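# ServiceMonitor for Mixer's mesh telemetry: scrapes the `prometheus` port of
# Services labelled istio=mixer, limited to the telemetry namespace supplied
# through chart values.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-mesh-monitor
  # Templated scalars are quoted so that a release or namespace called `on`,
  # `no`, or made only of digits is rendered as a string, not a bool or int.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: istio-mesh
    release: {{ .Release.Name | quote }}
spec:
  selector:
    matchExpressions:
    - key: istio
      operator: In
      values:
      - mixer
  # Scoped to one namespace, unlike the other monitors in this file, which
  # select across every namespace.
  namespaceSelector:
    matchNames:
    - {{ .Values.global.telemetryNamespace | quote }}
  endpoints:
  - port: prometheus
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}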
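---
# ServiceMonitor for the Istio control-plane components: scrapes the
# `http-monitoring` and `http-policy-monitoring` ports of Services whose
# `istio` label names one of the listed components.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-component-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: istio-components
    release: {{ .Release.Name | quote }}
spec:
  # The Prometheus job name is taken from the value of the Service's `istio`
  # label; the Service's `app` label is copied onto the scraped series.
  jobLabel: istio
  targetLabels:
  - app
  selector:
    matchExpressions:
    - key: istio
      operator: In
      values:
      - mixer
      - pilot
      - galley
      - citadel
      - sidecar-injector
  # Matches Services in every namespace: any Service carrying one of the
  # `istio` label values above and a matching port name becomes a target.
  # NOTE(review): consider matchNames if the control plane lives in a known
  # namespace - confirm against the deployment layout.
  namespaceSelector:
    any: true
  endpoints:
  - port: http-monitoring
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
  - port: http-policy-monitoring
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}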
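---
# ServiceMonitor for Envoy sidecar statistics: scrapes /stats/prometheus on
# container port 15090 for endpoints of any Service, in any namespace, that
# does not carry the `istio-prometheus-ignore` label.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: envoy-stats-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: istio-proxies
    release: {{ .Release.Name | quote }}
spec:
  # Opt-out model: a Service is selected unless it has the
  # `istio-prometheus-ignore` label (any value).
  selector:
    matchExpressions:
    - key: istio-prometheus-ignore
      operator: DoesNotExist
  namespaceSelector:
    any: true
  jobLabel: envoy-stats
  endpoints:
  - path: /stats/prometheus
    targetPort: 15090
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    relabelings:
    # Keep only targets whose container port name ends in `-envoy-prom`.
    - sourceLabels:
      - __meta_kubernetes_pod_container_port_name
      action: keep
      regex: '.*-envoy-prom'
    # Remove the discovered pod-label meta labels from the target.
    - action: labeldrop
      regex: '__meta_kubernetes_pod_label_(.+)'
    # Expose the pod's namespace and name as regular labels.
    - sourceLabels:
      - __meta_kubernetes_namespace
      action: replace
      targetLabel: namespace
    - sourceLabels:
      - __meta_kubernetes_pod_name
      action: replace
      targetLabel: pod_name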
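---
# ServiceMonitor for annotation-driven pod scraping over plain HTTP. Targets
# come from any Service in any namespace that lacks the
# `istio-prometheus-ignore` label; the relabeling rules then keep only pods
# that opted in through their prometheus.io annotations.
#
# Security note: scrape path and port are taken from pod annotations, so
# whoever can set annotations on a pod decides what Prometheus requests from
# that pod. Scope the selectors or apply `istio-prometheus-ignore` where
# workloads are not trusted to do this.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubernetes-pods-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: kube-pods
    release: {{ .Release.Name | quote }}
spec:
  selector:
    matchExpressions:
    - key: istio-prometheus-ignore
      operator: DoesNotExist
  namespaceSelector:
    any: true
  jobLabel: kubernetes-pods
  endpoints:
  - interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    relabelings:
    # Keep only pods whose scrape annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_prometheus_io_scrape
      action: keep
      regex: 'true'
    # The two values are joined with ';'. Keep the target when the sidecar
    # status annotation is empty, or when the scheme annotation is exactly
    # http; the last alternative matches a joined value of at most one
    # character.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_sidecar_istio_io_status
      - __meta_kubernetes_pod_annotation_prometheus_io_scheme
      action: keep
      regex: '((;.*)|(.*;http)|(.??))'
    # Pods annotated as mTLS-enabled are dropped from this plain-HTTP job.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_istio_mtls
      action: drop
      regex: 'true'
    # Use the path annotation as the metrics path when it is non-empty.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_prometheus_io_path
      action: replace
      targetLabel: __metrics_path__
      regex: '(.+)'
    # Rebuild the address as <host>:<annotated port>; the rule only applies
    # when the port annotation consists of digits.
    - sourceLabels:
      - __address__
      - __meta_kubernetes_pod_annotation_prometheus_io_port
      action: replace
      regex: '([^:]+)(?::\d+)?;(\d+)'
      replacement: '$1:$2'
      targetLabel: __address__
    # Copy every pod label onto the target.
    - action: labelmap
      regex: '__meta_kubernetes_pod_label_(.+)'
    - sourceLabels:
      - __meta_kubernetes_namespace
      action: replace
      targetLabel: namespace
    - sourceLabels:
      - __meta_kubernetes_pod_name
      action: replace
      targetLabel: pod_name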
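---
{{- if .Values.prometheus.provisionPrometheusCert }}
# ServiceMonitor for annotation-driven pod scraping over HTTPS with a client
# certificate. Rendered only when the chart provisions a certificate for
# Prometheus. Targets come from any Service in any namespace that lacks the
# `istio-prometheus-ignore` label.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubernetes-pods-secure-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: kube-pods-secure
    release: {{ .Release.Name | quote }}
spec:
  selector:
    matchExpressions:
    - key: istio-prometheus-ignore
      operator: DoesNotExist
  namespaceSelector:
    any: true
  jobLabel: kubernetes-pods-secure
  endpoints:
  - interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    scheme: https
    tlsConfig:
      caFile: /etc/prometheus/secrets/istio.prometheus/root-cert.pem
      certFile: /etc/prometheus/secrets/istio.prometheus/cert-chain.pem
      keyFile: /etc/prometheus/secrets/istio.prometheus/key.pem
      # prometheus does not support secure naming.
      # Consequence: the server certificate is not validated, so caFile does
      # not authenticate the target. The scrape is encrypted and Prometheus
      # presents its client certificate, but the identity of the pod that
      # answers is not checked by Prometheus.
      # NOTE(review): revisit once the deployed Prometheus can validate the
      # workload certificates - confirm.
      insecureSkipVerify: true
    relabelings:
    # Keep only pods whose scrape annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_prometheus_io_scrape
      action: keep
      regex: 'true'
    # The sidecar status annotation is added by the sidecar injector; the
    # annotation surfaced as ..._istio_mtls can be placed on a pod to
    # indicate its ability to receive mTLS traffic. The two values are joined
    # with ';': keep the target when the sidecar status is non-empty, or when
    # the mTLS annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_sidecar_istio_io_status
      - __meta_kubernetes_pod_annotation_istio_mtls
      action: keep
      regex: '(([^;]+);([^;]*))|(([^;]*);(true))'
    # Pods that asked for plain http are left to the non-secure job.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_prometheus_io_scheme
      action: drop
      regex: '(http)'
    # Use the path annotation as the metrics path when it is non-empty.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_prometheus_io_path
      action: replace
      targetLabel: __metrics_path__
      regex: '(.+)'
    # Only keep address that is host:port, otherwise an extra target with
    # ':443' is added for https scheme.
    - sourceLabels:
      - __address__
      action: keep
      regex: '([^:]+):(\d+)'
    # Rebuild the address as <host>:<annotated port>; the rule only applies
    # when the port annotation consists of digits.
    - sourceLabels:
      - __address__
      - __meta_kubernetes_pod_annotation_prometheus_io_port
      action: replace
      regex: '([^:]+)(?::\d+)?;(\d+)'
      replacement: '$1:$2'
      targetLabel: __address__
    # Copy every pod label onto the target.
    - action: labelmap
      regex: '__meta_kubernetes_pod_label_(.+)'
    - sourceLabels:
      - __meta_kubernetes_namespace
      action: replace
      targetLabel: namespace
    - sourceLabels:
      - __meta_kubernetes_pod_name
      action: replace
      targetLabel: pod_name
{{- end }}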
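---
# ServiceMonitor for annotation-driven Service scraping over plain HTTP.
# Targets come from any Service in any namespace that lacks the
# `istio-prometheus-ignore` label; the relabeling rules then keep only those
# whose Service carries the prometheus.io scrape annotation.
#
# Security note: scrape path and port are taken from Service annotations, so
# whoever can annotate a Service decides what Prometheus requests from its
# endpoints. Scope the selectors or apply `istio-prometheus-ignore` where
# that is not acceptable.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubernetes-services-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: kube-services
    release: {{ .Release.Name | quote }}
spec:
  selector:
    matchExpressions:
    - key: istio-prometheus-ignore
      operator: DoesNotExist
  namespaceSelector:
    any: true
  jobLabel: kubernetes-services
  endpoints:
  - interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    relabelings:
    # Keep only Services whose scrape annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_service_annotation_prometheus_io_scrape
      action: keep
      regex: 'true'
    # Pod sidecar status and Service scheme annotation, joined with ';'.
    # Keep the target when the sidecar status is empty, or when the scheme
    # annotation is exactly http; the last alternative matches a joined value
    # of at most one character.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_sidecar_istio_io_status
      - __meta_kubernetes_service_annotation_prometheus_io_scheme
      action: keep
      regex: '((;.*)|(.*;http)|(.??))'
    # Pods annotated as mTLS-enabled are dropped from this plain-HTTP job.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_istio_mtls
      action: drop
      regex: 'true'
    # Use the path annotation as the metrics path when it is non-empty.
    - sourceLabels:
      - __meta_kubernetes_service_annotation_prometheus_io_path
      action: replace
      targetLabel: __metrics_path__
      regex: '(.+)'
    # Rebuild the address as <host>:<annotated port>; the rule only applies
    # when the port annotation consists of digits.
    - sourceLabels:
      - __address__
      - __meta_kubernetes_service_annotation_prometheus_io_port
      action: replace
      regex: '([^:]+)(?::\d+)?;(\d+)'
      replacement: '$1:$2'
      targetLabel: __address__
    # Copy every pod label onto the target.
    - action: labelmap
      regex: '__meta_kubernetes_pod_label_(.+)'
    - sourceLabels:
      - __meta_kubernetes_namespace
      action: replace
      targetLabel: namespace
    - sourceLabels:
      - __meta_kubernetes_pod_name
      action: replace
      targetLabel: pod_name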
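---
{{- if .Values.prometheus.provisionPrometheusCert }}
# ServiceMonitor for annotation-driven Service scraping over HTTPS with a
# client certificate. Rendered only when the chart provisions a certificate
# for Prometheus. Targets come from any Service in any namespace that lacks
# the `istio-prometheus-ignore` label.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubernetes-services-secure-monitor
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: kube-services-secure
    release: {{ .Release.Name | quote }}
spec:
  selector:
    matchExpressions:
    - key: istio-prometheus-ignore
      operator: DoesNotExist
  namespaceSelector:
    any: true
  jobLabel: kubernetes-services-secure
  endpoints:
  - interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    scheme: https
    tlsConfig:
      caFile: /etc/prometheus/secrets/istio.prometheus/root-cert.pem
      certFile: /etc/prometheus/secrets/istio.prometheus/cert-chain.pem
      keyFile: /etc/prometheus/secrets/istio.prometheus/key.pem
      # prometheus does not support secure naming.
      # Consequence: the server certificate is not validated, so caFile does
      # not authenticate the target. The scrape is encrypted and Prometheus
      # presents its client certificate, but the identity of the endpoint
      # that answers is not checked by Prometheus.
      # NOTE(review): revisit once the deployed Prometheus can validate the
      # workload certificates - confirm.
      insecureSkipVerify: true
    relabelings:
    # Keep only Services whose scrape annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_service_annotation_prometheus_io_scrape
      action: keep
      regex: 'true'
    # The sidecar status annotation is added by the sidecar injector; the
    # annotation surfaced as ..._istio_mtls can be placed on a pod to
    # indicate its ability to receive mTLS traffic. The two values are joined
    # with ';': keep the target when the sidecar status is non-empty, or when
    # the mTLS annotation is exactly 'true'.
    - sourceLabels:
      - __meta_kubernetes_pod_annotation_sidecar_istio_io_status
      - __meta_kubernetes_pod_annotation_istio_mtls
      action: keep
      regex: '(([^;]+);([^;]*))|(([^;]*);(true))'
    # Services that asked for plain http are left to the non-secure job.
    - sourceLabels:
      - __meta_kubernetes_service_annotation_prometheus_io_scheme
      action: drop
      regex: '(http)'
    # Use the path annotation as the metrics path when it is non-empty.
    - sourceLabels:
      - __meta_kubernetes_service_annotation_prometheus_io_path
      action: replace
      targetLabel: __metrics_path__
      regex: '(.+)'
    # Only keep address that is host:port, otherwise an extra target with
    # ':443' is added for https scheme.
    - sourceLabels:
      - __address__
      action: keep
      regex: '([^:]+):(\d+)'
    # Rebuild the address as <host>:<annotated port>; the rule only applies
    # when the port annotation consists of digits.
    - sourceLabels:
      - __address__
      - __meta_kubernetes_service_annotation_prometheus_io_port
      action: replace
      regex: '([^:]+)(?::\d+)?;(\d+)'
      replacement: '$1:$2'
      targetLabel: __address__
    # Copy every pod label onto the target.
    - action: labelmap
      regex: '__meta_kubernetes_pod_label_(.+)'
    - sourceLabels:
      - __meta_kubernetes_namespace
      action: replace
      targetLabel: namespace
    - sourceLabels:
      - __meta_kubernetes_pod_name
      action: replace
      targetLabel: pod_name
{{- end }}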
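---
# ServiceMonitor for the kubelet: scrapes the `http-metrics` port of the
# Service labelled k8s-app=kubelet in kube-system, once on the default
# metrics path and once on /metrics/cadvisor.
#
# Security note: both endpoints use `scheme: http` together with
# `bearerTokenFile`, so the Prometheus service-account token is sent in an
# unencrypted Authorization header on every scrape. The `tlsConfig` stanzas
# have no effect while the scheme is http.
# NOTE(review): either scrape an HTTPS kubelet port if the Service exposes
# one, or drop bearerTokenFile if this port does not require authentication -
# confirm against the kubelet Service in the target cluster.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubelet
  # Quoted so a bool- or number-looking release/namespace stays a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    monitoring: kubelet-monitor
    release: {{ .Release.Name | quote }}
spec:
  jobLabel: k8s-app
  selector:
    matchLabels:
      k8s-app: kubelet
  namespaceSelector:
    matchNames:
    - kube-system
  endpoints:
  # Kubelet metrics on the default path.
  - port: http-metrics
    scheme: http
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    # Labels exposed by the target win over the ones Prometheus would attach.
    honorLabels: true
    tlsConfig:
      insecureSkipVerify: true
  # cAdvisor container metrics served by the same port.
  - port: http-metrics
    scheme: http
    path: /metrics/cadvisor
    interval: {{ .Values.prometheusOperator.scrapeInterval | quote }}
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    honorLabels: true
    tlsConfig:
      insecureSkipVerify: true
    relabelings:
    # Report these series under the job name kubernetes-cadvisor.
    - sourceLabels:
      - job
      action: replace
      replacement: kubernetes-cadvisor
      targetLabel: job
    metricRelabelings:
    # Drop the listed container_* series by metric name after the scrape.
    - sourceLabels:
      - __name__
      action: drop
      regex: 'container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)'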
322