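---
# Argo CD ApplicationSet that deploys the prometheus-pushgateway Helm chart
# into the `prometheus` namespace of the local cluster. Two hostnames
# (vouch_hostname, prometheus_push_gateway_hostname) are supplied by the
# plugin generator and interpolated into the Helm values below by Go
# templating, so everything inside `values: |` is template text first and
# YAML second.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: prometheus-pushgateway-app-set
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "3"
spec:
  # use go templating with our generator
  goTemplate: true
  # NOTE(review): consider `goTemplateOptions: ["missingkey=error"]` so that a
  # parameter the generator fails to return stops the render instead of
  # producing a placeholder string inside the auth URLs and ingress hosts.
  # Confirm the installed Argo CD version supports the field before enabling.
  # generator allows us to source specific values from an external secret
  generators:
    - plugin:
        configMapRef:
          name: secret-var-plugin-generator
        input:
          parameters:
            secret_vars:
              - vouch_hostname
              - prometheus_push_gateway_hostname
  template:
    metadata:
      name: prometheus-pushgateway
      annotations:
        argocd.argoproj.io/sync-wave: "3"
    spec:
      project: prometheus
      syncPolicy:
        syncOptions:
          - ApplyOutOfSyncOnly=true
          - Retry=true
        automated:
          selfHeal: true
      destination:
        server: https://kubernetes.default.svc
        namespace: prometheus
      source:
        repoURL: https://prometheus-community.github.io/helm-charts
        chart: prometheus-pushgateway
        # quoted so the chart version can never be re-typed by a YAML parser
        targetRevision: "2.16.0"
        helm:
          releaseName: push-gateway
          values: |
            # Provide a name to substitute for the full names of resources
            fullnameOverride: "push-gateway"

            image:
              repository: quay.io/prometheus/pushgateway
              # if not set appVersion field from Chart.yaml is used
              tag: ""
              pullPolicy: IfNotPresent

            # Optional pod imagePullSecrets
            imagePullSecrets: []

            service:
              type: ClusterIP
              port: 9091
              targetPort: 9091
              # nodePort: 32100

              # Optional - Can be used for headless if value is "None"
              clusterIP: ""

              loadBalancerIP: ""
              loadBalancerSourceRanges: []

            # Optional pod annotations
            podAnnotations: {}

            # Optional pod labels
            podLabels: {}

            # Optional service annotations
            serviceAnnotations: {}

            # Optional service labels
            serviceLabels: {}

            # Optional serviceAccount labels
            serviceAccountLabels: {}

            # Optional persistentVolume labels
            persistentVolumeLabels: {}

            # Optional additional environment variables
            extraVars: []

            ## Additional pushgateway container arguments
            ##
            ## example:
            ## extraArgs:
            ##  - --persistence.file=/data/pushgateway.data
            ##  - --persistence.interval=5m
            # NOTE(review): persistentVolume.enabled is true further down but no
            # --persistence.file argument is passed here; confirm whether the
            # chart sets it on its own, otherwise the volume is mounted and
            # never written to.
            extraArgs: []

            ## Additional InitContainers to initialize the pod
            ##
            extraInitContainers: []

            # Optional additional containers (sidecar)
            extraContainers: []
              # - name: oAuth2-proxy
              #   args:
              #   - -https-address=:9092
              #   - -upstream=http://localhost:9091
              #   - -skip-auth-regex=^/metrics
              #   - -openshift-delegate-urls={"/":{"group":"prometheus.coreos.com","resource":"prometheuses","verb":"get"}}
              #   image: openshift/oauth-proxy:v1.1.0
              #   ports:
              #       - containerPort: 9092
              #         name: proxy
              #   resources:
              #       limits:
              #         memory: 16Mi
              #       requests:
              #         memory: 4Mi
              #         cpu: 20m
              #   volumeMounts:
              #     - mountPath: /etc/prometheus/secrets/pushgateway-tls
              #       name: secret-pushgateway-tls

            resources: {}
              # We usually recommend not to specify default resources and to leave this as a conscious
              # choice for the user. This also increases chances charts run on environments with little
              # resources, such as Minikube. If you do want to specify resources, uncomment the following
              # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
              # limits:
              #   cpu: 200m
              #   memory: 50Mi
              # requests:
              #   cpu: 100m
              #   memory: 30Mi

            liveness:
              enabled: true
              probe:
                httpGet:
                  path: /-/healthy
                  port: 9091
                initialDelaySeconds: 10
                timeoutSeconds: 10

            readiness:
              enabled: true
              probe:
                httpGet:
                  path: /-/ready
                  port: 9091
                initialDelaySeconds: 10
                timeoutSeconds: 10

            serviceAccount:
              # Specifies whether a ServiceAccount should be created
              create: true
              # The name of the ServiceAccount to use.
              # If not set and create is true, a name is generated using the fullname template
              name:

            ## Configure ingress resource that allow you to access the
            ## pushgateway installation. Set up the URL
            ## ref: http://kubernetes.io/docs/user-guide/ingress/
            ##
            ingress:
              ## Enable Ingress.
              ##
              enabled: true
              # AWS ALB requires path of /*
              className: "nginx"
              path: /
              pathType: ImplementationSpecific

              ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
              extraPaths: []
              # - path: /*
              #   backend:
              #     serviceName: ssl-redirect
              #     servicePort: use-annotation

              ## Annotations.
              ##
              # The auth-url / auth-signin pair sends every request arriving
              # through this Ingress to the Vouch instance at vouch_hostname
              # for validation, redirecting to its login page on failure.
              # NOTE(review): this is the only authentication configured in
              # this file. It covers the Ingress path only; see the note on
              # networkPolicy for in-cluster access to the Service.
              # NOTE(review): auth-snippet is a snippet annotation. It only
              # takes effect if the ingress-nginx controller allows snippet
              # annotations, and allowing them lets anyone who can create or
              # edit Ingress objects add nginx configuration - confirm the
              # controller setting and who holds that RBAC permission.
              annotations:
                kubernetes.io/tls-acme: 'true'
                cert-manager.io/cluster-issuer: "letsencrypt-prod"
                nginx.ingress.kubernetes.io/auth-signin: "https://{{ .vouch_hostname }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
                # templated value quoted so an empty or odd expansion stays a string
                nginx.ingress.kubernetes.io/auth-url: "https://{{ .vouch_hostname }}/validate"
                nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
                nginx.ingress.kubernetes.io/auth-snippet: |
                  auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
                  auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
                  auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

              hosts:
                - "{{ .prometheus_push_gateway_hostname }}"

              tls:
                - secretName: pushgateway-tls
                  hosts:
                    - "{{ .prometheus_push_gateway_hostname }}"

            tolerations: []
              # - effect: NoSchedule
              #   operator: Exists

            ## Node labels for pushgateway pod assignment
            ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
            ##
            nodeSelector: {}

            replicaCount: 1

            ## When running more than one replica alongside with persistence, different volumes are needed
            ## per replica, since sharing a `persistence.file` across replicas does not keep metrics synced.
            ## For this purpose, you can enable the `runAsStatefulSet` to deploy the pushgateway as a
            ## StatefulSet instead of as a Deployment.
            runAsStatefulSet: false

            ## Security context to be added to push-gateway pods
            ##
            securityContext:
              fsGroup: 65534
              runAsUser: 65534
              runAsNonRoot: true

            ## Security context to be added to push-gateway containers
            ## Having a separate variable as securityContext differs for pods and containers.
            # NOTE(review): left empty, so no container-level restrictions are
            # set. The commented lines below are the obvious hardening;
            # verify the pod still starts with a read-only root filesystem
            # before enabling that one.
            containerSecurityContext: {}
            #  allowPrivilegeEscalation: false
            #  readOnlyRootFilesystem: true
            #  runAsUser: 65534
            #  runAsNonRoot: true

            ## Affinity for pod assignment
            ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
            affinity: {}

            ## Topology spread constraints for pods
            ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
            topologySpreadConstraints: []

            # Enable this if you're using https://github.com/coreos/prometheus-operator
            serviceMonitor:
              enabled: true
              namespace: prometheus

              # telemetryPath: HTTP resource path from which to fetch metrics.
              # Telemetry path, default /metrics, has to be prefixed accordingly if pushgateway sets a route prefix at start-up.
              #
              telemetryPath: "/metrics"

              # Fallback to the prometheus default unless specified
              # interval: 10s

              ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
              # scheme: ""

              ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
              ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
              # tlsConfig: {}

              # bearerTokenFile:
              # Fallback to the prometheus default unless specified
              # scrapeTimeout: 30s

              ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
              ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
              additionalLabels: {}

              # Retain the job and instance labels of the metrics pushed to the Pushgateway
              # [Scraping Pushgateway](https://github.com/prometheus/pushgateway#configure-the-pushgateway-as-a-target-to-scrape)
              # NOTE(review): with honorLabels the job/instance labels chosen
              # by the pusher are kept as-is, so whoever can reach the push
              # endpoint decides which job and instance a series appears
              # under. Restricting who can push (see networkPolicy) is what
              # keeps those labels trustworthy.
              honorLabels: true

              ## Metric relabel configs to apply to samples before ingestion.
              ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
              metricRelabelings: []
              # - action: keep
              #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
              #   sourceLabels: [__name__]

              ## Relabel configs to apply to samples before ingestion.
              ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
              relabelings: []
              # - sourceLabels: [__meta_kubernetes_pod_node_name]
              #   separator: ;
              #   regex: ^(.*)$
              #   targetLabel: nodename
              #   replacement: $1
              #   action: replace

            # The values to set in the PodDisruptionBudget spec (minAvailable/maxUnavailable)
            # If not set then a PodDisruptionBudget will not be created
            podDisruptionBudget: {}

            priorityClassName:

            # Deployment Strategy type
            strategy:
              type: Recreate

            persistentVolume:
              ## If true, pushgateway will create/use a Persistent Volume Claim
              ## If false, use emptyDir
              ##
              enabled: true

              ## pushgateway data Persistent Volume access modes
              ## Must match those of existing PV or dynamic provisioner
              ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
              ##
              accessModes:
                - ReadWriteOnce

              ## pushgateway data Persistent Volume Claim annotations
              ##
              annotations: {}

              ## pushgateway data Persistent Volume existing claim name
              ## Requires pushgateway.persistentVolume.enabled: true
              ## If defined, PVC must be created manually before volume will be bound
              existingClaim: ""

              ## pushgateway data Persistent Volume mount root path
              ##
              mountPath: /data

              ## pushgateway data Persistent Volume size
              ##
              size: 2Gi

              ## pushgateway data Persistent Volume Storage Class
              ## If defined, storageClassName: <storageClass>
              ## If set to "-", storageClassName: "", which disables dynamic provisioning
              ## If undefined (the default) or set to null, no storageClassName spec is
              ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
              ##   GKE, AWS & OpenStack)
              ##
              # storageClass: "-"

              ## Subdirectory of pushgateway data Persistent Volume to mount
              ## Useful if the volume's root directory is not empty
              ##
              subPath: ""

            # Configuration for clusters with restrictive network policies in place:
            # - allowAll allows access to the PushGateway from any namespace
            # - customSelector is a list of pod/namespaceSelectors to allow access from
            # These options are mutually exclusive and the latter will take precedence.
            # NOTE(review): left empty, so this file adds no network-level
            # restriction. The Vouch check is enforced by the Ingress only;
            # traffic that reaches the ClusterIP Service on 9091 from inside
            # the cluster does not pass through it. If only specific
            # workloads should push, list them under customSelectors.
            networkPolicy: {}
              # allowAll: true
              # customSelectors:
              #   - namespaceSelector:
              #       matchLabels:
              #         type: admin
              #   - podSelector:
              #       matchLabels:
              #         app: myapp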