feat(chart): add servicemonitor (#2335)

Signed-off-by: Steve Hipwell <[email protected]>

Author: stevehipwell

helm/aws-load-balancer-controller/README.md

@@ -72,12 +72,27 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the webhook service
+*/}}
+{{- define "aws-load-balancer-controller.webhookService" -}}
+{{- printf "%s-webhook-service" (include "aws-load-balancer-controller.namePrefix" .) -}}
+{{- end -}}
+
+{{/*
+Create the name of the webhook cert secret
+*/}}
+{{- define "aws-load-balancer-controller.webhookCertSecret" -}}
+{{- printf "%s-tls" (include "aws-load-balancer-controller.namePrefix" .) -}}
+{{- end -}}
+
 {{/*
 Generate certificates for webhook
 */}}
-{{- define "aws-load-balancer-controller.webhook-certs" -}}
-{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" $namePrefix) -}}
+{{- define "aws-load-balancer-controller.webhookCerts" -}}
+{{- $serviceName := (include "aws-load-balancer-controller.webhookService" .) -}}
+{{- $secretName := (include "aws-load-balancer-controller.webhookCertSecret" .) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
 {{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
 caCert: {{ .Values.webhookTLS.caCert | b64enc }}
 clientCert: {{ .Values.webhookTLS.cert | b64enc }}
@@ -87,9 +102,9 @@ caCert: {{ index $secret.data "ca.crt" }}
 clientCert: {{ index $secret.data "tls.crt" }}
 clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $altNames := list ( printf "%s-%s.%s" $namePrefix "webhook-service" .Release.Namespace ) ( printf "%s-%s.%s.svc" $namePrefix "webhook-service" .Release.Namespace ) -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.cluster.local" $serviceName .Release.Namespace) -}}
 {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
-{{- $cert := genSignedCert ( include "aws-load-balancer-controller.fullname" . ) nil $altNames 3650 $ca -}}
+{{- $cert := genSignedCert (include "aws-load-balancer-controller.fullname" .) nil $altNames 3650 $ca -}}
 caCert: {{ $ca.Cert | b64enc }}
 clientCert: {{ $cert.Cert | b64enc }}
 clientKey: {{ $cert.Key | b64enc }}
@@ -99,6 +114,6 @@ clientKey: {{ $cert.Key | b64enc }}
 {{/*
 Convert map to comma separated key=value string
 */}}
-{{- define "aws-load-balancer-controller.convert-map-to-csv" -}}
+{{- define "aws-load-balancer-controller.convertMapToCsv" -}}
 {{- range $key, $value := . -}} {{ $key }}={{ $value }}, {{- end -}}
 {{- end -}}

helm/aws-load-balancer-controller/templates/_helpers.tpl

@@ -37,7 +37,7 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: {{ template "aws-load-balancer-controller.namePrefix" . }}-tls
+          secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
       {{- with .Values.extraVolumes }}
       {{ toYaml . | nindent 6 }}
       {{- end }}
@@ -120,7 +120,7 @@ spec:
         - --external-managed-tags={{ join "," .Values.externalManagedTags }}
         {{- end }}
         {{- if .Values.defaultTags }}
-        - --default-tags={{ include "aws-load-balancer-controller.convert-map-to-csv" .Values.defaultTags | trimSuffix "," }}
+        - --default-tags={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.defaultTags | trimSuffix "," }}
         {{- end }}
         {{- if kindIs "bool" .Values.enableEndpointSlices }}
         - --enable-endpoint-slices={{ .Values.enableEndpointSlices }}

helm/aws-load-balancer-controller/templates/deployment.yaml

@@ -1,17 +1,41 @@
+{{- if.Values.serviceMonitor.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service
+  name: {{ template "aws-load-balancer-controller.fullname" . }}
   namespace: {{ .Release.Namespace }}
   {{- with .Values.serviceAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
-{{ include "aws-load-balancer-controller.labels" . | indent 4 }}
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 8080
+      name: metrics-server
+      targetPort: metrics-server
+  selector:
+    {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }}
+---
+{{- end }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "aws-load-balancer-controller.webhookService" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.serviceAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+    app.kubernetes.io/component: webhook
+    prometheus.io/service-monitor: "false"
 spec:
   ports:
   - port: 443
+    name: webhook-server
     targetPort: webhook-server
   selector:
     {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }}

helm/aws-load-balancer-controller/templates/service.yaml

@@ -0,0 +1,30 @@
+{{- if.Values.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "aws-load-balancer-controller.fullname" . }}
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  jobLabel: {{ .Release.Name }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
+    matchExpressions:
+      - key: prometheus.io/service-monitor
+        operator: NotIn
+        values:
+          - "false"
+  endpoints:
+    - port: metrics-server
+      path: /metrics
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+{{- end -}}

helm/aws-load-balancer-controller/templates/servicemonitor.yaml

@@ -1,4 +1,4 @@
-{{ $tls := fromYaml ( include "aws-load-balancer-controller.webhook-certs" . ) }}
+{{ $tls := fromYaml ( include "aws-load-balancer-controller.webhookCerts" . ) }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -14,7 +14,7 @@ webhooks:
 - clientConfig:
     caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
     service:
-      name: {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service
+      name: {{ template "aws-load-balancer-controller.webhookService" . }}
       namespace: {{ $.Release.Namespace }}
       path: /mutate-v1-pod
   failurePolicy: Fail
@@ -53,7 +53,7 @@ webhooks:
 - clientConfig:
     caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
     service:
-      name: {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service
+      name: {{ template "aws-load-balancer-controller.webhookService" . }}
       namespace: {{ $.Release.Namespace }}
       path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding
   failurePolicy: Fail
@@ -86,7 +86,7 @@ webhooks:
 - clientConfig:
     caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
     service:
-      name: {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service
+      name: {{ template "aws-load-balancer-controller.webhookService" . }}
       namespace: {{ $.Release.Namespace }}
       path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
   failurePolicy: Fail
@@ -107,7 +107,7 @@ webhooks:
 - clientConfig:
     caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
     service:
-      name: {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service
+      name: {{ template "aws-load-balancer-controller.webhookService" . }}
       namespace: {{ $.Release.Namespace }}
       path: /validate-networking-v1-ingress
   failurePolicy: Fail
@@ -131,7 +131,7 @@ webhooks:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "aws-load-balancer-controller.namePrefix" . }}-tls
+  name: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
   namespace: {{ .Release.Namespace }}
   labels:
 {{ include "aws-load-balancer-controller.labels" . | indent 4 }}
@@ -154,12 +154,12 @@ metadata:
 {{ include "aws-load-balancer-controller.labels" . | indent 4 }}
 spec:
   dnsNames:
-  - {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service.{{ .Release.Namespace }}.svc
-  - {{ template "aws-load-balancer-controller.namePrefix" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc
+  - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
-  secretName: {{ template "aws-load-balancer-controller.namePrefix" . }}-tls
+  secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
 ---
 {{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
 apiVersion: cert-manager.io/v1

helm/aws-load-balancer-controller/templates/webhook.yaml

@@ -241,4 +241,12 @@ objectSelector:
   #   values:
   #   - <value>
   matchLabels:
-  #   key: value
+  #   key: value
+
+serviceMonitor:
+  # Specifies whether a service monitor should be created
+  enabled: false
+  # Labels to add to the service account
+  additionalLabels: {}
+  # Prometheus scrape interval
+  interval: 1m