Add helm chart

.github/workflows/branch.yml

@@ -58,3 +58,10 @@ jobs:
           RELEASE_DATE=${{ env.RELEASE_DATE }}
           VERSION=${{ env.RELEASE_VERSION }}
           COMMIT=${{ github.sha }}
+    - name: Publish Unstable Helm charts
+      uses: stefanprodan/helm-gh-pages@v1.7.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        charts_dir: deployments/kubernetes/helm
+        chart_version: 0.0.0-${{ env.RELEASE_VERSION }}
+        app_version: ${{ env.RELEASE_VERSION }}

.github/workflows/release.yml

@@ -22,6 +22,8 @@ jobs:
         echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
         export CURRENT_DATE=$(date --iso-8601=seconds)
         echo "RELEASE_DATE=$CURRENT_DATE" >> $GITHUB_ENV
+        export CHART_RELEASE_VERSION=${VERSION:1}
+        echo "CHART_RELEASE_VERSION=$CHART_RELEASE_VERSION" >> $GITHUB_ENV
 
     - name: Building binaries
       run: |
@@ -90,3 +92,11 @@ jobs:
         asset_path: ./binaries/prometheus-multi-tenant-proxy-darwing-amd64
         asset_name: prometheus-multi-tenant-proxy-darwing-amd64
         asset_content_type: application/octet-stream
+
+    - name: Publish Helm charts
+      uses: stefanprodan/helm-gh-pages@v1.7.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        charts_dir: deployments/kubernetes/helm
+        chart_version: ${{ env.CHART_RELEASE_VERSION }}
+        app_version: ${{ env.RELEASE_VERSION }}

README.md

@@ -224,6 +224,74 @@ The proxy can be configured to use either namespaces and/or labels to query Prom
 At least one must be configured, otherwise the proxy will not proxy the query to Prometheus.
 *(It could lead to a security issue if the proxy is not configured to use namespaces or labels)*
 
+### Deploy on Kubernetes using Helm
+
+The proxy can be deployed on Kubernetes using Helm. The Helm chart is available at [k8spin/prometheus-multi-tenant-proxy](https://k8spin.github.io/prometheus-multi-tenant-proxy). Find the chart's documentation on its [README.md](deployments/kubernetes/helm/prometheus-multi-tenant-proxy/README.md).
+
+TL;DR:
+
+```bash
+$ helm repo add k8spin-prometheus-multi-tenant-proxy https://k8spin.github.io/prometheus-multi-tenant-proxy
+$ helm repo update
+$ helm upgrade --install prometheus-multi-tenant-proxy k8spin-prometheus-multi-tenant-proxy/prometheus-multi-tenant-proxy --set proxy.prometheusEndpoint=http://prometheus.monitoring.svc.cluster.local:9090
+```
+
+#### Example using flux
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: prometheus-multi-tenant-proxy
+  namespace: flux-system
+  labels:
+    phase: seed
+spec:
+  interval: 1m0s
+  url: https://k8spin.github.io/prometheus-multi-tenant-proxy
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: prometheus-multi-tenant-proxy
+  namespace: flux-system
+spec:
+  timeout: 30m
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  interval: 1m
+  chart:
+    spec:
+      chart: prometheus-multi-tenant-proxy
+      version: "1.10.0"
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-multi-tenant-proxy
+        namespace: flux-system
+      interval: 1m
+  releaseName: prometheus-multi-tenant-proxy
+  targetNamespace: monitoring
+  storageNamespace: monitoring
+  valuesFrom: []
+  values:
+    proxy:
+      prometheusEndpoint: http://prometheus.monitoring.svc.cluster.local:9090
+      auth:
+        basic:
+          authn: |
+            users:
+              - username: User-a
+                password: pass-a
+                namespace: tenant-a
+              - username: User-b
+                password: pass-b
+                namespace: tenant-b
+```
 
 ## Build it
 

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: prometheus-multi-tenant-proxy
+description: K8Spin - Prometheus multi-tenant proxy
+type: application
+# The version is injected by the release workflow
+version: 0.0.0
+appVersion: 0.0.0

