From a3cf876c2af5be00d3c55b2f3dcb0e5d8d48ca0e Mon Sep 17 00:00:00 2001 From: Camil Blanaru Date: Thu, 15 Jun 2017 17:16:35 +0200 Subject: [PATCH] Add RBAC config for "kube-state-metrics". Make EC2 monitoring optional. (#13) * Fix RBAC for "kube-state-metrics".Make EC2 monitoring optional. --- cleanup.sh | 11 +--- init.sh | 61 ++++++++++++------- .../{deployment.yml => deployment.yaml} | 1 + .../03-kube-state-metrics-rbac-config.yaml | 41 +++++++++++++ remove.sh | 1 + 5 files changed, 84 insertions(+), 31 deletions(-) rename k8s/kube-state-metrics/{deployment.yml => deployment.yaml} (94%) create mode 100644 k8s/rbac/03-kube-state-metrics-rbac-config.yaml
diff --git a/cleanup.sh b/cleanup.sh
index 5c82dc7..bb63ae6 100755
--- a/cleanup.sh
+++ b/cleanup.sh
@@ -1,10 +1,3 @@
-git checkout k8s/ingress/01-basic-auth.secret.yaml
-git checkout k8s/ingress/03-prometheus.ing.yaml
-git checkout k8s/prometheus/01-prometheus.configmap.yaml
-git checkout k8s/prometheus/02-prometheus.svc.statefulset.yaml
-git checkout k8s/prometheus/03-alertmanager.configmap.yaml
-git checkout k8s/prometheus/04-alertmanager.svc.deployment.yaml
-git checkout k8s/prometheus/05-node-exporter.svc.daemonset.yaml
-git checkout k8s/grafana/grafana.svc.deployment.yaml
-git checkout grafana/Dockerfile
+git checkout k8s/*
+git checkout grafana/*
 rm auth
diff --git a/init.sh b/init.sh
index 2730dfb..719b4ff 100755
--- a/init.sh
+++ b/init.sh
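Review bot: `git checkout k8s/*` and `git checkout grafana/*` hand git a shell-expanded glob, which skips dotfiles and lets any expanded entry be parsed as an option or ref instead of a path; pass the directories as pathspecs after `--` instead: `git checkout -- k8s grafana`. A checkout also restores tracked files only, so if BSD sed left `*.yaml-e` backups under k8s/prometheus (init.sh visibly removes those only under k8s/ingress and k8s/kube-state-metrics), the copy holding the substituted AWS secret key survives cleanup; an explicit `rm -f -- k8s/prometheus/*.yaml-e` here would close that. The following `rm auth` has the same option-parsing exposure and errors on a second run; `rm -f -- auth` keeps cleanup idempotent.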
@@ -89,34 +89,48 @@ if [[ $use_slack =~ ^([yY][eE][sS]|[yY])$ ]]; then sed -i -e 's/your_slack_channel/'"$slack_channel"'/g' k8s/prometheus/03-alertmanager.configmap.yaml fi -#try to figure out AWS credentials for EC2 monitoring, if not...ask. + +#Do you want to monitor EC2 instances in your AWS account? echo -echo -e "${BLUE}Detecting AWS access keys." +echo -e "${BLUE}Do you want to monitor EC2 instances in your AWS account?" tput sgr0 -if [ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_KEY ]; then - aws_access_key=$AWS_ACCESS_KEY_ID - aws_secret_key=$AWS_SECRET_ACCESS_KEY - echo -e "${ORANGE}AWS_ACCESS_KEY_ID found, using $aws_access_key." - tput sgr0 -elif [ ! -z $AWS_ACCESS_KEY ] && [ ! -z $AWS_SECRET_KEY ]; then - aws_access_key=$AWS_ACCESS_KEY - aws_secret_key=$AWS_SECRET_KEY - echo -e "${ORANGE}AWS_ACCESS_KEY found, using $aws_access_key." +read -p "Y/N [N]: " monitor_aws + +#if so, fill out this form... +if [[ $monitor_aws =~ ^([yY][eE][sS]|[yY])$ ]]; then + + #try to figure out AWS credentials for EC2 monitoring, if not...ask. + echo + echo -e "${BLUE}Detecting AWS access keys." tput sgr0 + if [ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_KEY ]; then + aws_access_key=$AWS_ACCESS_KEY_ID + aws_secret_key=$AWS_SECRET_ACCESS_KEY + echo -e "${ORANGE}AWS_ACCESS_KEY_ID found, using $aws_access_key." + tput sgr0 + elif [ ! -z $AWS_ACCESS_KEY ] && [ ! -z $AWS_SECRET_KEY ]; then + aws_access_key=$AWS_ACCESS_KEY + aws_secret_key=$AWS_SECRET_KEY + echo -e "${ORANGE}AWS_ACCESS_KEY found, using $aws_access_key." + tput sgr0 + else + echo -e "${RED}Unable to determine AWS credetials from environment variables." + tput sgr0 + #aws access key + read -p "AWS Access Key ID: " aws_access_key + #aws secret access key + read -p "AWS Secret Access Key: " aws_secret_key + fi + + #sed in the AWS credentials. 
this looks odd because aws secret access keys can have '/' as a valid character + #so we use ',' as a delimiter for sed, since that won't appear in the secret key + sed -i -e 's/aws_access_key/'"$aws_access_key"'/g' k8s/prometheus/01-prometheus.configmap.yaml + sed -i -e 's,aws_secret_key,'"$aws_secret_key"',g' k8s/prometheus/01-prometheus.configmap.yaml + else - echo -e "${RED}Unable to determine AWS credetials from environment variables." - tput sgr0 - #aws access key - read -p "AWS Access Key ID: " aws_access_key - #aws secret access key - read -p "AWS Secret Access Key: " aws_secret_key + rm grafana/grafana-dashboards/ec2-instances.json fi -#sed in the AWS credentials. this looks odd because aws secret access keys can have '/' as a valid character -#so we use ',' as a delimiter for sed, since that won't appear in the secret key -sed -i -e 's/aws_access_key/'"$aws_access_key"'/g' k8s/prometheus/01-prometheus.configmap.yaml -sed -i -e 's,aws_secret_key,'"$aws_secret_key"',g' k8s/prometheus/01-prometheus.configmap.yaml - echo echo -e "${BLUE}Creating ${ORANGE}'monitoring' ${BLUE}namespace." tput sgr0
@@ -130,7 +144,9 @@ read -p "[y/N]: " response
 if [[ $response =~ ^([yY][eE][sS]|[yY])$ ]]
 then
 kubectl create -f ./k8s/rbac/01-prometheus-rbac-config.yaml
+ kubectl create -f ./k8s/rbac/03-kube-state-metrics-rbac-config.yaml
 sed -i -e 's/default/'prometheus'/g' k8s/prometheus/02-prometheus.svc.statefulset.yaml
+ sed -i -e 's/default/'kube-state-metrics'/g' k8s/kube-state-metrics/deployment.yaml
 else
 echo -e "${GREEN}Skipping RBAC configuration"
 fi
@@ -304,6 +320,7 @@ else fi #remove "sed" generated files rm k8s/ingress/*.yaml-e + rm k8s/kube-state-metrics/*.yaml-e fi
diff --git a/k8s/kube-state-metrics/deployment.yml b/k8s/kube-state-metrics/deployment.yaml
similarity index 94%
rename from k8s/kube-state-metrics/deployment.yml
rename to k8s/kube-state-metrics/deployment.yaml
index 0d4b591..0c351cf 100644
--- a/k8s/kube-state-metrics/deployment.yml
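Review bot: `read -p "AWS Secret Access Key: " aws_secret_key` echoes the secret to the terminal, scrollback and any session recording; read it silently with `read -rs -p "AWS Secret Access Key: " aws_secret_key; echo` (the other `read -p` prompts want `-r` as well). The value is then passed through `sed -i -e 's,aws_secret_key,'"$aws_secret_key"',g'`, which exposes it on a command line visible in `ps` for the duration of the call, leaves it in a `*.yaml-e` backup wherever BSD sed runs, and, judging by the target file name, lands it in a ConfigMap rather than a Secret, so anyone who can read configmaps in the namespace can read the credential; an instance role or a Secret object would avoid both. A value typed at the prompt is also interpolated unescaped into the sed expression, so a `&` or `\` in it would be interpreted by sed rather than written literally. The guards `[ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_KEY ]` leave the expansions unquoted and should read `[[ -n "$AWS_ACCESS_KEY_ID" && -n "$AWS_SECRET_ACCESS_KEY" ]]`, likewise for the `AWS_ACCESS_KEY` pair. In the `else` branch `rm grafana/grafana-dashboards/ec2-instances.json` errors once the dashboard is already gone (a re-run); `rm -f -- grafana/grafana-dashboards/ec2-instances.json` keeps it idempotent.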
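Review bot: `sed -i -e 's/default/'kube-state-metrics'/g' k8s/kube-state-metrics/deployment.yaml` rewrites every occurrence of the word `default` in that file, not only the `serviceAccountName: default` line this commit adds as its anchor, so any other `default` (a namespace field or label value, for instance) would be renamed silently. Match the whole key instead: `sed -i -e 's/serviceAccountName: default/serviceAccountName: kube-state-metrics/' k8s/kube-state-metrics/deployment.yaml`. The preceding line for the Prometheus statefulset has the same shape and the same exposure.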
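Review bot: `rm k8s/kube-state-metrics/*.yaml-e` reports an error whenever no backup exists, which is the normal case with GNU sed: only BSD sed treats the `-e` after `-i` as a backup suffix, so on Linux the glob stays literal and rm fails on a file that was never created. Use `rm -f -- k8s/kube-state-metrics/*.yaml-e`, and the existing line for k8s/ingress wants the same. The enclosing if/else block starts before this hunk.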
+++ b/k8s/kube-state-metrics/deployment.yaml
@@ -11,6 +11,7 @@ spec:
 app: kube-state-metrics
 version: "v0.5.0"
 spec:
+ serviceAccountName: default
 containers:
 - name: kube-state-metrics
 image: gcr.io/google_containers/kube-state-metrics:v0.5.0
diff --git a/k8s/rbac/03-kube-state-metrics-rbac-config.yaml b/k8s/rbac/03-kube-state-metrics-rbac-config.yaml
new file mode 100644
index 0000000..9660fd5
--- /dev/null
+++ b/k8s/rbac/03-kube-state-metrics-rbac-config.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-state-metrics
+ namespace: monitoring
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kube-state-metrics
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - pods
+ - services
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ verbs: ["list", "watch"]
+- apiGroups: ["extensions"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs: ["list", "watch"]
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: monitoring
diff --git a/remove.sh b/remove.sh
index 29d030a..e68dfb3 100755
--- a/remove.sh
+++ b/remove.sh
@@ -4,6 +4,7 @@ kubectl delete -f ./k8s/grafana kubectl delete -R -f ./k8s/prometheus kubectl delete -f ./k8s/kube-state-metrics kubectl delete -f ./k8s/rbac/01-prometheus-rbac-config.yaml +kubectl delete -f ./k8s/rbac/03-kube-state-metrics-rbac-config.yaml #Remove the Nginx Ingress Controller echo
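Review bot: `serviceAccountName: default` exists only as a substitution anchor for init.sh, but nothing in the manifest says so, and since `default` is what a pod gets without the field a reader would reasonably delete it as redundant. Annotate it: `serviceAccountName: default  # placeholder: init.sh rewrites this to kube-state-metrics when RBAC is enabled`. Note that if the RBAC step is declined the pod keeps the default account, and on a cluster with RBAC enforced the exporter's cluster-wide list/watch calls would then presumably fail at runtime rather than at deploy time.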
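Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the ClusterRole and ClusterRoleBinding is the beta RBAC API; `rbac.authorization.k8s.io/v1` has the same schema for these objects and v1beta1 was removed from the API server in Kubernetes 1.22, so the manifest stops applying on current clusters. The grant itself is read-only (`list`, `watch`) and leaves out secrets and configmaps, which is the appropriate scope for an exporter, and the ClusterRoleBinding binds it cluster-wide to the `monitoring/kube-state-metrics` service account. A leading document comment would help the next reader, e.g. `# RBAC for kube-state-metrics: read-only list/watch on workload and quota objects, bound cluster-wide; created by init.sh only when RBAC is enabled`.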