add node exporter daemonset (#194)

Author: ggilmore

TEST.md

@@ -12,7 +12,19 @@ helm lint charts/sourcegraph/.
 
 ## Unit testing
 
-We utilize [helm-unittest], a BDD styled unit test framework, to validate our helm chart.
+We utilize [helm-unittest](https://github.com/quintush/helm-unittest/), a BDD styled unit test framework, to validate our helm chart.
+
+helm-unittest can be installed with:
+
+```bash
+helm plugin install https://github.com/quintush/helm-unittest
+```
+
+Once the plugin is installed, you can run the unit tests using the following:
+
+```bash
+helm unittest --helm3 ./charts/sourcegraph/.
+```
 
 We currently do not have testing best practices or require unit tests for new changes, so add test cases at your best judgement if possible.
 

charts/sourcegraph/CHANGELOG.md

@@ -13,6 +13,14 @@ Use `**BREAKING**:` to denote a breaking change
 Sourcegraph 4.1.0 is now available!
 - [Changelog](https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/CHANGELOG.md#4-1-0)
 - Added `allowedTopologies` support to storageclass [#188](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/188). This is useful to restrict provisioning of PV in specific zones or regions. In some cloud providers (e.g. GCP), this can be used to provision regional disks with only one worker node present.
+- Added a node-exporter daemonset, which collects crucial machine-level metrics that help Sourcegraph scale your deployment. See [#194](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/194) for more information
+
+🚨 **WARNING**: Similarly to cadvisor,  `node-exporter`:
+  - runs as a daemonset 
+  - needs to mount various read-only directories from the host machine (`/`, `/proc`, and `/sys`)
+  - ideally shares the machine's PID and Network namespaces
+
+If necessary, node-exporter can be disabled by setting `nodeExporter.enabled: false` in your `override.yaml` configuration file.
 
 ## 4.0.1
 

charts/sourcegraph/README.md

@@ -181,6 +181,19 @@ In addition to the documented values, all services also support the following va
 | minio.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `minio` |
 | minio.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
 | minio.storageSize | string | `"100Gi"` | PVC Storage Request for `minio` data volume |
+| nodeExporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsUser":65534}` | Security context for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
+| nodeExporter.enabled | bool | `true` | Enable `node-exporter` |
+| nodeExporter.extraArgs | list | `[]` |  |
+| nodeExporter.hostNetwork | bool | `true` |  |
+| nodeExporter.hostPID | bool | `true` |  |
+| nodeExporter.image.defaultTag | string | `"179720_2022-10-25_4d925e87cfb8@sha256:2d9dcdf0b2226f0c3d550a64d2667710265462350a3ba9ebe37d0302bc64af0f"` | Docker image tag for the `node-exporter` image |
+| nodeExporter.image.name | string | `"node-exporter"` | Docker image name for the `node-exporter` image |
+| nodeExporter.name | string | `"node-exporter"` | Name used by resources. Does not affect service names or PVCs. |
+| nodeExporter.podSecurityContext | object | `{"fsGroup":65534,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}` | Security context for the `node-exporter` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| nodeExporter.podSecurityPolicy.enabled | bool | `false` | Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `node-exporter` pods |
+| nodeExporter.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":".2","memory":"100Mi"}}` | Resource requests & limits for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| nodeExporter.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount for `node-exporter` |
+| nodeExporter.serviceAccount.name | string | `"node-exporter"` | Name of the ServiceAccount to be created or an existing ServiceAccount |
 | openTelemetry.agent.name | string | `"otel-agent"` | Name used by resources. Does not affect service names or PVCs. |
 | openTelemetry.agent.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Resource requests & limits for the `otel-agent` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | openTelemetry.enabled | bool | `true` |  |

charts/sourcegraph/templates/NOTES.txt

@@ -28,4 +28,38 @@ Such metric provides critical information to help you scale the Sourcegraph depl
 If you would like to bring your own infrastructure monitoring & alerting solution,
 you may want to disable the `cadvisor` DaemonSet completely by setting `cadvisor.enabled=false` in your override file.
 
