Hugo · Hugo · Hugo · Hugo · Tim · Hugo
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,4 @@ Dockerfile.cross
 *.swo
 *~

-tilt_bin
\ No newline at end of file
+.tilt
\ No newline at end of file
--- a/Tiltfile
+++ b/Tiltfile
-# v1alpha1.extension_repo(name='default', url='https://github.com/hrenard/tilt-extensions', ref='develop')
-load('ext://kubebuilder', 'kubebuilder')
-kubebuilder(IMG="registry.libre.sh/keydb-operator:latest", DISABLE_SAMPLES=True)
\ No newline at end of file
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -73,6 +73,17 @@ rules:
  - get
  - patch
  - update
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
  - policy
  resources:

--- a/controllers/redis_controller.go
+++ b/controllers/redis_controller.go
@@ -39,12 +39,14 @@ const finalizer = "keydb.libre.sh/finalizer"
 // RedisReconciler reconciles a Redis object
 type RedisReconciler struct {
 	client.Client
+	PodMonitorEnabled bool
 }

 //+kubebuilder:rbac:groups=core.libre.sh,resources=redis,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core.libre.sh,resources=redis/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=core.libre.sh,resources=redis/finalizers,verbs=update

+//+kubebuilder:rbac:groups=monitoring.coreos.com,resources=podmonitors,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
@@ -133,6 +135,13 @@ func (r *RedisReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 		return ctrl.Result{}, err
 	}

+	if r.PodMonitorEnabled {
+		_, err = r.ReconcilePodMonitor(ctx, &redis)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	sts, err := r.ReconcileStatefulSet(ctx, &redis, service, secret)
 	if err != nil {
 		if err, ok := err.(*errors.StatusError); ok && err.Status().Code == http.StatusUnprocessableEntity {

--- a/controllers/redis_controller_pod_monitor.go
+++ b/controllers/redis_controller_pod_monitor.go
+/*
+Copyright 2023 IndieHosters.
+
+Licensed under the EUPL, Version 1.2 or later (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	lshcore "libre.sh/api/core/v1alpha1"
+	lshr "libre.sh/pkg/controller-runtime"
+)
+
+func (r *RedisReconciler) ReconcilePodMonitor(ctx context.Context, redis *lshcore.Redis) (*monitoringv1.PodMonitor, error) {
+	var podMonitor monitoringv1.PodMonitor
+	lshr.SetResourceNamespacedName(redis, &podMonitor)
+	err := lshr.CreateOrPatch(ctx, r, &podMonitor, func() error {
+		lshr.ApplyLabels(redis, &podMonitor, nil)
+		podMonitor.Spec.Selector = metav1.LabelSelector{
+			MatchLabels: lshr.GetLabelSelector(redis, nil),
+		}
+		podMonitor.Spec.PodMetricsEndpoints = []monitoringv1.PodMetricsEndpoint{
+			{
+				Port: "metrics",
+			},
+		}
+		return controllerutil.SetControllerReference(redis, &podMonitor, r.Scheme())
+	})
+	return &podMonitor, err
+}
--- a/controllers/redis_controller_statefulset.go
+++ b/controllers/redis_controller_statefulset.go
@@ -11,6 +11,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

 	lshcore "libre.sh/api/core/v1alpha1"
+	lshmeta "libre.sh/api/meta/v1alpha1"
 	lshr "libre.sh/pkg/controller-runtime"
 )

@@ -97,6 +98,50 @@ func (r *RedisReconciler) ReconcileStatefulSet(ctx context.Context, redis *lshco
 			},
 		}

+		allowPrivilegeEscalation := false
+		user := int64(59000)
+		resourceList := corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("100m"),
+			corev1.ResourceMemory: resource.MustParse("100Mi"),
+		}
+		exporterContainer := corev1.Container{
+			Name:  "exporter",
+			Image: "docker.io/oliver006/redis_exporter:v1.52.0",
+			Env: []corev1.EnvVar{
+				{
+					Name: "REDIS_ADDR",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: redis.SecretName(),
+							},
+							Key: "url",
+						},
+					},
+				},
+			},
+			Ports: []corev1.ContainerPort{
+				{
+					Name:          "metrics",
+					ContainerPort: 9121,
+				},
+			},
+			SecurityContext: &corev1.SecurityContext{
+				RunAsUser:                &user,
+				RunAsGroup:               &user,
+				AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{
+						"ALL",
+					},
+				},
+			},
+			Resources: corev1.ResourceRequirements{
+				Requests: resourceList,
+				Limits:   resourceList,
+			},
+		}
+
 		if !redis.Spec.DisableAuth {
 			env := corev1.EnvVar{
 				Name: "PASS",
@@ -146,13 +191,20 @@ func (r *RedisReconciler) ReconcileStatefulSet(ctx context.Context, redis *lshco
 			keydbContainer.Args = append(keydbContainer.Args, "--save", "")
 		}

