.gitea/workflows | ||
.vscode | ||
templates/prometheus-fail2ban-exporter | ||
unittests | ||
.editorconfig | ||
.gitignore | ||
.helmignore | ||
.markdownlint.yaml | ||
.markdownlintignore | ||
.npmrc | ||
.prettierignore | ||
.yamllint.yaml | ||
Chart.yaml | ||
CODEOWNERS | ||
CONTRIBUTING.md | ||
Makefile | ||
package-lock.json | ||
package.json | ||
README.md | ||
renovate.json | ||
values.yaml |
Prometheus Fail2Ban exporter
This helm chart enables the deployment of a Prometheus metrics exporter for Fail2Ban and allows the individual
configuration of additional containers/initContainers, mounting of volumes and defining additional environment variables,
apply a user-defined webConfig.yaml
and much more.
Chapter configuration and installation describes the basics how to configure helm and use it to deploy the exporter. It also contains further configuration examples.
Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this helm chart is tested for deployment scenarios with ArgoCD.
Helm: configuration and installation
- A helm chart repository must be configured, to pull the helm charts from.
- All available parameters are here in detail documented. The parameters can be defined via the helm
--set
flag or directly as part of avalues.yaml
file. The following example defines theprometheus-exporter
repository and use the--set
flag for a basic deployment.
Important
By default is neither a serviceMonitor nor a podMonitor enabled. Use
prometheus.metrics.serviceMonitor.enabled=true
orprometheus.metrics.podMonitor.enabled=true
to enable one monitor deployment. Deploying both monitors at the same time is not possible.
helm repo add prometheus-exporters https://charts.cryptic.systems/prometheus-exporters
helm repo update
helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
--set 'prometheus.metrics.enabled=true' \
--set 'prometheus.metrics.serviceMonitor.enabled=true'
Instead of passing all parameters via the set flag, it is also possible to define them as part of the values.yaml
.
The following command downloads the values.yaml
for a specific version of this chart. Please keep in mind, that the
version of the chart must be in sync with the values.yaml
. Newer minor versions can have new features. New major
versions can break something!
CHART_VERSION=0.1.0
helm show values prometheus-exporters/prometheus-fail2ban-exporter --version "${CHART_VERSION}" > values.yaml
A complete list of available helm chart versions can be displayed via the following command:
helm search repo prometheus-fail2ban-exporter --versions
The helm chart also contains some prometheusRules. These are deactivated by default and serve as examples/inspiration
for customizations. These can be configured in more detail via values.yaml
.
Examples
The following examples serve as individual configurations and as inspiration for how deployment problems can be solved.
Avoid CPU throttling by defining a CPU limit
If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but cannot use the available CPU time to perform computing operations.
The application must be informed that despite several CPUs only a part (limit) of the available computing time is
available. As this is a Golang application, this can be implemented using GOMAXPROCS
. The following example is one way
of defining GOMAXPROCS
automatically based on the defined CPU limit like 100m
. Please keep in mind, that the CFS
rate of 100ms
- default on each kubernetes node, is also very important to avoid CPU throttling.
Further information about this topic can be found here.
Note
The environment variable
GOMAXPROCS
is set automatically, when a CPU limit is defined. An explicit configuration is not anymore required.
helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
--set 'prometheus.metrics.enabled=true' \
--set 'prometheus.metrics.serviceMonitor.enabled=true' \
--set 'daemonSet.fail2banExporter.env.name=GOMAXPROCS' \
--set 'daemonSet.fail2banExporter.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
--set 'daemonSet.fail2banExporter.resources.limits.cpu=100m'
Grafana dashboard
The helm chart includes Grafana dashboards. These can be deployed as a configMap by activating Grafana integration. It is assumed that the dashboard is consumed by Grafana or a sidecar container itself and that the dashboard is stored in the Grafana container file system so that it is subsequently available to the user. The kube-prometheus-stack deployment makes this possible.
helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
--set 'grafana.enabled=true'
Avoid deploying on same node / bare metal host as PostgresDB
As a best practice, avoid running the fail2ban-exporter on the same node / bare-metal host as the PostgresDB. This is because if the fail2ban-exporter is running on the same node and this node fails, Prometheus can send an alert about the failure of the node or that the fail2ban-exporter cannot be reached. However, it is not possible to react based on the metrics that the fail2ban-exporter explicitly provides. Depending on the configuration of alerts, this may mean that the corresponding notifications are not sent to the right person or group of people.
