diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml index ed137168..a6a04ac7 100644 --- a/config/prometheus/kustomization.yaml +++ b/config/prometheus/kustomization.yaml @@ -1,2 +1,3 @@ resources: - monitor.yaml + diff --git a/sample-network/config/cas/kustomization.yaml b/sample-network/config/cas/kustomization.yaml index 0d354cf4..3135920c 100644 --- a/sample-network/config/cas/kustomization.yaml +++ b/sample-network/config/cas/kustomization.yaml @@ -19,6 +19,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - org0-ca.yaml - org1-ca.yaml diff --git a/sample-network/config/console/kustomization.yaml b/sample-network/config/console/kustomization.yaml index 1f7ec5bd..140b32ec 100644 --- a/sample-network/config/console/kustomization.yaml +++ b/sample-network/config/console/kustomization.yaml @@ -1,5 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - hlf-operations-console.yaml diff --git a/sample-network/config/manager/kustomization.yaml b/sample-network/config/manager/kustomization.yaml index 9bc57c5e..34cb2444 100644 --- a/sample-network/config/manager/kustomization.yaml +++ b/sample-network/config/manager/kustomization.yaml @@ -18,5 +18,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - hlf-operator-manager.yaml diff --git a/sample-network/config/orderers/kustomization.yaml b/sample-network/config/orderers/kustomization.yaml index 91c9041d..75fcf393 100644 --- a/sample-network/config/orderers/kustomization.yaml +++ b/sample-network/config/orderers/kustomization.yaml @@ -19,6 +19,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - org0-orderers.yaml diff --git a/sample-network/config/orderers/org0-orderers.yaml b/sample-network/config/orderers/org0-orderers.yaml index 3251afc1..088d12bc 100644 
--- a/sample-network/config/orderers/org0-orderers.yaml +++ b/sample-network/config/orderers/org0-orderers.yaml @@ -43,7 +43,7 @@ spec: - enrollment: component: caname: ca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" @@ -51,7 +51,7 @@ spec: enrollsecret: "orderer1pw" tls: caname: tlsca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" @@ -64,7 +64,7 @@ spec: - enrollment: component: caname: ca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" @@ -72,7 +72,7 @@ spec: enrollsecret: "orderer2pw" tls: caname: tlsca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" @@ -85,7 +85,7 @@ spec: - enrollment: component: caname: ca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" @@ -93,7 +93,7 @@ spec: enrollsecret: "orderer3pw" tls: caname: tlsca - cahost: test-network-org0-ca-ca.${INGRESS_DOMAIN} + cahost: ${NS}-org0-ca-ca.${INGRESS_DOMAIN} caport: "443" catls: cacert: "${ORG0_CA_CERT}" diff --git a/sample-network/config/peers/kustomization.yaml b/sample-network/config/peers/kustomization.yaml index a962324c..6d91ba75 100644 --- a/sample-network/config/peers/kustomization.yaml +++ b/sample-network/config/peers/kustomization.yaml @@ -19,6 +19,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - org1-peer1.yaml - org1-peer2.yaml diff --git a/sample-network/config/peers/org1-peer1.yaml b/sample-network/config/peers/org1-peer1.yaml index ce07ca30..513d16c6 100644 --- a/sample-network/config/peers/org1-peer1.yaml +++ b/sample-network/config/peers/org1-peer1.yaml 
@@ -23,7 +23,7 @@ metadata: spec: version: "${FABRIC_VERSION}" domain: "${INGRESS_DOMAIN}" - peerExternalEndpoint: "test-network-org1-peer1-peer.${INGRESS_DOMAIN}:443" + peerExternalEndpoint: "${NS}-org1-peer1-peer.${INGRESS_DOMAIN}:443" license: accept: true action: @@ -33,6 +33,8 @@ spec: peer: keepalive: minInterval: 61s + metrics: + provider: prometheus customNames: pvc: {} images: @@ -48,7 +50,7 @@ spec: enrollment: component: caname: ca - cahost: "test-network-org1-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org1-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG1_CA_CERT}" @@ -56,7 +58,7 @@ spec: enrollsecret: "peer1pw" tls: caname: tlsca - cahost: "test-network-org1-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org1-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG1_CA_CERT}" diff --git a/sample-network/config/peers/org1-peer2.yaml b/sample-network/config/peers/org1-peer2.yaml index 0cbb0ce1..e8e64bed 100644 --- a/sample-network/config/peers/org1-peer2.yaml +++ b/sample-network/config/peers/org1-peer2.yaml @@ -23,7 +23,7 @@ metadata: spec: version: "${FABRIC_VERSION}" domain: "${INGRESS_DOMAIN}" - peerExternalEndpoint: "test-network-org1-peer2-peer.${INGRESS_DOMAIN}:443" + peerExternalEndpoint: "${NS}-org1-peer2-peer.${INGRESS_DOMAIN}:443" license: accept: true action: @@ -48,7 +48,7 @@ spec: enrollment: component: caname: ca - cahost: "test-network-org1-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org1-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG1_CA_CERT}" @@ -56,7 +56,7 @@ spec: enrollsecret: "peer2pw" tls: caname: tlsca - cahost: "test-network-org1-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org1-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG1_CA_CERT}" diff --git a/sample-network/config/peers/org2-peer1.yaml b/sample-network/config/peers/org2-peer1.yaml index 8e93282e..b9fef501 100644 --- a/sample-network/config/peers/org2-peer1.yaml +++ b/sample-network/config/peers/org2-peer1.yaml 
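Review bot: `metrics: provider: prometheus` is added only to org1-peer1 in this hunk, while the ServiceMonitors elsewhere in this commit also scrape org1-peer2, both org2 peers and the three orderers. Unless the operator defaults the operations metrics provider to prometheus (not visible from here), those other targets will answer the scrape without a populated `/metrics` and show up as down in Prometheus. Either add the same two lines under `peer:` (or the orderer equivalent) in the other specs, or leave a comment explaining why only this peer exports metrics.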
@@ -23,7 +23,7 @@ metadata: spec: version: "${FABRIC_VERSION}" domain: "${INGRESS_DOMAIN}" - peerExternalEndpoint: "test-network-org2-peer1-peer.${INGRESS_DOMAIN}:443" + peerExternalEndpoint: "${NS}-org2-peer1-peer.${INGRESS_DOMAIN}:443" license: accept: true action: @@ -48,7 +48,7 @@ spec: enrollment: component: caname: ca - cahost: "test-network-org2-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org2-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG2_CA_CERT}" @@ -56,7 +56,7 @@ spec: enrollsecret: "peer1pw" tls: caname: tlsca - cahost: "test-network-org2-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org2-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG2_CA_CERT}" diff --git a/sample-network/config/peers/org2-peer2.yaml b/sample-network/config/peers/org2-peer2.yaml index c5f00a5c..3321b46d 100644 --- a/sample-network/config/peers/org2-peer2.yaml +++ b/sample-network/config/peers/org2-peer2.yaml @@ -23,7 +23,7 @@ metadata: spec: version: "${FABRIC_VERSION}" domain: "${INGRESS_DOMAIN}" - peerExternalEndpoint: "test-network-org2-peer2-peer.${INGRESS_DOMAIN}:443" + peerExternalEndpoint: "${NS}-org2-peer2-peer.${INGRESS_DOMAIN}:443" license: accept: true action: @@ -48,7 +48,7 @@ spec: enrollment: component: caname: ca - cahost: "test-network-org2-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org2-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG2_CA_CERT}" @@ -56,7 +56,7 @@ spec: enrollsecret: "peer2pw" tls: caname: tlsca - cahost: "test-network-org2-ca-ca.${INGRESS_DOMAIN}" + cahost: "${NS}-org2-ca-ca.${INGRESS_DOMAIN}" caport: "443" catls: cacert: "${ORG2_CA_CERT}" diff --git a/sample-network/config/prometheus/ingress-grafana.yaml b/sample-network/config/prometheus/ingress-grafana.yaml new file mode 100644 index 00000000..becb3eab --- /dev/null +++ b/sample-network/config/prometheus/ingress-grafana.yaml 
@@ -0,0 +1,27 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s + nginx.ingress.kubernetes.io/ssl-passthrough: "false" + labels: + app: grafana + name: grafana + namespace: monitoring +spec: + ingressClassName: nginx + rules: + - host: grafana.${INGRESS_DOMAIN} + http: + paths: + - backend: + service: + name: grafana + port: + name: http + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - prometheus.${INGRESS_DOMAIN} diff --git a/sample-network/config/prometheus/ingress-prometheus.yaml b/sample-network/config/prometheus/ingress-prometheus.yaml new file mode 100644 index 00000000..2aef1748 --- /dev/null +++ b/sample-network/config/prometheus/ingress-prometheus.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s + nginx.ingress.kubernetes.io/ssl-passthrough: "false" + labels: + app: prometheus-k8s + name: prometheus-k8s + namespace: monitoring +spec: + ingressClassName: nginx + rules: + - host: prometheus.${INGRESS_DOMAIN} + http: + paths: + - backend: + service: + name: prometheus-k8s + port: + name: web + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - prometheus.${INGRESS_DOMAIN} diff --git a/sample-network/config/prometheus/kustomization.yaml b/sample-network/config/prometheus/kustomization.yaml new file mode 100644 index 00000000..720467a8 --- /dev/null +++ b/sample-network/config/prometheus/kustomization.yaml 
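Review bot: The `tls.hosts` entry on the grafana Ingress lists `prometheus.${INGRESS_DOMAIN}` while its rule host is `grafana.${INGRESS_DOMAIN}`, so the TLS stanza does not cover the host it actually serves; it should read `- grafana.${INGRESS_DOMAIN}`. Neither new Ingress sets `secretName`, so nginx will serve its default self-signed certificate for both hosts; that is fine for a kind sandbox on `localho.st`, but a one-line comment saying so would stop the file being copied as-is into a real cluster. Grafana is also published at the ingress domain with whatever login kube-prometheus ships (I believe admin/admin), so the `TODO: override grafana root_url` in cluster.sh should also cover changing that password before the Ingress goes up.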
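Review bot: This Ingress publishes the Prometheus UI and HTTP API at `prometheus.${INGRESS_DOMAIN}` with no authentication in front of it, and Prometheus has none of its own; anyone who can reach the ingress can read every scraped series, the scrape configuration and the target list (which reveals the `${NS}` service names), and the admin/delete endpoints too if the kube-prometheus build enables them. For a local kind cluster that is tolerable, but the manifest should say so in a comment, and anyone deploying beyond that needs an auth annotation (e.g. `nginx.ingress.kubernetes.io/auth-type: basic` with `auth-secret`) or an allow-list via `nginx.ingress.kubernetes.io/whitelist-source-range`.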
@@ -0,0 +1,30 @@ +# +# Copyright contributors to the Hyperledger Fabric Operator project +# +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: monitoring + +resources: + - servicemonitor-org0-orderersnode1.yaml + - servicemonitor-org0-orderersnode2.yaml + - servicemonitor-org0-orderersnode3.yaml + - servicemonitor-org1-peer1.yaml + - servicemonitor-org1-peer2.yaml + - servicemonitor-org2-peer1.yaml + - servicemonitor-org2-peer2.yaml diff --git a/sample-network/config/prometheus/servicemonitor-org0-orderersnode1.yaml b/sample-network/config/prometheus/servicemonitor-org0-orderersnode1.yaml new file mode 100644 index 00000000..e71c5c34 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org0-orderersnode1.yaml 
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org0-orderersnode1 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org0-orderersnode1 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org0-orderersnode1 + ca: + secret: + name: org0-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org0-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org0-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org0-orderersnode2.yaml b/sample-network/config/prometheus/servicemonitor-org0-orderersnode2.yaml new file mode 100644 index 00000000..1d07cd12 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org0-orderersnode2.yaml 
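Review bot: The client credential referenced from `org0-servicemonitor-tls-secret` is the org0 admin's TLS enrollment (`users/org0admin/tls/keystore/key.pem`), so the scrape identity is the same key an administrator uses, and anyone who can read Secrets in `monitoring` — the prometheus-k8s service account at minimum — obtains it. A dedicated monitoring identity registered with the org TLS CA, which the linked IBM doc already describes, would limit a Prometheus compromise to read-only metrics access; either do that or make the hint explicit with `# NOTE: reusing the org admin TLS key is for this sample only; enroll a separate monitoring identity for real deployments`. The `todo` on `namespaceSelector` is load-bearing: as far as I recall kube-prometheus only binds `prometheus-k8s` in a few fixed namespaces, so without a Role/RoleBinding for services, endpoints and pods in `${NS}` these targets will simply never appear — prefer that namespaced Role over widening the ClusterRole. `serverName: org0-orderersnode1` must also match a SAN in the orderer's operations TLS certificate, which I cannot confirm from the diff.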
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org0-orderersnode2 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org0-orderersnode2 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org0-orderersnode2 + ca: + secret: + name: org0-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org0-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org0-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org0-orderersnode3.yaml b/sample-network/config/prometheus/servicemonitor-org0-orderersnode3.yaml new file mode 100644 index 00000000..ce27f605 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org0-orderersnode3.yaml 
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org0-orderersnode3 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org0-orderersnode3 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org0-orderersnode3 + ca: + secret: + name: org0-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org0-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org0-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org1-peer1.yaml b/sample-network/config/prometheus/servicemonitor-org1-peer1.yaml new file mode 100644 index 00000000..346c692a --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org1-peer1.yaml 
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org1-peer1 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org1-peer1 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org1-peer1 + ca: + secret: + name: org1-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org1-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org1-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org1-peer2.yaml b/sample-network/config/prometheus/servicemonitor-org1-peer2.yaml new file mode 100644 index 00000000..716c56f8 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org1-peer2.yaml 
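Review bot: The comment block in this org1 monitor still points at `temp/enrollments/$org/users/org0admin/tls/...`, but test_network.sh populates `org1-servicemonitor-tls-secret` from `users/org1admin/`; the two path lines should read `users/${org}admin/...` (or `org1admin`) so the next reader does not load org0's key into org1's secret by following the comment. The same copy-paste appears in the org1-peer2 monitor.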
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org1-peer2 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org1-peer2 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org1-peer2 + ca: + secret: + name: org1-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org1-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org1-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org2-peer1.yaml b/sample-network/config/prometheus/servicemonitor-org2-peer1.yaml new file mode 100644 index 00000000..e1ea4889 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org2-peer1.yaml 
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org2-peer1 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org2-peer1 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org2-peer1 + ca: + secret: + name: org2-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org2-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org2-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/prometheus/servicemonitor-org2-peer2.yaml b/sample-network/config/prometheus/servicemonitor-org2-peer2.yaml new file mode 100644 index 00000000..a1ae56a4 --- /dev/null +++ b/sample-network/config/prometheus/servicemonitor-org2-peer2.yaml 
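Review bot: The comment in this org2 monitor names `users/org0admin/tls/...` for both cert and key, while the secret it references is built from `users/org2admin/` in test_network.sh; change the two path lines to `users/org2admin/...` (or the generic `users/${org}admin/...`). The org2-peer2 monitor carries the same stale comment.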
@@ -0,0 +1,40 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: org2-peer2 + namespace: monitoring +spec: + namespaceSelector: + # todo: establish RBAC for visibility from system:serviceaccount:monitoring:prometheus-k8s + matchNames: + - ${NS} + selector: + matchLabels: + app: org2-peer2 + endpoints: + - port: operations + scheme: https + + # The operations /metrics endpoint is secured by mTLS, and must be presented with a client certificate + # and key signed by the org CA. In this example we will use the org admin TLS enrollment to connect + # to the endpoint. See https://cloud.ibm.com/docs/blockchain?topic=blockchain-ibp-monitoring-prometheus + # for an example of creating a custom org enrollment for external monitors via ingress. + # + # tlsca-signcert.pem : temp/cas/$org-ca/tlsca-signcert.pem + # cert.pem : temp/enrollments/$org/users/org0admin/tls/signcerts/cert.pem + # key.pem : temp/enrollments/$org/users/org0admin/tls/keystore/key.pem + tlsConfig: + serverName: org2-peer2 + ca: + secret: + name: org2-servicemonitor-tls-secret + key: tlsca-signcert.pem + cert: + secret: + name: org2-servicemonitor-tls-secret + key: cert.pem + keySecret: + name: org2-servicemonitor-tls-secret + key: key.pem + + diff --git a/sample-network/config/rbac/hlf-operator-rolebinding.yaml b/sample-network/config/rbac/hlf-operator-rolebinding.yaml index 04f948e8..afec3c5a 100644 --- a/sample-network/config/rbac/hlf-operator-rolebinding.yaml +++ b/sample-network/config/rbac/hlf-operator-rolebinding.yaml @@ -16,4 +16,4 @@ # limitations under the License. # --- -kubectl -n $NS create rolebinding hlf-operator-rolebinding --clusterrole=hlf-operator-role --group=system:serviceaccounts:test-network -- +kubectl -n $NS create rolebinding hlf-operator-rolebinding --clusterrole=hlf-operator-role --group=system:serviceaccounts:$NS -- 
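Review bot: `--group=system:serviceaccounts:$NS` binds `hlf-operator-role` to every service account in the namespace, so the default service account of each peer, orderer and CA pod inherits the operator's permissions rather than only the operator itself; the scope is pre-existing and this commit only parameterizes it, but this is the line to narrow, e.g. `--serviceaccount=$NS:<operator service account>` using the account declared in hlf-operator-serviceaccount.yaml (its name is not visible in the diff). If the group-wide grant is deliberate for the sample, a comment above the command saying so would stop it being copied into real deployments.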
diff --git a/sample-network/config/rbac/kustomization.yaml b/sample-network/config/rbac/kustomization.yaml index 9a5132c7..6d79975f 100644 --- a/sample-network/config/rbac/kustomization.yaml +++ b/sample-network/config/rbac/kustomization.yaml @@ -18,6 +18,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: ${NS} + resources: - hlf-psp.yaml - hlf-operator-serviceaccount.yaml diff --git a/sample-network/network b/sample-network/network index 933dc5f5..e8383bfe 100755 --- a/sample-network/network +++ b/sample-network/network @@ -48,6 +48,7 @@ context CLUSTER_NAME $CLUSTER_RUNTIME context KUBE_DNS_DOMAIN ${NS}.svc.cluster.local context INGRESS_DOMAIN localho.st context COREDNS_DOMAIN_OVERRIDE true +context PROMETHEUS_MONITORING false context LOG_FILE network.log context DEBUG_FILE network-debug.log context LOG_ERROR_LINES 1 diff --git a/sample-network/scripts/channel.sh b/sample-network/scripts/channel.sh index 36fe802e..0a276c80 100644 --- a/sample-network/scripts/channel.sh +++ b/sample-network/scripts/channel.sh @@ -38,10 +38,6 @@ function channel_command_group() { } function channel_up() { - set -x - - enroll_org_admins - create_channel_msp create_genesis_block @@ -120,6 +116,7 @@ function enroll_org_admin() { CA_URL=https://${CA_AUTH}@${CA_HOST}:${CA_PORT} jq -r .tls.cert $CONNECTION_PROFILE | base64 -d >& $CA_DIR/tls-cert.pem + jq -r .tlsca.signcerts $CONNECTION_PROFILE | base64 -d >& $CA_DIR/tlsca-signcert.pem # enroll the admin user FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll --url ${CA_URL} --tls.certfiles ${CA_DIR}/tls-cert.pem diff --git a/sample-network/scripts/cluster.sh b/sample-network/scripts/cluster.sh index af464a55..91aafa18 100644 --- a/sample-network/scripts/cluster.sh +++ b/sample-network/scripts/cluster.sh @@ -101,6 +101,10 @@ function cluster_init() { pull_docker_images kind_load_images fi + + if [ "${PROMETHEUS_MONITORING}" == true ]; then + apply_prometheus + fi } function apply_fabric_crds() { 
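Review bot: The new `jq -r .tlsca.signcerts ... | base64 -d >& $CA_DIR/tlsca-signcert.pem` copies the `>&` redirection from the line above, which sends stderr into the PEM file as well; if the profile lacks `.tlsca.signcerts` (`jq -r` prints `null`) or base64 rejects the input, the error text becomes the CA bundle that the ServiceMonitors later trust, and the failure surfaces as an opaque TLS error in Prometheus instead of here. Use a plain redirect and fail on a missing field, `jq -er .tlsca.signcerts $CONNECTION_PROFILE | base64 -d > $CA_DIR/tlsca-signcert.pem` (with `set -o pipefail` if the script does not already enable it). enroll_org_admin starts and ends outside the hunk.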
@@ -151,6 +155,40 @@ function wait_for_nginx_ingress() { pop_fn } +# https://prometheus-operator.dev/docs/prologue/quick-start/#deploy-kube-prometheus +function apply_prometheus() { + push_fn "Applying prometheus operator" + + set -x + + git clone https://github.com/prometheus-operator/kube-prometheus.git $TEMP_DIR/kube-prometheus || true + + # Create the namespace and CRDs, and then wait for them to be availble before creating the remaining resources + kubectl create -f $TEMP_DIR/kube-prometheus/manifests/setup || true + + # Wait until the "servicemonitors" CRD is created. The message "No resources found" means success in this context. + until kubectl get servicemonitors --all-namespaces ; do date; sleep 1; echo ""; done + + kubectl create -f $TEMP_DIR/kube-prometheus/manifests/ || true + + # create ingress for prometheus and grafana at $INGRESS_DOMAIN + cat config/prometheus/ingress-prometheus.yaml | envsubst | kubectl apply -f - + cat config/prometheus/ingress-grafana.yaml | envsubst | kubectl apply -f - + + # TODO: override grafana root_url in server.ini (secret) + + pop_fn +} + +function delete_prometheus() { + push_fn "Deleting prometheus operator" + + kubectl delete --ignore-not-found=true -f $TEMP_DIR/kube-prometheus/manifests/setup + kubectl delete --ignore-not-found=true -f $TEMP_DIR/kube-prometheus/manifests/ + + pop_fn +} + # Allow pods running in kubernetes to access services at the ingress domain *.localho.st. # # This function identifies the CLUSTER-IP for the ingress controller and overrides the coredns @@ -207,6 +245,10 @@ EOF function cluster_clean() { delete_fabric_crds delete_nginx_ingress + + if [ "${PROMETHEUS_MONITORING}" == true ]; then + delete_prometheus + fi } diff --git a/sample-network/scripts/test_network.sh b/sample-network/scripts/test_network.sh index 20f0c10f..24f3abb8 100644 --- a/sample-network/scripts/test_network.sh +++ b/sample-network/scripts/test_network.sh 
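Review bot: `git clone https://github.com/prometheus-operator/kube-prometheus.git` with no tag or commit, followed by `kubectl create -f manifests/setup` and `manifests/`, installs whatever is on the upstream default branch at run time — cluster-wide RBAC, CRDs and admission webhooks included — so the install is neither reproducible nor reviewable, and an upstream change or compromise lands straight in the cluster. Pin it, e.g. `git clone --depth 1 --branch <release-tag> https://github.com/prometheus-operator/kube-prometheus.git $TEMP_DIR/kube-prometheus`, and record the chosen release next to the `PROMETHEUS_MONITORING` default. The three `|| true` guards hide real failures (network errors, rejected manifests) behind the `until kubectl get servicemonitors` loop, which has no timeout and spins forever if the CRDs never arrive, and the `set -x` left in `apply_prometheus` echoes every command to the console — the same debug leftover this commit removes from `channel_up`. `delete_prometheus` also deletes `manifests/setup` (namespace and CRDs) before `manifests/`, the reverse of the upstream teardown order, so the second delete mostly hits already-gone resources.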
@@ -35,6 +35,7 @@ function network_up() { launch_operator launch_network_CAs + enroll_org_admins apply_network_peers apply_network_orderers @@ -47,6 +48,10 @@ function network_up() { wait_for ibporderer org0-orderersnode1 wait_for ibporderer org0-orderersnode2 wait_for ibporderer org0-orderersnode3 + + if [ "${PROMETHEUS_MONITORING}" == true ]; then + apply_service_monitors + fi } function init_namespace() { @@ -56,7 +61,7 @@ function init_namespace() { apiVersion: v1 kind: Namespace metadata: - name: test-network + name: ${NS} EOF pop_fn @@ -123,6 +128,34 @@ function apply_network_orderers() { pop_fn } +# Create kube secrets to store the monitoring client TLS certificate and key for access +# to the operations/metrics endpoint. +function create_servicemonitor_tls_secret() { + local org=$1 + local secret_name=${org}-servicemonitor-tls-secret + + kubectl -n monitoring delete secret ${secret_name} --ignore-not-found + + kubectl -n monitoring \ + create secret \ + generic ${secret_name} \ + --from-file=temp/cas/${org}-ca/tlsca-signcert.pem \ + --from-file=temp/enrollments/${org}/users/${org}admin/tls/signcerts/cert.pem \ + --from-file=temp/enrollments/${org}/users/${org}admin/tls/keystore/key.pem +} + +function apply_service_monitors() { + push_fn "Creating Prometheus service monitors" + + create_servicemonitor_tls_secret org0 + create_servicemonitor_tls_secret org1 + create_servicemonitor_tls_secret org2 + + apply_kustomization config/prometheus + + pop_fn +} + function stop_services() { push_fn "Stopping Fabric Services" @@ -131,6 +164,11 @@ function stop_services() { undo_kustomization config/peers undo_kustomization config/orderers + if [ "${PROMETHEUS_MONITORING}" == true ]; then + undo_kustomization config/prometheus + fi + + # give the operator a chance to reconcile the deletion and then shut down the operator. sleep 10 diff --git a/sample-network/scripts/utils.sh b/sample-network/scripts/utils.sh index db7d60f5..db9b3b8e 100644 
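Review bot: `create_servicemonitor_tls_secret` copies the org admin's TLS private key (`users/${org}admin/tls/keystore/key.pem`) into a generic Secret in `monitoring`, so the admin key now exists in two namespaces and is readable by anything with Secret access in `monitoring`, not only in the Fabric namespace. The scraper only needs to present any client certificate the orderer/peer TLS CA trusts, so enrolling a dedicated low-privilege monitoring identity and storing only that key here keeps the admin key out of the monitoring namespace; at minimum the function's header comment should say that the admin enrollment is being reused and that this is sample-only. The `temp/...` paths are relative to the working directory while cluster.sh in this same commit uses `$TEMP_DIR`, so the secret creation appears to fail silently if the script is run from elsewhere.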
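Review bot: `undo_kustomization config/prometheus` in `stop_services` removes the ServiceMonitors but not the three `*-servicemonitor-tls-secret` Secrets that `apply_service_monitors` created, so the org admin TLS keys remain in the `monitoring` namespace after the network is torn down. Add the matching cleanup inside the same guard, e.g. `kubectl -n monitoring delete secret org0-servicemonitor-tls-secret org1-servicemonitor-tls-secret org2-servicemonitor-tls-secret --ignore-not-found`. stop_services continues outside the hunk.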
--- a/sample-network/scripts/utils.sh +++ b/sample-network/scripts/utils.sh @@ -109,11 +109,11 @@ function absolute_path() { } function apply_kustomization() { - $KUSTOMIZE_BUILD $1 | envsubst | kubectl -n $NS apply -f - + $KUSTOMIZE_BUILD $1 | envsubst | kubectl apply -f - } function undo_kustomization() { - $KUSTOMIZE_BUILD $1 | envsubst | kubectl -n $NS delete --ignore-not-found=true -f - + $KUSTOMIZE_BUILD $1 | envsubst | kubectl delete --ignore-not-found=true -f - } function create_image_pull_secret() {
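Review bot: Dropping `-n $NS` from `kubectl apply` and `kubectl delete` means the target namespace now comes entirely from the rendered manifests, i.e. from `namespace: ${NS}` after `envsubst`; if `NS` is unset or empty the kustomizations render `namespace:` blank, everything is applied to the kubeconfig's current-context namespace, and `undo_kustomization` then deletes from the wrong place. Guard it before use, e.g. `: "${NS:?NS must be set}"` at the top of both functions, and consider giving `envsubst` an explicit variable list (`envsubst '${NS} ${INGRESS_DOMAIN} ...'`) so a stray `$` elsewhere in a manifest is not expanded. A one-line comment noting that config/prometheus deliberately targets `monitoring` rather than `${NS}` would explain to the next reader why the flag had to go.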