github.com/solo-io/cue@v0.4.7/doc/tutorial/kubernetes/quick/services/mon/prometheus/configmap.cue

github.com/solo-io/cue@v0.4.7/doc/tutorial/kubernetes/quick/services/mon/prometheus/configmap.cue (about)

     1  package kube
     2  
     3  import yaml656e63 "encoding/yaml"
     4  
     5  configMap: prometheus: {
     6  	apiVersion: "v1"
     7  	kind:       "ConfigMap"
     8  	data: {
     9  		"alert.rules": yaml656e63.Marshal(_cue_alert_rules)
    10  		let _cue_alert_rules = {
    11  			groups: [{
    12  				name: "rules.yaml"
    13  				rules: [{
    14  					alert: "InstanceDown"
    15  					expr:  "up == 0"
    16  					for:   "30s"
    17  					labels: severity: "page"
    18  					annotations: {
    19  						description: "{{$labels.app}} of job {{ $labels.job }} has been down for more than 30 seconds."
    20  
    21  						summary: "Instance {{$labels.app}} down"
    22  					}
    23  				}, {
    24  					alert: "InsufficientPeers"
    25  					expr:  "count(up{job=\"etcd\"} == 0) > (count(up{job=\"etcd\"}) / 2 - 1)"
    26  					for:   "3m"
    27  					labels: severity: "page"
    28  					annotations: {
    29  						description: "If one more etcd peer goes down the cluster will be unavailable"
    30  						summary:     "etcd cluster small"
    31  					}
    32  				}, {
    33  					alert: "EtcdNoMaster"
    34  					expr:  "sum(etcd_server_has_leader{app=\"etcd\"}) == 0"
    35  					for:   "1s"
    36  					labels: severity:     "page"
    37  					annotations: summary: "No ETCD master elected."
    38  				}, {
    39  					alert: "PodRestart"
    40  					expr:  "(max_over_time(pod_container_status_restarts_total[5m]) - min_over_time(pod_container_status_restarts_total[5m])) > 2"
    41  					for:   "1m"
    42  					labels: severity: "page"
    43  					annotations: {
    44  						description: "{{$labels.app}} {{ $labels.container }} resturted {{ $value }} times in 5m."
    45  						summary:     "Pod for {{$labels.container}} restarts too often"
    46  					}
    47  				}]
    48  			}]
    49  		}
    50  
    51  		"prometheus.yml": yaml656e63.Marshal(_cue_prometheus_yml)
    52  		let _cue_prometheus_yml = {
    53  			global: scrape_interval: "15s"
    54  			rule_files: [
    55  				"/etc/prometheus/alert.rules",
    56  			]
    57  			alerting: alertmanagers: [{
    58  				scheme: "http"
    59  				static_configs: [{
    60  					targets: [
    61  						"alertmanager:9093",
    62  					]
    63  				}]
    64  			}]
    65  			scrape_configs: [{
    66  				job_name: "kubernetes-apiservers"
    67  
    68  				kubernetes_sd_configs: [{
    69  					role: "endpoints"
    70  				}]
    71  
    72  				// Default to scraping over https. If required, just disable this or change to
    73  				// `http`.
    74  				scheme: "https"
    75  
    76  				// This TLS & bearer token file config is used to connect to the actual scrape
    77  				// endpoints for cluster components. This is separate to discovery auth
    78  				// configuration because discovery & scraping are two separate concerns in
    79  				// Prometheus. The discovery auth config is automatic if Prometheus runs inside
    80  				// the cluster. Otherwise, more config options have to be provided within the
    81  				// <kubernetes_sd_config>.
    82  				tls_config: {
    83  					ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    84  				}
    85  				// If your node certificates are self-signed or use a different CA to the
    86  				// master CA, then disable certificate verification below. Note that
    87  				// certificate verification is an integral part of a secure infrastructure
    88  				// so this should only be disabled in a controlled environment. You can
    89  				// disable certificate verification by uncommenting the line below.
    90  				//
    91  				// insecure_skip_verify: true
    92  				bearer_token_file: "/var/run/secrets/kubernetes.io/serviceaccount/token"
    93  
    94  				// Keep only the default/kubernetes service endpoints for the https port. This
    95  				// will add targets for each API server which Kubernetes adds an endpoint to
    96  				// the default/kubernetes service.
    97  				relabel_configs: [{
    98  					source_labels: ["__meta_kubernetes_namespace", "__meta_kubernetes_service_name", "__meta_kubernetes_endpoint_port_name"]
    99  					action: "keep"
   100  					regex:  "default;kubernetes;https"
   101  				}]
   102  			}, {
   103  				// Scrape config for nodes (kubelet).
   104  				//
   105  				// Rather than connecting directly to the node, the scrape is proxied though the
   106  				// Kubernetes apiserver.  This means it will work if Prometheus is running out of
   107  				// cluster, or can't connect to nodes for some other reason (e.g. because of
   108  				// firewalling).
   109  				job_name: "kubernetes-nodes"
   110  
   111  				// Default to scraping over https. If required, just disable this or change to
   112  				// `http`.