+{{- end }}
+
+{{- if not .Values.nodeExporter.enabled }}
+
+🚧 Warning 🚧
+
+You have set 'nodeExporter.enabled' to 'false', which completely disables node exporter. Node exporter provides 
+critical machine-level metrics that help you scale your Sourcegraph deployments. Without node-exporter, you might have 
+to rely on the (possibility limited) tooling that your cloud provider provides to have insight into your machines.
+
+{{- end }}
+
+{{- if not .Values.nodeExporter.hostPID }}
+
+🚧 Warning 🚧
+
+You have set 'nodeExporter.hostPID' to 'false' which greatly limits the metrics that node-exporter is able to provide. Many of the 
+metrics that Sourcegraph uses to help you scale your deployment might be broken as a result.
+
+If you would like to bring your own infrastructure monitoring & alerting solution,
+you may want to disable the `node-exporter` DaemonSet completely by setting `nodeExporter.enabled=false` in your override file.
+
+{{- end }}
+
+{{- if not .Values.nodeExporter.hostNetwork }}
+
+🚧 Warning 🚧
+
+You have set 'nodeExporter.hostNetwork' to 'false' which greatly limits the metrics that node-exporter is able to provide. Many of the 
+metrics that Sourcegraph uses to help you scale your deployment might be broken as a result.
+
+If you would like to bring your own infrastructure monitoring & alerting solution,
+you may want to disable the `node-exporter` DaemonSet completely by setting `nodeExporter.enabled=false` in your override file.
+
 {{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.nodeExporter.enabled -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: node-exporter
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: node-exporter
+  name: {{ .Values.nodeExporter.name }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - {{ .Values.nodeExporter.name }}
+{{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.nodeExporter.enabled -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: node-exporter
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: node-exporter
+  name: {{ .Values.nodeExporter.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.nodeExporter.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "sourcegraph.serviceAccountName" (list . "nodeExporter") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.DaemonSet.yaml

