diff --git a/charts/csm-authorization-v2.0/templates/_helpers.tpl b/charts/csm-authorization-v2.0/templates/_helpers.tpl index 918bda1e..f2614d9a 100644 --- a/charts/csm-authorization-v2.0/templates/_helpers.tpl +++ b/charts/csm-authorization-v2.0/templates/_helpers.tpl @@ -7,3 +7,18 @@ By default this is not set so the helm release namespace will be used {{- define "custom.namespace" -}} {{ .Values.namespace | default .Release.Namespace }} {{- end -}} + +{{/* +Check if metrics are enabled +*/}} +{{- define "csm-authorization.isMetricsEnabled" -}} + {{- if hasKey .Values "metrics" -}} + {{- if hasKey .Values.metrics "enabled" -}} + {{- printf "%t" .Values.metrics.enabled -}} + {{- else -}} + false + {{- end -}} + {{- else -}} + false + {{- end -}} +{{- end -}} diff --git a/charts/csm-authorization-v2.0/templates/proxy-server.yaml b/charts/csm-authorization-v2.0/templates/proxy-server.yaml index a16755dc..f3d10466 100644 --- a/charts/csm-authorization-v2.0/templates/proxy-server.yaml +++ b/charts/csm-authorization-v2.0/templates/proxy-server.yaml @@ -120,6 +120,9 @@ spec: metadata: labels: app: proxy-server + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + csm-authorization: enabled + {{- end }} {{- if or (hasKey $redisSecretProviderClass "conjur") (hasKey $configSecretProviderClass "conjur") }} annotations: conjur.org/secrets: | @@ -157,6 +160,20 @@ spec: secretKeyRef: name: {{ $redisSecretName | default "redis-csm-secret" }} key: {{ $redisSecretProviderClass.redisPasswordKey | default "password" }} + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: X_CSI_METRICS_ENABLED + value: "true" + - name: X_CSI_METRICS_PORT + value: "{{ .Values.metrics.port | default 8443 }}" + {{- if .Values.metrics.tlsCertSecret }} + - name: X_CSI_METRICS_TLS_CERT_FILE + value: "/etc/metrics-tls/tls.crt" + - name: X_CSI_METRICS_TLS_KEY_FILE + value: "/etc/metrics-tls/tls.key" + {{- end }} + - name: X_CSI_METRICS_COLLECTION_INTERVAL + value: "{{ .Values.metrics.collection.interval | default "30s" }}" + {{- end }} args: - "--redis-sentinel={{ $str }}" - "--redis-password=$(REDIS_PASSWORD)" @@ -165,6 +182,10 @@ spec: - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" ports: - containerPort: 8080 + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: metrics + containerPort: {{ .Values.metrics.port | default 8443 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/karavi-authorization/config @@ -176,6 +197,11 @@ spec: mountPath: /etc/csm-authorization/{{ $name }} readOnly: true {{- end }} + {{- if and (eq (include "csm-authorization.isMetricsEnabled" .) "true") .Values.metrics.tlsCertSecret }} + - name: authorization-metrics-tls + mountPath: /etc/metrics-tls + readOnly: true + {{- end }} - name: opa image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa.image }} imagePullPolicy: IfNotPresent @@ -209,12 +235,21 @@ spec: volumeAttributes: secretProviderClass: "{{ $name }}" {{- end }} + {{- if and (eq (include "csm-authorization.isMetricsEnabled" .) "true") .Values.metrics.tlsCertSecret }} + - name: authorization-metrics-tls + secret: + secretName: {{ .Values.metrics.tlsCertSecret }} + {{- end }} --- apiVersion: v1 kind: Service metadata: name: proxy-server namespace: {{ include "custom.namespace" . }} + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + labels: + csm-authorization: enabled + {{- end }} spec: selector: app: proxy-server @@ -223,3 +258,9 @@ spec: protocol: TCP port: 8080 targetPort: 8080 + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: metrics + protocol: TCP + port: {{ .Values.metrics.port | default 8443 }} + targetPort: {{ .Values.metrics.port | default 8443 }} + {{- end }} diff --git a/charts/csm-authorization-v2.0/templates/servicemonitor.yaml b/charts/csm-authorization-v2.0/templates/servicemonitor.yaml new file mode 100644 index 00000000..22d6f1e1 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/servicemonitor.yaml @@ -0,0 +1,31 @@ +{{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} +{{- if hasKey .Values.metrics "serviceMonitor" }} +{{- if eq .Values.metrics.serviceMonitor.enabled true }} +--- +# ServiceMonitor for Prometheus Operator integration with authorization services. +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ .Release.Name }}-authorization-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }}-authorization +spec: + selector: + matchLabels: + csm-authorization: enabled + endpoints: + - port: metrics + interval: {{ .Values.metrics.serviceMonitor.interval | default "30s" }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + path: /metrics + {{- if .Values.metrics.tlsCertSecret }} + scheme: https + tlsConfig: + insecureSkipVerify: {{ .Values.metrics.serviceMonitor.insecureSkipVerify | default false }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/csm-authorization-v2.0/templates/storage-service.yaml b/charts/csm-authorization-v2.0/templates/storage-service.yaml