From a0bac2630844284cf8912f4e7897d22320e1f4f4 Mon Sep 17 00:00:00 2001 From: Ahmed Waleed Malik Date: Sat, 24 Jul 2021 00:33:05 +0500 Subject: [PATCH] Add servicemonitor in helm chart (#1984) --- charts/kyverno/README.md | 11 +++++++ charts/kyverno/templates/servicemonitor.yaml | 33 ++++++++++++++++++++ charts/kyverno/values.yaml | 16 ++++++++++ 3 files changed, 60 insertions(+) create mode 100644 charts/kyverno/templates/servicemonitor.yaml diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index a074583782..003fdd93af 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -104,6 +104,17 @@ The following table lists the configurable parameters of the kyverno chart and t | `service.nodePort` | node port | `nil` | | `service.port` | port for the service | `443` | | `service.type` | type of service | `ClusterIP` | +| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` | +| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` | + +| `serviceMonitor.interval` | interval to scrape metrics | `30s` | + +| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` | + +| `serviceMonitor.secure` | is TLS required for endpoint | `false` | + +| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` | + | `tolerations` | list of node taints to tolerate | `[]` | | `securityContext` | security context configuration | `{}` | | `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` | diff --git a/charts/kyverno/templates/servicemonitor.yaml b/charts/kyverno/templates/servicemonitor.yaml new file mode 100644 index 0000000000..75fd648f1e --- /dev/null +++ b/charts/kyverno/templates/servicemonitor.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.serviceMonitor.enabled }} + +{{- if not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") -}} + {{- fail "Prometheus is not installed" }} +{{ end }} + +apiVersion: "monitoring.coreos.com/v1" +kind: ServiceMonitor +metadata: + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno +{{- if .Values.serviceMonitor.additionalLabels }} +{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} + name: {{ template "kyverno.serviceName" . }}-service-monitor + namespace: {{ template "kyverno.namespace" . }} +spec: + selector: + matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} + app: kyverno + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} + {{- if .Values.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 332e250ea3..6c96174551 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -175,6 +175,22 @@ metricsService: ## annotations: {} +# Service Monitor to collect Prometheus Metrics +serviceMonitor: + enabled: false + # Additional labels + additionalLabels: + # key: value + + # Interval to scrape metrics + interval: 30s + # Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # Is TLS required for endpoint + secure: false + # TLS Configuration for endpoint + tlsConfig: {} + # Kyverno requires a certificate key pair and corresponding certificate authority # to properly register its webhooks. This can be done in one of 3 ways: # 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
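Review bot: In the `secure` branch of the endpoint, `scheme: https` is set and `serviceMonitor.tlsConfig` is copied through `toYaml` unchanged, so whether Prometheus verifies the certificate on the Kyverno metrics port depends entirely on user-supplied values, and the comments this patch adds to values.yaml give no guidance. I would extend the comment above `tlsConfig` to something like `# Passed verbatim to the ServiceMonitor endpoint; provide ca and serverName so the certificate is verified, and avoid insecureSkipVerify: true`. The flag appears to change only the scrape side: nothing in this patch shows the metrics port serving TLS, so the comment on `secure` should say the endpoint must already be configured for HTTPS. With the default `secure: false`, metrics are scraped over plain HTTP inside the cluster, which is worth stating in the README row too.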
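Review bot: The README row added in this patch gives the default of `serviceMonitor.tlsConfig` as `[]`, while this hunk sets `tlsConfig: {}`. The template renders the value under a mapping key, so the values file looks right and the README row should read `{}`. `additionalLabels:` is left bare with only a commented example beneath it, which parses as null. The template's `if` guard copes with that, but `additionalLabels: {}` states the intended type and matches how `tlsConfig` is written.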