Add cilium service monitors, update external-ddns to only allow istio…

… resources, update dashboards Signed-off-by: Michael Fornaro <[email protected]> update chart with registry Signed-off-by: Michael Fornaro <[email protected]> fix dashboard link and increase limits Signed-off-by: Michael Fornaro <[email protected]> reverting metric server Signed-off-by: Michael Fornaro <[email protected]>
xunholy · Nov 16, 2020 · 33f7adf · 33f7adf
1 parent 12436eb
commit 33f7adf
Show file tree

Hide file tree

Showing 10 changed files with 91 additions and 40 deletions.
diff --git a/cilium/install/values.yaml b/cilium/install/values.yaml
@@ -8,12 +8,14 @@ autoDirectNodeRoutes: true
 
 hubble:
   enabled: true
+  # Enables the provided list of Hubble metrics.
   metrics:
     enabled:
       - dns:query;ignoreAAAA
       - drop
       - tcp
       - flow
+      - port-distribution
       - icmp
       - http
   listenAddress: ':4244'
@@ -53,6 +55,7 @@ kubeProxyReplacement: strict
 kubeProxyReplacementHealthzBindAddr: '0.0.0.0:10256'
 
 # prometheus enables serving metrics on the configured port at /metrics
+# Enables metrics for cilium-agent.
 prometheus:
   enabled: true
   port: 9090
@@ -64,6 +67,7 @@ operator:
   image:
     repository: cilium/operator-dev
     tag: v1.9.0
+  # Enables metrics for cilium-operator.
   prometheus:
     enabled: true
     serviceMonitor:

diff --git a/cluster/kube-system/cilium/servicemonitor.yaml b/cluster/kube-system/cilium/servicemonitor.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: cilium-agent
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cilium
+  namespaceSelector:
+    matchNames:
+      - kube-system
+  endpoints:
+    - port: metrics
+      interval: 10s
+      honorLabels: true
+      path: /metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: hubble
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cilium
+  namespaceSelector:
+    matchNames:
+      - kube-system
+  endpoints:
+    - port: hubble-metrics
+      interval: 10s
+      honorLabels: true
+      path: /metrics
+      relabelings:
+        - replacement: ${1}
+          sourceLabels:
+            - __meta_kubernetes_pod_node_name
+          targetLabel: node
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: cilium-operator
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      io.cilium/app: operator
+      name: cilium-operator
+  namespaceSelector:
+    matchNames:
+      - kube-system
+  endpoints:
+    - port: metrics
+      interval: 10s
+      honorLabels: true
+      path: /metrics
diff --git a/...er/kube-system/hubble/virtualservice.yaml → ...er/kube-system/cilium/virtualservice.yaml b/...er/kube-system/hubble/virtualservice.yaml → ...er/kube-system/cilium/virtualservice.yaml
diff --git a/cluster/kube-system/metrics-server/metrics-server.yaml b/cluster/kube-system/metrics-server/metrics-server.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: metrics-server
-      version: '>=2.11.1 <3.0.0'
+      version: '>=5.0.1 <6.0.0'
       sourceRef:
         kind: HelmRepository
         name: kubernetes-stable-charts

diff --git a/cluster/network/external-dns/external-dns.yaml b/cluster/network/external-dns/external-dns.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: external-dns
-      version: '>=3.5.1 <4.0.0'
+      version: '>=4.0.0 <5.0.0'
       sourceRef:
         kind: HelmRepository
         name: bitnami-charts
@@ -33,7 +33,7 @@ spec:
     image:
       registry: docker.io
       repository: raspbernetes/external-dns
-      tag: v0.7.3
+      tag: v0.7.4
       pullPolicy: IfNotPresent
     provider: cloudflare
     policy: upsert-only
@@ -50,10 +50,11 @@ spec:
     crd:
       create: true
     sources:
-      - service
-      - ingress
+      # Disable service and ingress to avoid exposing services externally that are not routed through istio
+      # - service
+      # - ingress
       - istio-virtualservice
-      # Remove istio gateway as it adds a wildcard CNAME which is not able to be proxied in cloudflare
+      # Disable istio gateway as it adds a wildcard CNAME which is not able to be proxied in cloudflare
       # - istio-gateway
     domainFilters:
       - raspbernetes.com

diff --git a/cluster/network/external-dns/servicemonitor.yaml b/cluster/network/external-dns/servicemonitor.yaml
@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: external-dns
-  namespace: observability
+  namespace: network
 spec:
   endpoints:
     - path: /metrics

