exporter/01-service-account.yaml similarity index 100% rename from assets/optional/node-exporter/service-account.yaml rename to assets/optional/node-exporter/01-service-account.yaml diff --git a/assets/optional/node-exporter/accelerators-collector-configmap.yaml b/assets/optional/node-exporter/02-accelerators-collector-configmap.yaml similarity index 100% rename from assets/optional/node-exporter/accelerators-collector-configmap.yaml rename to assets/optional/node-exporter/02-accelerators-collector-configmap.yaml diff --git a/assets/optional/node-exporter/kube-rbac-proxy-secret.yaml b/assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml similarity index 100% rename from assets/optional/node-exporter/kube-rbac-proxy-secret.yaml rename to assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml diff --git a/assets/optional/node-exporter/daemonset.yaml b/assets/optional/node-exporter/03-daemonset.yaml similarity index 100% rename from assets/optional/node-exporter/daemonset.yaml rename to assets/optional/node-exporter/03-daemonset.yaml diff --git a/assets/optional/node-exporter/service.yaml b/assets/optional/node-exporter/04-service.yaml similarity index 100% rename from assets/optional/node-exporter/service.yaml rename to assets/optional/node-exporter/04-service.yaml 
diff --git a/assets/optional/node-exporter/kustomization.yaml b/assets/optional/node-exporter/kustomization.yaml index e85a4e8254..b26c8fd5b8 100644 --- a/assets/optional/node-exporter/kustomization.yaml +++ b/assets/optional/node-exporter/kustomization.yaml @@ -1,11 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - service-account.yaml - - cluster-role.yaml - - cluster-role-binding.yaml - - security-context-constraints.yaml - - kube-rbac-proxy-secret.yaml - - accelerators-collector-configmap.yaml - - daemonset.yaml - - service.yaml + - 01-service-account.yaml + - 01-cluster-role.yaml + - 01-cluster-role-binding.yaml + - 01-security-context-constraints.yaml + - 02-kube-rbac-proxy-secret.yaml + - 02-accelerators-collector-configmap.yaml + - 03-daemonset.yaml + - 04-service.yaml diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml index 67e2eddc48..b1aa8ad4ae 100644 --- a/scripts/auto-rebase/assets_metrics.yaml +++ b/scripts/auto-rebase/assets_metrics.yaml @@ -36,15 +36,15 @@ assets: no_clean: True src: cluster-monitoring-operator/assets/node-exporter/ files: - - file: service-account.yaml - - file: cluster-role.yaml - - file: cluster-role-binding.yaml - - file: security-context-constraints.yaml - - file: kube-rbac-proxy-secret.yaml - - file: accelerators-collector-configmap.yaml - - file: daemonset.yaml + - file: 01-service-account.yaml + - file: 01-cluster-role.yaml + - file: 01-cluster-role-binding.yaml + - file: 01-security-context-constraints.yaml + - file: 02-kube-rbac-proxy-secret.yaml + - file: 02-accelerators-collector-configmap.yaml + - file: 03-daemonset.yaml ignore: "MicroShift removes metrics-client-ca volume/mount/arg (populated by CMO at runtime)" - - file: service.yaml + - file: 04-service.yaml - file: kustomization.yaml ignore: "Provided by MicroShift" - file: kustomization.x86_64.yaml From e53c5d450289aab7c1d2f03e0b96a48e56817465 Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Wed, 3 Jun 2026 15:06:47 -0500 Subject: [PATCH 11/12] USHIFT-6951: Fix healthcheck map collision for shared-namespace metrics Multiple metrics exporters deploy to the openshift-monitoring namespace. The previous code overwrote the workloads map entry on each iteration, so only the last component's workloads were checked. Add mergeWorkloads() to append workloads from all components sharing a namespace. Co-Authored-By: Claude Opus 4.6 --- pkg/healthcheck/microshift_optional_workloads.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index f9944c971c..b7f4bea519 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -53,6 +53,16 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ }, } +// mergeWorkloads merges two NamespaceWorkloads, returning a new NamespaceWorkloads. This is helpful for cases +// where components from multiple sources are deployed to the same namespace. +func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { + return NamespaceWorkloads{ + Deployments: append(existing.Deployments, incoming.Deployments...), + DaemonSets: append(existing.DaemonSets, incoming.DaemonSets...), + StatefulSets: append(existing.StatefulSets, incoming.StatefulSets...), + } +} + // fillOptionalMicroShiftWorkloads assembles list of optional MicroShift workloads // that are both present on the filesystem and included in the configured // kustomizePaths. This ensures the healthcheck only waits for optional 
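Review bot: `append(existing.Deployments, incoming.Deployments...)` in mergeWorkloads writes into the backing array of `existing` whenever that slice has spare capacity, so the "returning a new NamespaceWorkloads" promise in the doc comment does not hold in general; it is harmless at the call site in the next hunk, where the previous map value is immediately replaced by the result, but it would bite a caller that pre-populates `workloadsToCheck` with slices it still holds elsewhere. A full slice expression forces a fresh allocation without needing the element type: `Deployments: append(existing.Deployments[:len(existing.Deployments):len(existing.Deployments)], incoming.Deployments...),` and likewise for `DaemonSets` and `StatefulSets`. The merge also does not deduplicate, which is fine as long as no component lists the same workload twice; pinning that in the doc comment, e.g. `// Entries are concatenated, not deduplicated; callers must not pass the same workload twice.`, makes the contract explicit.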
@@ -86,7 +96,7 @@ func fillOptionalMicroShiftWorkloads(workloadsToCheck map[string]NamespaceWorklo } klog.Infof("Optional component path exists and is configured: %s - expecting %v in namespace %q", path, ow.Workloads.String(), ow.Namespace) - workloadsToCheck[ow.Namespace] = ow.Workloads + workloadsToCheck[ow.Namespace] = mergeWorkloads(workloadsToCheck[ow.Namespace], ow.Workloads) } return nil } From 765807bfc0c25325ad456b7de70846ddce07dc76 Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Wed, 3 Jun 2026 15:40:41 -0500 Subject: [PATCH 12/12] USHIFT-6951: Split microshift-metrics into per-exporter RPMs Split the single microshift-metrics RPM into three independently installable packages to satisfy the USHIFT-6890 requirement that each exporter be enabled individually: - microshift-metrics-server - microshift-metrics-kube-state-metrics - microshift-metrics-node-exporter All three can be installed together with: dnf install microshift-metrics-* Split the combined otel-collector drop-in config into per-package configs so each RPM ships its own scrape configuration. Co-Authored-By: Claude Opus 4.6 --- ...microshift-metrics-kube-state-metrics.yaml | 25 ++++ .../microshift-metrics-node-exporter.yaml | 15 +++ .../otelcol.d/microshift-metrics-server.yaml | 25 ++++ .../otelcol.d/microshift-metrics.yaml | 59 ---------- packaging/rpm/microshift.spec | 110 +++++++++++------- 5 files changed, 134 insertions(+), 100 deletions(-) create mode 100644 packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml create mode 100644 packaging/observability/otelcol.d/microshift-metrics-node-exporter.yaml create mode 100644 packaging/observability/otelcol.d/microshift-metrics-server.yaml delete mode 100644 packaging/observability/otelcol.d/microshift-metrics.yaml 
diff --git a/packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml b/packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml new file mode 100644 index 0000000000..1ba74d3589 --- /dev/null +++ b/packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml @@ -0,0 +1,25 @@ +receivers: + prometheus/kube_state_metrics: + config: + scrape_configs: + - job_name: kube-state-metrics + scrape_interval: 30s + scheme: https + tls_config: + ca_file: /var/lib/microshift/certs/service-ca/ca.crt + kubernetes_sd_configs: + - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig + role: endpoints + namespaces: + names: [openshift-monitoring] + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kube-state-metrics;https-main + +service: + pipelines: + metrics/kube_state_metrics: + receivers: [prometheus/kube_state_metrics] + processors: [batch] + exporters: [otlp] diff --git a/packaging/observability/otelcol.d/microshift-metrics-node-exporter.yaml b/packaging/observability/otelcol.d/microshift-metrics-node-exporter.yaml new file mode 100644 index 0000000000..30a1ccf9e7 --- /dev/null +++ b/packaging/observability/otelcol.d/microshift-metrics-node-exporter.yaml @@ -0,0 +1,15 @@ +receivers: + prometheus/node_exporter: + config: + scrape_configs: + - job_name: node-exporter + scrape_interval: 30s + static_configs: + - targets: ["127.0.0.1:9100"] + +service: + pipelines: + metrics/node_exporter: + receivers: [prometheus/node_exporter] + processors: [batch] + exporters: [otlp] diff --git a/packaging/observability/otelcol.d/microshift-metrics-server.yaml b/packaging/observability/otelcol.d/microshift-metrics-server.yaml new file mode 100644 index 0000000000..7ac78523d0 --- /dev/null +++ b/packaging/observability/otelcol.d/microshift-metrics-server.yaml 
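Review bot: The `kube-state-metrics` scrape job configures server trust (`tls_config.ca_file`) but no client credentials for the scrape request itself — the kubeconfig under `kubernetes_sd_configs` is used only for endpoint discovery. kube-state-metrics in this series is fronted by kube-rbac-proxy (the deployment deleted earlier on this page exposed `https-main` via `--upstream=http://127.0.0.1:8081/`, and 02-kube-rbac-proxy-secret.yaml is installed by the spec), which by default rejects unauthenticated requests, so the scrape would return 401 unless the proxy is configured for anonymous access; confirm against 03-deployment.yaml, which is not in this patch. If credentials are required, add under the job an `authorization:` block with `type: Bearer` and `credentials_file:` pointing at the observability client's token (path left as a placeholder here), or `cert_file`/`key_file` in `tls_config` if the proxy is set up for client-certificate auth. The same point applies to the metrics-server drop-in in the next hunk, whose `/metrics` is served by an aggregated API server that also authenticates callers.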
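Review bot: The `node-exporter` job scrapes `127.0.0.1:9100` with no `scheme`, i.e. plain HTTP without TLS, unlike the other two drop-ins which set `scheme: https` and trust the service-ca bundle. The node-exporter manifests installed by this series include 01-security-context-constraints.yaml and 02-kube-rbac-proxy-secret.yaml, which suggests the DaemonSet fronts node-exporter with a kube-rbac-proxy sidecar serving TLS on the host port; if so this scrape fails with a protocol error, and if instead node-exporter itself listens on 9100 with no proxy, host metrics are exposed unauthenticated to every local process. Confirm against 03-daemonset.yaml (not in this patch) and either align the job with the other two (`scheme: https`, `tls_config`, credentials), or record the decision in the file: `# node-exporter is scraped over plaintext loopback only; no TLS/authn on this hop — TODO confirm against 03-daemonset.yaml`.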
@@ -0,0 +1,25 @@ +receivers: + prometheus/metrics_server: + config: + scrape_configs: + - job_name: metrics-server + scrape_interval: 30s + scheme: https + tls_config: + ca_file: /var/lib/microshift/certs/service-ca/ca.crt + kubernetes_sd_configs: + - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig + role: endpoints + namespaces: + names: [openshift-monitoring] + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: metrics-server;https + +service: + pipelines: + metrics/metrics_server: + receivers: [prometheus/metrics_server] + processors: [batch] + exporters: [otlp] diff --git a/packaging/observability/otelcol.d/microshift-metrics.yaml b/packaging/observability/otelcol.d/microshift-metrics.yaml deleted file mode 100644 index 52aef522f0..0000000000 --- a/packaging/observability/otelcol.d/microshift-metrics.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -receivers: - prometheus/node_exporter: - config: - scrape_configs: - - job_name: node-exporter - scrape_interval: 30s - static_configs: - - targets: ["127.0.0.1:9100"] - - prometheus/kube_state_metrics: - config: - scrape_configs: - - job_name: kube-state-metrics - scrape_interval: 30s - scheme: https - tls_config: - ca_file: /var/lib/microshift/certs/service-ca/ca.crt - kubernetes_sd_configs: - - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig - role: endpoints - namespaces: - names: [openshift-monitoring] - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: kube-state-metrics;https-main - - prometheus/metrics_server: - config: - scrape_configs: - - job_name: metrics-server - scrape_interval: 30s - scheme: https - tls_config: - ca_file: /var/lib/microshift/certs/service-ca/ca.crt - kubernetes_sd_configs: - - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig - role: endpoints - namespaces: - names: [openshift-monitoring] - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: metrics-server;https - -service: - pipelines: - metrics/node_exporter: - receivers: [prometheus/node_exporter] - processors: [batch] - exporters: [otlp] - metrics/kube_state_metrics: - receivers: [prometheus/kube_state_metrics] - processors: [batch] - exporters: [otlp] - metrics/metrics_server: - receivers: [prometheus/metrics_server] - processors: [batch] - exporters: [otlp] diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index b4cc8ec482..000ddec769 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec 
@@ -261,25 +261,42 @@ The microshift-cert-manager-release-info package provides release information fi release. These files contain the list of container image references used by Cert Manager and can be used to embed those images into osbuilder blueprints or bootc containerfiles. -%package metrics -Summary: Kubernetes metrics exporters for MicroShift +%package metrics-server +Summary: Kubernetes metrics-server for MicroShift ExclusiveArch: x86_64 aarch64 Requires: microshift = %{version} -%description metrics -The microshift-metrics package provides metrics-server, node-exporter, and -kube-state-metrics for MicroShift. Install this package to enable kubectl top -and expose host and cluster metrics via secure endpoints. +%description metrics-server +The microshift-metrics-server package provides the metrics-server for MicroShift. +Install this package to enable kubectl top and resource metrics via the Metrics API. -%package metrics-release-info -Summary: Release information for metrics exporters for MicroShift +%package metrics-server-release-info +Summary: Release information for metrics-server for MicroShift BuildArch: noarch Requires: microshift-release-info = %{version} -%description metrics-release-info -The microshift-metrics-release-info package provides release information files for this -release. These files contain the list of container image references used by the metrics -exporters and can be used to embed those images into osbuilder blueprints or bootc containerfiles. +%description metrics-server-release-info +The microshift-metrics-server-release-info package provides release information files for this +release. These files contain the list of container image references used by the metrics-server +and can be used to embed those images into osbuilder blueprints or bootc containerfiles. 
+ +%package metrics-kube-state-metrics +Summary: Kubernetes kube-state-metrics for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics-kube-state-metrics +The microshift-metrics-kube-state-metrics package provides kube-state-metrics for MicroShift. +Install this package to expose Kubernetes object state metrics via a secure endpoint. + +%package metrics-node-exporter +Summary: Prometheus node-exporter for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics-node-exporter +The microshift-metrics-node-exporter package provides the Prometheus node-exporter for MicroShift. +Install this package to expose host-level hardware and OS metrics. %package sriov Summary: SR-IOV Network Operator for MicroShift 
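Review bot: `%description metrics-server-release-info` now says the files list the images used by the metrics-server, but the package still ships `release-metrics-{x86_64,aarch64}.json` (see the `%files` hunk at the end of this patch) — a name from when a single RPM covered all three exporters — and no release-info subpackage is defined for kube-state-metrics or node-exporter. If that JSON still lists the kube-state-metrics and node-exporter images, the description is inaccurate and a user who installs only `microshift-metrics-node-exporter` gets no image list for bootc/osbuilder embedding; either split the JSON per exporter with matching `-release-info` subpackages, or name and describe the single package for what it actually holds. Separately, dropping the `metrics` and `metrics-release-info` subpackages needs `Obsoletes: microshift-metrics < %{version}` (and the same for the release-info package) only if a build shipping them was ever published; if this series is the only place they existed, no Obsoletes is required, and a one-line comment above `%package metrics-server` saying so would save the next reader the check.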
@@ -623,15 +640,15 @@ install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch # metrics-server install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server install -p -m644 assets/optional/metrics-server/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/cluster-role-binding-auth-delegator.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/role-binding-auth-reader.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/configmap-audit-profiles.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server -install -p -m644 assets/optional/metrics-server/api-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role.yaml 
%{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-role-binding-auth-reader.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/02-configmap-audit-profiles.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/03-deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-api-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server install -p -m644 assets/optional/metrics-server/network-policy-downstream.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server install -p -m644 assets/optional/metrics-server/pod-disruption-budget.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server install -p -m644 assets/optional/metrics-server/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server 
@@ -645,10 +662,13 @@ cat assets/optional/metrics-server/kustomization.x86_64.yaml >> %{buildroot}/%{_ # kube-state-metrics install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics -for f in assets/optional/kube-state-metrics/*.yaml; do - case "$(basename "$f")" in kustomization*|release-*) continue;; esac - install -p -m644 "$f" %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics -done +install -p -m644 assets/optional/kube-state-metrics/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/01-cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/03-deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics install -p -m644 assets/optional/kube-state-metrics/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics %ifarch %{arm} aarch64 
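Review bot: The explicit install list for 081-microshift-kube-state-metrics duplicates the `resources:` list of assets/optional/kube-state-metrics/kustomization.yaml, and the two can drift silently: a resource named in kustomization.yaml but missing here only fails when kustomize runs on the node, while a file installed here but absent from kustomization.yaml is dead weight in the RPM. A cheap build-time guard after the installs is to diff the two lists, e.g. `diff <(sed -n 's/^ *- \(.*\.yaml\)$/\1/p' assets/optional/kube-state-metrics/kustomization.yaml | sort) <(ls %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/ | grep -v '^kustomization' | sort)` (assumes a bash %install shell). The metrics-server and node-exporter install blocks in the neighbouring hunks have the same exposure.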
@@ -660,14 +680,14 @@ cat assets/optional/kube-state-metrics/kustomization.x86_64.yaml >> %{buildroot} # node-exporter install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/security-context-constraints.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/kube-rbac-proxy-secret.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/accelerators-collector-configmap.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/daemonset.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter -install -p -m644 assets/optional/node-exporter/service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/01-cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/01-security-context-constraints.yaml 
%{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/02-accelerators-collector-configmap.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/03-daemonset.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter +install -p -m644 assets/optional/node-exporter/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter install -p -m644 assets/optional/node-exporter/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter %ifarch %{arm} aarch64 
@@ -677,11 +697,13 @@ cat assets/optional/node-exporter/kustomization.aarch64.yaml >> %{buildroot}/%{_ cat assets/optional/node-exporter/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/kustomization.yaml %endif -# otel-collector drop-in for metrics exporters +# otel-collector drop-ins for metrics exporters install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d -install -p -m644 packaging/observability/otelcol.d/microshift-metrics.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ +install -p -m644 packaging/observability/otelcol.d/microshift-metrics-server.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ +install -p -m644 packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ +install -p -m644 packaging/observability/otelcol.d/microshift-metrics-node-exporter.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ -# metrics-release-info +# metrics-server-release-info mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/metrics-server/release-metrics-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ 
@@ -889,17 +911,23 @@ fi %files cert-manager-release-info %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json -%files metrics +%files metrics-server %dir %{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server %{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/* +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-server.yaml + +%files metrics-server-release-info +%{_datadir}/microshift/release/release-metrics-{x86_64,aarch64}.json + +%files metrics-kube-state-metrics %dir %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/* +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml + +%files metrics-node-exporter %dir %{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter %{_prefix}/lib/microshift/manifests.d/082-microshift-node-exporter/* -%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics.yaml - -%files metrics-release-info -%{_datadir}/microshift/release/release-metrics-{x86_64,aarch64}.json +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-node-exporter.yaml %files sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov