Skip to content

Instantly share code, notes, and snippets.

@JasonMorgan

JasonMorgan/buoyant-agent-manifest.yaml

Created November 30, 2021 17:18
Show Gist options
  • Save JasonMorgan/1cbffc92b5b0acafccc7a62a52274410 to your computer and use it in GitHub Desktop.
Save JasonMorgan/1cbffc92b5b0acafccc7a62a52274410 to your computer and use it in GitHub Desktop.
Download ZIP
BCloud Manifest
Raw
buoyant-agent-manifest.yaml
---
#
# Buoyant Cloud Agent manifest for NYC1
#
---
kind: Namespace
apiVersion: v1
metadata:
name: buoyant-cloud
annotations:
linkerd.io/inject: enabled
labels:
app.kubernetes.io/part-of: buoyant-cloud
linkerd.io/extension: buoyant
---
#
# Secrets to identify and authenticate this agent
#
---
kind: Secret
apiVersion: v1
metadata:
name: buoyant-cloud-id
namespace: buoyant-cloud
labels:
app.kubernetes.io/part-of: buoyant-cloud
type: Opaque
data:
id: someid
key: somestring
downloadKey: someotherstring
name: somename
---
#
# RBAC
#
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: buoyant-cloud-agent
namespace: buoyant-cloud
labels:
app.kubernetes.io/part-of: buoyant-cloud
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: buoyant-cloud-agent
labels:
app.kubernetes.io/part-of: buoyant-cloud
rules:
- apiGroups: [""]
resources: ["services", "pods", "events", "nodes", "nodes/proxy", "pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: ["policy.linkerd.io"]
resources: ["servers", "serverauthorizations"]
verbs: ["get", "list", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
- apiGroups: ["multicluster.linkerd.io"]
resources: ["links"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["linkerd-config", "linkerd-identity-trust-roots"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["metrics.k8s.io"]
resources: ["pods"]
verbs: ["list", "get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: buoyant-cloud-agent
labels:
app.kubernetes.io/part-of: buoyant-cloud
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: buoyant-cloud-agent
subjects:
- kind: ServiceAccount
name: buoyant-cloud-agent
namespace: buoyant-cloud
---
#
# Buoyant Cloud Agent
#
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: buoyant-cloud-agent
namespace: buoyant-cloud
annotations:
buoyant.cloud/is-agent: "true"
buoyant.cloud/version: v0.5.1
buoyant.cloud/service-name: agent
labels:
app.kubernetes.io/name: agent
app.kubernetes.io/version: v0.5.1
app.kubernetes.io/part-of: buoyant-cloud
linkerd.io/extension: buoyant
spec:
replicas: 1
selector:
matchLabels:
app: buoyant-cloud-agent
template:
metadata:
labels:
app: buoyant-cloud-agent
annotations:
config.linkerd.io/skip-outbound-ports: "4191"
spec:
securityContext:
fsGroup: 1000
serviceAccount: buoyant-cloud-agent
containers:
- name: buoyant-cloud-agent
image: ghcr.io/buoyantio/linkerd-buoyant:v0.5.1
imagePullPolicy: Always
args:
- "-grpc-addr=api.buoyant.cloud:443"
- "-log-level=info"
env:
- name: BUOYANT_CLOUD_ID
valueFrom:
secretKeyRef:
key: id
name: buoyant-cloud-id
- name: BUOYANT_CLOUD_KEY
valueFrom:
secretKeyRef:
key: key
name: buoyant-cloud-id
ports:
- name: admin
containerPort: 9990
livenessProbe:
httpGet:
path: /ping
port: 9990
readinessProbe:
httpGet:
path: /ready
port: 9990
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: "2"
memory: 5000Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
---
#
# Metrics Agent
#
---
kind: ConfigMap
metadata:
name: buoyant-cloud-metrics
namespace: buoyant-cloud
labels:
app.kubernetes.io/part-of: buoyant-cloud
apiVersion: v1
data:
agent.yml: |
server:
log_level: info
http_listen_port: 9991
metrics:
wal_directory: /tmp/wal
global:
scrape_interval: 10s
external_labels:
cluster_id: ${BUOYANT_CLOUD_ID}
cluster_name: ${BUOYANT_CLOUD_NAME}
configs:
- host_filter: true
name: buoyant-cloud-metrics
wal_truncate_frequency: "1m"
remote_write:
- url: https://api.buoyant.cloud:443/remote-write
basic_auth:
username: ${BUOYANT_CLOUD_ID}
password: ${BUOYANT_CLOUD_KEY}
queue_config:
capacity: 1500
max_shards: 20
max_backoff: 10s
scrape_configs:
- job_name: 'buoyant-cloud-agent'
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- 'buoyant-cloud'
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_port_name]
regex: ^admin$
action: keep
- source_labels: [__meta_kubernetes_pod_container_name]
regex: ^buoyant-cloud-agent|buoyant-cloud-metrics$
action: keep
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
# scrape_configs copied from `linkerd install`
- job_name: 'kubernetes-nodes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
metric_relabel_configs:
- source_labels: [__name__]
regex: ^container_cpu_usage_seconds_total|container_memory_working_set_bytes|machine_cpu_cores|machine_memory_bytes$
action: keep
- source_labels: [pod]
target_label: workload_kind
regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5,15}$
action: replace
replacement: Deployment
- source_labels: [pod]
target_label: workload_kind
regex: ^(.*)-[0-9]+$
action: replace
replacement: StatefulSet
- source_labels: [pod]
target_label: workload_kind
regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5}$
action: replace
replacement: DaemonSet
- source_labels: [pod]
target_label: workload_kind
regex: ^(.*)-[456789bcdf]{1,10}-[bcdfghjklmnpqrstvwxz2456789]{5}$
action: replace
replacement: Deployment
- source_labels: [pod]
target_label: workload_name
regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5,15}$
action: replace
replacement: $1
- source_labels: [pod]
target_label: workload_name
regex: ^(.*)-[0-9]+$
action: replace
replacement: $1
- source_labels: [pod]
target_label: workload_name
regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5}$
action: replace
replacement: $1
- source_labels: [pod]
target_label: workload_name
regex: ^(.*)-[456789bcdf]{1,10}-[bcdfghjklmnpqrstvwxz2456789]{5}$
action: replace
replacement: $1
- job_name: 'linkerd-proxy'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_container_name
- __meta_kubernetes_pod_container_port_name
action: keep
regex: ^linkerd-proxy;linkerd-admin$
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
# special case k8s' "job" label, to not interfere with prometheus' "job"
# label
# __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo =>
# k8s_job=foo
- source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job]
action: replace
target_label: k8s_job
# drop __meta_kubernetes_pod_label_linkerd_io_proxy_job
- action: labeldrop
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
# __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo =>
# deployment=foo
- action: labelmap
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
# drop all labels that we just made copies of in the previous labelmap
- action: labeldrop
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
# __meta_kubernetes_pod_label_linkerd_io_foo=bar =>
# foo=bar
- action: labelmap
regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
# __meta_kubernetes_pod_controller_kind=DaemonSet => workload_kind=DaemonSet
# __meta_kubernetes_pod_controller_name=foo => workload_name=foo
- source_labels: [__meta_kubernetes_pod_controller_kind]
action: replace
target_label: workload_kind
- source_labels: [__meta_kubernetes_pod_controller_name]
action: replace
target_label: workload_name
# __meta_kubernetes_pod_controller_kind=ReplicaSet => workload_kind=Deployment
# __meta_kubernetes_pod_controller_name=foo-bar-123 => workload_name=foo-bar
- source_labels: [__meta_kubernetes_pod_controller_kind]
action: replace
regex: ^ReplicaSet$
target_label: workload_kind
replacement: Deployment
- source_labels:
- __meta_kubernetes_pod_controller_kind
- __meta_kubernetes_pod_controller_name
action: replace
regex: ^ReplicaSet;(.*)-[^-]+$
target_label: workload_name
metric_relabel_configs:
# keep linkerd metrics relevant to buoyant cloud
- source_labels: [__name__]
regex: ^response_total|response_latency_ms_bucket|route_response_total|route_response_latency_ms_bucket|tcp_open_connections|tcp_read_bytes_total|tcp_write_bytes_total|inbound_http_authz_allow_total|inbound_http_authz_deny_total|inbound_tcp_authz_allow_total|inbound_tcp_authz_deny_total$