index d766f07a..53adbde2 100644 --- a/charts/csm-authorization-v2.0/templates/storage-service.yaml +++ b/charts/csm-authorization-v2.0/templates/storage-service.yaml @@ -106,6 +106,9 @@ spec: metadata: labels: app: storage-service + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + csm-authorization: enabled + {{- end }} {{- if or (hasKey $storageSecretProviderClasses "conjur") (hasKey $redisSecretProviderClass "conjur") (hasKey $configSecretProviderClass "conjur") }} annotations: conjur.org/secrets: | @@ -151,6 +154,20 @@ spec: secretKeyRef: name: {{ $redisSecretName | default "redis-csm-secret" }} key: {{ $redisSecretProviderClass.redisPasswordKey | default "password" }} + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: X_CSI_METRICS_ENABLED + value: "true" + - name: X_CSI_METRICS_PORT + value: "{{ .Values.metrics.port | default 8443 }}" + {{- if .Values.metrics.tlsCertSecret }} + - name: X_CSI_METRICS_TLS_CERT_FILE + value: "/etc/metrics-tls/tls.crt" + - name: X_CSI_METRICS_TLS_KEY_FILE + value: "/etc/metrics-tls/tls.key" + {{- end }} + - name: X_CSI_METRICS_COLLECTION_INTERVAL + value: "{{ .Values.metrics.collection.interval | default "30s" }}" + {{- end }} args: - "--redis-sentinel={{ $str }}" - "--redis-password=$(REDIS_PASSWORD)" @@ -161,6 +178,10 @@ spec: name: grpc - containerPort: 2112 name: promhttp + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: metrics + containerPort: {{ .Values.metrics.port | default 8443 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/karavi-authorization/config @@ -180,6 +201,11 @@ spec: readOnly: true {{- end }} {{- end }} + {{- if and (eq (include "csm-authorization.isMetricsEnabled" .) "true") .Values.metrics.tlsCertSecret }} + - name: authorization-metrics-tls + mountPath: /etc/metrics-tls + readOnly: true + {{- end }} volumes: - name: config-volume secret: @@ -204,12 +230,21 @@ spec: secretName: {{ . }} {{- end }} {{- end }} + {{- if and (eq (include "csm-authorization.isMetricsEnabled" .) "true") .Values.metrics.tlsCertSecret }} + - name: authorization-metrics-tls + secret: + secretName: {{ .Values.metrics.tlsCertSecret }} + {{- end }} --- apiVersion: v1 kind: Service metadata: name: storage-service namespace: {{ include "custom.namespace" . }} + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + labels: + csm-authorization: enabled + {{- end }} spec: selector: app: storage-service @@ -220,3 +255,8 @@ spec: - port: 2112 targetPort: 2112 name: promhttp + {{- if eq (include "csm-authorization.isMetricsEnabled" .) "true" }} + - name: metrics + port: {{ .Values.metrics.port | default 8443 }} + targetPort: {{ .Values.metrics.port | default 8443 }} + {{- end }} diff --git a/charts/csm-authorization-v2.0/values.yaml b/charts/csm-authorization-v2.0/values.yaml index c0faad0f..896ad542 100644 --- a/charts/csm-authorization-v2.0/values.yaml +++ b/charts/csm-authorization-v2.0/values.yaml @@ -156,3 +156,52 @@ storageSystemCredentials: # - secret-1 # - secret-2 # - secret-3 + +# metrics: configuration for authorization metrics and monitoring +metrics: + # enabled: Enable/Disable the shared Prometheus metrics HTTP server. + # Type: bool + # Default: false + # Effect: When true, the authorization services receive metrics configuration + # and a metrics Service is created. + enabled: false + + # port: Port on which the shared authorization metrics endpoint is exposed. + # Type: integer + # Default: 8443 + # Effect: Used as targetPort in the Service. + port: 8443 + + # tlsCertSecret: Name of a Kubernetes TLS Secret whose "tls.crt" and "tls.key" entries + # are used to serve the metrics endpoint over HTTPS instead of plain HTTP. + # Leave empty (the default) to use plain HTTP. + # Type: string + # Default: "" (disabled - plain HTTP) + tlsCertSecret: "" + + # collection: Controls how frequently metrics are collected. + collection: + # interval: How often the authorization services collect metrics. + # Type: string (duration, e.g. "30s", "1m") + interval: "30s" + + # serviceMonitor: Controls optional Prometheus Operator ServiceMonitor creation. + serviceMonitor: + # enabled: When true, a ServiceMonitor CR is created for automatic Prometheus Operator integration. + # Type: bool + # Default: false + # Effect: Requires the Prometheus Operator CRDs to be installed in the cluster. + enabled: false + # interval: Prometheus scrape interval for the metrics endpoint. + # Type: string (Prometheus duration, e.g. "30s", "1m") + # Default: "30s" + interval: "30s" + # scrapeTimeout: Prometheus scrape timeout for the metrics endpoint. + # Type: string (Prometheus duration, e.g. "10s") + # Default: "" (unset) + scrapeTimeout: "" + # insecureSkipVerify: Controls TLS certificate verification when scraping metrics. + # Only used when metrics.tlsCertSecret is set (HTTPS endpoint). + # Type: bool + # Default: false + insecureSkipVerify: false