+		containers := []corev1.Container{keydbContainer, managerContainer}
+
+		if r.PodMonitorEnabled {
+			containers = append(containers, exporterContainer)
+		}
+
 		sts.Spec.Template = corev1.PodTemplateSpec{
 			ObjectMeta: metav1.ObjectMeta{
 				Labels: sts.Labels,
 			},
 			Spec: corev1.PodSpec{
 				ServiceAccountName: ServiceAccountName,
-				Containers:         []corev1.Container{keydbContainer, managerContainer},
+				Containers:         containers,
+				PriorityClassName:  lshmeta.PriorityClassAppCritical,
 			},
 		}


--- a/controllers/redis_endpoints_controller.go
+++ b/controllers/redis_endpoints_controller.go
@@ -29,7 +29,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"

 	lshcore "libre.sh/api/core/v1alpha1"
 	lshr "libre.sh/pkg/controller-runtime"
@@ -98,7 +97,7 @@ func (r *RedisEndpointsReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&lshcore.Redis{}).
 		Watches(
-			&source.Kind{Type: &corev1.Pod{}},
+			&corev1.Pod{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForPod),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 		).
@@ -113,7 +112,7 @@ func (r *RedisEndpointsReconciler) OwnedConditions() []string {
 	return []string{}
 }

-func (r *RedisEndpointsReconciler) findObjectsForPod(pod client.Object) []reconcile.Request {
+func (r *RedisEndpointsReconciler) findObjectsForPod(ctx context.Context, pod client.Object) []reconcile.Request {
 	requests := []reconcile.Request{}
 	labels := pod.GetLabels()
 	if labels["app.kubernetes.io/managed-by"] == "libre.sh" &&

--- a/go.mod
+++ b/go.mod
@@ -3,16 +3,17 @@ module libre.sh/keydb-operator
 go 1.20

 require (
-	github.com/fluxcd/pkg/apis/meta v1.0.0
-	github.com/fluxcd/pkg/runtime v0.35.0
-	github.com/onsi/ginkgo/v2 v2.9.2
-	github.com/onsi/gomega v1.27.5
-	k8s.io/api v0.26.3
-	k8s.io/apimachinery v0.26.3
-	k8s.io/client-go v0.26.3
-	libre.sh/api v0.2.0-rc.3
-	libre.sh/pkg v0.1.3
-	sigs.k8s.io/controller-runtime v0.14.6
+	github.com/fluxcd/pkg/apis/meta v1.1.2
+	github.com/fluxcd/pkg/runtime v0.42.0
+	github.com/onsi/ginkgo/v2 v2.11.0
+	github.com/onsi/gomega v1.27.10
+	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.64.1
+	k8s.io/api v0.28.0
+	k8s.io/apimachinery v0.28.0
+	k8s.io/client-go v0.28.0
+	libre.sh/api v0.2.2
+	libre.sh/pkg v0.2.0
+	sigs.k8s.io/controller-runtime v0.15.1
 )

 require (
@@ -20,26 +21,26 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/distribution/distribution v2.8.1+incompatible // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/distribution/distribution v2.8.2+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-logr/zapr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/zapr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -49,33 +50,32 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.40.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
-	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.25.0 // indirect
+	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/term v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.1 // indirect
-	k8s.io/component-base v0.26.3 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230227204213-929b88f6cb43 // indirect
-	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
+	k8s.io/apiextensions-apiserver v0.28.0 // indirect
+	k8s.io/component-base v0.28.0 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230816210353-14e408962443 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/main.go
+++ b/main.go
@@ -10,8 +10,10 @@ import (

 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
+	"k8s.io/client-go/discovery"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"

+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -32,6 +34,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(lshcore.AddToScheme(scheme))
+	utilruntime.Must(monitoringv1.AddToScheme(scheme))

 	//+kubebuilder:scaffold:scheme
 }
@@ -77,8 +80,16 @@ func main() {
 		os.Exit(1)
 	}

+	discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(mgr.GetConfig())
+	podMonitorEnabled, err := discovery.IsResourceEnabled(discoveryClient, monitoringv1.SchemeGroupVersion.WithResource("podmonitors"))
+	if err != nil {
+		setupLog.Error(err, "unable to check if resource is enabled")
+		os.Exit(1)
+	}
+
 	if err = (&controllers.RedisReconciler{
-		Client: mgr.GetClient(),
+		Client:            mgr.GetClient(),
+		PodMonitorEnabled: podMonitorEnabled,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Redis")
 		os.Exit(1)