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/README.md

@@ -0,0 +1,57 @@
+
+Prometheus-multi-tenant-proxy
+===========
+
+K8Spin - Prometheus multi-tenant proxy
+
+
+## Configuration
+
+The following table lists the configurable parameters of the Prometheus-multi-tenant-proxy chart and their default values.
+
+| Parameter                | Description             | Default        |
+| ------------------------ | ----------------------- | -------------- |
+| `replicaCount` |  | `1` |
+| `image.repository` |  | `"ghcr.io/k8spin/prometheus-multi-tenant-proxy"` |
+| `image.pullPolicy` |  | `"IfNotPresent"` |
+| `image.tag` |  | `""` |
+| `imagePullSecrets` |  | `[]` |
+| `nameOverride` |  | `""` |
+| `fullnameOverride` |  | `""` |
+| `serviceAccount.create` |  | `true` |
+| `serviceAccount.annotations` |  | `{}` |
+| `serviceAccount.name` |  | `""` |
+| `podAnnotations` |  | `{}` |
+| `podSecurityContext.fsGroup` |  | `2000` |
+| `securityContext.capabilities.drop` |  | `["ALL"]` |
+| `securityContext.readOnlyRootFilesystem` |  | `true` |
+| `securityContext.runAsNonRoot` |  | `true` |
+| `securityContext.runAsUser` |  | `1000` |
+| `service.type` |  | `"ClusterIP"` |
+| `service.port` |  | `80` |
+| `ingress.enabled` |  | `false` |
+| `ingress.className` |  | `""` |
+| `ingress.annotations` |  | `{}` |
+| `ingress.hosts` |  | `[{"host": "chart-example.local", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]}]` |
+| `ingress.tls` |  | `[]` |
+| `resources` |  | `{}` |
+| `autoscaling.enabled` |  | `false` |
+| `autoscaling.minReplicas` |  | `1` |
+| `autoscaling.maxReplicas` |  | `100` |
+| `autoscaling.targetCPUUtilizationPercentage` |  | `80` |
+| `nodeSelector` |  | `{}` |
+| `tolerations` |  | `[]` |
+| `affinity` |  | `{}` |
+| `proxy.port` |  | `9092` |
+| `proxy.prometheusEndpoint` |  | `""` |
+| `proxy.extraArgs` |  | `[]` |
+| `proxy.extraEnv` |  | `[]` |
+| `proxy.auth.type` | basic or jwt | `"basic"` |
+| `proxy.auth.jwt.url` | URL/Path to the JWT configuration | `""` |
+| `proxy.auth.basic.createSecret` |  | `true` |
+| `proxy.auth.basic.secretName` | In use only if createSecret is false | `"prometheus-multi-tenant-proxy"` |
+
+
+
+
+

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "prometheus-multi-tenant-proxy.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "prometheus-multi-tenant-proxy.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "prometheus-multi-tenant-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "prometheus-multi-tenant-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "prometheus-multi-tenant-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "prometheus-multi-tenant-proxy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "prometheus-multi-tenant-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "prometheus-multi-tenant-proxy.labels" -}}
+helm.sh/chart: {{ include "prometheus-multi-tenant-proxy.chart" . }}
+{{ include "prometheus-multi-tenant-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "prometheus-multi-tenant-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "prometheus-multi-tenant-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "prometheus-multi-tenant-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "prometheus-multi-tenant-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/templates/deployment.yaml

@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "prometheus-multi-tenant-proxy.fullname" . }}
+  labels:
+    {{- include "prometheus-multi-tenant-proxy.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "prometheus-multi-tenant-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "prometheus-multi-tenant-proxy.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "prometheus-multi-tenant-proxy.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - run
+          {{- if .Values.proxy.extraArgs }}
+            {{- toYaml .Values.proxy.extraArgs | nindent 12 }}
+          {{- end }}
+          env:
+            - name: PROM_PROXY_PROMETHEUS_ENDPOINT
+              value: {{ .Values.proxy.prometheusEndpoint | quote }}
+            - name: PROM_PROXY_PORT
+              value: {{ .Values.proxy.port | quote }}
+            - name: PROM_PROXY_AUTH_TYPE
+              value: {{ .Values.proxy.auth.type | quote }}
+            - name: PROM_PROXY_AUTH_CONFIG
+              value: {{ if eq .Values.proxy.auth.type "basic" }}"/etc/prometheus-multi-tenant-proxy/authn.yaml"{{ else }}{{ .Values.proxy.auth.jwt.url | quote }}{{ end }}
+          {{- if .Values.proxy.extraEnv }}
+            {{- toYaml .Values.proxy.extraEnv | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.proxy.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /-/healthy
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+{{- if eq .Values.proxy.auth.type "basic" }}
+          volumeMounts:
+            - name: authn
+              mountPath: /etc/prometheus-multi-tenant-proxy/authn.yaml
+              subPath: authn.yaml
+      volumes:
+        - name: authn
+          secret:
+            secretName: {{ if .Values.proxy.auth.basic.createSecret }}{{ include "prometheus-multi-tenant-proxy.fullname" . }}{{ else }}{{ .Values.proxy.auth.basic.secretName }}{{ end }}
+            items:
+              - key: authn.yaml
+                path: authn.yaml
+{{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}