diff --git a/infra-ingress/templates/configmap_init_crd.yaml b/infra-ingress/templates/configmap_init_crd.yaml
index 2cf4834..fbb96fb 100644
--- a/infra-ingress/templates/configmap_init_crd.yaml
+++ b/infra-ingress/templates/configmap_init_crd.yaml
@@ -7,6 +7,7 @@ metadata:
 data:
 {{- $isMonitoring := and
 (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
 }}
 monitoring: {{ $isMonitoring | quote }}
 {{- $isTraefik := and
diff --git a/infra-ingress/templates/traefik/release.yaml b/infra-ingress/templates/traefik/release.yaml
index 6c5e4e8..8dd8736 100644
--- a/infra-ingress/templates/traefik/release.yaml
+++ b/infra-ingress/templates/traefik/release.yaml
@@ -30,6 +30,60 @@ spec: {{- if .Values.hostNetwork }} dnsPolicy: ClusterFirstWithHostNet {{- end }} + podAnnotations: + {{- if .Values.traefik.logs.metrics }} + checksum/vector-config: {{ include (print $.Template.BasePath "/traefik/vector/configmap.yaml") $ | sha256sum }} + {{- if .Values.traefik.logs.geoip.enabled }} + initContainers: + - name: "download-geoip" + image: "alpine" + command: + - sh + - -c + - | + cd /usr/share/GeoIP + wget -O geoip-db.mmdb {{ .Values.traefik.logs.geoip.url | quote}} + # gunzip geoip-db.mmdb.gz + volumeMounts: + - mountPath: "/usr/share/GeoIP" + name: geoip + {{- end }} + additionalContainers: + - name: "vector" + image: docker.io/timberio/vector:0.45.0-debian + args: + - --watch-config + - --watch-config-method + - poll + livenessProbe: + httpGet: + path: /health + port: vector-api + volumeMounts: + - mountPath: "/etc/vector/vector.yaml" + subPath: "vector.yaml" + name: vector-config + readOnly: true + {{- if .Values.traefik.logs.geoip.enabled }} + - mountPath: "/usr/share/GeoIP" + name: geoip + {{- end }} + ports: + - name: vector-api + containerPort: 8686 + protocol: TCP + - name: vector-metrics + containerPort: 9116 + protocol: TCP + additionalVolumes: + - name: vector-config + configMap: + name: traefik-vector + {{- if .Values.traefik.logs.geoip.enabled }} + - name: geoip + empty: {} + {{- end }} + {{- end }} hostNetwork: {{ .Values.hostNetwork }} updateStrategy: rollingUpdate: @@ -43,10 +97,18 @@ spec: - IPv6 - IPv4 - {{- with .Values.traefik.additionalArguments }} additionalArguments: + {{- with .Values.traefik.additionalArguments }} {{- toYaml . | nindent 6 }} - {{- end }} + {{- end }} + {{- if .Values.traefik.logs.metrics }} + - --experimental.otlpLogs=true + - --accesslog=true + - --accesslog.otlp=true + - --accesslog.otlp.grpc=true + - --accesslog.otlp.grpc.endpoint=localhost:4317 + - --accesslog.otlp.grpc.insecure=true + {{- end }} tolerations: - key: "CriticalAddonsOnly" 
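Review bot: The `download-geoip` init container uses an untagged `alpine` image and fetches the GeoIP database with `wget` from `.Values.traefik.logs.geoip.url` without any integrity check, so whatever the registry and that URL serve at rollout time ends up running in, or being parsed inside, the ingress pod; the default URL added in the values.yaml hunk points at a branch of a third-party repository, which is a mutable reference. Pinning the image, e.g. `image: "alpine:<tag>@sha256:<digest>"` (placeholders), and checking the downloaded file against a checksum carried in values before Vector reads it would close this; the `docker.io/timberio/vector:0.45.0-debian` sidecar is pinned by tag only and could take a digest as well. Separately, the geoip volume is declared as `empty: {}`, which is presumably meant to be `emptyDir: {}`, since as written the volume has no recognised source. Neither added container sets a `securityContext` or resource limits, which matters more here because this pod can be rendered with `hostNetwork`.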
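Review bot: `--accesslog.otlp.grpc.endpoint=localhost:4317` combined with `--accesslog.otlp.grpc.insecure=true` in the `additionalArguments` hunk is private to the pod only while the pod has its own network namespace. This template also renders `hostNetwork: {{ .Values.hostNetwork }}`, and in that mode localhost is the node's loopback, so access logs are sent in plaintext to whatever is bound to 4317 on the node. A comment above the block such as `# plaintext OTLP to the vector sidecar; with hostNetwork the listener sits on the node loopback` would record the assumption, or rendering could be made to fail when both `hostNetwork` and `traefik.logs.metrics` are set. Also, `additionalArguments:` is now emitted even when both conditions are false, giving a null value where the key used to be omitted; it is worth confirming the Traefik chart tolerates that.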
@@ -60,6 +122,7 @@ spec: priorityClassName: "system-cluster-critical" + ports: metrics: port: 9111 @@ -80,6 +143,10 @@ spec: {{- with .Values.traefik.ports }} {{- toYaml . | nindent 6 }} {{- end }} + gateway: + listeners: + web: + port: 80 {{- if .Values.hostNetwork }} podSecurityContext: null securityContext: @@ -92,6 +159,8 @@ spec: kubernetesIngress: publishedService: enabled: true + kubernetesGateway: + enabled: true ingressRoute: dashboard: @@ -115,7 +184,7 @@ spec: format: "json" level: WARN access: - enabled: {{ toYaml .Values.logs.access }} + enabled: {{ toYaml (and .Values.logs.access (not .Values.traefik.logs.metrics)) }} format: "json" {{- end }} @@ -125,6 +194,7 @@ spec: service: enabled: true serviceMonitor: + enabled: true additionalLabels: {{- toYaml $.Values.commons.prometheus.monitor.labels | nindent 12 }} {{- end }} diff --git a/infra-ingress/templates/traefik/vector/configmap.yaml b/infra-ingress/templates/traefik/vector/configmap.yaml new file mode 100644 index 0000000..457a83b --- /dev/null +++ b/infra-ingress/templates/traefik/vector/configmap.yaml 
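Review bot: `kubernetesGateway.enabled: true` in the `@@ -92,6 +159,8 @@` hunk, together with the `gateway.listeners.web` block in the preceding hunk, turns the Gateway API provider on unconditionally, whereas the monitoring resources in this commit are gated on `.Capabilities.APIVersions.Has`. Enabling a provider widens the set of objects that can program routes on the cluster ingress to anything allowed to create Gateway API resources, so it deserves an explicit values flag and a CRD check such as `{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/Gateway" }}` around both blocks. The enclosing mapping starts outside the hunk, so the exact nesting should be checked against the full file.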
@@ -0,0 +1,117 @@
+{{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: traefik-vector
+data:
+ vector.yaml: |
+ api:
+ enabled: true
+ address: "0.0.0.0:8686"
+ {{- if .Values.traefik.logs.geoip.enabled }}
+ enrichment_tables:
+ geoip:
+ type: "geoip"
+ path: "/usr/share/GeoIP/geoip-db.mmdb"
+ locale: "en"
+ {{- end }}
+ sources:
+ otlp:
+ type: opentelemetry
+ grpc:
+ address: 127.0.0.1:4317
+ http:
+ address: 127.0.0.1:4318
+ transforms:
+ {{- with .Values.traefik.logs.additionalTransforms }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{ $input := "otlp.logs" }}
+ {{- if .Values.traefik.logs.geoip.enabled }}
+ geolookup:
+ inputs:
+ - "otlp.logs"
+ type: "remap"
+ source: |
+ if ip_cidr_contains!([
+ "10.0.0.0/8",
+ "100.64.0.0/10",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "fc00::/7",
+ ], .attributes.ClientHost) {
+ .geoip = {
+ "latitude": 0.0,
+ "longitude": 0.0,
+ "continent_code": "internal",
+ "country_code": "internal",
+ "country_name": "internal"
+ }
+ } else {
+ .geoip, .err = get_enrichment_table_record("geoip", {"ip": .attributes.ClientHost}, [
+ "latitude",
+ "longitude",
+ "continent_code",
+ "country_code",
+ "country_name"
+ ])
+ if .err != null {
+ log(.err, level: "error")
+ }
+ if !exists(.geoip.continent_code) {
+ .geoip = {
+ "latitude": 0.0,
+ "longitude": 0.0,
+ "continent_code": "unknown",
+ "country_code": "unknown",
+ "country_name": "unknown"
+ }
+ }
+ }
+ del(.err)
+ {{ $input = "geolookup"}}
+ {{- end }}
+ metrics:
+ inputs:
+ - {{ $input }}
+ type: log_to_metric
+ metrics:
+ - namespace: "traefik_logs"
+ name: "access"
+ field: "attributes.RequestHost"
+ type: counter
+ tags:
+ {{`
+ host: "{{ attributes.RequestHost }}"
+ entryPoint: "{{ attributes.entryPointName }}"
+ `}}
+ {{- if .Values.traefik.logs.geoip.enabled }}
+ {{`
+ latitude: "{{ geoip.latitude }}"
+ longitude: "{{ geoip.longitude }}"
+ continent_code: "{{ geoip.continent_code }}"
+ country_code: "{{ geoip.country_code }}"
+ country_name: "{{ geoip.country_name }}"
+ `}}
+ {{- end }}
+ {{- with .Values.traefik.logs.additionalMetrics }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ sinks:
+ {{- if .Values.logs.access }}
+ console:
+ inputs:
+ - {{ $input }}
+ type: console
+ encoding:
+ codec: logfmt
+ {{- end }}
+ {{- with .Values.traefik.logs.additionalSinks }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ prometheus:
+ inputs:
+ - metrics
+ type: prometheus_exporter
+ address: "[::]:9116"
+{{- end }}
diff --git a/infra-ingress/templates/traefik/vector/podmonitor.yaml b/infra-ingress/templates/traefik/vector/podmonitor.yaml
new file mode 100644
index 0000000..5bbf502
--- /dev/null
+++ b/infra-ingress/templates/traefik/vector/podmonitor.yaml
@@ -0,0 +1,16 @@
+{{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: traefik-vector
+ labels:
+ {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-ingress
+ podMetricsEndpoints:
+ - port: vector-metrics
+ path: /metrics
+{{- end }}
diff --git a/infra-ingress/values.yaml b/infra-ingress/values.yaml
index f011b2b..db395ca 100644
--- a/infra-ingress/values.yaml
+++ b/infra-ingress/values.yaml
@@ -57,4 +57,14 @@ logs:
 traefik:
 ports: {}
 hostPath: /srv/k8s/pv/pvc-traefik-certs
+ logs:
+ # -- analyse logs to metrics
+ metrics: false
+ geoip:
+ enabled: false
+ url: "https://raw.githubusercontent.com/P3TERX/GeoLite.mmdb/download/GeoLite2-City.mmdb"
+ # -- you could use the source `otlp.logs` to recieve access-logs and work with them
+ additionalTransforms: {}
+ additionalMetrics: []
+ additionalSinks: {}
 additionalArguments: []
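Review bot: In templates/traefik/vector/configmap.yaml the `access` counter tags every series with `host: "{{ attributes.RequestHost }}"`, a value taken from the request's Host header and therefore unbounded; with geoip enabled, `latitude` and `longitude` become tags as well. Each new tag value creates a new time series behind the `prometheus` sink, so label cardinality is set by whoever sends requests to the ingress and can exhaust memory in Vector and in Prometheus. Placing a `tag_cardinality_limit` transform between `metrics` and the `prometheus` sink, as sketched below, bounds this, and dropping the coordinate tags in favour of the country-level ones would reduce it further. The `api` address `0.0.0.0:8686` also deserves a comment, since with `hostNetwork` it listens on every node interface.

```yaml
      # … unchanged: geolookup and metrics transforms …
      limit_tags:
        type: tag_cardinality_limit
        inputs:
          - metrics
        mode: exact
        value_limit: 500  # sample value, tune per deployment
        limit_exceeded_action: drop_tag
    # … unchanged: sinks header, console and additional sinks …
      prometheus:
        inputs:
          - limit_tags
        # … unchanged: type and address …
```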