From efd2f446d95b9e8e027545ed097b4f214668faab Mon Sep 17 00:00:00 2001 From: QuentinBisson Date: Tue, 17 Oct 2023 11:57:50 +0200 Subject: [PATCH] Simplify observability configuration for customers Signed-off-by: QuentinBisson --- CHANGELOG.md | 9 + helm/observability-bundle/Chart.yaml | 2 +- helm/observability-bundle/templates/apps.yaml | 46 +-- .../prometheus-agent-extraconfig.yaml | 10 - .../prometheus-operator-extraconfig.yaml | 50 ---- .../templates/promtail-extraconfig.yaml | 18 -- helm/observability-bundle/values.schema.json | 276 +++++++++++++++--- helm/observability-bundle/values.yaml | 100 ++++--- 8 files changed, 330 insertions(+), 181 deletions(-) delete mode 100644 helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml delete mode 100644 helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml delete mode 100644 helm/observability-bundle/templates/promtail-extraconfig.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e12572..348f55a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add `grafana-agent-app` to `observability-bundle`. +### Changed + +- *!Breaking change*: Simplify configuration for the bundled apps + - Move all user configs from under `apps.appName.userConfig` from string to regular helm values to `appName.userConfig` + - Rename `prometheus-operator-app` to `kube-prometheus-stack` + - Rename `promtail-app` to `promtail` +- Enforce `Cilium Network Policy` by default. +- Enforce `Pod Security Standard` by default. + ## [0.8.9] - 2023-10-18 ### Fixed diff --git a/helm/observability-bundle/Chart.yaml b/helm/observability-bundle/Chart.yaml index 949342f..ae163ac 100644 --- a/helm/observability-bundle/Chart.yaml +++ b/helm/observability-bundle/Chart.yaml 
@@ -5,7 +5,7 @@ home: https://github.com/giantswarm/observability-bundle kubeVersion: ">=1.19.0-0" sources: - https://github.com/giantswarm/observability-bundle -version: 0.8.9 +version: 1.0.0 annotations: application.giantswarm.io/app-type: bundle application.giantswarm.io/in-cluster-app: "true" diff --git a/helm/observability-bundle/templates/apps.yaml b/helm/observability-bundle/templates/apps.yaml index 65af828..cb73409 100644 --- a/helm/observability-bundle/templates/apps.yaml +++ b/helm/observability-bundle/templates/apps.yaml @@ -1,6 +1,6 @@ {{- range $key, $value := .Values.apps }} {{- $appName := include "app.name" (dict "app" .appName "cluster" $.Values.clusterID "ns" $.Release.Namespace) }} -{{- if .enabled }} +{{- if and .enabled $appName }} --- apiVersion: application.giantswarm.io/v1alpha1 kind: App @@ -16,7 +16,6 @@ metadata: {{- end }} {{- end }} labels: - app.kubernetes.io/name: {{ .appName }} {{- include "labels.common" $ | nindent 4 }} name: {{ $appName }} namespace: {{ $.Release.Namespace }} @@ -30,7 +29,7 @@ spec: namespace: {{ $.Release.Namespace }} {{- end }} install: - skipCRDs: {{.skipCRDs | default false }} + skipCRDs: {{ .skipCRDs | default false }} timeout: 10m upgrade: timeout: 10m 
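Review bot: In the apps.yaml hunk `@@ -1,6 +1,6 @@`, `{{- if and .enabled $appName }}` silently drops an App whose `app.name` helper renders empty, so an entry that is `enabled: true` (kube-prometheus-stack, for instance) can vanish from the release with no error. If an empty name is never expected, failing the render is the safer default, e.g. `{{- if and .enabled (not $appName) }}{{ fail (printf "apps.%s: app.name rendered empty" $key) }}{{- end }}` placed just before the guard. If it is intentional (a way to opt an entry out), a one-line comment above the guard saying so would spare the next reader the question. The `range` this guard sits in opens in this hunk; its closing `end` is in the last hunk of the file.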
@@ -51,57 +50,62 @@ spec: version: {{ .version }} {{- if .extraConfigs }} extraConfigs: - {{- range $extraConfig := .extraConfigs }} - - kind: {{ $extraConfig.kind }} - name: {{ tpl $extraConfig.name $ }} - namespace: {{ tpl $extraConfig.namespace $ }} - {{- if $extraConfig.priority }} - priority: {{ $extraConfig.priority }} + {{- range $extraConfig := .extraConfigs }} + - kind: {{ $extraConfig.kind }} + name: {{ tpl $extraConfig.name $ }} + namespace: {{ tpl $extraConfig.namespace $ }} + {{- if $extraConfig.priority }} + priority: {{ $extraConfig.priority }} + {{- end }} {{- end }} {{- end }} - {{- end }} - {{- if .userConfig }} - {{- if or .userConfig.configMap .userConfig.secret }} + {{- if $.Values.userConfig }} + {{- with (get $.Values.userConfig $key) }} + {{- if or .configMap .secret }} userConfig: - {{- if .userConfig.configMap }} + {{- if .configMap }} configMap: name: {{ $appName }}-user-values namespace: {{ $.Release.Namespace }} {{- end }} - {{- if .userConfig.secret }} + {{- if .secret }} secret: name: {{ $appName }}-user-secrets namespace: {{ $.Release.Namespace }} {{- end }} {{- end }} {{- end }} + {{- end }} {{- end }} -{{- if .userConfig }} -{{- if .userConfig.configMap }} + +{{- if $.Values.userConfig }} +{{- with (get $.Values.userConfig $key) }} +{{- if ((.configMap).values) }} --- apiVersion: v1 kind: ConfigMap metadata: labels: - app.kubernetes.io/name: {{ .appName }} {{- include "labels.common" $ | nindent 4 }} name: {{ $appName }}-user-values namespace: {{ $.Release.Namespace }} data: - {{- (tpl (.userConfig.configMap | toYaml | toString) $) | nindent 2 }} + values: | + {{- (tpl (.configMap.values | toYaml | toString) $) | nindent 4 }} {{- end }} -{{- if .userConfig.secret }} +{{- if ((.secret).values) }} --- apiVersion: v1 kind: Secret metadata: labels: - app.kubernetes.io/name: {{ .appName }} {{- include "labels.common" $ | nindent 4 }} name: {{ $appName }}-user-secrets namespace: {{ $.Release.Namespace }} stringData: - {{- (tpl 
(.userConfig.secret | toYaml | toString) $) | nindent 2 }} + values: | + {{- (tpl (.secret.values | toYaml | toString) $) | nindent 4 }} {{- end }} {{- end }} {{- end }} +{{- end -}} diff --git a/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml b/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml deleted file mode 100644 index 4358354..0000000 --- a/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - values: | - prometheus-agent: - psp: - enabled: {{ not .Values.global.podSecurityStandards.enforced }} -kind: ConfigMap -metadata: - name: "{{ $.Values.clusterID }}-prometheus-agent-extraconfig" - namespace: "{{ $.Release.Namespace }}" diff --git a/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml b/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml deleted file mode 100644 index a519856..0000000 --- a/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml +++ /dev/null 
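Review bot: The reference and creation conditions in this hunk disagree: the App's `userConfig:` block is emitted under `{{- if or .configMap .secret }}`, but the ConfigMap and Secret objects are only rendered under `{{- if ((.configMap).values) }}` / `{{- if ((.secret).values) }}`, so a `userConfig.<app>.configMap` map with any key other than `values` makes the App reference a `<app>-user-values` object that is never created. Using the same test on both sides, `{{- if or ((.configMap).values) ((.secret).values) }}` with matching `{{- if (.configMap).values }}` / `{{- if (.secret).values }}` inner checks, closes the gap. The ConfigMap/Secret section also sits after the `{{- end }}` that closes the new `and .enabled $appName` guard, so those objects are still rendered for a disabled app and for an empty `$appName` (yielding a `-user-values` name); wrapping that section in the same `{{- if and .enabled $appName }}` would keep the two in step. Both `values: |` bodies are passed through `tpl`, so any `{{` inside customer-supplied values is evaluated as chart template text (promtail pipeline `template` stages use that syntax); if that is intended, a comment on the two `tpl` lines stating it would help. The surrounding `range` begins in the first hunk of this file.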
@@ -1,50 +0,0 @@ -apiVersion: v1 -data: - values: | - {{- if .Values.global.podSecurityStandards.enforced }} - global: - rbac: - pspEnabled: false - {{- end }} - prometheus-operator-app: - defaultRules: - create: false - alertmanager: - enabled: false - grafana: - enabled: false - {{- if .Values.global.podSecurityStandards.enforced }} - rbac: - pspEnabled: false - {{- end }} - {{- if or .Values.global.podSecurityStandards.enforced .Values.ciliumNetworkPolicy.enabled }} - kube-state-metrics: - {{- if .Values.global.podSecurityStandards.enforced }} - podSecurityPolicy: - enabled: false - {{- end }} - {{- if .Values.ciliumNetworkPolicy.enabled }} - networkPolicy: - flavor: cilium - {{- end }} - {{- end }} - {{- if .Values.global.podSecurityStandards.enforced }} - prometheus-node-exporter: - rbac: - pspEnabled: false - {{- end }} - prometheus: - enabled: false - {{- if .Values.ciliumNetworkPolicy.enabled }} - prometheusOperator: - networkPolicy: - flavor: cilium - matchLabels: - app.kubernetes.io/instance: prometheus-operator-app - app.kubernetes.io/part-of: prometheus-operator-app - application.giantswarm.io/team: atlas - {{- end }} -kind: ConfigMap -metadata: - name: "{{ $.Values.clusterID }}-prometheus-operator" - namespace: "{{ $.Release.Namespace }}" diff --git a/helm/observability-bundle/templates/promtail-extraconfig.yaml b/helm/observability-bundle/templates/promtail-extraconfig.yaml deleted file mode 100644 index df60393..0000000 --- a/helm/observability-bundle/templates/promtail-extraconfig.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -data: - values: | - ciliumNetworkPolicy: - enabled: {{ .Values.ciliumNetworkPolicy.enabled }} - promtail: - {{- if .Values.global.podSecurityStandards.enforced }} - rbac: - pspEnabled: false - {{- end }} - {{- if not .Values.ciliumNetworkPolicy.enabled }} - networkPolicy: - enabled: true - {{- end }} -kind: ConfigMap -metadata: - name: "{{ $.Values.clusterID }}-promtail-app-extraconfig" - namespace: "{{ $.Release.Namespace }}" diff --git a/helm/observability-bundle/values.schema.json b/helm/observability-bundle/values.schema.json index 30dbdaf..01edec2 100644 --- a/helm/observability-bundle/values.schema.json +++ b/helm/observability-bundle/values.schema.json @@ -5,7 +5,7 @@ "apps": { "type": "object", "properties": { - "prometheus-agent": { + "grafanaAgent": { "type": "object", "properties": { "appName": { @@ -17,9 +17,6 @@ "chartName": { "type": "string" }, - "dependsOn": { - "type": "string" - }, "enabled": { "type": "boolean" }, @@ -43,15 +40,41 @@ "namespace": { "type": "string" }, - "userConfig": { - "type": "object" + "version": { + "type": "string" + } + } + }, + "kubePrometheusStack": { + "type": "object", + "properties": { + "appName": { + "type": "string" + }, + "catalog": { + "type": "string" + }, + "chartName": { + "type": "string" + }, + "dependsOn": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "namespace": { + "type": "string" + }, + "skipCRDs": { + "type": "boolean" }, "version": { "type": "string" } } }, - "prometheus-operator-app": { + "prometheusAgent": { "type": "object", "properties": { "appName": { @@ -89,18 +112,12 @@ "namespace": { "type": "string" }, - "skipCRDs": { - "type": "boolean" - }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } } }, - "prometheus-operator-crd": { + "prometheusOperatorCrd": { "type": "object", "properties": { "appName": { 
@@ -115,21 +132,15 @@ "enabled": { "type": "boolean" }, - "extraConfigs": { - "type": "array" - }, "namespace": { "type": "string" }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } } }, - "promtail-app": { + "promtail": { "type": "object", "properties": { "appName": { @@ -164,9 +175,6 @@ "namespace": { "type": "string" }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } 
@@ -174,32 +182,222 @@ } } }, - "ciliumNetworkPolicy": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, "clusterID": { "type": "string" }, - "global": { + "organization": { + "type": "string" + }, + "userConfig": { "type": "object", "properties": { - "podSecurityStandards": { + "kubePrometheusStack": { "type": "object", "properties": { - "enforced": { - "type": "boolean" + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object", + "properties": { + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "kube-prometheus-stack": { + "type": "object", + "properties": { + "alertmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "defaultRules": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "grafana": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "kube-state-metrics": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "flavor": { + "type": "string" + } + } + }, + "podSecurityPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + }, + "prometheus": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "prometheus-node-exporter": { + "type": "object", + "properties": { + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "prometheusOperator": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "flavor": { + "type": "string" + }, + "matchLabels": { + "type": "object", + "properties": { + "app.kubernetes.io/instance": { + "type": 
"string" + }, + "app.kubernetes.io/part-of": { + "type": "string" + }, + "application.giantswarm.io/team": { + "type": "string" + } + } + } + } + } + } + } + } + } + } + } + } + } + } + }, + "prometheusAgent": { + "type": "object", + "properties": { + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "prometheus-agent": { + "type": "object", + "properties": { + "psp": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + } + } + } + } + } + } + }, + "promtail": { + "type": "object", + "properties": { + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "ciliumNetworkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "promtail": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + } + } + } + } } } } } - }, - "organization": { - "type": "string" } } } diff --git a/helm/observability-bundle/values.yaml b/helm/observability-bundle/values.yaml index 6c52f38..a8571b0 100644 --- a/helm/observability-bundle/values.yaml +++ b/helm/observability-bundle/values.yaml 
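Review bot: The new `userConfig` schema describes only a `configMap` property under each app, while templates/apps.yaml in this same patch also reads `userConfig.<app>.secret.values`; adding a `secret` object with a `values` property beside each `configMap` would document the second path and let Helm's schema validation cover it. The nested per-key listing (`pspEnabled`, `flavor`, `matchLabels`, …) mirrors the shipped defaults but, with no `additionalProperties` set, it neither restricts nor fully describes what customers may pass through to the upstream charts, so a reader may assume those are the only accepted keys; a `"description"` on `userConfig` stating that the listed keys are the bundle defaults and that any upstream chart values are accepted would remove that ambiguity.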
@@ -1,15 +1,58 @@ clusterID: "" organization: "" -global: - podSecurityStandards: - enforced: false - -ciliumNetworkPolicy: - enabled: false +userConfig: + kubePrometheusStack: + configMap: + values: + global: + rbac: + pspEnabled: false + kube-prometheus-stack: + defaultRules: + create: false + alertmanager: + enabled: false + grafana: + enabled: false + rbac: + pspEnabled: false + kube-state-metrics: + podSecurityPolicy: + enabled: false + networkPolicy: + flavor: cilium + prometheus-node-exporter: + rbac: + pspEnabled: false + prometheus: + enabled: false + prometheusOperator: + networkPolicy: + flavor: cilium + matchLabels: + app.kubernetes.io/instance: kube-prometheus-stack + app.kubernetes.io/part-of: kube-prometheus-stack + application.giantswarm.io/team: atlas + prometheusAgent: + configMap: + values: + prometheus-agent: + psp: + enabled: false + promtail: + configMap: + values: + ciliumNetworkPolicy: + enabled: true + promtail: + rbac: + pspEnabled: false + networkPolicy: + enabled: false apps: - prometheus-operator-crd: + prometheusOperatorCrd: appName: prometheus-operator-crd chartName: prometheus-operator-crd catalog: default 
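Review bot: The new defaults disable PSP handling unconditionally (`pspEnabled: false`, `psp.enabled: false`, `podSecurityPolicy.enabled: false`) and hard-wire Cilium (`networkPolicy.flavor: cilium`, `ciliumNetworkPolicy.enabled: true`, `promtail.networkPolicy.enabled: false`), where the deleted extraconfig templates derived both from `global.podSecurityStandards.enforced` and `ciliumNetworkPolicy.enabled`. Chart.yaml in this patch still declares `kubeVersion: ">=1.19.0-0"`, which admits releases where PodSecurityPolicy admission may still be active, so on such a cluster these defaults would leave the bundled workloads without a PSP binding unless the customer re-enables it; if the bundle now targets PSS-only clusters, raising `kubeVersion` would make that explicit. On a non-Cilium cluster the promtail defaults likewise leave neither network policy flavour enabled, so a comment such as `# Defaults assume Cilium is the CNI and Pod Security Standards (not PSP) are enforced; override per app to change.` above `userConfig:` would document the contract customers are now expected to adjust.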
@@ -18,34 +61,20 @@ apps: # used by renovate # repo: giantswarm/prometheus-operator-crd version: 6.1.0 - # User values can be provided via a ConfigMap or Secret for each individual app - userConfig: {} - # a list of extraConfigs for the App, - # It can be secret or configmap - # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example - extraConfigs: [] - prometheus-operator-app: - appName: prometheus-operator-app - chartName: prometheus-operator-app + kubePrometheusStack: + appName: kube-prometheus-stack + chartName: kube-prometheus-stack catalog: default dependsOn: prometheus-operator-crd enabled: true namespace: kube-system skipCRDs: true # used by renovate - # repo: giantswarm/prometheus-operator-app - version: 6.2.1 - userConfig: {} - # a list of extraConfigs for the App, - # It can be secret or configmap - # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example - extraConfigs: - - kind: configMap - name: "{{ $.Values.clusterID }}-prometheus-operator" - namespace: "{{ $.Release.Namespace }}" + # repo: giantswarm/kube-prometheus-stack + version: 7.0.0 - prometheus-agent: + prometheusAgent: appName: prometheus-agent chartName: prometheus-agent catalog: default @@ -55,16 +84,10 @@ apps: # used by renovate # repo: giantswarm/prometheus-agent-app version: 0.6.5 - # User values can be provided via a ConfigMap or Secret for each individual app - # using the structure shown below. - userConfig: {} # a list of extraConfigs for the App, # It can be secret or configmap # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example extraConfigs: - - kind: configMap - name: "{{ $.Values.clusterID }}-prometheus-agent-extraconfig" - namespace: "{{ $.Release.Namespace }}" - kind: secret name: "{{ $.Values.clusterID }}-remote-write-secret" namespace: "{{ $.Release.Namespace }}" 
@@ -72,8 +95,8 @@ apps: name: "{{ $.Values.clusterID }}-remote-write-config" namespace: "{{ $.Release.Namespace }}" - promtail-app: - appName: promtail-app + promtail: + appName: promtail chartName: promtail catalog: giantswarm enabled: false @@ -81,8 +104,6 @@ apps: # used by renovate # repo: giantswarm/promtail-app version: 1.4.0 - # User values can be provided via a ConfigMap or Secret for each individual app - userConfig: {} # a list of extraConfigs for the App, # It can be secret or configmap # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example @@ -93,9 +114,6 @@ apps: - kind: configMap name: "{{ $.Values.clusterID }}-logging-config" namespace: "{{ $.Release.Namespace }}" - - kind: configMap - name: "{{ $.Values.clusterID }}-promtail-app-extraconfig" - namespace: "{{ $.Release.Namespace }}" grafanaAgent: appName: grafana-agent @@ -106,8 +124,6 @@ apps: # used by renovate # repo: giantswarm/grafana-agent-app version: 0.2.0 - # User values can be provided via a ConfigMap or Secret for each individual app - userConfig: {} # a list of extraConfigs for the App, # It can be secret or configmap # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example