@@ -0,0 +1,141 @@
+{{- if .Values.nodeExporter.enabled -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations:
+    description: DaemonSet to ensure all nodes run a node-exporter pod.
+    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+  labels:
+    {{- include "sourcegraph.labels" . | nindent 4 }}
+    {{- if .Values.nodeExporter.labels }}
+      {{- toYaml .Values.nodeExporter.labels | nindent 4 }}
+    {{- end }}
+    deploy: sourcegraph
+    app: node-exporter
+    app.kubernetes.io/component: node-exporter
+  name: {{ .Values.nodeExporter.name }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+      app: node-exporter
+  template:
+    metadata:
+      annotations:
+        description: Collects and exports machine metrics.
+        kubectl.kubernetes.io/default-container: node-exporter
+      {{- if .Values.sourcegraph.podAnnotations }}
+      {{- toYaml .Values.sourcegraph.podAnnotations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeExporter.podAnnotations }}
+      {{- toYaml .Values.nodeExporter.podAnnotations | nindent 8 }}
+      {{- end }}
+      labels:
+      {{- include "sourcegraph.selectorLabels" . | nindent 8 }}
+      {{- if .Values.sourcegraph.podLabels }}
+      {{- toYaml .Values.sourcegraph.podLabels | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeExporter.podLabels }}
+      {{- toYaml .Values.nodeExporter.podLabels | nindent 8 }}
+      {{- end }}
+        deploy: sourcegraph
+        app: node-exporter
+    spec:
+      {{- include "sourcegraph.renderServiceAccountName" (list . "nodeExporter") | trim | nindent 6 }}
+      containers:
+      - name: node-exporter
+        image: {{ include "sourcegraph.image" (list . "nodeExporter" ) }}
+        imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+        args:
+          - --web.listen-address=:9100
+          - --path.sysfs=/host/sys
+          - --path.rootfs=/host/root
+          - --path.procfs=/host/proc
+          - --no-collector.wifi
+          - --no-collector.hwmon
+          - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
+          - --collector.netclass.ignored-devices=^(veth.*)$
+          - --collector.netdev.device-exclude=^(veth.*)$
+{{- if .Values.nodeExporter.extraArgs }}
+{{ toYaml .Values.nodeExporter.extraArgs | indent 10 }}
+{{- end }}
+        env:
+        {{- range $name, $item := .Values.nodeExporter.env}}
+        - name: {{ $name }}
+          {{- $item | toYaml | nindent 10 }}
+        {{- end }}
+        {{- if not .Values.sourcegraph.localDevMode }}
+        resources:
+          {{- toYaml .Values.nodeExporter.resources | nindent 10 }}
+        {{- end }}
+        securityContext:
+          {{- toYaml .Values.nodeExporter.containerSecurityContext | nindent 10 }}
+        volumeMounts:
+        - name: rootfs
+          mountPath: /host/root
+          mountPropagation: HostToContainer
+          readOnly: true
+        - name: sys
+          mountPath: /host/sys
+          mountPropagation: HostToContainer
+          readOnly: true
+        - name: proc
+          mountPath: /host/proc
+          mountPropagation: HostToContainer
+          readOnly: true
+        {{- if .Values.nodeExporter.extraVolumeMounts }}
+        {{- toYaml .Values.nodeExporter.extraVolumeMounts | nindent 8 }}
+        {{- end }}
+        ports:
+        - name: metrics
+          containerPort: 9100
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            scheme: HTTP
+            port: metrics
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            scheme: HTTP
+            port: metrics
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        terminationMessagePolicy: FallbackToLogsOnError
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 30
+      {{- if .Values.nodeExporter.extraContainers }}
+        {{- toYaml .Values.nodeExporter.extraContainers | nindent 6 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.nodeExporter.podSecurityContext | nindent 8 }}
+      {{- include "sourcegraph.nodeSelector" (list . "nodeExporter" ) | trim | nindent 6 }}
+      {{- include "sourcegraph.affinity" (list . "nodeExporter" ) | trim | nindent 6 }}
+      {{- include "sourcegraph.tolerations" (list . "nodeExporter" ) | trim | nindent 6 }}
+      {{- with .Values.sourcegraph.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+      hostPID: {{ .Values.nodeExporter.hostPID }}
+      volumes:
+      - name: rootfs
+        hostPath:
+          path: /
+      - name: sys
+        hostPath:
+          path: /sys
+      - name: proc
+        hostPath:
+          path: /proc
+      {{- if .Values.nodeExporter.extraVolumes }}
+      {{- toYaml .Values.nodeExporter.extraVolumes | nindent 6 }}
+      {{- end }}
+{{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled  -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: node-exporter
+    deploy: sourcegraph
+    app.kubernetes.io/component: node-exporter
+  name: {{ .Values.nodeExporter.name }}
+spec:
+  privileged: false
+  hostIPC: false
+  hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+  hostPID: {{ .Values.nodeExporter.hostPID }}
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  allowedHostPaths:
+  - pathPrefix: "/"
+  - pathPrefix: "/sys"
+  - pathPrefix: "/proc"
+  readOnlyRootFilesystem: true
+{{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.Service.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.nodeExporter.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    description: Prometheus exporter for hardware and OS metrics.
+    url: https://github.com/prometheus/node_exporter
+    prometheus.io/port: "9100"
+    sourcegraph.prometheus/scrape: "true"
+    {{- if .Values.nodeExporter.serviceAnnotations }}
+    {{- toYaml .Values.nodeExporter.serviceAnnotations | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: node-exporter
+    app: node-exporter
+    deploy: sourcegraph
+    sourcegraph-resource-requires: no-cluster-admin
+    {{- if .Values.nodeExporter.serviceLabels }}
+      {{- toYaml .Values.nodeExporter.serviceLabels | nindent 4 }}
+    {{- end }}
+  name: node-exporter
+spec:
+  ports:
+  - name: metrics
+    port: 9100
+    targetPort: metrics
+  selector:
+    {{- include "sourcegraph.selectorLabels" . | nindent 4 }}
+    app: node-exporter
+  type: {{ .Values.nodeExporter.serviceType | default "ClusterIP" }}
+{{- end }}

charts/sourcegraph/templates/node-exporter/node-exporter.ServiceAccount.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.nodeExporter.enabled .Values.nodeExporter.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: node-exporter
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: node-exporter
+  {{- include "sourcegraph.serviceAccountAnnotations" (list . "nodeExporter") | trim | nindent 2 }}
+  name: {{ include "sourcegraph.serviceAccountName" (list . "nodeExporter") }}
+{{- end }}