action: keep
# drop high-cardinality outbound latency histograms
- source_labels:
- __name__
- direction
regex: 'response_latency_ms_bucket;outbound'
action: drop
# drop high-cardinality outbound tcp open connections
- source_labels:
- __name__
- direction
regex: 'tcp_open_connections;outbound'
action: drop
# drop high-cardinality outbound tcp read bytes
- source_labels:
- __name__
- direction
regex: 'tcp_read_bytes_total;outbound'
action: drop
# drop high-cardinality outbound tcp write bytes
- source_labels:
- __name__
- direction
regex: 'tcp_write_bytes_total;outbound'
action: drop
# drop linkerd workload labels (superseded by workload_kind, workload_name)
- action: labeldrop
regex: 'deployment'
- action: labeldrop
regex: 'daemonset'
- action: labeldrop
regex: 'statefulset'
# foo{direction="outbound"} => outbound_foo{}
- source_labels:
- __name__
- direction
regex: ^(.+);(inbound|outbound)$
action: replace
target_label: __name__
replacement: $${2}_$${1}
- action: labeldrop
regex: direction
# dst_daemonset=foo => dst_workload_name=foo
# dst_daemonset=foo => dst_workload_kind=DaemonSet
- source_labels: [dst_daemonset]
regex: (.+)
action: replace
target_label: dst_workload_name
- source_labels: [dst_daemonset]
regex: (.+)
action: replace
target_label: dst_workload_kind
replacement: DaemonSet
- action: labeldrop
regex: 'dst_daemonset'
# dst_deployment=foo => dst_workload_name=foo
# dst_deployment=foo => dst_workload_kind=Deployment
- source_labels: [dst_deployment]
regex: (.+)
action: replace
target_label: dst_workload_name
- source_labels: [dst_deployment]
regex: (.+)
action: replace
target_label: dst_workload_kind
replacement: Deployment
- action: labeldrop
regex: 'dst_deployment'
# dst_statefulset=foo => dst_workload_name=foo
# dst_statefulset=foo => dst_workload_kind=StatefulSet
- source_labels: [dst_statefulset]
regex: (.+)
action: replace
target_label: dst_workload_name
- source_labels: [dst_statefulset]
regex: (.+)
action: replace
target_label: dst_workload_kind
replacement: StatefulSet
- action: labeldrop
regex: 'dst_statefulset'
# drop remaining high-cardinality linkerd metrics and labels
- action: labeldrop
regex: 'pod_template_hash'
- action: labeldrop
regex: 'dst_pod_template_hash'
- action: labeldrop
regex: 'dst_serviceaccount'
- action: labeldrop
regex: 'server_id'
- action: labeldrop
regex: 'control_plane_ns'
- action: labeldrop
regex: 'dst_control_plane_ns'
- action: labeldrop
regex: 'workload_ns'
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: buoyant-cloud-metrics
namespace: buoyant-cloud
annotations:
buoyant.cloud/is-metrics: "true"
buoyant.cloud/version: v0.5.1
buoyant.cloud/service-name: metrics
labels:
app.kubernetes.io/name: metrics
app.kubernetes.io/version: v0.5.1
app.kubernetes.io/part-of: buoyant-cloud
linkerd.io/extension: buoyant
spec:
selector:
matchLabels:
app: buoyant-cloud-metrics
template:
metadata:
labels:
app: buoyant-cloud-metrics
spec:
securityContext:
fsGroup: 1000
serviceAccount: buoyant-cloud-agent
tolerations:
- operator: Exists
effect: NoSchedule
containers:
- name: buoyant-cloud-metrics
image: grafana/agent:v0.20.0
args:
- -config.file=/buoyant-cloud-metrics/agent.yml
- -config.expand-env
ports:
- name: admin
containerPort: 9991
livenessProbe:
httpGet:
path: /-/healthy
port: 9991
readinessProbe:
httpGet:
path: /-/ready
port: 9991
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
cpu: "2"
memory: 5000Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: BUOYANT_CLOUD_ID
valueFrom:
secretKeyRef:
key: id
name: buoyant-cloud-id
- name: BUOYANT_CLOUD_KEY
valueFrom:
secretKeyRef:
key: key
name: buoyant-cloud-id
- name: BUOYANT_CLOUD_NAME
valueFrom:
secretKeyRef:
key: name
name: buoyant-cloud-id
volumeMounts:
- mountPath: /buoyant-cloud-metrics
name: buoyant-cloud-metrics
- mountPath: /tmp
name: tmp
volumes:
- configMap:
name: buoyant-cloud-metrics
name: buoyant-cloud-metrics
- name: tmp
emptyDir: {}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment