Add Openstack exporter

chart/Chart.yaml

@@ -15,7 +15,7 @@
 
 apiVersion: v2
 name: dnation-kubernetes-monitoring-stack
-version: 3.7.0
+version: 3.8.0
 appVersion: 2.7.1  # dnation-kubernetes-monitoring
 description: An umbrella helm chart for Kubernetes monitoring based on kube-prometheus-stack, thanos, loki, promtail and dnation-kubernetes-monitoring
 keywords:
@@ -65,6 +65,10 @@ dependencies:
   version: "9.1.*"
   repository: https://prometheus-community.github.io/helm-charts
   condition: prometheus-blackbox-exporter.enabled
+- name: prometheus-openstack-exporter
+  repository: oci://registry.scs.community/openstack-exporter
+  version: "0.4.5"
+  condition: prometheus-openstack-exporter.enabled
 icon: https://cdn.ifne.eu/public/icons/dnation_k8sm8g.png
 maintainers:
 - name: dNation

chart/values.yaml

@@ -668,3 +668,13 @@ loki-distributed:
       aws:
         s3: "s3://access_key:secret_access_key@custom_endpoint/bucket_name"
         s3forcepathstyle: true  # set to 'false' to enable virtual-hosted-style URLs
+
+prometheus-openstack-exporter:
+
+  ## Set to to true if you want to use Openstack exporter
+  enabled: false
+
+  ## Disable OpenStack exporter multicloud mode
+  ##
+  multicloud:
+    enabled: false

docs/iaas.md

@@ -29,25 +29,71 @@ the [k3s guide](k3s.md).
 
 #### Prometheus metrics and alerts
 
-The [OpenStack exporter for Prometheus](https://github.com/openstack-exporter) could be deployed using the [openstack-exporter-helm-chart](https://github.com/SovereignCloudStack/openstack-exporter-helm-charts).
+The [OpenStack exporter for Prometheus](https://github.com/openstack-exporter) can be enabled as a subchart, see [openstack-exporter-helm-chart](https://github.com/SovereignCloudStack/openstack-exporter-helm-charts).
+
 This exporter contains a bunch of [Prometheus alerts and rules](https://github.com/SovereignCloudStack/openstack-exporter-helm-charts/blob/master/charts/prometheus-openstack-exporter/templates/prometheusrule.yaml)
 that are deployed together with the exporter.
 Visit the `helpers/iaas/openstack-exporter-values.yaml` file to validate the Helm configuration options.
 Ensure valid OpenStack API credentials are set under the `clouds_yaml_config` section. This **MUST** be overridden!
 
-```bash
-helm upgrade --install prometheus-openstack-exporter oci://registry.scs.community/openstack-exporter/prometheus-openstack-exporter \
-  --version 0.4.5 \
-  -f helpers/iaas/openstack-exporter-values.yaml # --set "endpoint_type=public" --set "serviceMonitor.scrapeTimeout=1m"
-```
-
 Tip: If you want to test the exporter basic functionality with **public** OpenStack API, configure `endpoint_type`
-to `public` (`--set "endpoint_type=public"`). Note that configuring `endpoint_type` as `public` will result in
+to `public`. Note that configuring `endpoint_type` as `public` will result in
 incomplete functionality for the Grafana dashboard.
 
 Tip: Requesting and collecting metrics from the OpenStack API can be time-consuming, especially if the API is not
 performing well. In such cases, you may observe timeouts on the Prometheus server when it tries to fetch OpenStack
-metrics. To mitigate this, consider increasing the scrape interval to e.g. 1 minute (`--set "serviceMonitor.scrapeTimeout=1m"`).
+metrics. To mitigate this, consider increasing the scrape interval to e.g. 1 minute.
+
+#### SSL Certificates
+If you use a private CA to communicate with Openstack API, a secret containing certificates must be deployed in the same namespace
+as dNation k8s Monitoring Stack. 
+```yaml
+apiVersion: v1
+data:
+  ca.crt: <CA CERT BASE64>
+  tls.crt: <CERT BASE64>
+  tls.key: <KEY BASE64>
+kind: Secret
+metadata:
+  name: openstack-ca
+
+```
+This secret must be then mounted by openstack exporter, see example values below.
+
+```yaml
+# Example values.yaml for enabling openstack exporter
+prometheus-openstack-exporter:
+  enabled: true
+  commonLabels:
+    release: monitoring
+  serviceMonitor:
+    scrapeTimeout: "1m"
+  # endpoint_type: "public"
+  clouds_yaml_config: |
+    clouds.yaml: |
+        clouds:
+          default:
+            auth:
+            auth_url: <REPLACE_ME>
+            application_credential_id: <REPLACE_ME>
+            application_credential_secret: <REPLACE_ME>
+            region_name: <REPLACE_ME>
+            identity_api_version: 3
+            auth_type: "v3applicationcredential"
+            key: "/etc/ssl/certs/openstack-ca/tls.key"
+            cert: "/etc/ssl/certs/openstack-ca/tls.crt"
+            cacert: "/etc/ssl/certs/openstack-ca/ca.crt"
+## Secret containg SSL certificates for internal openstack API
+  extraVolumes:
+  - name: openstack-ca
+    secret:
+      secretName: openstack-ca
+
+  extraVolumeMounts:
+  - mountPath: /etc/ssl/certs/openstack-ca
+    name: openstack-ca
+```
+
 
 #### Grafana dashboards
 

helpers/iaas/openstack-ca.yaml

@@ -0,0 +1,10 @@
+## An examplesecret for Openstack internal API certs
+## deploy to the same namespace as k8s-monitoring-stack
+apiVersion: v1
+data:
+  ca.crt: <CA CERT BASE64>
+  tls.crt: <CERT BASE64>
+  tls.key: <KEY BASE64>
+kind: Secret
+metadata:
+  name: openstack-ca

helpers/iaas/openstack-exporter-values.yaml

@@ -1,26 +1,47 @@
 ---
-## Disable OpenStack exporter multicloud mode
-##
-multicloud:
-  enabled: false
+prometheus-openstack-exporter:
+  enabled: true
 
 ##  Label OpenStack exporter ServiceMonitor (and others) resource.
 ##  This ensures that Kubernetes monitoring's Prometheus discovers the OpenStack exporter ServiceMonitor
 ##
-commonLabels:
-  release: kubernetes-monitoring-servicemonitor
+  commonLabels:
+    release: monitoring
+
+## Optional: use public endpoint type e.g. if you want to test connectivity
+##    WARNING: if you use Grafana dashboard https://grafana.com/grafana/dashboards/21085.
+##      it will be incomplete
+##
+#   endpoint_type: "public"
+
+## Optional: Mittigate timeouts on Prometheus
+#   serviceMonitor:
+#     scrapeTimeout: "1m"
 
 ## OpenStack API access configuration
 ## Doc: https://github.com/openstack-exporter/openstack-exporter#openstack-configuration
 ##
-clouds_yaml_config: |
-  clouds.yaml: |
-      clouds:
-        default:
-          auth:
-            auth_url: <REPLACE_ME>
-            application_credential_id: <REPLACE_ME>
-            application_credential_secret: <REPLACE_ME>
-          region_name: <REPLACE_ME>
-          identity_api_version: 3
-          auth_type: "v3applicationcredential"
+
+  clouds_yaml_config: |
+    clouds.yaml: |
+        clouds:
+          default:
+            auth:
+              auth_url: <REPLACE_ME>
+              application_credential_id: <REPLACE_ME>
+              application_credential_secret: <REPLACE_ME>
+            region_name: <REPLACE_ME>
+            identity_api_version: 3
+            auth_type: "v3applicationcredential"
+            key: "/etc/ssl/certs/openstack-ca/tls.key"
+            cert: "/etc/ssl/certs/openstack-ca/tls.crt"
+            cacert: "/etc/ssl/certs/openstack-ca/ca.crt"
+## Secret containg SSL certificates for internal openstack API
+  extraVolumes:
+  - name: openstack-ca
+    secret:
+      secretName: openstack-ca
+
+  extraVolumeMounts:
+  - mountPath: /etc/ssl/certs/openstack-ca
+    name: openstack-ca