update telemetry-collector with v2 flags
DanStough committed Sep 13, 2023
1 parent 5cdf731 commit 3fff705
Showing 4 changed files with 1,743 additions and 1 deletion.
@@ -1,4 +1,4 @@
{{- if .Values.telemetryCollector.enabled }}
{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }}
{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
379 changes: 379 additions & 0 deletions charts/consul/templates/telemetry-collector-v2-deployment.yaml
@@ -0,0 +1,379 @@
{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }}
{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
{{ template "consul.validateCloudSecretKeys" . }}
{{ template "consul.validateTelemetryCollectorCloud" . }}
{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-telemetry-collector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: consul-telemetry-collector
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.telemetryCollector.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: consul-telemetry-collector
template:
metadata:
annotations:
"consul.hashicorp.com/mesh-inject": "false"
# This annotation tells the pod controller that this pod was injected even though it wasn't. The
# endpoints controller would then sync the endpoint into Consul
"consul.hashicorp.com/mesh-inject-status": "injected"
# We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar
# to gateways
"consul.hashicorp.com/transparent-proxy": "false"
"consul.hashicorp.com/transparent-proxy-overwrite-probes": "false"
"consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }}
"consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }}
{{- if .Values.telemetryCollector.customExporterConfig }}
# configmap checksum
"consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }}
{{- end }}
# vault annotations
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}

labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: consul-telemetry-collector
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
spec:
# This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane
# to forward metrics to it.
serviceAccountName: consul-telemetry-collector
initContainers:
# We're manually managing this init container instead of using the mesh injector so that we don't run into
# any race conditions on the mesh-injector deployment or upgrade
- name: consul-mesh-init
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
value: {{ template "consul.fullname" . }}-k8s-auth-method
- name: CONSUL_LOGIN_META
value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }}
{{- if .Values.global.enableConsulNamespaces }}
- name: CONSUL_NAMESPACE
value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
{{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }}
- name: CONSUL_LOGIN_NAMESPACE
value: "default"
{{- else }}
- name: CONSUL_LOGIN_NAMESPACE
value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
{{- end }}
{{- end }}
command:
- /bin/sh
- -ec
- |-
consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \
-log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \
-log-json={{ .Values.global.logJSON }}
image: {{ .Values.global.imageK8S }}
imagePullPolicy: IfNotPresent
{{- if .Values.telemetryCollector.initContainer.resources }}
resources:
{{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }}
{{- else }}
resources:
limits:
cpu: 50m
memory: 150Mi
requests:
cpu: 50m
memory: 25Mi
{{- end }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /consul/mesh-inject
name: consul-mesh-inject-data
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
containers:
- name: consul-telemetry-collector
image: {{ .Values.telemetryCollector.image }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 9090
name: metrics
protocol: TCP
- containerPort: 9356
name: metricsserver
protocol: TCP
env:
# These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled.
# - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL,
# HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done.
# - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here
{{- if .Values.telemetryCollector.cloud.clientId.secretName }}
- name: HCP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.telemetryCollector.cloud.clientId.secretName }}
key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }}
{{- end }}
{{- if .Values.telemetryCollector.cloud.clientSecret.secretName }}
- name: HCP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }}
key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }}
{{- end}}
{{- if .Values.global.cloud.resourceId.secretName }}
- name: HCP_RESOURCE_ID
valueFrom:
secretKeyRef:
name: {{ .Values.global.cloud.resourceId.secretName }}
key: {{ .Values.global.cloud.resourceId.secretKey }}
{{- end }}
{{- if .Values.global.cloud.authUrl.secretName }}
- name: HCP_AUTH_URL
valueFrom:
secretKeyRef:
name: {{ .Values.global.cloud.authUrl.secretName }}
key: {{ .Values.global.cloud.authUrl.secretKey }}
{{- end}}
{{- if .Values.global.cloud.apiHost.secretName }}
- name: HCP_API_HOST
valueFrom:
secretKeyRef:
name: {{ .Values.global.cloud.apiHost.secretName }}
key: {{ .Values.global.cloud.apiHost.secretKey }}
{{- end}}
{{- if .Values.global.cloud.scadaAddress.secretName }}
- name: HCP_SCADA_ADDRESS
valueFrom:
secretKeyRef:
name: {{ .Values.global.cloud.scadaAddress.secretName }}
key: {{ .Values.global.cloud.scadaAddress.secretKey }}
{{- end}}
{{- if .Values.global.trustedCAs }}
- name: SSL_CERT_DIR
value: "/etc/ssl/certs:/trusted-cas"
{{- end }}
{{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }}
command:
- "/bin/sh"
- "-ec"
- |
{{- if .Values.global.trustedCAs }}
{{- range $i, $cert := .Values.global.trustedCAs }}
cat <<EOF > /trusted-cas/custom-ca-{{$i}}.pem
{{- $cert | nindent 10 }}
EOF
{{- end }}
{{- end }}
consul-telemetry-collector agent \
{{- if .Values.telemetryCollector.customExporterConfig }}
-config-file-path /consul/config/config.json \
{{ end }}
volumeMounts:
{{- if .Values.telemetryCollector.customExporterConfig }}
- name: config
mountPath: /consul/config
{{- end }}
{{- if .Values.global.trustedCAs }}
- name: trusted-cas
mountPath: /trusted-cas
readOnly: false
{{- end }}
resources:
{{- if .Values.telemetryCollector.resources }}
{{- toYaml .Values.telemetryCollector.resources | nindent 12 }}
{{- end }}
# consul-dataplane container
- name: consul-dataplane
image: "{{ .Values.global.imageConsulDataplane }}"
imagePullPolicy: IfNotPresent
command:
- consul-dataplane
args:
# addresses
{{- if .Values.externalServers.enabled }}
- -addresses={{ .Values.externalServers.hosts | first }}
{{- else }}
- -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc
{{- end }}
# grpc
{{- if .Values.externalServers.enabled }}
- -grpc-port={{ .Values.externalServers.grpcPort }}
{{- else }}
- -grpc-port=8502
{{- end }}
# tls
{{- if .Values.global.tls.enabled }}
{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }}
{{- if .Values.global.secretsBackend.vault.enabled }}
- -ca-certs=/vault/secrets/serverca.crt
{{- else }}
- -ca-certs=/consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}
- -tls-server-name={{.Values.externalServers.tlsServerName }}
{{- else if .Values.global.cloud.enabled }}
- -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}
{{- end }}
{{- else }}
- -tls-disabled
{{- end }}
# credentials
{{- if .Values.global.acls.manageSystemACLs }}
- -credential-type=login
- -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
- -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method
{{- if .Values.global.enableConsulNamespaces }}
{{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }}
- -login-namespace="default"
{{- else }}
- -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
{{- end }}
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- foo
- -login-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
{{- end }}
{{- if .Values.global.enableConsulNamespaces }}
- -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- -service-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
{{- if .Values.global.metrics.enabled }}
- -telemetry-prom-scrape-path=/metrics
{{- end }}
- -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }}
- -log-json={{ .Values.global.logJSON }}
- -envoy-concurrency=2
{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }}
- -server-watch-disabled=true
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: DP_PROXY_ID
value: $(POD_NAME)
- name: DP_CREDENTIAL_LOGIN_META1
value: pod=$(NAMESPACE)/$(POD_NAME)
- name: DP_CREDENTIAL_LOGIN_META2
value: component=consul-telemetry-collector
- name: TMPDIR
value: /consul/mesh-inject
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: 20000
timeoutSeconds: 1
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 5995
runAsNonRoot: true
runAsUser: 5995
# dataplane volume mounts
volumeMounts:
- mountPath: /consul/mesh-inject
name: consul-mesh-inject-data
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}

{{- if .Values.telemetryCollector.nodeSelector }}
nodeSelector:
{{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- if .Values.telemetryCollector.priorityClassName }}
priorityClassName: {{ .Values.telemetryCollector.priorityClassName }}
{{- end }}
volumes:
- emptyDir:
medium: Memory
name: consul-mesh-inject-data
{{- if .Values.global.trustedCAs }}
- name: trusted-cas
emptyDir:
medium: "Memory"
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
- name: config
configMap:
name: {{ template "consul.fullname" . }}-telemetry-collector
{{- end }}
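Review bot: The `- foo` entry in the consul-dataplane args inside the `{{- if .Values.global.adminPartitions.enabled }}` block looks like a leftover; it hands a bare positional argument `foo` to `consul-dataplane`, which will most likely be rejected at flag parsing and break every partition-enabled deployment, so the block should contain only `- -login-partition={{ .Values.global.adminPartitions.name }}`. In the consul-mesh-init init container, `CONSUL_LOGIN_META` references `$(NAMESPACE)` but that container only defines `POD_NAMESPACE` (the consul-dataplane container is the one that defines `NAMESPACE`), and Kubernetes leaves an unresolved `$(VAR)` as literal text, so the ACL login metadata would read `pod=$(NAMESPACE)/...`; change it to `value: "component=consul-telemetry-collector,pod=$(POD_NAMESPACE)/$(POD_NAME)"` or rename the variable to match the dataplane container. The consul-telemetry-collector container and the init container also carry no `securityContext`, unlike consul-dataplane's `readOnlyRootFilesystem`/`runAsNonRoot`/`runAsUser`; if the collector image tolerates it, applying the same settings would bring them in line (the trusted-cas emptyDir is already mounted writable for the heredoc, so a read-only root filesystem would not block it).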