diff --git a/prometheus-alertmanager/Chart.yaml b/prometheus-alertmanager/Chart.yaml
index abd0284d3..8c7898a38 100644
--- a/prometheus-alertmanager/Chart.yaml
+++ b/prometheus-alertmanager/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v0.20.0
description: OpenStack-Helm Alertmanager for Prometheus
name: prometheus-alertmanager
-version: 0.1.2
+version: 0.1.3
home: https://prometheus.io/docs/alerting/alertmanager/
sources:
- https://github.com/prometheus/alertmanager
diff --git a/prometheus-alertmanager/templates/bin/_apache.sh.tpl b/prometheus-alertmanager/templates/bin/_apache.sh.tpl
new file mode 100644
index 000000000..f2f55dacd
--- /dev/null
+++ b/prometheus-alertmanager/templates/bin/_apache.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -exv
+
+COMMAND="${@:-start}"
+
+function start () {
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/httpd/apache2/envvars
+ fi
+ # Apache gets grumpy about PID files pre-existing
+ rm -f /etc/httpd/logs/httpd.pid
+
+ if [ -f /usr/local/apache2/conf/.htpasswd ]; then
+ htpasswd -b /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
+ else
+ htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
+ fi
+
+ #Launch Apache on Foreground
+ exec httpd -DFOREGROUND
+}
+
+function stop () {
+ apachectl -k graceful-stop
+}
+
+$COMMAND
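Review bot: `set -exv` at the top of the script traces every command, so the two `htpasswd -b ... "$ALERTMANAGER_PASSWORD"` calls in `start()` write the admin password to the container log, and `-b` also places it on the process command line. Drop the tracing (`set -e`) and pass the password on stdin instead, e.g. `printf '%s' "$ALERTMANAGER_PASSWORD" | htpasswd -i /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME"`, using `-ci` in the else branch. Separately, the envvars guard tests `/etc/apache2/envvars` but sources `/etc/httpd/apache2/envvars`; the two paths should agree.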
diff --git a/prometheus-alertmanager/templates/configmap-bin.yaml b/prometheus-alertmanager/templates/configmap-bin.yaml
index 381e38a20..63abf91f5 100644
--- a/prometheus-alertmanager/templates/configmap-bin.yaml
+++ b/prometheus-alertmanager/templates/configmap-bin.yaml
@@ -18,8 +18,10 @@ limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
- name: alertmanager-bin
+ name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
data:
+ apache.sh: |
+{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
alertmanager.sh: |
{{ tuple "bin/_alertmanager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
image-repo-sync.sh: |
diff --git a/prometheus-alertmanager/templates/configmap-etc.yaml b/prometheus-alertmanager/templates/configmap-etc.yaml
index e9ff07ab8..b7a1f4ef4 100644
--- a/prometheus-alertmanager/templates/configmap-etc.yaml
+++ b/prometheus-alertmanager/templates/configmap-etc.yaml
@@ -16,13 +16,13 @@ limitations under the License.
{{- $envAll := . }}
---
apiVersion: v1
-kind: ConfigMap
+kind: Secret
metadata:
- name: alertmanager-etc
+ name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
data:
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml") | indent 2 }}
- alert-templates.tmpl: |
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml" "format" "Secret") | indent 2 }}
{{- if .Values.conf.alert_templates }}
-{{ .Values.conf.alert_templates | indent 4 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alert_templates "key" "alert-templates.tmpl" "format" "Secret") | indent 2 }}
{{- end }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
{{- end }}
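Review bot: The object rendered here is now a `Secret`, but the template does not say why and the file is still named configmap-etc.yaml, so the change is easy to revert by mistake. A one-line template comment above `kind: Secret` would help, for example `{{/* Secret, not ConfigMap: the rendered httpd.conf carries the LDAP bind password */}}`. Adding `type: Opaque` under `kind` would also match secret-admin-user.yaml from the same change. The final `{{- end }}` closes a block opened outside this hunk.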
diff --git a/prometheus-alertmanager/templates/ingress-alertmanager.yaml b/prometheus-alertmanager/templates/ingress-alertmanager.yaml
index 8d3049255..bd4475bf6 100644
--- a/prometheus-alertmanager/templates/ingress-alertmanager.yaml
+++ b/prometheus-alertmanager/templates/ingress-alertmanager.yaml
@@ -13,6 +13,6 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress .Values.network.alertmanager.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "alerts-api" -}}
+{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "http" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/prometheus-alertmanager/templates/secret-admin-user.yaml b/prometheus-alertmanager/templates/secret-admin-user.yaml
new file mode 100644
index 000000000..a80f85647
--- /dev/null
+++ b/prometheus-alertmanager/templates/secret-admin-user.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_admin_user }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+type: Opaque
+data:
+ ALERTMANAGER_USERNAME: {{ .Values.endpoints.alertmanager.auth.admin.username | b64enc }}
+ ALERTMANAGER_PASSWORD: {{ .Values.endpoints.alertmanager.auth.admin.password | b64enc }}
+{{- end }}
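Review bot: Both `b64enc` lines accept whatever the values file supplies, and values.yaml in this same change ships `username: admin` / `password: changeme` for this account, plus `password: password` for the LDAP bind under the new `ldap` endpoint, with `secret_admin_user: true` by default. A deployment that does not override them comes up protected only by a credential published in the chart. Consider leaving the passwords unset in values.yaml and failing the render here, e.g. `ALERTMANAGER_PASSWORD: {{ required "endpoints.alertmanager.auth.admin.password must be set" .Values.endpoints.alertmanager.auth.admin.password | b64enc }}`.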
diff --git a/prometheus-alertmanager/templates/service.yaml b/prometheus-alertmanager/templates/service.yaml
index 19d51befe..aa08fa0c6 100644
--- a/prometheus-alertmanager/templates/service.yaml
+++ b/prometheus-alertmanager/templates/service.yaml
@@ -21,11 +21,11 @@ metadata:
name: {{ tuple "alertmanager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
spec:
ports:
- - name: alerts-api
+ - name: http
+ port: {{ tuple "alertmanager" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.alertmanager.node_port.enabled }}
nodePort: {{ .Values.network.alertmanager.node_port.port }}
{{ end }}
- port: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
selector:
{{ tuple $envAll "prometheus-alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{ if .Values.network.alertmanager.node_port.enabled }}
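Review bot: The `http` port entry takes `port` from the endpoint lookup but sets no `targetPort`, so the Service forwards to the same number on the pod. The proxy container in statefulset.yaml declares `containerPort: 80` and the httpd config has `Listen 80`, both as literals. Overriding the `http` endpoint port would therefore point the Service at a port nothing listens on. Adding `targetPort: http` to the entry binds it to the named container port instead. The Service spec continues outside this hunk.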
diff --git a/prometheus-alertmanager/templates/statefulset.yaml b/prometheus-alertmanager/templates/statefulset.yaml
index 86bf4fe3b..453eec153 100644
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@@ -70,6 +70,40 @@ spec:
- name: alertmanager-data
mountPath: /var/lib/alertmanager/data
containers:
+ - name: apache-proxy
+{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/apache.sh
+ - start
+ ports:
+ - name: http
+ containerPort: 80
+ env:
+ - name: ALERTMANAGER_PORT
+ value: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: ALERTMANAGER_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+ key: ALERTMANAGER_USERNAME
+ - name: ALERTMANAGER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+ key: ALERTMANAGER_PASSWORD
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: alertmanager-bin
+ mountPath: /tmp/apache.sh
+ subPath: apache.sh
+ readOnly: true
+ - name: alertmanager-etc
+ mountPath: /usr/local/apache2/conf/httpd.conf
+ subPath: httpd.conf
+ readOnly: true
- name: prometheus-alertmanager
{{ tuple $envAll "prometheus-alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
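Review bot: The basic-auth proxy is added as a sidecar on port 80, but nothing in this hunk keeps clients from reaching the Alertmanager API port on the pod directly. The alertmanager container's listen address is not visible here. If it still binds all interfaces, any in-cluster client that can reach the pod IP skips the new authentication, and values.yaml in this change shows `network_policy: false` under `manifests`. It is worth confirming that `web.listen-address` is a loopback address or that a network policy restricts the API port. The container list continues outside this hunk.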
@@ -104,10 +138,12 @@ spec:
mountPath: /tmp
- name: etc-alertmanager
mountPath: /etc/config
+ {{- if .Values.conf.alert_templates }}
- name: alertmanager-etc
mountPath: /etc/alertmanager/template/alert-templates.tmpl
subPath: alert-templates.tmpl
readOnly: true
+ {{- end }}
- name: alertmanager-etc
mountPath: /etc/alertmanager/config.yml
subPath: config.yml
@@ -125,11 +161,12 @@ spec:
- name: etc-alertmanager
emptyDir: {}
- name: alertmanager-etc
- configMap:
- name: alertmanager-etc
+ secret:
+ secretName: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
+ defaultMode: 0444
- name: alertmanager-bin
configMap:
- name: alertmanager-bin
+ name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
defaultMode: 0555
{{ if $mounts_alertmanager.volumes }}{{ toYaml $mounts_alertmanager.volumes | indent 8 }}{{ end }}
{{- if not .Values.storage.alertmanager.enabled }}
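Review bot: `defaultMode: 0444` on the `alertmanager-etc` secret volume makes every key world-readable inside each container that mounts it, and this Secret now holds httpd.conf with the LDAP bind password. If the uids the two containers run as allow it, a tighter mode such as `0440`, or per-item modes, would limit who can read it. A short comment beside the mode naming the process that needs read access would make the choice reviewable.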
diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml
index 54845d058..2837ca183 100644
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@@ -18,6 +18,7 @@
---
images:
tags:
+ apache_proxy: docker.io/httpd:2.4
prometheus-alertmanager: docker.io/prom/alertmanager:v0.20.0
snmpnotifier: docker.io/maxwo/snmp-notifier:v1.0.0
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
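Review bot: `docker.io/httpd:2.4` is a moving tag, unlike the other entries visible in this map, which name a specific release (`v0.20.0`, `v1.0.0`). This image is the component that enforces authentication in front of Alertmanager, so its content should be reproducible. Pin a specific patch tag or an image digest and bump it deliberately.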
@@ -49,6 +50,9 @@ pod:
prometheus_alertmanager_perms:
runAsUser: 0
readOnlyRootFilesystem: true
+ apache_proxy:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
prometheus_alertmanager:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
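Review bot: The new `apache_proxy` context runs as uid 0 with a writable root filesystem and, unlike the `prometheus_alertmanager` entry just below it, sets no `allowPrivilegeEscalation: false`; that line should be safe to add. The writable root appears to be needed only because apache.sh writes `.htpasswd` under /usr/local/apache2/conf and removes a pid file. Pointing those at the `pod-tmp` emptyDir would allow `readOnlyRootFilesystem: true`, and listening on an unprivileged port would remove the need for root. The security-context map continues outside this hunk.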
@@ -83,6 +87,13 @@ pod:
timeout: 30
resources:
enabled: false
+ apache_proxy:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
alertmanager:
limits:
memory: "1024Mi"
@@ -123,6 +134,10 @@ endpoints:
alertmanager:
name: prometheus-alertmanager
namespace: null
+ auth:
+ admin:
+ username: admin
+ password: changeme
hosts:
default: alerts-engine
public: prometheus-alertmanager
@@ -146,6 +161,24 @@ endpoints:
public: 80
mesh:
default: 9094
+ http:
+ default: 80
+ ldap:
+ hosts:
+ default: ldap
+ auth:
+ admin:
+ bind: "cn=admin,dc=cluster,dc=local"
+ password: password
+ host_fqdn_override:
+ default: null
+ path:
+ default: "/ou=People,dc=cluster,dc=local"
+ scheme:
+ default: ldap
+ port:
+ ldap:
+ default: 389
snmpnotifier:
name: snmpnotifier
namespace: null
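Review bot: The new `ldap` endpoint defaults to `scheme: ldap` on port 389. Unless the operator changes it, the bind password and every user password checked through `AuthBasicProvider ldap` cross the network to the directory unencrypted. A comment above `scheme:` should say so and name the TLS alternative, e.g. `# plaintext by default; use ldaps (port 636) or StartTLS outside a lab`.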
@@ -231,6 +264,7 @@ manifests:
ingress: true
job_image_repo_sync: true
network_policy: false
+ secret_admin_user: true
secret_ingress_tls: true
service: true
service_discovery: true
@@ -248,6 +282,105 @@ network_policy:
- {}
conf:
+ httpd: |
+ ServerRoot "/usr/local/apache2"
+
+ Listen 80
+
+ LoadModule mpm_event_module modules/mod_mpm_event.so
+ LoadModule authn_file_module modules/mod_authn_file.so
+ LoadModule authn_core_module modules/mod_authn_core.so
+ LoadModule authz_host_module modules/mod_authz_host.so
+ LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+ LoadModule authz_user_module modules/mod_authz_user.so
+ LoadModule authz_core_module modules/mod_authz_core.so
+ LoadModule access_compat_module modules/mod_access_compat.so
+ LoadModule auth_basic_module modules/mod_auth_basic.so
+ LoadModule ldap_module modules/mod_ldap.so
+ LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+ LoadModule reqtimeout_module modules/mod_reqtimeout.so
+ LoadModule filter_module modules/mod_filter.so
+ LoadModule proxy_html_module modules/mod_proxy_html.so
+ LoadModule log_config_module modules/mod_log_config.so
+ LoadModule env_module modules/mod_env.so
+ LoadModule headers_module modules/mod_headers.so
+ LoadModule setenvif_module modules/mod_setenvif.so
+ LoadModule version_module modules/mod_version.so
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_connect_module modules/mod_proxy_connect.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+ LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+ LoadModule remoteip_module modules/mod_remoteip.so
+ LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+ LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+ LoadModule unixd_module modules/mod_unixd.so
+ LoadModule status_module modules/mod_status.so
+ LoadModule autoindex_module modules/mod_autoindex.so
+
+
+ User daemon
+ Group daemon
+
+
+
+ AllowOverride none
+ Require all denied
+
+
+
+ Require all denied
+
+
+ ErrorLog /dev/stderr
+
+ LogLevel warn
+
+
+ LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout common
+ CustomLog /dev/stdout combined
+ CustomLog /dev/stdout proxy env=forwarded
+
+
+
+ AllowOverride None
+ Options None
+ Require all granted
+
+
+
+ RequestHeader unset Proxy early
+
+
+
+ Include conf/extra/proxy-html.conf
+
+
+
+ RemoteIPHeader X-Original-Forwarded-For
+
+ ProxyPass http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+ ProxyPassReverse http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+
+
+ AuthName "Alertmanager"
+ AuthType Basic
+ AuthBasicProvider file ldap
+ AuthUserFile /usr/local/apache2/conf/.htpasswd
+ AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
+ AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
+ AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+ Require valid-user
+
+
command_flags:
alertmanager:
storage.path: /var/lib/alertmanager/data
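Review bot: `AuthLDAPBindDN` and `AuthLDAPBindPassword` are rendered without quoting, while `AuthLDAPURL` on the next line is piped through `quote`. A bind DN or password containing a space (constructed example: `cn=Directory Manager,dc=cluster,dc=local`) would be split into several directive arguments and likely be rejected or misread by httpd. Use `AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind | quote }}` and the same for the password. The module list also loads `status_module`, `autoindex_module`, `proxy_connect_module` and `proxy_balancer_module`, which nothing in the visible config appears to use; dropping them would shrink the proxy's surface.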