The following example prevent the fail2ban-exporter from running on nodes with a PostgresDB. The PostgresDB nodes has an
additional label database=fail2ban
. The configuration is carried out in values.yaml
.
deployment:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: database
operator: NotIn
values:
- fail2ban
Parameters
Global
Name | Description | Value |
---|---|---|
nameOverride |
Individual release name suffix. | "" |
fullnameOverride |
Override the complete release name logic. | "" |
Configuration
Name | Description | Value |
---|---|---|
config.webConfig.existingSecret.enabled |
Mount an existing secret containing the key webConfig.yaml . |
false |
config.webConfig.existingSecret.secretName |
Name of the existing secret containing the key webConfig.yaml . |
"" |
config.webConfig.secret.annotations |
Additional annotations of the secret containing the webConfig.yaml . |
{} |
config.webConfig.secret.labels |
Additional labels of the secret containing the webConfig.yaml . |
{} |
config.webConfig.secret.webConfig |
Content of the webConfig.yaml . |
{} |
Daemonset
Name | Description | Value |
---|---|---|
daemonSet.annotations |
Additional deployment annotations. | {} |
daemonSet.labels |
Additional deployment labels. | {} |
daemonSet.additionalContainers |
List of additional containers. | [] |
daemonSet.affinity |
Affinity for the fail2ban-exporter daemonSet. | {} |
daemonSet.initContainers |
List of additional init containers. | [] |
daemonSet.dnsConfig |
dnsConfig of the fail2ban-exporter daemonSet. | {} |
daemonSet.dnsPolicy |
dnsPolicy of the fail2ban-exporter daemonSet. | "" |
daemonSet.hostname |
Individual hostname of the pod. | "" |
daemonSet.subdomain |
Individual domain of the pod. | "" |
daemonSet.hostNetwork |
Use the kernel network namespace of the host system. | false |
daemonSet.imagePullSecrets |
Secret to use for pulling the image. | [] |
daemonSet.fail2banExporter.args |
Arguments passed to the fail2ban-exporter container. | [] |
daemonSet.fail2banExporter.env |
List of environment variables for the fail2ban-exporter container. | [] |
daemonSet.fail2banExporter.envFrom |
List of environment variables mounted from configMaps or secrets for the fail2ban-exporter container. | [] |
daemonSet.fail2banExporter.image.registry |
Image registry, eg. docker.io . |
git.cryptic.systems |
daemonSet.fail2banExporter.image.repository |
Image repository, eg. library/busybox . |
volker.raschek/prometheus-fail2ban-exporter |
daemonSet.fail2banExporter.image.tag |
Custom image tag, eg. 0.1.0 . Defaults to appVersion . |
"" |
daemonSet.fail2banExporter.image.pullPolicy |
Image pull policy. | IfNotPresent |
daemonSet.fail2banExporter.resources |
CPU and memory resources of the pod. | {} |
daemonSet.fail2banExporter.securityContext |
Security context of the container of the daemonSet. | {} |
daemonSet.fail2banExporter.volumeMounts |
Additional volume mounts. | undefined |
daemonSet.nodeSelector |
NodeSelector of the fail2ban-exporter daemonSet. | {} |
daemonSet.priorityClassName |
PriorityClassName of the fail2ban-exporter daemonSet. | "" |
daemonSet.restartPolicy |
Restart policy of the fail2ban-exporter daemonSet. | "" |
daemonSet.securityContext |
Security context of the fail2ban-exporter daemonSet. | {} |
daemonSet.updateStrategy.rollingUpdate.maxSurge |
The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | 1 |
daemonSet.updateStrategy.rollingUpdate.maxUnavailable |
The maximum number of pods that can be unavailable during a rolling update. | 0 |
daemonSet.updateStrategy.type |
Strategy type - OnDelete or RollingUpdate . |
RollingUpdate |
daemonSet.terminationGracePeriodSeconds |
How long to wait until forcefully kill the pod. | 60 |
daemonSet.tolerations |
Tolerations of the fail2ban-exporter daemonSet. | [] |
daemonSet.topologySpreadConstraints |
TopologySpreadConstraints of the fail2ban-exporter daemonSet. | [] |
daemonSet.volumes |
Additional volumes to mount into the pods of the prometheus-exporter daemonset. | undefined |
Grafana
Name | Description | Value |
---|---|---|
grafana.enabled |
Enable integration into Grafana. Require the Prometheus operator daemonSet. | false |
grafana.dashboardDiscoveryLabels |
Labels that Grafana uses to discover resources. The labels may vary depending on the Grafana daemonSet. | undefined |
grafana.dashboards.fail2banExporter.enabled |
Enable deployment of Grafana dashboard fail2banExporter . |
true |
grafana.dashboards.fail2banExporter.annotations |
Additional configmap annotations. | {} |
grafana.dashboards.fail2banExporter.labels |
Additional configmap labels. | {} |
Ingress
Name | Description | Value |
---|---|---|
ingress.enabled |
Enable creation of an ingress resource. Requires, that the http service is also enabled. | false |
ingress.className |
Ingress class. | nginx |
ingress.annotations |
Additional ingress annotations. | {} |
ingress.labels |
Additional ingress labels. | {} |
ingress.hosts |
Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | [] |
ingress.tls |
Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``. | [] |
Pod disruption
Name | Description | Value |
---|---|---|
podDisruptionBudget |