diff --git a/cluster/network/metallb/metallb.yaml b/cluster/network/metallb/metallb.yaml
@@ -9,10 +9,10 @@ spec:
   chart:
     spec:
       chart: metallb
-      version: '>=0.12.1 <1.0.0'
+      version: '>=1.0.1 <2.0.0'
       sourceRef:
         kind: HelmRepository
-        name: kubernetes-stable-charts
+        name: bitnami-charts
         namespace: flux-system
       interval: 10m
   test:
@@ -33,11 +33,11 @@ spec:
     controller:
       image:
         repository: metallb/controller
-        tag: v0.9.3
+        tag: v0.9.5
     speaker:
       image:
         repository: metallb/speaker
-        tag: v0.9.3
+        tag: v0.9.5
     prometheus:
       serviceMonitor:
         enabled: false

diff --git a/cluster/observability/kube-prometheus-stack/kube-prometheus-stack.yaml b/cluster/observability/kube-prometheus-stack/kube-prometheus-stack.yaml
@@ -130,6 +130,15 @@ spec:
           cert-manager:
             url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/raw/master/dashboards/cert-manager.json
             datasource: Prometheus
+          cilium-dashboard:
+            url: https://raw.githubusercontent.com/cilium/cilium/v1.9.0/examples/kubernetes/addons/prometheus/files/grafana-dashboards/cilium-dashboard.json
+            datasource: Prometheus
+          cilium-operator-dashboard:
+            url: https://raw.githubusercontent.com/cilium/cilium/v1.9.0/examples/kubernetes/addons/prometheus/files/grafana-dashboards/cilium-operator-dashboard.json
+            datasource: Prometheus
+          hubble-dashboard:
+            url: https://raw.githubusercontent.com/cilium/cilium/v1.9.0/examples/kubernetes/addons/prometheus/files/grafana-dashboards/hubble-dashboard.json
+            datasource: Prometheus
           # Istio dashboards must be kept in parity with the version deployed
           # https://grafana.com/grafana/dashboards/7639/revisions
           istio-mesh:
@@ -148,10 +157,10 @@ spec:
             url: https://grafana.com/api/dashboards/7645/revisions/38/download
             datasource: Prometheus
           openebs:
-            url: https://grafana.com/api/dashboards/12171/revisions/1/download
+            url: https://grafana.com/api/dashboards/12171/revisions/2/download
             datasource: Prometheus
           openebs-pg-dashboard:
-            url: https://raw.githubusercontent.com/openebs/openebs/master/k8s/openebs-pg-dashboard.json
+            url: https://raw.githubusercontent.com/openebs/openebs/v2.3.0/k8s/openebs-pg-dashboard.json
             datasource: Prometheus
           sealed-secrets:
             url: https://raw.githubusercontent.com/bitnami-labs/sealed-secrets/master/contrib/prometheus-mixin/dashboards/sealed-secrets-controller.json
@@ -285,8 +294,8 @@ spec:
             memory: '1024Mi'
             cpu: '125m'
           limits:
-            memory: 1536Mi
-            cpu: '500m'
+            memory: 2048Mi
+            cpu: '1000m'
         storageSpec:
           volumeClaimTemplate:
             spec:

diff --git a/cluster/openebs/openebs/openebs.yaml b/cluster/openebs/openebs/openebs.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: openebs
-      version: '>=2.2.1 <3.0.0'
+      version: '>=2.3.0 <3.0.0'
       sourceRef:
         kind: HelmRepository
         name: openebs-charts
@@ -33,30 +33,6 @@ spec:
     ndm:
       sparse:
         count: '1'
-    webhook:
-      image: 'openebs/admission-server-arm64'
     apiserver:
-      image: 'openebs/m-apiserver-arm64'
       sparse:
         enabled: true
-    localprovisioner:
-      image: 'openebs/provisioner-localpv-arm64'
-    snapshotOperator:
-      controller:
-        image: 'openebs/snapshot-controller-arm64'
-      provisioner:
-        image: 'openebs/snapshot-provisioner-arm64'
-    provisioner:
-      image: 'openebs/openebs-k8s-provisioner-arm64'
-    cstor:
-      pool:
-        image: 'openebs/cstor-pool-arm64'
-      poolMgmt:
-        image: 'openebs/cstor-pool-mgmt-arm64'
-      target:
-        image: 'openebs/cstor-istgt-arm64'
-      volumeMgmt:
-        image: 'openebs/cstor-volume-mgmt-arm64'
-    policies:
-      monitoring:
-        image: 'openebs/m-exporter-arm64'
diff --git a/cluster/openebs/openebs/servicemonitor.yaml b/cluster/openebs/openebs/servicemonitor.yaml
@@ -1,3 +1,4 @@
+# https://github.com/openebs/openebs/blob/v2.3.0/k8s/openebs-servicemonitor.yaml
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor