feat: add prometheus exporters (particuleio#18)

- add prometheus-adapter - add prometheus-blackbox-exporter - add prometheus-cloudwatch-exporter Signed-off-by: Kevin Lefevre <[email protected]>
Clarifai · Mar 5, 2021 · 08993d2 · 08993d2
1 parent becf205
commit 08993d2
Show file tree

Hide file tree

Showing 12 changed files with 426 additions and 29 deletions.
diff --git a/README.md b/README.md
diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -56,6 +56,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | iam_assumable_role_kube-prometheus-stack_grafana | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
 | iam_assumable_role_kube-prometheus-stack_thanos | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
 | iam_assumable_role_loki-stack | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
+| iam_assumable_role_prometheus-cloudwatch-exporter | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
 | iam_assumable_role_thanos | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
 | iam_assumable_role_thanos-storegateway | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 3.0 |
 | kube-prometheus-stack_thanos_bucket | terraform-aws-modules/s3-bucket/aws | ~> 1.0 |
@@ -129,6 +130,9 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | npd | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
 | priority-class | Customize a priority class for addons | `any` | `{}` | no |
 | priority-class-ds | Customize a priority class for addons daemonsets | `any` | `{}` | no |
+| prometheus-adapter | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
+| prometheus-blackbox-exporter | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
+| prometheus-cloudwatch-exporter | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
 | promtail | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
 | sealed-secrets | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
 | strimzi-kafka-operator | Customize strimzi-kafka-operator chart, see `strimzi-kafka-operator.tf` for supported values | `any` | `{}` | no |

diff --git a/modules/aws/prometheus-adapter.tf b/modules/aws/prometheus-adapter.tf
@@ -0,0 +1 @@
+../../prometheus-adapter.tf
diff --git a/modules/aws/prometheus-blackbox-exporter.tf b/modules/aws/prometheus-blackbox-exporter.tf
@@ -0,0 +1 @@
+../../prometheus-blackbox-exporter.tf
diff --git a/modules/aws/prometheus-cloudwatch-exporter.tf b/modules/aws/prometheus-cloudwatch-exporter.tf
@@ -0,0 +1,148 @@
+locals {
+  prometheus-cloudwatch-exporter = merge(
+    local.helm_defaults,
+    {
+      name                      = "prometheus-cloudwatch-exporter"
+      namespace                 = "monitoring"
+      chart                     = "prometheus-cloudwatch-exporter"
+      repository                = "https://prometheus-community.github.io/helm-charts"
+      create_ns                 = false
+      enabled                   = false
+      chart_version             = "0.14.1"
+      default_network_policy    = true
+      service_account_name      = "prometheus-cloudwatch-exporter"
+      create_iam_resources_irsa = true
+      iam_policy_override       = null
+    },
+    var.prometheus-cloudwatch-exporter
+  )
+
+  values_prometheus-cloudwatch-exporter = <<-VALUES
+    serviceMonitor:
+      enabled: ${local.kube-prometheus-stack["enabled"]}
+    aws:
+      role: "${local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_iam_resources_irsa"] ? module.iam_assumable_role_prometheus-cloudwatch-exporter.this_iam_role_arn : ""}"
+    serviceAccount:
+      name: ${local.prometheus-cloudwatch-exporter["service_account_name"]}
+      annotations:
+        eks.amazonaws.com/role-arn: "${local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_iam_resources_irsa"] ? module.iam_assumable_role_prometheus-cloudwatch-exporter.this_iam_role_arn : ""}"
+    VALUES
+}
+
+module "iam_assumable_role_prometheus-cloudwatch-exporter" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "~> 3.0"
+  create_role                   = local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_iam_resources_irsa"]
+  role_name                     = "tf-${var.cluster-name}-${local.prometheus-cloudwatch-exporter["name"]}-irsa"
+  provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
+  role_policy_arns              = local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_iam_resources_irsa"] ? [aws_iam_policy.prometheus-cloudwatch-exporter[0].arn] : []
+  number_of_role_policy_arns    = 1
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.prometheus-cloudwatch-exporter["namespace"]}:${local.prometheus-cloudwatch-exporter["service_account_name"]}"]
+  tags                          = local.tags
+}
+
+resource "aws_iam_policy" "prometheus-cloudwatch-exporter" {
+  count  = local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_iam_resources_irsa"] ? 1 : 0
+  name   = "tf-${var.cluster-name}-${local.prometheus-cloudwatch-exporter["name"]}"
+  policy = local.prometheus-cloudwatch-exporter["iam_policy_override"] == null ? data.aws_iam_policy_document.prometheus-cloudwatch-exporter.json : local.prometheus-cloudwatch-exporter["iam_policy_override"]
+}
+
+data "aws_iam_policy_document" "prometheus-cloudwatch-exporter" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "cloudwatch:ListMetrics",
+      "cloudwatch:GetMetricStatistics",
+      "tag:GetResources"
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "kubernetes_namespace" "prometheus-cloudwatch-exporter" {
+  count = local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["create_ns"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.prometheus-cloudwatch-exporter["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.prometheus-cloudwatch-exporter["namespace"]
+  }
+}
+
+resource "helm_release" "prometheus-cloudwatch-exporter" {
+  count                 = local.prometheus-cloudwatch-exporter["enabled"] ? 1 : 0
+  repository            = local.prometheus-cloudwatch-exporter["repository"]
+  name                  = local.prometheus-cloudwatch-exporter["name"]
+  chart                 = local.prometheus-cloudwatch-exporter["chart"]
+  version               = local.prometheus-cloudwatch-exporter["chart_version"]
+  timeout               = local.prometheus-cloudwatch-exporter["timeout"]
+  force_update          = local.prometheus-cloudwatch-exporter["force_update"]
+  recreate_pods         = local.prometheus-cloudwatch-exporter["recreate_pods"]
+  wait                  = local.prometheus-cloudwatch-exporter["wait"]
+  atomic                = local.prometheus-cloudwatch-exporter["atomic"]
+  cleanup_on_fail       = local.prometheus-cloudwatch-exporter["cleanup_on_fail"]
+  dependency_update     = local.prometheus-cloudwatch-exporter["dependency_update"]
+  disable_crd_hooks     = local.prometheus-cloudwatch-exporter["disable_crd_hooks"]
+  disable_webhooks      = local.prometheus-cloudwatch-exporter["disable_webhooks"]
+  render_subchart_notes = local.prometheus-cloudwatch-exporter["render_subchart_notes"]
+  replace               = local.prometheus-cloudwatch-exporter["replace"]
+  reset_values          = local.prometheus-cloudwatch-exporter["reset_values"]
+  reuse_values          = local.prometheus-cloudwatch-exporter["reuse_values"]
+  skip_crds             = local.prometheus-cloudwatch-exporter["skip_crds"]
+  verify                = local.prometheus-cloudwatch-exporter["verify"]
+  values = [
+    local.values_prometheus-cloudwatch-exporter,
+    local.prometheus-cloudwatch-exporter["extra_values"]
+  ]
+  namespace = local.prometheus-cloudwatch-exporter["create_ns"] ? kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index] : local.prometheus-cloudwatch-exporter["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack
+  ]
+}
+
+resource "kubernetes_network_policy" "prometheus-cloudwatch-exporter_default_deny" {
+  count = local.prometheus-cloudwatch-exporter["create_ns"] && local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "prometheus-cloudwatch-exporter_allow_namespace" {
+  count = local.prometheus-cloudwatch-exporter["create_ns"] && local.prometheus-cloudwatch-exporter["enabled"] && local.prometheus-cloudwatch-exporter["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/modules/aws/variables-aws.tf b/modules/aws/variables-aws.tf
@@ -52,6 +52,12 @@ variable "eks" {
   default     = {}
 }
 
