update openshift haproxy router install guide

Author: Mak0tin

resources/openshift-haproxy-router/INSTALL.v3.11.md

@@ -1,21 +1,22 @@
-# Getting the authentication of the HAProxy router
-The metrics endpoint of the HAProxy router in OpenShift 3.11 has a basic HTTP authentication configuration with username and password.
+# Integrating HAProxy router in the Prometheus Cluster Monitoring
+The HAProxy router metrics endpoint is not included in the Prometheus Cluster Monitoring in version 3.11 so you need to create a prometheus job and add some permissions to prometheus service account
 
-To retrieve the username and password, run the following commands:
-```
-# USER
-export USER=`kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_USERNAME")) | .value'`
+Steps to execute:
+
+1. Create the prometheus job for the HAProxy router executing the following command:
 
-# PASSWORD
-export PASS=`kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_PASSWORD")) | .value'`
+```
+oc create -n openshift-monitoring -f haproxy-router-job.yaml
 ```
 
->Note: to execute these commands ou will need the tool [jq](https://stedolan.github.io/jq/)
+2. Give permission to prometheus to scrape router metrics using bearer token:
 
-The Prometheus Monitoring stack is installed with OpenShift Container Platform by default so there is no need of additional configuration in prometheus.yml file
+```
+oc create -n openshift-monitoring -f router-clusterrolebinding-okd3.yaml
+```
 
-You can now check haproxy router metrics (remember to port-forward port 1936):
+Now you can curl the metrics from prometheus pod or from the prometheus console
 
 ```
-curl -u $USER:$PASS http://ROUTERIP:1936/metrics
+curl -v -s -k -H "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" https://router.default.svc:1936/metrics
 ```

resources/openshift-haproxy-router/INSTALL.v4.7.md

@@ -1,21 +1,2 @@
-# Getting the authentication of the HAProxy router
-The metrics endpoint of the HAProxy router in OpenShift 4.7 has a basic HTTP authentication configuration with username and password.
-
-To retrieve the username and password, run the following commands:
-```
-# USER
-export USER=`echo $(kubectl -n openshift-ingress get secret router-stats-default -o json | jq -r '.data.statsUsername') | base64 --decode`
-
-# PASSWORD
-export PASS=`echo $(kubectl -n openshift-ingress get secret router-stats-default -o json | jq -r '.data.statsPassword') | base64 --decode`
-```
-
->Note: to execute these commands ou will need the tool [jq](https://stedolan.github.io/jq/)
-
-The Prometheus Monitoring stack is installed with OpenShift Container Platform by default so there is no need of additional configuration in prometheus.yml file
-
-You can now check haproxy router metrics (remember to port-forward port 1936):
-
-```
-curl -u $USER:$PASS http://ROUTERIP:1936/metrics
-```
+# Integrating HAProxy router in the Prometheus Cluster Monitoring
+The HAProxy router metrics endpoint is included in the Prometheus Cluster Monitoring stack in versions 4.X so you don't need to apply any special configuration. You can see the metrics from the Prometheus console

resources/openshift-haproxy-router/README.md

@@ -2,7 +2,7 @@
 OpenShift offers different options as ingress router, one of them is based in HAProxy 2.0.
 
 # Metrics
-The HAProxy ingress router instruments Prometheus metrics, in OpenShift the endpoint is protected with user and password by default.
+The HAProxy ingress router instruments Prometheus metrics, in OpenShift the endpoint is protected with RBAC security by default.
 
 ## Number of time series generated
 The HAProxy ingress router generates ~400 time series per HAProxy router pod.

resources/openshift-haproxy-router/include/haproxy-router-job.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: router-metrics
+  metadata:
+  labels:
+    k8s-app: haproxy-router
+  namespace: openshift-monitoring
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 5s
+    path: /metrics
+    port: 1936-tcp
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+    jobLabel: k8s-app
+  namespaceSelector:
+    matchNames:
+    - default
+  selector:
+    matchLabels:
+      router: router

resources/openshift-haproxy-router/include/router-clusterrolebinding-okd3.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: haproxy-router-monitoring
+rules:
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routers/metrics
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: prometheus-k8s
+  name: prometheus-k8s-monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: haproxy-router-monitoring
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: openshift-monitoring

resources/openshift-haproxy-router/setup-guide.v3.11.yaml

@@ -4,5 +4,9 @@ app: 'OpenShift HAProxy Router'
 version: 1.0.0
 appVersion:
   - "3.11"
-configurations: []
+configurations:
+- name: haproxy-router-job.yaml
+  file: include/haproxy-router-job.yaml
+- name: router-clusterrolebinding-okd3.yaml
+  file: include/router-clusterrolebinding-okd3.yaml
 descriptionFile: INSTALL.v3.11.md