[azure-keyvault-exporter] initial revision

mblaschke · mblaschke · commit bab7f7d840a5 · 2022-11-05T17:27:48.000+01:00
Signed-off-by: Markus Blaschke &lt;mblaschke82@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -27,9 +27,10 @@ dependencies:
 
 ## charts
 
-| Chart                                                                     | Description                                                                                                                                                                              | Project                                                                                                                                                   |
+| Chart                                                                     | Description                                                                                                                                                                              | GitHub project                                                                                                                                            |
 |---------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
 | [azure-janitor](./charts/azure-janitor)                                   | Automated removal of Azure resources based on ttl tag                                                                                                                                    | [![](https://img.shields.io/badge/github-webdevops%2Fazure--janitor-blue)](https://github.com/webdevops/azure-janitor)                                    |
+| [azure-keyvault-exporter](./charts/azure-keyvault-exporter)               | Prometheus exporter for Azure KeyVault metrics (secrets, certificates, ...) eg expiry time                                                                                               | [![](https://img.shields.io/badge/github-webdevops%2Fazure--keyvault--exporter-blue)](https://github.com/webdevops/azure-keyvault-exporter)               |
 | [azure-metrics-exporter](./charts/azure-metrics-exporter)                 | Prometheus exporter for Azure Monitor metrics                                                                                                                                            | [![](https://img.shields.io/badge/github-webdevops%2Fazure--metrics--exporter-blue)](https://github.com/webdevops/azure-metrics-exporter)                 |
 | [azure-resourcemanager-exporter](./charts/azure-resourcemanager-exporter) | Prometheus exporter for Azure ResourceManager information                                                                                                                                | [![](https://img.shields.io/badge/github-webdevops%2Fazure--resourcemanager--exporter-blue)](https://github.com/webdevops/azure-resourcemanager-exporter) |
 | [azure-scheduledevents-manager](./charts/azure-scheduledevents-manager)   | Manages [Azure ScheduledEvents](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/scheduled-events) (drain nodes) and provides metrics for upcoming Azure ScheduledEvents | [![](https://img.shields.io/badge/github-webdevops%2Fazure--scheduledevents--manager-blue)](https://github.com/webdevops/azure-scheduledevents-manager)   |
diff --git a/charts/azure-keyvault-exporter/Chart.yaml b/charts/azure-keyvault-exporter/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: azure-keyvault-exporter
+type: application
+description: A Helm chart for azure-keyvault-exporter
+home: https://github.com/webdevops/azure-keyvault-exporter
+version: 1.0.0
+appVersion: 22.9.0
+keywords:
+- azure-keyvault-exporter
+maintainers:
+- email: mblaschke82@gmail.com
+  name: mblaschke
+sources:
+- https://github.com/webdevops/azure-keyvault-exporter/
+
diff --git a/charts/azure-keyvault-exporter/templates/_helpers.tpl b/charts/azure-keyvault-exporter/templates/_helpers.tpl
@@ -0,0 +1,109 @@
+{{/* vim: set filetype=mustache: */}}
+{{/* Expand the name of the chart. */}}
+{{- define "azure-keyvault-exporter.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 50 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "azure-keyvault-exporter.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 26 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "azure-keyvault-exporter.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "azure-keyvault-exporter.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/* Generate basic labels */}}
+{{- define "azure-keyvault-exporter.labels" }}
+helm.sh/chart: {{ template "azure-keyvault-exporter.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: metrics
+app.kubernetes.io/part-of: {{ template "azure-keyvault-exporter.name" . }}
+{{- include "azure-keyvault-exporter.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if .Values.podLabels}}
+{{ toYaml .Values.podLabels }}
+{{- end }}
+{{- if .Values.releaseLabel }}
+release: {{ .Release.Name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "azure-keyvault-exporter.selectorLabels" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ template "azure-keyvault-exporter.name" . }}
+{{- end }}
+
+{{/*
+The image to use
+*/}}
+{{- define "azure-keyvault-exporter.image" -}}
+{{- if .Values.image.sha -}}
+{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }}
+{{- else -}}
+{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "%s" .Chart.AppVersion) .Values.image.tag) }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "azure-keyvault-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "azure-keyvault-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* Sets default scrape limits for servicemonitor */}}
+{{- define "servicemonitor.scrapeLimits" -}}
+{{- if .sampleLimit }}
+sampleLimit: {{ .sampleLimit }}
+{{- end }}
+{{- if .targetLimit }}
+targetLimit: {{ .targetLimit }}
+{{- end }}
+{{- if .labelLimit }}
+labelLimit: {{ .labelLimit }}
+{{- end }}
+{{- if .labelNameLengthLimit }}
+labelNameLengthLimit: {{ .labelNameLengthLimit }}
+{{- end }}
+{{- if .labelValueLengthLimit }}
+labelValueLengthLimit: {{ .labelValueLengthLimit }}
+{{- end }}
+{{- end }}
diff --git a/charts/azure-keyvault-exporter/templates/deployment.yaml b/charts/azure-keyvault-exporter/templates/deployment.yaml
