ZeroDownTime
/
kubezero
3
0
Fork 0
Code Issues 1 Pull Requests 23 Releases Wiki Activity

cert-manager version bump, updated dashboards

This commit is contained in:
Stefan Reimer 2023-11-27 12:24:10 +00:00
parent 1db90d4e28
commit ea2d531719
10 changed files with 94 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/kubezero-cert-manager/README.md
View File

@ -1,6 +1,6 @@
# kubezero-cert-manager
![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.9.6](https://img.shields.io/badge/Version-0.9.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for cert-manager
@ -19,7 +19,7 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.jetstack.io | cert-manager | v1.12.3 |
| https://charts.jetstack.io | cert-manager | v1.13.2 |
## AWS - OIDC IAM roles

18
charts/kubezero-cert-manager/jsonnetfile.json
View File

@ -1,6 +1,15 @@
{
"version": 1,
"dependencies": [
{
"source": {
"git": {
"remote": "https://github.com/imusmanmalik/cert-manager-mixin.git",
"subdir": ""
}
},
"version": "main"
},
{
"source": {
"git": {
@ -9,15 +18,6 @@
}
},
"version": "main"
},
{
"source": {
"git": {
"remote": "https://gitlab.com/uneeq-oss/cert-manager-mixin.git",
"subdir": ""
}
},
"version": "master"
}
],
"legacyImports": true

