kube/skia-public/prom.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: prometheus
rules:
- apiGroups: [""]
  resources:
  - nodes
  - nodes/proxy
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: default
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
spec:
  selector:
    app: prometheus
  type: NodePort
  ports:
    - port: 8000
      name: http
    - port: 9090
      name: internal-http
    - port: 10000
      name: iap-proxy-metrics
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: prometheus
spec:
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  serviceName: "prometheus"
  template:
    metadata:
      labels:
        app: prometheus
    spec:
      securityContext:
        runAsUser: 2000 # aka skia
        fsGroup: 2000   # aka skia
      serviceAccountName: prometheus
      automountServiceAccountToken: true
      containers:
        - name: prometheus
          image: prom/prometheus:v2.2.1
          args:
            - "--config.file=/etc/prometheus/prometheus.yml"
            - "--storage.tsdb.path=/mnt/prometheus/"
            - "--web.enable-lifecycle"
            - "--web.listen-address=:9090"
            - "--web.external-url=https://prom2.skia.org"
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: prometheus-config-volume
              mountPath: /etc/prometheus/
            - name: prometheus-storage-volume-claim2
              mountPath: /mnt/prometheus/
          resources:
            requests:
              memory: "1Gi"
              cpu: "2"
          livenessProbe:
            httpGet:
              path: /
              port: 9090
            initialDelaySeconds: 3
            periodSeconds: 3
        - name: configmap-reload
          args:
            - "--volume-dir=/etc/prometheus/"
            - "--webhook-method=POST"
            - "--webhook-url=http://localhost:9090/-/reload"
          image: gcr.io/skia-public/configmap-reload:2018-05-16T14_13_33Z-jcgregorio-80445ff-clean
          volumeMounts:
            - name: prometheus-config-volume
              mountPath: /etc/prometheus/
          resources:
            requests:
              memory: "30Mi"
              cpu: "10m"
        - name: iap-proxy
          args:
            - "--logtostderr"
            - "--aud=/projects/145247227042/global/backendServices/3954240095155401855"
            - "--port=:8000"
            - "--target_port=:9090"
            - "--prom_port=:10000"
          image: gcr.io/skia-public/iap-proxy:2018-05-16T14_13_55Z-jcgregorio-80445ff-clean
          ports:
            - containerPort: 8000
            - containerPort: 10000
          volumeMounts:
            - name: skia-public-auth
              mountPath: /var/secrets/skia-public-auth
          resources:
            requests:
              memory: "30Mi"
              cpu: "200m"
      volumes:
        - name: prometheus-config-volume
          configMap:
            defaultMode: 420
            name: prometheus-server-conf
        - name: skia-public-auth
          secret:
            secretName: skia-public-auth
  volumeClaimTemplates:
    - metadata:
       name: prometheus-storage-volume-claim2
      spec:
        accessModes: [ "ReadWriteOnce" ]
        resources:
          requests:
            storage: 1000Gi