   113  				scheme: "https"
   114  
   115  				// This TLS & bearer token file config is used to connect to the actual scrape
   116  				// endpoints for cluster components. This is separate to discovery auth
   117  				// configuration because discovery & scraping are two separate concerns in
   118  				// Prometheus. The discovery auth config is automatic if Prometheus runs inside
   119  				// the cluster. Otherwise, more config options have to be provided within the
   120  				// <kubernetes_sd_config>.
   121  				tls_config: {
   122  					ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
   123  				}
   124  				bearer_token_file: "/var/run/secrets/kubernetes.io/serviceaccount/token"
   125  
   126  				kubernetes_sd_configs: [{
   127  					role: "node"
   128  				}]
   129  
   130  				relabel_configs: [{
   131  					action: "labelmap"
   132  					regex:  "__meta_kubernetes_node_label_(.+)"
   133  				}, {
   134  					target_label: "__address__"
   135  					replacement:  "kubernetes.default.svc:443"
   136  				}, {
   137  					source_labels: ["__meta_kubernetes_node_name"]
   138  					regex:        "(.+)"
   139  					target_label: "__metrics_path__"
   140  					replacement:  "/api/v1/nodes/${1}/proxy/metrics"
   141  				}]
   142  			}, {
   143  				// Scrape config for Kubelet cAdvisor.
   144  				//
   145  				// This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
   146  				// (those whose names begin with 'container_') have been removed from the
   147  				// Kubelet metrics endpoint.  This job scrapes the cAdvisor endpoint to
   148  				// retrieve those metrics.
   149  				//
   150  				// In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
   151  				// HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
   152  				// in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
   153  				// the --cadvisor-port=0 Kubelet flag).
   154  				//
   155  				// This job is not necessary and should be removed in Kubernetes 1.6 and
   156  				// earlier versions, or it will cause the metrics to be scraped twice.
   157  				job_name: "kubernetes-cadvisor"
   158  
   159  				// Default to scraping over https. If required, just disable this or change to
   160  				// `http`.
   161  				scheme: "https"
   162  
   163  				// This TLS & bearer token file config is used to connect to the actual scrape
   164  				// endpoints for cluster components. This is separate to discovery auth
   165  				// configuration because discovery & scraping are two separate concerns in
   166  				// Prometheus. The discovery auth config is automatic if Prometheus runs inside
   167  				// the cluster. Otherwise, more config options have to be provided within the
   168  				// <kubernetes_sd_config>.
   169  				tls_config: {
   170  					ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
   171  				}
   172  				bearer_token_file: "/var/run/secrets/kubernetes.io/serviceaccount/token"
   173  
   174  				kubernetes_sd_configs: [{
   175  					role: "node"
   176  				}]
   177  
   178  				relabel_configs: [{
   179  					action: "labelmap"
   180  					regex:  "__meta_kubernetes_node_label_(.+)"
   181  				}, {
   182  					target_label: "__address__"
   183  					replacement:  "kubernetes.default.svc:443"
   184  				}, {
   185  					source_labels: ["__meta_kubernetes_node_name"]
   186  					regex:        "(.+)"
   187  					target_label: "__metrics_path__"
   188  					replacement:  "/api/v1/nodes/${1}/proxy/metrics/cadvisor"
   189  				}]
   190  			}, {
   191  				// Scrape config for service endpoints.
   192  				//
   193  				// The relabeling allows the actual service scrape endpoint to be configured
   194  				// via the following annotations:
   195  				//
   196  				// * `prometheus.io/scrape`: Only scrape services that have a value of `true`
   197  				// * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
   198  				// to set this to `https` & most likely set the `tls_config` of the scrape config.
   199  				// * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
   200  				// * `prometheus.io/port`: If the metrics are exposed on a different port to the
   201  				// service then set this appropriately.
   202  				job_name: "kubernetes-service-endpoints"
   203  
   204  				kubernetes_sd_configs: [{
   205  					role: "endpoints"
   206  				}]
   207  
   208  				relabel_configs: [{
   209  					source_labels: ["__meta_kubernetes_service_annotation_prometheus_io_scrape"]
   210  					action: "keep"
   211  					regex:  true
   212  				}, {
   213  					source_labels: ["__meta_kubernetes_service_annotation_prometheus_io_scheme"]
   214  					action:       "replace"
   215  					target_label: "__scheme__"
   216  					regex:        "(https?)"
   217  				}, {
   218  					source_labels: ["__meta_kubernetes_service_annotation_prometheus_io_path"]
   219  					action:       "replace"
   220  					target_label: "__metrics_path__"
   221  					regex:        "(.+)"
   222  				}, {
   223  					source_labels: ["__address__", "__meta_kubernetes_service_annotation_prometheus_io_port"]
   224  					action:       "replace"
   225  					target_label: "__address__"
   226  					regex:        "([^:]+)(?::\\d+)?;(\\d+)"
   227  					replacement:  "$1:$2"
   228  				}, {
   229  					action: "labelmap"
   230  					regex:  "__meta_kubernetes_service_label_(.+)"
   231  				}, {
   232  					source_labels: ["__meta_kubernetes_namespace"]
   233  					action:       "replace"
   234  					target_label: "kubernetes_namespace"
   235  				}, {
   236  					source_labels: ["__meta_kubernetes_service_name"]
   237  					action:       "replace"
   238  					target_label: "kubernetes_name"
   239  				}]
   240  			}, {
   241  				// Example scrape config for probing services via the Blackbox Exporter.