97
charts/kubezero-cert-manager/jsonnetfile.lock.json
View File

@ -18,8 +18,8 @@
"subdir": "contrib/mixin"
}
},
"version": "e2e17c75fe1006ea44b6ad793fa7b23f5e3546f4",
"sum": "GdePvMDfLQcVhwzk/Ephi/jC27ywGObLB5t0eC0lXd4="
"version": "e1d79097d53709813bae0195e71f4bee53ecab2d",
"sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU="
},
{
"source": {
@ -51,6 +51,16 @@
"version": "a1d61cce1da59c71409b99b5c7568511fec661ea",
"sum": "gCtR9s/4D5fxU9aKXg0Bru+/njZhA0YjLjPiASc61FM="
},
{
"source": {
"git": {
"remote": "https://github.com/grafana/grafonnet.git",
"subdir": "gen/grafonnet-v10.0.0"
}
},
"version": "bb2afaffbcefeae1035cd691ab06a486e0022002",
"sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM="
},
{
"source": {
"git": {
@ -58,8 +68,38 @@
"subdir": "grafana-builder"
}
},
"version": "62aec8403a5c38d5dc97ba596703753289b1c33b",
"sum": "xEFMv4+ObwP5L1Wu0XK5agWci4AJzNApys6iKAQxLlQ="
"version": "32685d75e4ae753e06ab3bea13df9d59bb5da46a",
"sum": "VmOxvg9FuY9UYr3lN6ZJe2HhuIErJoWimPybQr3S3yQ="
},
{
"source": {
"git": {
"remote": "https://github.com/imusmanmalik/cert-manager-mixin.git",
"subdir": ""
}
},
"version": "72a094ff162bbd93921803994241d73900592c9a",
"sum": "h+YvBTXL5A02165i3yt3SxSAbFftChtXYJ0nYFnOAqo="
},
{
"source": {
"git": {
"remote": "https://github.com/jsonnet-libs/docsonnet.git",
"subdir": "doc-util"
}
},
"version": "503e5c8fe96d6b55775037713ac10b184709ad93",
"sum": "BY4u0kLF3Qf/4IB4HnX9S5kEQIpHb4MUrppp6WLDtlU="
},
{
"source": {
"git": {
"remote": "https://github.com/jsonnet-libs/xtd.git",
"subdir": ""
}
},
"version": "c1a315a7dbead0335a5e0486acc5583395b22a24",
"sum": "UVdL+uuFI8BSQgLfMJEJk2WDKsQXNT3dRHcr2Ti9rLI="
},
{
"source": {
@ -68,8 +108,8 @@
"subdir": ""
}
},
"version": "46fc905d5b2981642043088ac7902ea50db2903e",
"sum": "8FAie1MXww5Ip9F8hQWkU9Fio1Af+hO4weQuuexioIQ="
"version": "2dbe4f9625a811b8b89f0495e74509c74779da82",
"sum": "Fe7bN9E6qeKNUdENjQvYttgf4S1DDqXRVB80wdmQgHQ="
},
{
"source": {
@ -78,7 +118,7 @@
"subdir": "jsonnet/kube-state-metrics"
}
},
"version": "570970378edf10655dd81e662658359eb10d9329",
"version": "98b38ba9bbfdff27b359c58adecab30cc1311a78",
"sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
},
{
@ -88,7 +128,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin"
}
},
"version": "570970378edf10655dd81e662658359eb10d9329",
"version": "98b38ba9bbfdff27b359c58adecab30cc1311a78",
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
},
{
@ -98,8 +138,8 @@
"subdir": "jsonnet/kube-prometheus"
}
},
"version": "4b5b94347dd71b3649fef612ab3b8cf237ac48b9",
"sum": "8AeC579AWxP6VzLTxQ/ccIrwOY0G782ZceLlWmOL5/o="
"version": "0fe6411003b3b9a969a61220fc17a94e2c0be94f",
"sum": "paNe3vjoMkCzrTCW1RCPLcXo+ymOPi9AxA98C/1nbrY="
},
{
"source": {
@ -108,7 +148,7 @@
"subdir": "jsonnet/mixin"
}
},
"version": "8b947d4ff1329440a46903c16f05717b24170061",
"version": "ffd2f20e64114e07bdfe1ed20181cdb1cd25168a",
"sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
"name": "prometheus-operator-mixin"
},
@ -119,8 +159,8 @@
"subdir": "jsonnet/prometheus-operator"
}
},
"version": "8b947d4ff1329440a46903c16f05717b24170061",
"sum": "LLGbS2uangsA5enNpZKxwdCAPZnO1Bj+W+o8Esk0QLw="
"version": "ffd2f20e64114e07bdfe1ed20181cdb1cd25168a",
"sum": "IGuHwz77oTKx9Vi1dnTng/RBV/QQ2YfAdB+WPqK/w5g="
},
{
"source": {
@ -129,8 +169,8 @@
"subdir": "doc/alertmanager-mixin"
}
},
"version": "6fe1a24df07eed6f6818abd500708040beee7d7b",
"sum": "1d7ZKYArJKacAWXLUz0bRC1uOkozee/PPw97/W5zGhc=",
"version": "4494abfce419d1bbd3cb1a2c0b6584da88ac9b64",
"sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=",
"name": "alertmanager"
},
{
@ -140,8 +180,8 @@
"subdir": "docs/node-mixin"
}
},
"version": "f2b274350a07bfd8afcad1a62ef561f8a303fcc2",
"sum": "By6n6U10hYDogUsyhsaKZehbhzxBZZobJloiKyKadgM="
"version": "12f1744e799e04373c7a29b42bf8b8a332c82790",
"sum": "QZwFBpulndqo799gkR5rP2/WdcQKQkNnaBwhaOI8Jeg="
},
{
"source": {
@ -150,8 +190,8 @@
"subdir": "documentation/prometheus-mixin"
}
},
"version": "4d8e380269da5912265274469ff873142bbbabc3",
"sum": "8OngT76gVXOUROOOeP9yTe6E/dn+2D2J34Dn690QCG0=",
"version": "965e603fa792bca0900ac76eb45ae84c81af1cdf",
"sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=",
"name": "prometheus"
},
{
@ -161,8 +201,9 @@
"subdir": "config/crd/bases"
}
},
"version": "2b8c6d372d90942c3b53a9b225a82441be8c5b7b",
"sum": "L3lljFFoFB+nhXnyo8Yl1hKqe60nhHXY0IZCO3H2iVk="
"version": "551856d42dff02ec38c5b0ea6a2d99c4cb127e82",
"sum": "bY/Pcrrbynguq8/HaI88cQ3B2hLv/xc+76QILY7IL+g=",
"name": "pyrra"
},
{
"source": {
@ -171,19 +212,9 @@
"subdir": "mixin"
}
},
"version": "8fcd30ffcedf9e2728518dc2970d070d4c301302",
"sum": "WhheqsiX0maUXByZFsb9xhCEsGXK2955bPmPPf1x+Cs=",
"version": "9d6f82e55d13c162c00620045f109dbff5cb9344",
"sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=",
"name": "thanos-mixin"
},
{
"source": {
"git": {
"remote": "https://gitlab.com/uneeq-oss/cert-manager-mixin.git",
"subdir": ""
}
},
"version": "eae22f642aaa5d422e4766f6811df2158fc05539",
"sum": "DOg3fzS0OWrjjRPVsKgxID/rk9AC3ESQ4gDELc2RNgM="
}
],
"legacyImports": false

2
charts/kubezero-cert-manager/rules.jsonnet
View File

@ -2,7 +2,7 @@ local addMixin = (import 'kube-prometheus/lib/mixin.libsonnet');
local certManagerMixin = addMixin({
name: 'cert-manager',
mixin: (import 'gitlab.com/uneeq-oss/cert-manager-mixin/mixin.libsonnet')
mixin: (import 'github.com/imusmanmalik/cert-manager-mixin/mixin.libsonnet')
});
{ 'cert-manager-mixin-prometheusRule': certManagerMixin.prometheusRules }

10
charts/kubezero-cert-manager/rules/cert-manager-mixin-prometheusRule
View File

@ -17,8 +17,8 @@
"alert": "CertManagerAbsent",
"annotations": {
"description": "New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.",
"runbook_url": "https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent",
"summary": "Cert Manager has dissapeared from Prometheus service discovery."
"runbook_url": "https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerabsent",
"summary": "Cert Manager has disappeared from Prometheus service discovery."
},
"expr": "absent(up{job=\"cert-manager\"})",
"for": "10m",
@ -36,7 +36,7 @@
"annotations": {
"dashboard_url": "https://grafana.example.com/d/TvuRo2iMk/cert-manager",
"description": "The domain that this cert covers will be unavailable after {{ $value | humanizeDuration }}. Clients using endpoints that this cert protects will start to fail in {{ $value | humanizeDuration }}.",
"runbook_url": "https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon",
"runbook_url": "https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertexpirysoon",
"summary": "The cert `{{ $labels.name }}` is {{ $value | humanizeDuration }} from expiry, it should have renewed over a week ago."
},
"expr": "avg by (exported_namespace, namespace, name) (\n certmanager_certificate_expiration_timestamp_seconds - time()\n) < (21 * 24 * 3600) # 21 days in seconds\n",
@ -50,7 +50,7 @@
"annotations": {
"dashboard_url": "https://grafana.example.com/d/TvuRo2iMk/cert-manager",
"description": "This certificate has not been ready to serve traffic for at least 10m. If the cert is being renewed or there is another valid cert, the ingress controller _may_ be able to serve that instead.",
"runbook_url": "https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready",
"runbook_url": "https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertnotready",
"summary": "The cert `{{ $labels.name }}` is not ready to serve traffic."
},
"expr": "max by (name, exported_namespace, namespace, condition) (\n certmanager_certificate_ready_status{condition!=\"True\"} == 1\n)\n",
@ -64,7 +64,7 @@
"annotations": {
"dashboard_url": "https://grafana.example.com/d/TvuRo2iMk/cert-manager",
"description": "Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week.",
"runbook_url": "https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits",
"runbook_url": "https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerhittingratelimits",
"summary": "Cert manager hitting LetsEncrypt rate limits."
},
"expr": "sum by (host) (\n rate(certmanager_http_acme_client_request_count{status=\"429\"}[5m])\n) > 0\n",