+variable "prometheus-cloudwatch-exporter" {
+  description = "Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values"
+  type        = any
+  default     = {}
+}
+
 variable "tags" {
   description = "Map of tags for AWS resources"
   type        = map(any)

diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
@@ -94,6 +94,8 @@ No Modules.
 | npd | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
 | priority-class | Customize a priority class for addons | `any` | `{}` | no |
 | priority-class-ds | Customize a priority class for addons daemonsets | `any` | `{}` | no |
+| prometheus-adapter | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
+| prometheus-blackbox-exporter | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
 | promtail | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
 | scaleway | Scaleway provider customization | `any` | `{}` | no |
 | sealed-secrets | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |

diff --git a/modules/scaleway/prometheus-adapter.tf b/modules/scaleway/prometheus-adapter.tf
@@ -0,0 +1 @@
+../../prometheus-adapter.tf
diff --git a/modules/scaleway/prometheus-blackbox-exporter.tf b/modules/scaleway/prometheus-blackbox-exporter.tf
@@ -0,0 +1 @@
+../../prometheus-blackbox-exporter.tf
diff --git a/prometheus-adapter.tf b/prometheus-adapter.tf
@@ -0,0 +1,108 @@
+locals {
+  prometheus-adapter = merge(
+    local.helm_defaults,
+    {
+      name                   = "prometheus-adapter"
+      namespace              = "monitoring"
+      chart                  = "prometheus-adapter"
+      repository             = "https://prometheus-community.github.io/helm-charts"
+      create_ns              = false
+      enabled                = false
+      chart_version          = "2.11.1"
+      default_network_policy = true
+    },
+    var.prometheus-adapter
+  )
+
+  values_prometheus-adapter = <<VALUES
+prometheus:
+  url: http://"${local.kube-prometheus-stack["name"]}-prometheus:9090".${local.kube-prometheus-stack["namespace"]}.svc
+VALUES
+
+}
+
+resource "kubernetes_namespace" "prometheus-adapter" {
+  count = local.prometheus-adapter["enabled"] && local.prometheus-adapter["create_ns"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.prometheus-adapter["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.prometheus-adapter["namespace"]
+  }
+}
+
+resource "helm_release" "prometheus-adapter" {
+  count                 = local.prometheus-adapter["enabled"] ? 1 : 0
+  repository            = local.prometheus-adapter["repository"]
+  name                  = local.prometheus-adapter["name"]
+  chart                 = local.prometheus-adapter["chart"]
+  version               = local.prometheus-adapter["chart_version"]
+  timeout               = local.prometheus-adapter["timeout"]
+  force_update          = local.prometheus-adapter["force_update"]
+  recreate_pods         = local.prometheus-adapter["recreate_pods"]
+  wait                  = local.prometheus-adapter["wait"]
+  atomic                = local.prometheus-adapter["atomic"]
+  cleanup_on_fail       = local.prometheus-adapter["cleanup_on_fail"]
+  dependency_update     = local.prometheus-adapter["dependency_update"]
+  disable_crd_hooks     = local.prometheus-adapter["disable_crd_hooks"]
+  disable_webhooks      = local.prometheus-adapter["disable_webhooks"]
+  render_subchart_notes = local.prometheus-adapter["render_subchart_notes"]
+  replace               = local.prometheus-adapter["replace"]
+  reset_values          = local.prometheus-adapter["reset_values"]
+  reuse_values          = local.prometheus-adapter["reuse_values"]
+  skip_crds             = local.prometheus-adapter["skip_crds"]
+  verify                = local.prometheus-adapter["verify"]
+  values = [
+    local.values_prometheus-adapter,
+    local.prometheus-adapter["extra_values"]
+  ]
+  namespace = local.prometheus-adapter["create_ns"] ? kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index] : local.prometheus-adapter["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack
+  ]
+}
+
+resource "kubernetes_network_policy" "prometheus-adapter_default_deny" {
+  count = local.prometheus-adapter["create_ns"] && local.prometheus-adapter["enabled"] && local.prometheus-adapter["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "prometheus-adapter_allow_namespace" {
+  count = local.prometheus-adapter["create_ns"] && local.prometheus-adapter["enabled"] && local.prometheus-adapter["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}