{{- if or .Values.metrics.serviceMonitor.enabled .Values.metrics.podMonitor.enabled }} {{- $fullName := include "minio.fullname" . -}} {{ $scheme := "http" }} {{- if .Values.tls.enabled }} {{ $scheme = "https" }} {{ end }} apiVersion: batch/v1 kind: Job metadata: name: {{ $fullName }}-update-prometheus-secret labels: app: {{ template "minio.name" . }}-update-prometheus-secret chart: {{ template "minio.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation {{ toYaml .Values.updatePrometheusJob.annotations | indent 4 }} spec: template: metadata: labels: app: {{ template "minio.name" . }}-update-prometheus-secret release: {{ .Release.Name }} {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} {{- end }} {{- if .Values.updatePrometheusJob.podAnnotations }} annotations: {{ toYaml .Values.updatePrometheusJob.podAnnotations | indent 8 }} {{- end }} spec: {{- if .Values.serviceAccount.create }} serviceAccountName: {{ $fullName }}-update-prometheus-secret {{- end }} restartPolicy: OnFailure {{- include "minio.imagePullSecrets" . | indent 6 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} {{- with .Values.affinity }} affinity: {{ toYaml . | indent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: {{ toYaml . | indent 8 }} {{- end }} {{- if .Values.updatePrometheusJob.securityContext.enabled }} securityContext: runAsUser: {{ .Values.updatePrometheusJob.securityContext.runAsUser }} runAsGroup: {{ .Values.updatePrometheusJob.securityContext.runAsGroup }} fsGroup: {{ .Values.updatePrometheusJob.securityContext.fsGroup }} {{- end }} volumes: - name: workdir emptyDir: {} initContainers: - name: minio-mc image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" imagePullPolicy: {{ .Values.mcImage.pullPolicy }} command: - /bin/sh - "-c" - mc --config-dir {{ .Values.configPathmc }} admin prometheus generate target --json --no-color -q > /workdir/mc.json env: - name: MINIO_ACCESS_KEY valueFrom: secretKeyRef: name: {{ template "minio.secretName" . }} key: accesskey - name: MINIO_SECRET_KEY valueFrom: secretKeyRef: name: {{ template "minio.secretName" . }} key: secretkey # mc admin prometheus generate don't really connect to remote server, TLS cert isn't required - name: MC_HOST_target value: {{ $scheme }}://$(MINIO_ACCESS_KEY):$(MINIO_SECRET_KEY)@{{ $fullName }}:{{ .Values.service.port }} volumeMounts: - name: workdir mountPath: /workdir resources: {{ toYaml .Values.resources | indent 12 }} # extract bearerToken from mc admin output - name: jq image: "{{ .Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} command: - /bin/sh - "-c" - jq -e -c -j -r .bearerToken < /workdir/mc.json > /workdir/token volumeMounts: - name: workdir mountPath: /workdir resources: {{ toYaml .Values.resources | indent 12 }} - name: kubectl-create image: "{{ .Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} command: ["/bin/sh", "-c"] args: # The following script does: # - get the servicemonitor that need this secret and copy some metadata and create the ownerreference for the secret file # - create the secret # - merge both json {{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.podMonitor.enabled }} - | mkdir -p /workdir/secrets && kubectl -n {{ .Release.Namespace }} get servicemonitor {{ $fullName }} -o json | jq -c '{metadata: {name: "{{ $fullName }}-servicemonitor-prometheus", namespace: .metadata.namespace, labels: {app: .metadata.labels.app, release: .metadata.labels.release}, ownerReferences: [{apiVersion: .apiVersion, kind: .kind, blockOwnerDeletion: true, controller: true, uid: .metadata.uid, name: .metadata.name}]}}' > /workdir/servicemonitormetadata.json && kubectl create secret generic {{ $fullName }}-servicemonitor-prometheus --from-file=token=/workdir/token --dry-run -o json > /workdir/servicemonitorsecret.json && cat /workdir/servicemonitorsecret.json /workdir/servicemonitormetadata.json | jq -s add > /workdir/secrets/servicemonitorobject.json; mkdir -p /workdir/secrets && kubectl -n {{ .Release.Namespace }} get podmonitor {{ $fullName }} -o json | jq -c '{metadata: {name: "{{ $fullName }}-podmonitor-prometheus", namespace: .metadata.namespace, labels: {app: .metadata.labels.app, release: .metadata.labels.release}, ownerReferences: [{apiVersion: .apiVersion, kind: .kind, blockOwnerDeletion: true, controller: true, uid: .metadata.uid, name: .metadata.name}]}}' > /workdir/podmonitormetadata.json && kubectl create secret generic {{ $fullName }}-podmonitor-prometheus --from-file=token=/workdir/token --dry-run -o json > /workdir/podmonitorsecret.json && cat /workdir/podmonitorsecret.json /workdir/podmonitormetadata.json | jq -s add > /workdir/secrets/podmonitorobject.json {{- else if .Values.metrics.podMonitor.enabled }} - | mkdir -p /workdir/secrets && kubectl -n {{ .Release.Namespace }} get podmonitor {{ $fullName }} -o json | jq -c '{metadata: {name: "{{ $fullName }}-podmonitor-prometheus", namespace: .metadata.namespace, labels: {app: .metadata.labels.app, release: .metadata.labels.release}, ownerReferences: [{apiVersion: .apiVersion, kind: .kind, blockOwnerDeletion: true, controller: true, uid: .metadata.uid, name: .metadata.name}]}}' > /workdir/podmonitormetadata.json && kubectl create secret generic {{ $fullName }}-podmonitor-prometheus --from-file=token=/workdir/token --dry-run -o json > /workdir/podmonitorsecret.json && cat /workdir/podmonitorsecret.json /workdir/podmonitormetadata.json | jq -s add > /workdir/secrets/podmonitorobject.json {{- else if .Values.metrics.serviceMonitor.enabled }} - | mkdir -p /workdir/secrets && kubectl -n {{ .Release.Namespace }} get servicemonitor {{ $fullName }} -o json | jq -c '{metadata: {name: "{{ $fullName }}-servicemonitor-prometheus", namespace: .metadata.namespace, labels: {app: .metadata.labels.app, release: .metadata.labels.release}, ownerReferences: [{apiVersion: .apiVersion, kind: .kind, blockOwnerDeletion: true, controller: true, uid: .metadata.uid, name: .metadata.name}]}}' > /workdir/servicemonitormetadata.json && kubectl create secret generic {{ $fullName }}-servicemonitor-prometheus --from-file=token=/workdir/token --dry-run -o json > /workdir/servicemonitorsecret.json && cat /workdir/servicemonitorsecret.json /workdir/servicemonitormetadata.json | jq -s add > /workdir/secrets/servicemonitorobject.json {{- end }} volumeMounts: - name: workdir mountPath: /workdir resources: {{ toYaml .Values.resources | indent 12 }} containers: - name: kubectl-apply image: "{{ .Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} command: - kubectl - apply - "-f" - /workdir/secrets volumeMounts: - name: workdir mountPath: /workdir resources: {{ toYaml .Values.resources | indent 12 }} {{- end }}