10
charts/kubezero-cert-manager/templates/prometheus-rules.yaml
View File

@ -13,8 +13,8 @@ spec:
- alert: CertManagerAbsent
annotations:
description: New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
summary: Cert Manager has dissapeared from Prometheus service discovery.
runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerabsent
summary: Cert Manager has disappeared from Prometheus service discovery.
expr: absent(up{job="cert-manager"})
for: 10m
labels:
@ -25,7 +25,7 @@ spec:
annotations:
dashboard_url: https://grafana.example.com/d/TvuRo2iMk/cert-manager
description: The domain that this cert covers will be unavailable after {{`{{`}} $value | humanizeDuration {{`}}`}}. Clients using endpoints that this cert protects will start to fail in {{`{{`}} $value | humanizeDuration {{`}}`}}.
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertexpirysoon
summary: The cert `{{`{{`}} $labels.name {{`}}`}}` is {{`{{`}} $value | humanizeDuration {{`}}`}} from expiry, it should have renewed over a week ago.
expr: "avg by (exported_namespace, namespace, name) (\n certmanager_certificate_expiration_timestamp_seconds - time()\n) < (21 * 24 * 3600) # 21 days in seconds\n"
for: 1h
@ -35,7 +35,7 @@ spec:
annotations:
dashboard_url: https://grafana.example.com/d/TvuRo2iMk/cert-manager
description: This certificate has not been ready to serve traffic for at least 10m. If the cert is being renewed or there is another valid cert, the ingress controller _may_ be able to serve that instead.
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertnotready
summary: The cert `{{`{{`}} $labels.name {{`}}`}}` is not ready to serve traffic.
expr: "max by (name, exported_namespace, namespace, condition) (\n certmanager_certificate_ready_status{condition!=\"True\"} == 1\n)\n"
for: 10m
@ -45,7 +45,7 @@ spec:
annotations:
dashboard_url: https://grafana.example.com/d/TvuRo2iMk/cert-manager
description: Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week.
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerhittingratelimits
summary: Cert manager hitting LetsEncrypt rate limits.
expr: "sum by (host) (\n rate(certmanager_http_acme_client_request_count{status=\"429\"}[5m])\n) > 0\n"
for: 5m

4
charts/kubezero-cert-manager/update.sh
View File

@ -8,7 +8,7 @@ update_helm
update_jsonnet
# Install cert-mamanger mixin
jb install gitlab.com/uneeq-oss/cert-manager-mixin@master
jb install github.com/imusmanmalik/cert-manager-mixin@main
# Install rules
rm -rf rules && mkdir -p rules
@ -17,3 +17,5 @@ jsonnet -J vendor -m rules rules.jsonnet
# Fetch dashboards from Grafana.com and update ZDT CM
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
update_docs

4
charts/kubezero-network/dashboards.yaml
View File

@ -4,12 +4,12 @@ condition: 'index .Values.cilium.prometheus.enabled'
folder: KubeZero
dashboards:
- name: cilium-agents
url: https://grafana.com/api/dashboards/16611/revisions/1/download
url: https://raw.githubusercontent.com/cilium/cilium/main/install/kubernetes/cilium/files/cilium-agent/dashboards/cilium-dashboard.json
tags:
- cilium
- network
- name: cilium-operator
url: https://grafana.com/api/dashboards/16612/revisions/1/download
url: https://raw.githubusercontent.com/cilium/cilium/main/install/kubernetes/cilium/files/cilium-operator/dashboards/cilium-operator-dashboard.json
tags:
- cilium
- network

4
charts/kubezero-network/templates/grafana-dashboards.yaml
View File

File diff suppressed because one or more lines are too long

2
charts/kubezero/values.yaml
View File

@ -37,7 +37,7 @@ network:
cert-manager:
enabled: false
namespace: cert-manager
targetRevision: 0.9.5
targetRevision: 0.9.6
storage:
enabled: false