
*: Allow listening locally and specifying additional containers

Frederic Branczyk 2018-03-07 14:45:08 +01:00
parent d8fa6d5d5f
commit ca15e870da
No known key found for this signature in database
GPG key ID: 7741A52782A90069
11 changed files with 1671 additions and 61 deletions


@ -100,6 +100,8 @@ Specification of the desired behavior of the Alertmanager cluster. More info: ht
| tolerations | If specified, the pod's tolerations. | []v1.Toleration | false |
| securityContext | SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 2000. | *v1.PodSecurityContext | false |
| serviceAccountName | ServiceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods. | string | false |
| listenLocal | ListenLocal makes the Alertmanager server listen on loopback, so that it does not bind against the Pod IP. Note this is only for the Alertmanager UI, not the gossip communication. | bool | false |
| containers | Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to an Alertmanager pod. | []v1.Container | false |
[Back to TOC](#table-of-contents)
@ -215,6 +217,8 @@ Specification of the desired behavior of the Prometheus cluster. More info: http
| remoteWrite | If specified, the remote_write spec. This is an experimental feature, it may change in any upcoming release in a breaking way. | [][RemoteWriteSpec](#remotewritespec) | false |
| remoteRead | If specified, the remote_read spec. This is an experimental feature, it may change in any upcoming release in a breaking way. | [][RemoteReadSpec](#remotereadspec) | false |
| securityContext | SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 2000 for Prometheus >v2.0 and default PodSecurityContext for other versions. | *v1.PodSecurityContext | false |
| listenLocal | ListenLocal makes the Prometheus server listen on loopback, so that it does not bind against the Pod IP. | bool | false |
| containers | Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to a Prometheus pod. | []v1.Container | false |
[Back to TOC](#table-of-contents)


@ -535,6 +535,721 @@ spec:
baseImage:
description: Base image that is used to deploy pods.
type: string
containers:
description: Containers allows injecting additional containers. This
is meant to allow adding an authentication proxy to an Alertmanager
pod.
items:
description: A single application container that you want to run within
a pod.
properties:
args:
description: 'Arguments to the entrypoint. The docker image''s
CMD is used if this is not provided. Variable references $(VAR_NAME)
are expanded using the container''s environment. If a variable
cannot be resolved, the reference in the input string will be
unchanged. The $(VAR_NAME) syntax can be escaped with a double
$$, ie: $$(VAR_NAME). Escaped references will never be expanded,
regardless of whether the variable exists or not. Cannot be
updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
items:
type: string
type: array
command:
description: 'Entrypoint array. Not executed within a shell. The
docker image''s ENTRYPOINT is used if this is not provided.
Variable references $(VAR_NAME) are expanded using the container''s
environment. If a variable cannot be resolved, the reference
in the input string will be unchanged. The $(VAR_NAME) syntax
can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references
will never be expanded, regardless of whether the variable exists
or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
items:
type: string
type: array
env:
description: List of environment variables to set in the container.
Cannot be updated.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in the
container and any service environment variables. If a
variable cannot be resolved, the reference in the input
string will be unchanged. The $(VAR_NAME) syntax can be
escaped with a double $$, ie: $$(VAR_NAME). Escaped references
will never be expanded, regardless of whether the variable
exists or not. Defaults to "".'
type: string
valueFrom:
description: EnvVarSource represents a source for the value
of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key from a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or it's
key must be defined
type: boolean
required:
- key
fieldRef:
description: ObjectFieldSelector selects an APIVersioned
field of an object.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
resourceFieldRef:
description: ResourceFieldSelector represents container
resources (cpu, memory) and their output format
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor: {}
resource:
description: 'Required: resource to select'
type: string
required:
- resource
secretKeyRef:
description: SecretKeySelector selects a key of a Secret.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or it's
key must be defined
type: boolean
required:
- key
required:
- name
type: array
envFrom:
description: List of sources to populate environment variables
in the container. The keys defined within a source must be a
C_IDENTIFIER. All invalid keys will be reported as an event
when the container is starting. When a key exists in multiple
sources, the value associated with the last source will take
precedence. Values defined by an Env with a duplicate key will
take precedence. Cannot be updated.
items:
description: EnvFromSource represents the source of a set of
ConfigMaps
properties:
configMapRef:
description: |-
ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.
The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap must be defined
type: boolean
prefix:
description: An optional identifer to prepend to each key
in the ConfigMap. Must be a C_IDENTIFIER.
type: string
secretRef:
description: |-
SecretEnvSource selects a Secret to populate the environment variables with.
The contents of the target Secret's Data field will represent the key-value pairs as environment variables.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret must be defined
type: boolean
type: array
image:
description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images
This field is optional to allow higher level config management
to default or override container images in workload controllers
like Deployments and StatefulSets.'
type: string
imagePullPolicy:
description: 'Image pull policy. One of Always, Never, IfNotPresent.
Defaults to Always if :latest tag is specified, or IfNotPresent
otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
type: string
lifecycle:
description: Lifecycle describes actions that the management system
should take in response to container lifecycle events. For the
PostStart and PreStop lifecycle handlers, management of the
container blocks until the action is complete, unless the container
process fails, in which case the handler is aborted.
properties:
postStart:
description: Handler defines a specific action that should
be taken
properties:
exec:
description: ExecAction describes a "run in container"
action.
properties:
command:
description: Command is the command line to execute
inside the container, the working directory for
the command is root ('/') in the container's filesystem.
The command is simply exec'd, it is not run inside
a shell, so traditional shell instructions ('|',
etc) won't work. To use a shell, you need to explicitly
call out to that shell. Exit status of 0 is treated
as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
httpGet:
description: HTTPGetAction describes an action based on
HTTP Get requests.
properties:
host:
description: Host name to connect to, defaults to
the pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request.
HTTP allows repeated headers.
items:
description: HTTPHeader describes a custom header
to be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
tcpSocket:
description: TCPSocketAction describes an action based
on opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
preStop:
description: Handler defines a specific action that should
be taken
properties:
exec:
description: ExecAction describes a "run in container"
action.
properties:
command:
description: Command is the command line to execute
inside the container, the working directory for
the command is root ('/') in the container's filesystem.
The command is simply exec'd, it is not run inside
a shell, so traditional shell instructions ('|',
etc) won't work. To use a shell, you need to explicitly
call out to that shell. Exit status of 0 is treated
as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
httpGet:
description: HTTPGetAction describes an action based on
HTTP Get requests.
properties:
host:
description: Host name to connect to, defaults to
the pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request.
HTTP allows repeated headers.
items:
description: HTTPHeader describes a custom header
to be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
tcpSocket:
description: TCPSocketAction describes an action based
on opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
livenessProbe:
description: Probe describes a health check to be performed against
a container to determine whether it is alive or ready to receive
traffic.
properties:
exec:
description: ExecAction describes a "run in container" action.
properties:
command:
description: Command is the command line to execute inside
the container, the working directory for the command is
root ('/') in the container's filesystem. The command
is simply exec'd, it is not run inside a shell, so traditional
shell instructions ('|', etc) won't work. To use a shell,
you need to explicitly call out to that shell. Exit
status of 0 is treated as live/healthy and non-zero
is unhealthy.
items:
type: string
type: array
failureThreshold:
description: Minimum consecutive failures for the probe to
be considered failed after having succeeded. Defaults to
3. Minimum value is 1.
format: int32
type: integer
httpGet:
description: HTTPGetAction describes an action based on HTTP
Get requests.
properties:
host:
description: Host name to connect to, defaults to the
pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request. HTTP
allows repeated headers.
items:
description: HTTPHeader describes a custom header to
be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
initialDelaySeconds:
description: 'Number of seconds after the container has started
before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to
be considered successful after having failed. Defaults to
1. Must be 1 for liveness. Minimum value is 1.
format: int32
type: integer
tcpSocket:
description: TCPSocketAction describes an action based on
opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
timeoutSeconds:
description: 'Number of seconds after which the probe times
out. Defaults to 1 second. Minimum value is 1. More info:
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
name:
description: Name of the container specified as a DNS_LABEL. Each
container in a pod must have a unique name (DNS_LABEL). Cannot
be updated.
type: string
ports:
description: List of ports to expose from the container. Exposing
a port here gives the system additional information about the
network connections a container uses, but is primarily informational.
Not specifying a port here DOES NOT prevent that port from being
exposed. Any port which is listening on the default "0.0.0.0"
address inside a container will be accessible from the network.
Cannot be updated.
items:
description: ContainerPort represents a network port in a single
container.
properties:
containerPort:
description: Number of port to expose on the pod's IP address.
This must be a valid port number, 0 < x < 65536.
format: int32
type: integer
hostIP:
description: What host IP to bind the external port to.
type: string
hostPort:
description: Number of port to expose on the host. If specified,
this must be a valid port number, 0 < x < 65536. If HostNetwork
is specified, this must match ContainerPort. Most containers
do not need this.
format: int32
type: integer
name:
description: If specified, this must be an IANA_SVC_NAME
and unique within the pod. Each named port in a pod must
have a unique name. Name for the port that can be referred
to by services.
type: string
protocol:
description: Protocol for port. Must be UDP or TCP. Defaults
to "TCP".
type: string
required:
- containerPort
type: array
readinessProbe:
description: Probe describes a health check to be performed against
a container to determine whether it is alive or ready to receive
traffic.
properties:
exec:
description: ExecAction describes a "run in container" action.
properties:
command:
description: Command is the command line to execute inside
the container, the working directory for the command is
root ('/') in the container's filesystem. The command
is simply exec'd, it is not run inside a shell, so traditional
shell instructions ('|', etc) won't work. To use a shell,
you need to explicitly call out to that shell. Exit
status of 0 is treated as live/healthy and non-zero
is unhealthy.
items:
type: string
type: array
failureThreshold:
description: Minimum consecutive failures for the probe to
be considered failed after having succeeded. Defaults to
3. Minimum value is 1.
format: int32
type: integer
httpGet:
description: HTTPGetAction describes an action based on HTTP
Get requests.
properties:
host:
description: Host name to connect to, defaults to the
pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request. HTTP
allows repeated headers.
items:
description: HTTPHeader describes a custom header to
be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
initialDelaySeconds:
description: 'Number of seconds after the container has started
before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to
be considered successful after having failed. Defaults to
1. Must be 1 for liveness. Minimum value is 1.
format: int32
type: integer
tcpSocket:
description: TCPSocketAction describes an action based on
opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
timeoutSeconds:
description: 'Number of seconds after which the probe times
out. Defaults to 1 second. Minimum value is 1. More info:
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
limits:
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
securityContext:
description: SecurityContext holds security configuration that
will be applied to a container. Some fields are present in both
SecurityContext and PodSecurityContext. When both are set,
the values in SecurityContext take precedence.
properties:
allowPrivilegeEscalation:
description: 'AllowPrivilegeEscalation controls whether a
process can gain more privileges than its parent process.
This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN'
type: boolean
capabilities:
description: Adds and removes POSIX capabilities from running
containers.
properties:
add:
description: Added capabilities
items:
type: string
type: array
drop:
description: Removed capabilities
items:
type: string
type: array
privileged:
description: Run container in privileged mode. Processes in
privileged containers are essentially equivalent to root
on the host. Defaults to false.
type: boolean
readOnlyRootFilesystem:
description: Whether this container has a read-only root filesystem.
Default is false.
type: boolean
runAsNonRoot:
description: Indicates that the container must run as a non-root
user. If true, the Kubelet will validate the image at runtime
to ensure that it does not run as UID 0 (root) and fail
to start the container if it does. If unset or false, no
such validation will be performed. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
format: int64
type: integer
seLinuxOptions:
description: SELinuxOptions are the labels to be applied to
the container
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
stdin:
description: Whether this container should allocate a buffer for
stdin in the container runtime. If this is not set, reads from
stdin in the container will always result in EOF. Default is
false.
type: boolean
stdinOnce:
description: Whether the container runtime should close the stdin
channel after it has been opened by a single attach. When stdin
is true the stdin stream will remain open across multiple attach
sessions. If stdinOnce is set to true, stdin is opened on container
start, is empty until the first client attaches to stdin, and
then remains open and accepts data until the client disconnects,
at which time stdin is closed and remains closed until the container
is restarted. If this flag is false, a container processes that
reads from stdin will never receive an EOF. Default is false
type: boolean
terminationMessagePath:
description: 'Optional: Path at which the file to which the container''s
termination message will be written is mounted into the container''s
filesystem. Message written is intended to be brief final status,
such as an assertion failure message. Will be truncated by the
node if greater than 4096 bytes. The total message length across
all containers will be limited to 12kb. Defaults to /dev/termination-log.
Cannot be updated.'
type: string
terminationMessagePolicy:
description: Indicate how the termination message should be populated.
File will use the contents of terminationMessagePath to populate
the container status message on both success and failure. FallbackToLogsOnError
will use the last chunk of container log output if the termination
message file is empty and the container exited with an error.
The log output is limited to 2048 bytes or 80 lines, whichever
is smaller. Defaults to File. Cannot be updated.
type: string
tty:
description: Whether this container should allocate a TTY for
itself, also requires 'stdin' to be true. Default is false.
type: boolean
volumeMounts:
description: Pod volumes to mount into the container's filesystem.
Cannot be updated.
items:
description: VolumeMount describes a mounting of a Volume within
a container.
properties:
mountPath:
description: Path within the container at which the volume
should be mounted. Must not contain ':'.
type: string
mountPropagation:
description: mountPropagation determines how mounts are
propagated from the host to container and the other way
around. When not set, MountPropagationHostToContainer
is used. This field is alpha in 1.8 and can be reworked
or removed in a future release.
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
description: Mounted read-only if true, read-write otherwise
(false or unspecified). Defaults to false.
type: boolean
subPath:
description: Path within the volume from which the container's
volume should be mounted. Defaults to "" (volume's root).
type: string
required:
- name
- mountPath
type: array
workingDir:
description: Container's working directory. If not specified,
the container runtime's default will be used, which might be
configured in the container image. Cannot be updated.
type: string
required:
- name
type: array
externalUrl:
description: The external URL the Alertmanager instances will be available
under. This is necessary to generate correct URLs. This is necessary
@ -552,6 +1267,11 @@ spec:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
type: array
listenLocal:
description: ListenLocal makes the Alertmanager server listen on loopback,
so that it does not bind against the Pod IP. Note this is only for
the Alertmanager UI, not the gossip communication.
type: boolean
nodeSelector:
description: Define which Nodes the Pods are scheduled on.
type: object


@ -567,6 +567,720 @@ spec:
baseImage:
description: Base image to use for a Prometheus deployment.
type: string
containers:
description: Containers allows injecting additional containers. This
is meant to allow adding an authentication proxy to a Prometheus pod.
items:
description: A single application container that you want to run within
a pod.
properties:
args:
description: 'Arguments to the entrypoint. The docker image''s
CMD is used if this is not provided. Variable references $(VAR_NAME)
are expanded using the container''s environment. If a variable
cannot be resolved, the reference in the input string will be
unchanged. The $(VAR_NAME) syntax can be escaped with a double
$$, ie: $$(VAR_NAME). Escaped references will never be expanded,
regardless of whether the variable exists or not. Cannot be
updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
items:
type: string
type: array
command:
description: 'Entrypoint array. Not executed within a shell. The
docker image''s ENTRYPOINT is used if this is not provided.
Variable references $(VAR_NAME) are expanded using the container''s
environment. If a variable cannot be resolved, the reference
in the input string will be unchanged. The $(VAR_NAME) syntax
can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references
will never be expanded, regardless of whether the variable exists
or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
items:
type: string
type: array
env:
description: List of environment variables to set in the container.
Cannot be updated.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in the
container and any service environment variables. If a
variable cannot be resolved, the reference in the input
string will be unchanged. The $(VAR_NAME) syntax can be
escaped with a double $$, ie: $$(VAR_NAME). Escaped references
will never be expanded, regardless of whether the variable
exists or not. Defaults to "".'
type: string
valueFrom:
description: EnvVarSource represents a source for the value
of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key from a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or it's
key must be defined
type: boolean
required:
- key
fieldRef:
description: ObjectFieldSelector selects an APIVersioned
field of an object.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
resourceFieldRef:
description: ResourceFieldSelector represents container
resources (cpu, memory) and their output format
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor: {}
resource:
description: 'Required: resource to select'
type: string
required:
- resource
secretKeyRef:
description: SecretKeySelector selects a key of a Secret.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or it's
key must be defined
type: boolean
required:
- key
required:
- name
type: array
envFrom:
description: List of sources to populate environment variables
in the container. The keys defined within a source must be a
C_IDENTIFIER. All invalid keys will be reported as an event
when the container is starting. When a key exists in multiple
sources, the value associated with the last source will take
precedence. Values defined by an Env with a duplicate key will
take precedence. Cannot be updated.
items:
description: EnvFromSource represents the source of a set of
ConfigMaps
properties:
configMapRef:
description: |-
ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.
The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap must be defined
type: boolean
prefix:
description: An optional identifer to prepend to each key
in the ConfigMap. Must be a C_IDENTIFIER.
type: string
secretRef:
description: |-
SecretEnvSource selects a Secret to populate the environment variables with.
The contents of the target Secret's Data field will represent the key-value pairs as environment variables.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret must be defined
type: boolean
type: array
image:
description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images
This field is optional to allow higher level config management
to default or override container images in workload controllers
like Deployments and StatefulSets.'
type: string
imagePullPolicy:
description: 'Image pull policy. One of Always, Never, IfNotPresent.
Defaults to Always if :latest tag is specified, or IfNotPresent
otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
type: string
lifecycle:
description: Lifecycle describes actions that the management system
should take in response to container lifecycle events. For the
PostStart and PreStop lifecycle handlers, management of the
container blocks until the action is complete, unless the container
process fails, in which case the handler is aborted.
properties:
postStart:
description: Handler defines a specific action that should
be taken
properties:
exec:
description: ExecAction describes a "run in container"
action.
properties:
command:
description: Command is the command line to execute
inside the container, the working directory for
the command is root ('/') in the container's filesystem.
The command is simply exec'd, it is not run inside
a shell, so traditional shell instructions ('|',
etc) won't work. To use a shell, you need to explicitly
call out to that shell. Exit status of 0 is treated
as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
httpGet:
description: HTTPGetAction describes an action based on
HTTP Get requests.
properties:
host:
description: Host name to connect to, defaults to
the pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request.
HTTP allows repeated headers.
items:
description: HTTPHeader describes a custom header
to be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
tcpSocket:
description: TCPSocketAction describes an action based
on opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
preStop:
description: Handler defines a specific action that should
be taken
properties:
exec:
description: ExecAction describes a "run in container"
action.
properties:
command:
description: Command is the command line to execute
inside the container, the working directory for
the command is root ('/') in the container's filesystem.
The command is simply exec'd, it is not run inside
a shell, so traditional shell instructions ('|',
etc) won't work. To use a shell, you need to explicitly
call out to that shell. Exit status of 0 is treated
as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
httpGet:
description: HTTPGetAction describes an action based on
HTTP Get requests.
properties:
host:
description: Host name to connect to, defaults to
the pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request.
HTTP allows repeated headers.
items:
description: HTTPHeader describes a custom header
to be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
tcpSocket:
description: TCPSocketAction describes an action based
on opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
livenessProbe:
description: Probe describes a health check to be performed against
a container to determine whether it is alive or ready to receive
traffic.
properties:
exec:
description: ExecAction describes a "run in container" action.
properties:
command:
description: Command is the command line to execute inside
the container, the working directory for the command is
root ('/') in the container's filesystem. The command
is simply exec'd, it is not run inside a shell, so traditional
shell instructions ('|', etc) won't work. To use a shell,
you need to explicitly call out to that shell. Exit
status of 0 is treated as live/healthy and non-zero
is unhealthy.
items:
type: string
type: array
failureThreshold:
description: Minimum consecutive failures for the probe to
be considered failed after having succeeded. Defaults to
3. Minimum value is 1.
format: int32
type: integer
httpGet:
description: HTTPGetAction describes an action based on HTTP
Get requests.
properties:
host:
description: Host name to connect to, defaults to the
pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request. HTTP
allows repeated headers.
items:
description: HTTPHeader describes a custom header to
be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
initialDelaySeconds:
description: 'Number of seconds after the container has started
before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to
be considered successful after having failed. Defaults to
1. Must be 1 for liveness. Minimum value is 1.
format: int32
type: integer
tcpSocket:
description: TCPSocketAction describes an action based on
opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
timeoutSeconds:
description: 'Number of seconds after which the probe times
out. Defaults to 1 second. Minimum value is 1. More info:
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
name:
description: Name of the container specified as a DNS_LABEL. Each
container in a pod must have a unique name (DNS_LABEL). Cannot
be updated.
type: string
ports:
description: List of ports to expose from the container. Exposing
a port here gives the system additional information about the
network connections a container uses, but is primarily informational.
Not specifying a port here DOES NOT prevent that port from being
exposed. Any port which is listening on the default "0.0.0.0"
address inside a container will be accessible from the network.
Cannot be updated.
items:
description: ContainerPort represents a network port in a single
container.
properties:
containerPort:
description: Number of port to expose on the pod's IP address.
This must be a valid port number, 0 < x < 65536.
format: int32
type: integer
hostIP:
description: What host IP to bind the external port to.
type: string
hostPort:
description: Number of port to expose on the host. If specified,
this must be a valid port number, 0 < x < 65536. If HostNetwork
is specified, this must match ContainerPort. Most containers
do not need this.
format: int32
type: integer
name:
description: If specified, this must be an IANA_SVC_NAME
and unique within the pod. Each named port in a pod must
have a unique name. Name for the port that can be referred
to by services.
type: string
protocol:
description: Protocol for port. Must be UDP or TCP. Defaults
to "TCP".
type: string
required:
- containerPort
type: array
readinessProbe:
description: Probe describes a health check to be performed against
a container to determine whether it is alive or ready to receive
traffic.
properties:
exec:
description: ExecAction describes a "run in container" action.
properties:
command:
description: Command is the command line to execute inside
the container, the working directory for the command is
root ('/') in the container's filesystem. The command
is simply exec'd, it is not run inside a shell, so traditional
shell instructions ('|', etc) won't work. To use a shell,
you need to explicitly call out to that shell. Exit
status of 0 is treated as live/healthy and non-zero
is unhealthy.
items:
type: string
type: array
failureThreshold:
description: Minimum consecutive failures for the probe to
be considered failed after having succeeded. Defaults to
3. Minimum value is 1.
format: int32
type: integer
httpGet:
description: HTTPGetAction describes an action based on HTTP
Get requests.
properties:
host:
description: Host name to connect to, defaults to the
pod IP. You probably want to set "Host" in httpHeaders
instead.
type: string
httpHeaders:
description: Custom headers to set in the request. HTTP
allows repeated headers.
items:
description: HTTPHeader describes a custom header to
be used in HTTP probes
properties:
name:
description: The header field name
type: string
value:
description: The header field value
type: string
required:
- name
- value
type: array
path:
description: Path to access on the HTTP server.
type: string
port: {}
scheme:
description: Scheme to use for connecting to the host.
Defaults to HTTP.
type: string
required:
- port
initialDelaySeconds:
description: 'Number of seconds after the container has started
before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to
be considered successful after having failed. Defaults to
1. Must be 1 for liveness. Minimum value is 1.
format: int32
type: integer
tcpSocket:
description: TCPSocketAction describes an action based on
opening a socket
properties:
host:
description: 'Optional: Host name to connect to, defaults
to the pod IP.'
type: string
port: {}
required:
- port
timeoutSeconds:
description: 'Number of seconds after which the probe times
out. Defaults to 1 second. Minimum value is 1. More info:
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
format: int32
type: integer
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
limits:
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
securityContext:
description: SecurityContext holds security configuration that
will be applied to a container. Some fields are present in both
SecurityContext and PodSecurityContext. When both are set,
the values in SecurityContext take precedence.
properties:
allowPrivilegeEscalation:
description: 'AllowPrivilegeEscalation controls whether a
process can gain more privileges than its parent process.
This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN'
type: boolean
capabilities:
description: Adds and removes POSIX capabilities from running
containers.
properties:
add:
description: Added capabilities
items:
type: string
type: array
drop:
description: Removed capabilities
items:
type: string
type: array
privileged:
description: Run container in privileged mode. Processes in
privileged containers are essentially equivalent to root
on the host. Defaults to false.
type: boolean
readOnlyRootFilesystem:
description: Whether this container has a read-only root filesystem.
Default is false.
type: boolean
runAsNonRoot:
description: Indicates that the container must run as a non-root
user. If true, the Kubelet will validate the image at runtime
to ensure that it does not run as UID 0 (root) and fail
to start the container if it does. If unset or false, no
such validation will be performed. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
format: int64
type: integer
seLinuxOptions:
description: SELinuxOptions are the labels to be applied to
the container
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
stdin:
description: Whether this container should allocate a buffer for
stdin in the container runtime. If this is not set, reads from
stdin in the container will always result in EOF. Default is
false.
type: boolean
stdinOnce:
description: Whether the container runtime should close the stdin
channel after it has been opened by a single attach. When stdin
is true the stdin stream will remain open across multiple attach
sessions. If stdinOnce is set to true, stdin is opened on container
start, is empty until the first client attaches to stdin, and
then remains open and accepts data until the client disconnects,
at which time stdin is closed and remains closed until the container
is restarted. If this flag is false, a container processes that
reads from stdin will never receive an EOF. Default is false
type: boolean
terminationMessagePath:
description: 'Optional: Path at which the file to which the container''s
termination message will be written is mounted into the container''s
filesystem. Message written is intended to be brief final status,
such as an assertion failure message. Will be truncated by the
node if greater than 4096 bytes. The total message length across
all containers will be limited to 12kb. Defaults to /dev/termination-log.
Cannot be updated.'
type: string
terminationMessagePolicy:
description: Indicate how the termination message should be populated.
File will use the contents of terminationMessagePath to populate
the container status message on both success and failure. FallbackToLogsOnError
will use the last chunk of container log output if the termination
message file is empty and the container exited with an error.
The log output is limited to 2048 bytes or 80 lines, whichever
is smaller. Defaults to File. Cannot be updated.
type: string
tty:
description: Whether this container should allocate a TTY for
itself, also requires 'stdin' to be true. Default is false.
type: boolean
volumeMounts:
description: Pod volumes to mount into the container's filesystem.
Cannot be updated.
items:
description: VolumeMount describes a mounting of a Volume within
a container.
properties:
mountPath:
description: Path within the container at which the volume
should be mounted. Must not contain ':'.
type: string
mountPropagation:
description: mountPropagation determines how mounts are
propagated from the host to container and the other way
around. When not set, MountPropagationHostToContainer
is used. This field is alpha in 1.8 and can be reworked
or removed in a future release.
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
description: Mounted read-only if true, read-write otherwise
(false or unspecified). Defaults to false.
type: boolean
subPath:
description: Path within the volume from which the container's
volume should be mounted. Defaults to "" (volume's root).
type: string
required:
- name
- mountPath
type: array
workingDir:
description: Container's working directory. If not specified,
the container runtime's default will be used, which might be
configured in the container image. Cannot be updated.
type: string
required:
- name
type: array
evaluationInterval:
description: Interval between consecutive evaluations.
type: string
@ -591,6 +1305,10 @@ spec:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
type: array
listenLocal:
description: ListenLocal makes the Prometheus server listen on loopback,
so that it does not bind against the Pod IP.
type: boolean
logLevel:
description: Log level for Prometheus be configured in.
type: string


@ -9,4 +9,4 @@ maintainers:
name: kube-prometheus
sources:
- https://github.com/coreos/prometheus-operator
version: 0.0.27
version: 0.0.28


@ -173,11 +173,16 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
amArgs := []string{
fmt.Sprintf("-config.file=%s", alertmanagerConfFile),
fmt.Sprintf("-web.listen-address=:%d", 9093),
fmt.Sprintf("-mesh.listen-address=:%d", 6783),
fmt.Sprintf("-storage.path=%s", alertmanagerStorageDir),
}
if a.Spec.ListenLocal {
amArgs = append(amArgs, "-web.listen-address=127.0.0.1:9093")
} else {
amArgs = append(amArgs, "-web.listen-address=:9093")
}
if a.Spec.ExternalURL != "" {
amArgs = append(amArgs, "-web.external-url="+a.Spec.ExternalURL)
}
@ -200,6 +205,24 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
},
}
var livenessProbe *v1.Probe
var readinessProbe *v1.Probe
if !a.Spec.ListenLocal {
livenessProbe = &v1.Probe{
Handler: probeHandler,
TimeoutSeconds: probeTimeoutSeconds,
FailureThreshold: 10,
}
readinessProbe = &v1.Probe{
Handler: probeHandler,
InitialDelaySeconds: 3,
TimeoutSeconds: 3,
PeriodSeconds: 5,
FailureThreshold: 10,
}
}
podAnnotations := map[string]string{}
podLabels := map[string]string{}
if a.Spec.PodMetadata != nil {
@ -221,6 +244,23 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
amArgs = append(amArgs, fmt.Sprintf("-mesh.peer=%s-%d.%s.%s.svc", prefixedName(a.Name), i, governingServiceName, a.Namespace))
}
ports := []v1.ContainerPort{
{
Name: "mesh",
ContainerPort: 6783,
Protocol: v1.ProtocolTCP,
},
}
if !a.Spec.ListenLocal {
ports = append([]v1.ContainerPort{
{
Name: "web",
ContainerPort: 9093,
Protocol: v1.ProtocolTCP,
},
}, ports...)
}
gid := int64(2000)
uid := int64(1000)
nr := true
@ -265,23 +305,12 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
Spec: v1.PodSpec{
NodeSelector: a.Spec.NodeSelector,
TerminationGracePeriodSeconds: &terminationGracePeriod,
Containers: []v1.Container{
Containers: append([]v1.Container{
{
Args: amArgs,
Name: "alertmanager",
Image: image,
Ports: []v1.ContainerPort{
{
Name: "web",
ContainerPort: 9093,
Protocol: v1.ProtocolTCP,
},
{
Name: "mesh",
ContainerPort: 6783,
Protocol: v1.ProtocolTCP,
},
},
Ports: ports,
VolumeMounts: []v1.VolumeMount{
{
Name: "config-volume",
@ -293,19 +322,9 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
SubPath: subPathForStorage(a.Spec.Storage),
},
},
LivenessProbe: &v1.Probe{
Handler: probeHandler,
TimeoutSeconds: probeTimeoutSeconds,
FailureThreshold: 10,
},
ReadinessProbe: &v1.Probe{
Handler: probeHandler,
InitialDelaySeconds: 3,
TimeoutSeconds: 3,
PeriodSeconds: 5,
FailureThreshold: 10,
},
Resources: a.Spec.Resources,
LivenessProbe: livenessProbe,
ReadinessProbe: readinessProbe,
Resources: a.Spec.Resources,
}, {
Name: "config-reloader",
Image: config.ConfigReloaderImage,
@ -327,7 +346,7 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
},
},
},
},
}, a.Spec.Containers...),
Volumes: []v1.Volume{
{
Name: "config-volume",
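Review bot: With ListenLocal set, the alertmanager container loses both HTTP probes (the livenessProbe/readinessProbe block stays nil) and the `web` port, so a wedged Alertmanager is no longer restarted by the kubelet and nothing in the generated pod spec shows where the UI is now reachable; the Prometheus statefulset hunk in this commit has the same trade-off. A comment above the `if !a.Spec.ListenLocal` guarding the probes would make that explicit: `// Kubelet probes target the pod IP, which the UI no longer binds under ListenLocal; the injected proxy container is expected to carry its own probes.` The `append([]v1.Container{...}, a.Spec.Containers...)` also passes user-supplied containers through unchecked, so a name clash with `alertmanager` or `config-reloader` presumably surfaces only as an API-server rejection of the StatefulSet rather than a clear error from the operator; checking names before building the spec would be friendlier. makeStatefulSetSpec starts and ends outside these hunks.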


@ -15,13 +15,14 @@
package alertmanager
import (
"reflect"
"strings"
"testing"
monitoringv1 "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1"
"github.com/stretchr/testify/require"
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"reflect"
"strings"
"testing"
)
var (
@ -176,3 +177,36 @@ func TestStatefulEmptyDir(t *testing.T) {
t.Fatal("Error adding EmptyDir Spec to StatefulSetSpec")
}
}
func TestListenLocal(t *testing.T) {
sset, err := makeStatefulSet(&monitoringv1.Alertmanager{
Spec: monitoringv1.AlertmanagerSpec{
ListenLocal: true,
},
}, nil, defaultTestConfig)
if err != nil {
t.Fatalf("Unexpected error while making StatefulSet: %v", err)
}
found := false
for _, flag := range sset.Spec.Template.Spec.Containers[0].Args {
if flag == "--web.listen-address=127.0.0.1:9093" {
found = true
}
}
if !found {
t.Fatal("Alertmanager not listening on loopback when it should.")
}
if sset.Spec.Template.Spec.Containers[0].ReadinessProbe != nil {
t.Fatal("Alertmanager readiness probe expected to be empty")
}
if sset.Spec.Template.Spec.Containers[0].LivenessProbe != nil {
t.Fatal("Alertmanager readiness probe expected to be empty")
}
if len(sset.Spec.Template.Spec.Containers[0].Ports) != 1 {
t.Fatal("Alertmanager container should only have one port defined")
}
}
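Review bot: The failure message on the liveness-probe check says "readiness probe" (copied from the check just above it); it should read `t.Fatal("Alertmanager liveness probe expected to be empty")`. The flag assertion looks for `--web.listen-address=127.0.0.1:9093` while the statefulset hunk appends the single-dash `-web.listen-address=127.0.0.1:9093`, so the test presumably depends on a version-dependent dash prefix applied outside this diff; a one-line comment at the assertion naming that dependency would keep the coupling visible. Only the ListenLocal=true path is exercised here; the default path (probes present, two ports) and Spec.Containers injection have no test.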


@ -304,11 +304,31 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
Format: "",
},
},
"listenLocal": {
SchemaProps: spec.SchemaProps{
Description: "ListenLocal makes the Alertmanager server listen on loopback, so that it does not bind against the Pod IP. Note this is only for the Alertmanager UI, not the gossip communication.",
Type: []string{"boolean"},
Format: "",
},
},
"containers": {
SchemaProps: spec.SchemaProps{
Description: "Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to an Alertmanager pod.",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/api/core/v1.Container"),
},
},
},
},
},
},
},
},
Dependencies: []string{
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.Container", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
},
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.AlertmanagerStatus": {
Schema: spec.Schema{
@ -829,11 +849,31 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
Ref: ref("k8s.io/api/core/v1.PodSecurityContext"),
},
},
"listenLocal": {
SchemaProps: spec.SchemaProps{
Description: "ListenLocal makes the Prometheus server listen on loopback, so that it does not bind against the Pod IP.",
Type: []string{"boolean"},
Format: "",
},
},
"containers": {
SchemaProps: spec.SchemaProps{
Description: "Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to a Prometheus pod.",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/api/core/v1.Container"),
},
},
},
},
},
},
},
},
Dependencies: []string{
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.AlertingSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.RemoteReadSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.RemoteWriteSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.AlertingSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.RemoteReadSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.RemoteWriteSpec", "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.Container", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
},
"github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.PrometheusStatus": {
Schema: spec.Schema{


@ -126,6 +126,12 @@ type PrometheusSpec struct {
// This defaults to non root user with uid 1000 and gid 2000 for Prometheus >v2.0 and
// default PodSecurityContext for other versions.
SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"`
// ListenLocal makes the Prometheus server listen on loopback, so that it
// does not bind against the Pod IP.
ListenLocal bool `json:"listenLocal,omitempty"`
// Containers allows injecting additional containers. This is meant to
// allow adding an authentication proxy to a Prometheus pod.
Containers []v1.Container `json:"containers,omitempty"`
}
// Most recent observed status of the Prometheus cluster. Read-only. Not
@ -418,6 +424,13 @@ type AlertmanagerSpec struct {
// ServiceAccountName is the name of the ServiceAccount to use to run the
// Prometheus Pods.
ServiceAccountName string `json:"serviceAccountName,omitempty"`
// ListenLocal makes the Alertmanager server listen on loopback, so that it
// does not bind against the Pod IP. Note this is only for the Alertmanager
// UI, not the gossip communication.
ListenLocal bool `json:"listenLocal,omitempty"`
// Containers allows injecting additional containers. This is meant to
// allow adding an authentication proxy to an Alertmanager pod.
Containers []v1.Container `json:"containers,omitempty"`
}
// A list of Alertmanagers.
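Review bot: The ListenLocal doc comments on both specs say only that the server binds loopback, but the statefulset changes in this commit also omit the `web` container port and the HTTP liveness/readiness probes when the field is set, which anyone wiring up an authentication proxy needs to know. Suggest extending both comments with a sentence such as `// When set, the web container port and the HTTP liveness/readiness probes are omitted, so the proxy container is responsible for exposing and health-checking the UI.` The Containers comments could likewise state that injected containers are appended to the same pod and therefore run under the pod's ServiceAccount and security context.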


@ -284,6 +284,13 @@ func (in *AlertmanagerSpec) DeepCopyInto(out *AlertmanagerSpec) {
(*in).DeepCopyInto(*out)
}
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]core_v1.Container, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
@ -625,6 +632,13 @@ func (in *PrometheusSpec) DeepCopyInto(out *PrometheusSpec) {
(*in).DeepCopyInto(*out)
}
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]core_v1.Container, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}


@ -394,6 +394,19 @@ func makeStatefulSetSpec(p monitoringv1.Prometheus, c *Config, ruleConfigMaps []
promArgs = append(promArgs, fmt.Sprintf("-log.level=%s", p.Spec.LogLevel))
}
var ports []v1.ContainerPort
if p.Spec.ListenLocal {
promArgs = append(promArgs, "-web.listen-address=127.0.0.1:9090")
} else {
ports = []v1.ContainerPort{
{
Name: "web",
ContainerPort: 9090,
Protocol: v1.ProtocolTCP,
},
}
}
if version.Major == 2 {
for i, a := range promArgs {
promArgs[i] = "-" + a
@ -505,6 +518,24 @@ func makeStatefulSetSpec(p monitoringv1.Prometheus, c *Config, ruleConfigMaps []
livenessProbeInitialDelaySeconds = 300
}
var livenessProbe *v1.Probe
var readinessProbe *v1.Probe
if !p.Spec.ListenLocal {
livenessProbe = &v1.Probe{
Handler: livenessProbeHandler,
InitialDelaySeconds: livenessProbeInitialDelaySeconds,
PeriodSeconds: 5,
TimeoutSeconds: probeTimeoutSeconds,
FailureThreshold: 10,
}
readinessProbe = &v1.Probe{
Handler: readinessProbeHandler,
TimeoutSeconds: probeTimeoutSeconds,
PeriodSeconds: 5,
FailureThreshold: 6,
}
}
podAnnotations := map[string]string{}
podLabels := map[string]string{}
if p.Spec.PodMetadata != nil {
@ -534,33 +565,16 @@ func makeStatefulSetSpec(p monitoringv1.Prometheus, c *Config, ruleConfigMaps []
Annotations: podAnnotations,
},
Spec: v1.PodSpec{
Containers: []v1.Container{
Containers: append([]v1.Container{
{
Name: "prometheus",
Image: fmt.Sprintf("%s:%s", p.Spec.BaseImage, p.Spec.Version),
Ports: []v1.ContainerPort{
{
Name: "web",
ContainerPort: 9090,
Protocol: v1.ProtocolTCP,
},
},
Args: promArgs,
VolumeMounts: promVolumeMounts,
LivenessProbe: &v1.Probe{
Handler: livenessProbeHandler,
InitialDelaySeconds: livenessProbeInitialDelaySeconds,
PeriodSeconds: 5,
TimeoutSeconds: probeTimeoutSeconds,
FailureThreshold: 10,
},
ReadinessProbe: &v1.Probe{
Handler: readinessProbeHandler,
TimeoutSeconds: probeTimeoutSeconds,
PeriodSeconds: 5,
FailureThreshold: 6,
},
Resources: p.Spec.Resources,
Name: "prometheus",
Image: fmt.Sprintf("%s:%s", p.Spec.BaseImage, p.Spec.Version),
Ports: ports,
Args: promArgs,
VolumeMounts: promVolumeMounts,
LivenessProbe: livenessProbe,
ReadinessProbe: readinessProbe,
Resources: p.Spec.Resources,
}, {
Name: "prometheus-config-reloader",
Image: c.PrometheusConfigReloader,
@ -573,7 +587,7 @@ func makeStatefulSetSpec(p monitoringv1.Prometheus, c *Config, ruleConfigMaps []
},
},
},
},
}, p.Spec.Containers...),
SecurityContext: securityContext,
ServiceAccountName: p.Spec.ServiceAccountName,
NodeSelector: p.Spec.NodeSelector,
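Review bot: With `ListenLocal` set, the hunk at `@ -505,6 +518,24 @@` leaves both `livenessProbe` and `readinessProbe` nil, so the kubelet will never restart a wedged Prometheus process and the Pod is reported Ready before Prometheus has loaded its configuration; the existing TCP/HTTP probes cannot reach a loopback-only listener, but an exec probe run inside the container can. I would keep both probes and only swap the handler for an `ExecAction` against `127.0.0.1:9090` when `p.Spec.ListenLocal` is true, reusing the probe paths the existing handlers already point at (the handlers are built above the hunk, so I could not confirm their type; the command also assumes the image ships an HTTP client such as wget, to be confirmed). The new test `TestListenLocal` pins the probes to nil (lines checking `ReadinessProbe != nil` / `LivenessProbe != nil`) and would need to assert on the exec handler instead. Separately, `append([]v1.Container{...}, p.Spec.Containers...)` in the last hunk does no name-collision check, so an injected container named `prometheus` or `prometheus-config-reloader` produces a PodSpec the API server rejects; a loop over `p.Spec.Containers` returning an error on a duplicate `Name` would surface that at reconcile time with a clear message. `makeStatefulSetSpec` starts and ends outside these hunks.
```go
var livenessProbe *v1.Probe
var readinessProbe *v1.Probe
if p.Spec.ListenLocal {
	// The kubelet cannot reach a loopback-only listener, so probe from
	// inside the container's network namespace instead of dropping the
	// probes. Assumes the image ships an HTTP client such as wget — confirm.
	livenessProbeHandler = v1.Handler{Exec: &v1.ExecAction{
		Command: []string{"sh", "-c", "wget -q -O /dev/null http://127.0.0.1:9090/<LIVENESS-PATH-PLACEHOLDER>"},
	}}
	readinessProbeHandler = v1.Handler{Exec: &v1.ExecAction{
		Command: []string{"sh", "-c", "wget -q -O /dev/null http://127.0.0.1:9090/<READINESS-PATH-PLACEHOLDER>"},
	}}
}
livenessProbe = &v1.Probe{
	Handler:             livenessProbeHandler,
	InitialDelaySeconds: livenessProbeInitialDelaySeconds,
	PeriodSeconds:       5,
	TimeoutSeconds:      probeTimeoutSeconds,
	FailureThreshold:    10,
}
readinessProbe = &v1.Probe{
	Handler:          readinessProbeHandler,
	TimeoutSeconds:   probeTimeoutSeconds,
	PeriodSeconds:    5,
	FailureThreshold: 6,
}
// … unchanged: pod annotations/labels, container list …
```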


@ -302,6 +302,40 @@ func TestMemoryRequestAdjustedWhenOnlyLimitGiven(t *testing.T) {
}
}
func TestListenLocal(t *testing.T) {
sset, err := makeStatefulSet(monitoringv1.Prometheus{
Spec: monitoringv1.PrometheusSpec{
ListenLocal: true,
},
}, nil, defaultTestConfig, []*v1.ConfigMap{})
if err != nil {
t.Fatalf("Unexpected error while making StatefulSet: %v", err)
}
found := false
for _, flag := range sset.Spec.Template.Spec.Containers[0].Args {
if flag == "--web.listen-address=127.0.0.1:9090" {
found = true
}
}
if !found {
t.Fatal("Prometheus not listening on loopback when it should.")
}
if sset.Spec.Template.Spec.Containers[0].ReadinessProbe != nil {
t.Fatal("Prometheus readiness probe expected to be empty")
}
if sset.Spec.Template.Spec.Containers[0].LivenessProbe != nil {
t.Fatal("Prometheus readiness probe expected to be empty")
}
if len(sset.Spec.Template.Spec.Containers[0].Ports) != 0 {
t.Fatal("Prometheus container should have 0 ports defined")
}
}
func makeConfigMap() *v1.ConfigMap {
res := &v1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{