Pod disruption budget. | {} |
Network
Name | Description | Value |
---|---|---|
networkPolicies |
Deploy network policies based on the used container network interface (CNI) implementation - like calico or weave. | {} |
Prometheus
Name | Description | Value |
---|---|---|
prometheus.metrics.enabled |
Enable of scraping metrics by Prometheus. | true |
prometheus.metrics.podMonitor.enabled |
Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource. | false |
prometheus.metrics.podMonitor.annotations |
Additional podMonitor annotations. | {} |
prometheus.metrics.podMonitor.enableHttp2 |
Enable HTTP2. | true |
prometheus.metrics.podMonitor.followRedirects |
FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | false |
prometheus.metrics.podMonitor.honorLabels |
Honor labels. | false |
prometheus.metrics.podMonitor.labels |
Additional podMonitor labels. | {} |
prometheus.metrics.podMonitor.interval |
Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | 60s |
prometheus.metrics.podMonitor.path |
HTTP path for scraping Prometheus metrics. | /metrics |
prometheus.metrics.podMonitor.relabelings |
RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | [] |
prometheus.metrics.podMonitor.scrapeTimeout |
Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | 30s |
prometheus.metrics.podMonitor.scheme |
HTTP scheme to use for scraping. For example http or https . |
http |
prometheus.metrics.podMonitor.tlsConfig |
TLS configuration to use when scraping the metric endpoint by Prometheus. | {} |
prometheus.metrics.serviceMonitor.enabled |
Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource. | false |
prometheus.metrics.serviceMonitor.annotations |
Additional serviceMonitor annotations. | {} |
prometheus.metrics.serviceMonitor.labels |
Additional serviceMonitor labels. | {} |
prometheus.metrics.serviceMonitor.enableHttp2 |
Enable HTTP2. | true |
prometheus.metrics.serviceMonitor.followRedirects |
FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. | false |
prometheus.metrics.serviceMonitor.honorLabels |
Honor labels. | false |
prometheus.metrics.serviceMonitor.interval |
Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | 60s |
prometheus.metrics.serviceMonitor.path |
HTTP path for scraping Prometheus metrics. | /metrics |
prometheus.metrics.serviceMonitor.relabelings |
RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. | [] |
prometheus.metrics.serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | 30s |
prometheus.metrics.serviceMonitor.scheme |
HTTP scheme to use for scraping. For example http or https . |
http |
prometheus.metrics.serviceMonitor.tlsConfig |
TLS configuration to use when scraping the metric endpoint by Prometheus. | {} |
prometheus.rules |
Array of Prometheus rules for monitoring the application and triggering alerts. | [] |
Service
Name | Description | Value |
---|---|---|
services.http.enabled |
Enable the service. | true |
services.http.annotations |
Additional service annotations. | {} |
services.http.externalIPs |
External IPs for the service. | [] |
services.http.externalTrafficPolicy |
If service.type is NodePort or LoadBalancer , set this to Local to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. |
Cluster |
services.http.internalTrafficPolicy |
If service.type is NodePort or LoadBalancer , set this to Local to tell kube-proxy to only use node local endpoints for cluster internal traffic. |
Cluster |
services.http.ipFamilies |
IPFamilies is list of IP families (e.g. IPv4 , IPv6 ) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization. |
[] |
services.http.labels |
Additional service labels. | {} |
services.http.loadBalancerClass |
LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type LoadBalancer . |
"" |
services.http.loadBalancerIP |
LoadBalancer will get created with the IP specified in this field. Requires service from type LoadBalancer . |
"" |
services.http.loadBalancerSourceRanges |
Source range filter for LoadBalancer. Requires service from type LoadBalancer . |
[] |
services.http.port |
Port to forward the traffic to. | 9191 |
services.http.sessionAffinity |
Supports ClientIP and None . Enable client IP based session affinity via ClientIP . |
None |
services.http.sessionAffinityConfig |
Contains the configuration of the session affinity. | {} |
services.http.type |
Kubernetes service type for the traffic. | ClusterIP |
ServiceAccount
Name | Description | Value |
---|---|---|
serviceAccount.existing.enabled |
Use an existing service account instead of creating a new one. Assumes that the user has all the necessary kubernetes API authorizations. | false |
serviceAccount.existing.serviceAccountName |
Name of the existing service account. | "" |
serviceAccount.new.annotations |
Additional service account annotations. | {} |
serviceAccount.new.labels |
Additional service account labels. | {} |
serviceAccount.new.automountServiceAccountToken |
Enable/disable auto mounting of the service account token. | true |
serviceAccount.new.imagePullSecrets |
ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this serviceAccount. | [] |
serviceAccount.new.secrets |
Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. | [] |