Resolve "Add Anchore/Prometheus Integration"

e0f3ed74 · Micah Nagel · Jason Krause · ec16633a · e0f3ed74 · e0f3ed74
Commit e0f3ed74 authored Mar 01, 2021 by Micah Nagel 💰 Committed by Jason Krause Mar 01, 2021
7 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.11.0-bb.1]
+### Added
+- Prometheus monitoring capability (ServiceMonitor, RoleBinding, Role)
+
+## [1.11.0-bb.0]
+### Changed
+- Bumped upstream chart version to 1.11.0.
+- Bumped anchore engine version to v0.9.0 from registry1.
+
 ## [1.9.5-bb.2]
 ### Fixed
 - Fixed a bug that appeared in RKE2 with the postgres deployment not having access to the data directory
@@ -11,4 +20,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [1.9.5-bb.1]
 ### Added
 - Pointing to upstream helm chart v1.9.5
- Added Ironbank images, VirtualServices, automated license secret creation and SSO integration with Keycloak
\ No newline at end of file
+- Added Ironbank images, VirtualServices, automated license secret creation and SSO integration with Keycloak
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.11.0-bb.0
+version: 1.11.0-bb.1
 appVersion: 0.9.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

--- a/chart/templates/bigbang/role.yaml
+++ b/chart/templates/bigbang/role.yaml
+{{- if .Values.monitoring.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleList
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: prometheus-k8s
+    namespace: {{ .Release.Namespace }}
+    labels:
+      app.kubernetes.io/component: "monitoring"
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    - endpoints
+    - pods
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
--- a/chart/templates/bigbang/rolebinding.yaml
+++ b/chart/templates/bigbang/rolebinding.yaml
+{{- if .Values.monitoring.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBindingList
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: prometheus-k8s
+    namespace: {{ .Release.Namespace }}
+    labels:
+      app.kubernetes.io/component: "monitoring"
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: prometheus-k8s
+  subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: {{ .Values.monitoring.namespace }}
+{{- end }}
--- a/chart/templates/bigbang/serviceMonitor.yaml
+++ b/chart/templates/bigbang/serviceMonitor.yaml
+{{ if .Values.monitoring.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    prometheus: k8s
+  name: anchore-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "anchore-engine.fullname" . }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+    - interval: 30s
+      path: /metrics
+      params:
+        format:
+          - prometheus
+      port: anchore-external-api
+      scheme: http
+      #jobLabel: anchore-metrics-external-api
+
+    - interval: 30s
+      path: /metrics
+      params:
+        format:
+          - prometheus
+      port: anchore-catalog-api
+      scheme: http
+      #jobLabel: anchore-metrics-catalog-api
+
+    - interval: 30s
+      path: /metrics
+      params:
+        format:
+          - prometheus
+      port: anchore-policy-api
+      scheme: http
+      #jobLabel: anchore-metrics-policy-api
+
+    - interval: 30s
+      path: /metrics
+      params:
+        format:
+          - prometheus
+      port: anchore-simplequeue-api
+      scheme: http
+      #jobLabel: anchore-metrics-simplequeue-api
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -7,6 +7,11 @@ hostname: bigbang.dev
 istio:
  enabled: false 

+# Enable Prometheus Monitoring - requires anchoreGlobal.enableMetrics & anchoreGlobal.metricsAuthDisabled
+monitoring:
+  enabled: false
+  namespace: monitoring
+
 # Enterprise license: Specify your multiline license
 # enterpriseLicenseYaml: |
 #   License YAML

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -7,8 +7,30 @@ hostname: bigbang.dev
 istio:
  enabled: true

-enterpriseLicenseYaml: |
-  FULL LICENSE YAML (must be indented)
+# Enable Prometheus Monitoring - requires anchoreGlobal.enableMetrics & anchoreGlobal.metricsAuthDisabled
+monitoring:
+  enabled: false
+  namespace: monitoring
+
+# Enterprise license: Specify your multiline license
+# enterpriseLicenseYaml: |
+#   License YAML
+enterpriseLicenseYaml: "" # Full multiline license yaml
+
+# Enable/disable Keycloak SSO integration
+# If enabled, also enable OAuth - anchoreGlobal.oauthEnabled
+sso:
+  enabled: false
+  name: "keycloak"
+  acsHttpsPort: -1
+  spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore"
+  acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak"
+  defaultAccount: "user"
+  defaultRole: "read-write" # If roleAttribute is passed, defaultRole will be ignored
+  roleAttribute: "" # Optional, defines the Keycloak attribute to use to map roles/permissions
+  requireSignedAssertions: false
+  requireSignedResponse: true
+  idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"


 # Upstream Anchore Values