@@ -0,0 +1,89 @@
+{{- $secretHash := include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "azure-keyvault-exporter.fullname" . }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels: {{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+spec:
+  {{- with .Values.replicas }}
+  replicas: {{ . }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy: {{ toYaml . | nindent 4 }}
+  {{- end }}
+
+  selector:
+    matchLabels: {{- include "azure-keyvault-exporter.selectorLabels" . | nindent 6 }}
+
+  minReadySeconds: {{ .minReadySeconds }}
+  template:
+    metadata:
+      labels:
+{{ include "azure-keyvault-exporter.labels" . | indent 8 }}
+{{- with .Values.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+      annotations:
+        checksum/secret: {{ $secretHash | quote }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name | quote }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+
+      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+
+      containers:
+        #######################
+        # Kube pool manager
+        #######################
+        - name: azure-keyvault-exporter
+          image: {{ include "azure-keyvault-exporter.image" . | quote }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+
+          securityContext: {{ toYaml .Values.containerSecurityContext | nindent 12 }}
+
+          env:
+{{- range $index, $val := .Values.secrets }}
+          - name: {{ $index | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "azure-keyvault-exporter.fullname" . }}
+                key: {{ $index | quote }}
+{{- end }}
+{{ with .Values.env }}
+{{ toYaml . | nindent 12 }}
+{{end}}
+
+          ports:
+            - containerPort: 8080
+              name: http-metrics
+              protocol: TCP
+
+{{- with .Values.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.startupProbe }}
+          startupProbe: {{ toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.livenessProbe }}
+          livenessProbe: {{ toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.readinessProbe }}
+          readinessProbe: {{ toYaml . | nindent 12 }}
+{{- end }}
+
+{{- with .Values.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+{{- end }}
diff --git a/charts/azure-keyvault-exporter/templates/networkpolicy.yaml b/charts/azure-keyvault-exporter/templates/networkpolicy.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.netpol.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "azure-keyvault-exporter.fullname" . }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels: {{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels: {{- include "azure-keyvault-exporter.selectorLabels" . | nindent 6 }}
+  policyTypes: {{ toYaml .Values.netpol.policyTypes | nindent 4 }}
+  ingress: {{ toYaml .Values.netpol.ingress | nindent 4 }}
+  egress: {{ toYaml .Values.netpol.egress | nindent 4 }}
+{{- end }}
diff --git a/charts/azure-keyvault-exporter/templates/prometheus/servicemonitor.yaml b/charts/azure-keyvault-exporter/templates/prometheus/servicemonitor.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.prometheus.monitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "azure-keyvault-exporter.fullname" . }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels: {{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+spec:
+  jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
+  {{ include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }}
+  selector:
+    matchLabels: {{- include "azure-keyvault-exporter.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: {{ .Values.service.portName }}
+      scheme: {{ .Values.prometheus.monitor.scheme }}
+    {{- with .Values.prometheus.monitor.basicAuth }}
+      basicAuth: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.tlsConfig }}
+      tlsConfig: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.proxyUrl }}
+      proxyUrl: {{ . }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.interval }}
+      interval: {{ . }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.relabelings }}
+      relabelings: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.metricRelabelings }}
+      metricRelabelings: {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{ end }}
diff --git a/charts/azure-keyvault-exporter/templates/secret.yaml b/charts/azure-keyvault-exporter/templates/secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.secrets }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ template "azure-keyvault-exporter.fullname" . }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels: {{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+data:
+{{- range $index, $val := .Values.secrets }}
+  {{ $index | quote }}: {{ $val | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/azure-keyvault-exporter/templates/service.yaml b/charts/azure-keyvault-exporter/templates/service.yaml
@@ -0,0 +1,26 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ template "azure-keyvault-exporter.fullname" . }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels:
+{{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.service.annotations }}
+  annotations: {{ toYaml .Values.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+    {{- if ( and (eq .Values.service.type "NodePort" ) (not (empty .Values.service.nodePort)) ) }}
+      nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+      targetPort: {{ .Values.service.targetPort }}
+      protocol: TCP
+      name: {{ .Values.service.portName }}
+      appProtocol: http
+  selector: {{- include "azure-keyvault-exporter.selectorLabels" . | nindent 4 }}
diff --git a/charts/azure-keyvault-exporter/templates/serviceaccount.yaml b/charts/azure-keyvault-exporter/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  namespace: {{ template "azure-keyvault-exporter.namespace" . }}
+  labels:
+{{ include "azure-keyvault-exporter.labels" . | indent 4 }}
+{{- if .Values.serviceAccount.labels }}
+{{ toYaml .Values.serviceAccount.labels | indent 4 }}
+{{- end }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ include "azure-keyvault-exporter.imagePullSecrets" . | trim | indent 2 }}
+{{- end }}
diff --git a/charts/azure-keyvault-exporter/values.yaml b/charts/azure-keyvault-exporter/values.yaml