   242  				//
   243  				// The relabeling allows the actual service scrape endpoint to be configured
   244  				// via the following annotations:
   245  				//
   246  				// * `prometheus.io/probe`: Only probe services that have a value of `true`
   247  				job_name: "kubernetes-services"
   248  
   249  				metrics_path: "/probe"
   250  				params: module: ["http_2xx"]
   251  
   252  				kubernetes_sd_configs: [{
   253  					role: "service"
   254  				}]
   255  
   256  				relabel_configs: [{
   257  					source_labels: ["__meta_kubernetes_service_annotation_prometheus_io_probe"]
   258  					action: "keep"
   259  					regex:  true
   260  				}, {
   261  					source_labels: ["__address__"]
   262  					target_label: "__param_target"
   263  				}, {
   264  					target_label: "__address__"
   265  					replacement:  "blackbox-exporter.example.com:9115"
   266  				}, {
   267  					source_labels: ["__param_target"]
   268  					target_label: "app"
   269  				}, {
   270  					action: "labelmap"
   271  					regex:  "__meta_kubernetes_service_label_(.+)"
   272  				}, {
   273  					source_labels: ["__meta_kubernetes_namespace"]
   274  					target_label: "kubernetes_namespace"
   275  				}, {
   276  					source_labels: ["__meta_kubernetes_service_name"]
   277  					target_label: "kubernetes_name"
   278  				}]
   279  			}, {
   280  				// Example scrape config for probing ingresses via the Blackbox Exporter.
   281  				//
   282  				// The relabeling allows the actual ingress scrape endpoint to be configured
   283  				// via the following annotations:
   284  				//
   285  				// * `prometheus.io/probe`: Only probe services that have a value of `true`
   286  				job_name: "kubernetes-ingresses"
   287  
   288  				metrics_path: "/probe"
   289  				params: module: ["http_2xx"]
   290  
   291  				kubernetes_sd_configs: [{
   292  					role: "ingress"
   293  				}]
   294  
   295  				relabel_configs: [{
   296  					source_labels: ["__meta_kubernetes_ingress_annotation_prometheus_io_probe"]
   297  					action: "keep"
   298  					regex:  true
   299  				}, {
   300  					source_labels: ["__meta_kubernetes_ingress_scheme", "__address__", "__meta_kubernetes_ingress_path"]
   301  					regex:        "(.+);(.+);(.+)"
   302  					replacement:  "${1}://${2}${3}"
   303  					target_label: "__param_target"
   304  				}, {
   305  					target_label: "__address__"
   306  					replacement:  "blackbox-exporter.example.com:9115"
   307  				}, {
   308  					source_labels: ["__param_target"]
   309  					target_label: "app"
   310  				}, {
   311  					action: "labelmap"
   312  					regex:  "__meta_kubernetes_ingress_label_(.+)"
   313  				}, {
   314  					source_labels: ["__meta_kubernetes_namespace"]
   315  					target_label: "kubernetes_namespace"
   316  				}, {
   317  					source_labels: ["__meta_kubernetes_ingress_name"]
   318  					target_label: "kubernetes_name"
   319  				}]
   320  			}, {
   321  				// Example scrape config for pods
   322  				//
   323  				// The relabeling allows the actual pod scrape endpoint to be configured via the
   324  				// following annotations:
   325  				//
   326  				// * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
   327  				// * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
   328  				// * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
   329  				// pod's declared ports (default is a port-free target if none are declared).
   330  				job_name: "kubernetes-pods"
   331  
   332  				kubernetes_sd_configs: [{
   333  					role: "pod"
   334  				}]
   335  
   336  				relabel_configs: [{
   337  					source_labels: ["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]
   338  					action: "keep"
   339  					regex:  true
   340  				}, {
   341  					source_labels: ["__meta_kubernetes_pod_annotation_prometheus_io_path"]
   342  					action:       "replace"
   343  					target_label: "__metrics_path__"
   344  					regex:        "(.+)"
   345  				}, {
   346  					source_labels: ["__address__", "__meta_kubernetes_pod_annotation_prometheus_io_port"]
   347  					action:       "replace"
   348  					regex:        "([^:]+)(?::\\d+)?;(\\d+)"
   349  					replacement:  "$1:$2"
   350  					target_label: "__address__"
   351  				}, {
   352  					action: "labelmap"
   353  					regex:  "__meta_kubernetes_pod_label_(.+)"
   354  				}, {
   355  					source_labels: ["__meta_kubernetes_namespace"]
   356  					action:       "replace"
   357  					target_label: "kubernetes_namespace"
   358  				}, {
   359  					source_labels: ["__meta_kubernetes_pod_name"]
   360  					action:       "replace"
   361  					target_label: "kubernetes_pod_name"
   362  				}]
   363  			}]
   364  		}
   365  	}
   366  }