From b5e213d49ec7829bbdc64663ae39230c168905e9 Mon Sep 17 00:00:00 2001
From: Celene Chang <celene@datadoghq.com>
Date: Wed, 16 Feb 2022 11:32:27 -0500
Subject: [PATCH] [kubelet/kubernetes_state] add spec.yaml files
---
kubelet/assets/configuration/spec.yaml | 52 ++
.../kubelet/data/conf.yaml.example | 529 +++++++++++++++++-
kubelet/manifest.json | 5 +-
.../assets/configuration/spec.yaml | 77 +++
.../kubernetes_state/data/auto_conf.yaml | 30 +-
.../kubernetes_state/data/conf.yaml.example | 526 +++++++++++++++--
kubernetes_state/manifest.json | 5 +-
7 files changed, 1140 insertions(+), 84 deletions(-)
create mode 100644 kubelet/assets/configuration/spec.yaml
create mode 100644 kubernetes_state/assets/configuration/spec.yaml
diff --git a/kubelet/assets/configuration/spec.yaml b/kubelet/assets/configuration/spec.yaml
new file mode 100644
index 00000000000000..330e54e2d64cd8
--- /dev/null
+++ b/kubelet/assets/configuration/spec.yaml
@@ -0,0 +1,52 @@
+name: Kubelet
+files:
+- name: kubelet.yaml
+ options:
+ - template: init_config
+ options:
+ - template: init_config/openmetrics_legacy
+ - template: instances
+ options:
+ - name: cadvisor_metrics_endpoint
+ description: |
+ 1.7.6+ clusters expose container metrics in the prometheus format.
+ This is the default setting. See next section for legacy clusters.
+
+ URL of the cadvisor metrics prometheus endpoint.
+ Pass an empty string, or set the cadvisor_port option to disable cadvisor metrics collection.
+ example: http://10.8.0.1:10255/metrics/cadvisor
+ display_priority: 1
+ - name: kubelet_metrics_endpoint
+ description: |
+ URL of the kubelet metrics prometheus endpoint
+ Pass an empty string to disable kubelet metrics collection.
+ example: http://10.8.0.1:10255/metrics
+ display_priority: 1
+ - name: cadvisor_port
+ description: |
+ Metric collection for legacy (< 1.7.6) clusters via the kubelet's cadvisor port.
+ This port is closed by default on k8s 1.7+ and OpenShift, enable it
+ via the `--cadvisor-port=4194` kubelet option.
+
+ Port to connect to, uncomment and set accordingly to enable collection.
+ example: 4194
+ display_priority: 1
+ - name: enabled_rates
+ description: |
+ Allow list of rate type metrics to collect from cadvisor.
+ example:
+ - cpu.*
+ - network.*
+ display_priority: 1
+ - name: enabled_gauges
+ description: |
+ Allow list of gauge type metrics to collect from cadvisor.
+ example:
+ - filesystem.*
+ display_priority: 1
+ - template: instances/openmetrics_legacy
+ overrides:
+ prometheus_url.hidden: true
+ prometheus_metrics_prefix.hidden: true
+ min_collection_interval.value.example: 20
+ min_collection_interval.enabled: true
diff --git a/kubelet/datadog_checks/kubelet/data/conf.yaml.example b/kubelet/datadog_checks/kubelet/data/conf.yaml.example
index a7f9a2448727e0..1d0b3f15e749d1 100644
--- a/kubelet/datadog_checks/kubelet/data/conf.yaml.example
+++ b/kubelet/datadog_checks/kubelet/data/conf.yaml.example
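Review bot: None of the five options declared under `instances` (`cadvisor_metrics_endpoint`, `kubelet_metrics_endpoint`, `cadvisor_port`, `enabled_rates`, `enabled_gauges`) carries a `value:` block with a `type`, which appears to be why the regenerated `conf.yaml.example` later in this patch drops their `## @param … - string - optional` style header lines rather than rewording them. Nest each `example` under `value:` with the type the old header stated, the way `kube_state_url` is declared in the kubernetes_state spec, e.g. `value:` / `type: string` / `example: http://10.8.0.1:10255/metrics/cadvisor`. The `labels_mapper`, `label_joins` and `hostname_override` entries in the `auto_conf.yaml` part of the kubernetes_state spec have the same gap and lose their `@param` lines in `auto_conf.yaml`. Separately, both endpoint examples use plain HTTP on port 10255, which is the kubelet's default read-only port and serves without authentication; since the descriptions are being rewritten here, a line such as `Prefer the authenticated HTTPS kubelet port with tls_verify and bearer_token_auth where the read-only port is disabled.` would point readers at the safer setup.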
@@ -1,62 +1,537 @@ +## All options defined here are available to all instances. +# init_config: -instances: + ## @param proxy - mapping - optional + ## Set HTTP or HTTPS proxies for all instances. Use the `no_proxy` list + ## to specify hosts that must bypass proxies. + ## + ## The SOCKS protocol is also supported like so: + ## + ## socks5://user:pass@host:port + ## + ## Using the scheme `socks5` causes the DNS resolution to happen on the + ## client, rather than on the proxy server. This is in line with `curl`, + ## which uses the scheme to decide whether to do the DNS resolution on + ## the client or proxy. If you want to resolve the domains on the proxy + ## server, use `socks5h` as the scheme. + # + # proxy: + # http: http://<PROXY_SERVER_FOR_HTTP>:<PORT> + # https: https://<PROXY_SERVER_FOR_HTTPS>:<PORT> + # no_proxy: + # - <HOSTNAME_1> + # - <HOSTNAME_2> - - - ## @param tags - list of key:value element - optional - ## List of tags to attach to every metric, event and service check emitted by this integration. + ## @param skip_proxy - boolean - optional - default: false + ## If set to `true`, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. + # + # skip_proxy: false + + ## @param timeout - number - optional - default: 10 + ## The timeout for connecting to services. + # + # timeout: 10 + + ## @param service - string - optional + ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. ## - ## Learn more about tagging: https://docs.datadoghq.com/tagging/ + ## Additionally, this sets the default `service` for every log source. # - # tags: - # - <KEY_1>:<VALUE_1> - # - <KEY_2>:<VALUE_2> + # service: <SERVICE> +## Every instance is scheduled independent of the others. +# +instances: + + - ## 1.7.6+ clusters expose container metrics in the prometheus format. ## This is the default setting. See next section for legacy clusters. 
- - ## @param cadvisor_metrics_endpoint - string - optional - ## url of the cadvisor metrics prometheus endpoint. + ## + ## URL of the cadvisor metrics prometheus endpoint. ## Pass an empty string, or set the cadvisor_port option to disable cadvisor metrics collection. # # cadvisor_metrics_endpoint: http://10.8.0.1:10255/metrics/cadvisor - ## @param kubelet_metrics_endpoint - string - optional - ## url of the kubelet metrics prometheus endpoint - ## Pass an empty string to disable kubelet metrics collection + ## URL of the kubelet metrics prometheus endpoint + ## Pass an empty string to disable kubelet metrics collection. # # kubelet_metrics_endpoint: http://10.8.0.1:10255/metrics - ## @param send_histograms_buckets - boolean - optional - ## The histogram buckets can be noisy and generate a lot of tags. - ## send_histograms_buckets controls whether or not you want to pull them. - # - # send_histograms_buckets: true - ## Metric collection for legacy (< 1.7.6) clusters via the kubelet's cadvisor port. ## This port is closed by default on k8s 1.7+ and OpenShift, enable it ## via the `--cadvisor-port=4194` kubelet option. - - ## @param cadvisor_port - integer - optional + ## ## Port to connect to, uncomment and set accordingly to enable collection. # # cadvisor_port: 4194 - ## @param enabled_rates - list of string - optional - ## Whitelist of rate type metrics to collect from cadvisor, these are the default + ## Allow list of rate type metrics to collect from cadvisor. # # enabled_rates: # - cpu.* # - network.* - ## @param enabled_gauges - list of string - optional - ## Whitelist of gauge type metrics to collect from cadvisor, these are the default + ## Allow list of gauge type metrics to collect from cadvisor. # # enabled_gauges: # - filesystem.* - ## @param min_collection_interval - integer - optional - default: 15 + ## @param health_service_check - boolean - optional - default: true + ## Send a service check reporting about the health of the Prometheus endpoint. 
+ ## The service check is named <NAMESPACE>.prometheus.health + # + # health_service_check: true + + ## @param label_to_hostname - string - optional + ## Override the hostname with the value of one label. + # + # label_to_hostname: <LABEL> + + ## @param label_joins - mapping - optional + ## Allows targeting a metric to retrieve its label with a 1:1 mapping. + # + # label_joins: + # target_metric: + # label_to_match: <MATCHED_LABEL> + # labels_to_get: + # - <EXTRA_LABEL_1> + # - <EXTRA_LABEL_2> + + ## @param labels_mapper - mapping - optional + ## The label mapper allows you to rename labels. + ## Format is <LABEL_TO_RENAME>: <NEW_LABEL_NAME> + # + # labels_mapper: + # flavor: origin + + ## @param type_overrides - mapping - optional + ## Override a type in the Prometheus payload or type an untyped metric (ignored by default). + ## Supported <METRIC_TYPE> are `gauge`, `counter`, `histogram`, and `summary`. + ## The "*" wildcard can be used to match multiple metric names. + # + # type_overrides: + # <METRIC_NAME>: <METRIC_TYPE> + + ## @param send_histograms_buckets - boolean - optional - default: true + ## Set send_histograms_buckets to true to send the histograms bucket. + # + # send_histograms_buckets: true + + ## @param send_distribution_buckets - boolean - optional - default: false + ## Set `send_distribution_buckets` to `true` to send histograms as Datadog distribution metrics. + ## + ## Learn more about distribution metrics: https://docs.datadoghq.com/developers/metrics/distributions/ + # + # send_distribution_buckets: false + + ## @param send_monotonic_counter - boolean - optional - default: true + ## Set send_monotonic_counter to true to send counters as monotonic counter. + # + # send_monotonic_counter: true + + ## @param send_distribution_counts_as_monotonic - boolean - optional - default: false + ## If set to true, sends histograms and summary counters as monotonic counters (instead of gauges). 
+ # + # send_distribution_counts_as_monotonic: false + + ## @param send_distribution_sums_as_monotonic - boolean - optional - default: false + ## If set to true, sends histograms and summary sums as monotonic counters (instead of gauges). + # + # send_distribution_sums_as_monotonic: false + + ## @param use_process_start_time - boolean - optional - default: false + ## Whether to enable a heuristic for reporting counter values on the first scrape. When true, + ## the first time an endpoint is scraped, check `process_start_time_seconds` to decide whether zero + ## initial value can be assumed for counters. This requires keeping metrics in memory until the entire + ## response is received. + # + # use_process_start_time: false + + ## @param exclude_labels - list of strings - optional + ## A list of labels to be excluded. May be used in conjunction with `include_labels`. + ## Labels defined in `excluded labels` will take precedence in case of overlap. + # + # exclude_labels: + # - timestamp + + ## @param include_labels - list of strings - optional + ## A list of labels to include. May be used in conjunction with `exclude_labels`. + ## Labels defined in `excluded labels` will take precedence in case of overlap. + # + # include_labels: [] + + ## @param bearer_token_auth - boolean or string - optional - default: false + ## If set to true, adds a bearer token authentication header. + ## If set to 'tls_only', only adds a bearer token authentication header if the endpoint is secure https. + ## Note: If bearer_token_path is not set, the default path is /var/run/secrets/kubernetes.io/serviceaccount/token. + # + # bearer_token_auth: false + + ## @param bearer_token_path - string - optional + ## The path to a Kubernetes service account bearer token file. Make sure the file exists and is mounted correctly. + ## Note: bearer_token_auth should be set to true to enable adding the token to HTTP headers for authentication. 
+ # + # bearer_token_path: <TOKEN_PATH> + + ## @param ignore_metrics - list of strings - optional + ## A list of metrics to ignore, the "*" wildcard can be used to match multiple metric names. + ## The wildcard matching is done via fnmatch, it locates a match anywhere in the string. + # + # ignore_metrics: + # - <IGNORED_METRIC_NAME> + # - <SUBSTRING_*> + # - <*_SUBSTRING> + + ## @param ignore_metrics_by_labels - mapping - optional + ## A mapping of labels where metrics with matching label key and values are ignored. + ## Use the "*" wildcard to match all label values. + # + # ignore_metrics_by_labels: + # <KEY_1>: + # - <LABEL_1> + # - <LABEL_2> + # <KEY_2>: + # - '*' + + ## @param ignore_tags - list of strings - optional + ## A list of regular expressions used to ignore tags added by autodiscovery and entries in the `tags` option. + # + # ignore_tags: + # - <FULL:TAG> + # - <TAG_PREFIX:.*> + # - <TAG_SUFFIX$> + + ## @param proxy - mapping - optional + ## This overrides the `proxy` setting in `init_config`. + ## + ## Set HTTP or HTTPS proxies for this instance. Use the `no_proxy` list + ## to specify hosts that must bypass proxies. + ## + ## The SOCKS protocol is also supported, for example: + ## + ## socks5://user:pass@host:port + ## + ## Using the scheme `socks5` causes the DNS resolution to happen on the + ## client, rather than on the proxy server. This is in line with `curl`, + ## which uses the scheme to decide whether to do the DNS resolution on + ## the client or proxy. If you want to resolve the domains on the proxy + ## server, use `socks5h` as the scheme. + # + # proxy: + # http: http://<PROXY_SERVER_FOR_HTTP>:<PORT> + # https: https://<PROXY_SERVER_FOR_HTTPS>:<PORT> + # no_proxy: + # - <HOSTNAME_1> + # - <HOSTNAME_2> + + ## @param skip_proxy - boolean - optional - default: false + ## This overrides the `skip_proxy` setting in `init_config`. 
+ ## + ## If set to `true`, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. + # + # skip_proxy: false + + ## @param auth_type - string - optional - default: basic + ## The type of authentication to use. The available types (and related options) are: + ## + ## - basic + ## |__ username + ## |__ password + ## |__ use_legacy_auth_encoding + ## - digest + ## |__ username + ## |__ password + ## - ntlm + ## |__ ntlm_domain + ## |__ password + ## - kerberos + ## |__ kerberos_auth + ## |__ kerberos_cache + ## |__ kerberos_delegate + ## |__ kerberos_force_initiate + ## |__ kerberos_hostname + ## |__ kerberos_keytab + ## |__ kerberos_principal + ## - aws + ## |__ aws_region + ## |__ aws_host + ## |__ aws_service + ## + ## The `aws` auth type relies on boto3 to automatically gather AWS credentials, for example: from `.aws/credentials`. + ## Details: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#configuring-credentials + # + # auth_type: basic + + ## @param use_legacy_auth_encoding - boolean - optional - default: true + ## When `auth_type` is set to `basic`, this determines whether to encode as `latin1` rather than `utf-8`. + # + # use_legacy_auth_encoding: true + + ## @param username - string - optional + ## The username to use if services are behind basic or digest auth. + # + # username: <USERNAME> + + ## @param password - string - optional + ## The password to use if services are behind basic or NTLM auth. + # + # password: <PASSWORD> + + ## @param ntlm_domain - string - optional + ## If your services use NTLM authentication, specify + ## the domain used in the check. For NTLM Auth, append + ## the username to domain, not as the `username` parameter. 
+ # + # ntlm_domain: <NTLM_DOMAIN>\<USERNAME> + + ## @param kerberos_auth - string - optional - default: disabled + ## If your services use Kerberos authentication, you can specify the Kerberos + ## strategy to use between: + ## + ## - required + ## - optional + ## - disabled + ## + ## See https://github.com/requests/requests-kerberos#mutual-authentication + # + # kerberos_auth: disabled + + ## @param kerberos_cache - string - optional + ## Sets the KRB5CCNAME environment variable. + ## It should point to a credential cache with a valid TGT. + # + # kerberos_cache: <KERBEROS_CACHE> + + ## @param kerberos_delegate - boolean - optional - default: false + ## Set to `true` to enable Kerberos delegation of credentials to a server that requests delegation. + ## + ## See https://github.com/requests/requests-kerberos#delegation + # + # kerberos_delegate: false + + ## @param kerberos_force_initiate - boolean - optional - default: false + ## Set to `true` to preemptively initiate the Kerberos GSS exchange and + ## present a Kerberos ticket on the initial request (and all subsequent). + ## + ## See https://github.com/requests/requests-kerberos#preemptive-authentication + # + # kerberos_force_initiate: false + + ## @param kerberos_hostname - string - optional + ## Override the hostname used for the Kerberos GSS exchange if its DNS name doesn't + ## match its Kerberos hostname, for example: behind a content switch or load balancer. + ## + ## See https://github.com/requests/requests-kerberos#hostname-override + # + # kerberos_hostname: <KERBEROS_HOSTNAME> + + ## @param kerberos_principal - string - optional + ## Set an explicit principal, to force Kerberos to look for a + ## matching credential cache for the named user. + ## + ## See https://github.com/requests/requests-kerberos#explicit-principal + # + # kerberos_principal: <KERBEROS_PRINCIPAL> + + ## @param kerberos_keytab - string - optional + ## Set the path to your Kerberos key tab file. 
+ # + # kerberos_keytab: <KEYTAB_FILE_PATH> + + ## @param auth_token - mapping - optional + ## This allows for the use of authentication information from dynamic sources. + ## Both a reader and writer must be configured. + ## + ## The available readers are: + ## + ## - type: file + ## path (required): The absolute path for the file to read from. + ## pattern: A regular expression pattern with a single capture group used to find the + ## token rather than using the entire file, for example: Your secret is (.+) + ## + ## The available writers are: + ## + ## - type: header + ## name (required): The name of the field, for example: Authorization + ## value: The template value, for example `Bearer <TOKEN>`. The default is: <TOKEN> + ## placeholder: The substring in `value` to replace by the token, defaults to: <TOKEN> + # + # auth_token: + # reader: + # type: <READER_TYPE> + # <OPTION_1>: <VALUE_1> + # <OPTION_2>: <VALUE_2> + # writer: + # type: <WRITER_TYPE> + # <OPTION_1>: <VALUE_1> + # <OPTION_2>: <VALUE_2> + + ## @param aws_region - string - optional + ## If your services require AWS Signature Version 4 signing, set the region. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_region: <AWS_REGION> + + ## @param aws_host - string - optional + ## If your services require AWS Signature Version 4 signing, set the host. + ## This only needs the hostname and does not require the protocol (HTTP, HTTPS, and more). + ## For example, if connecting to https://us-east-1.amazonaws.com/, set `aws_host` to `us-east-1.amazonaws.com`. + ## + ## Note: This setting is not necessary for official integrations. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_host: <AWS_HOST> + + ## @param aws_service - string - optional + ## If your services require AWS Signature Version 4 signing, set the service code. 
For a list + ## of available service codes, see https://docs.aws.amazon.com/general/latest/gr/rande.html + ## + ## Note: This setting is not necessary for official integrations. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_service: <AWS_SERVICE> + + ## @param tls_verify - boolean - optional - default: true + ## Instructs the check to validate the TLS certificate of services. + # + # tls_verify: true + + ## @param tls_use_host_header - boolean - optional - default: false + ## If a `Host` header is set, this enables its use for SNI (matching against the TLS certificate CN or SAN). + # + # tls_use_host_header: false + + ## @param tls_ignore_warning - boolean - optional - default: false + ## If `tls_verify` is disabled, security warnings are logged by the check. + ## Disable those by setting `tls_ignore_warning` to true. + ## + ## Note: `tls_ignore_warning` set to true is currently only reliable if used by one instance of one integration. + ## If enabled for multiple instances, spurious warnings might still appear even if `tls_ignore_warning` is set + ## to true. + # + # tls_ignore_warning: false + + ## @param tls_cert - string - optional + ## The path to a single file in PEM format containing a certificate as well as any + ## number of CA certificates needed to establish the certificate's authenticity for + ## use when connecting to services. It may also contain an unencrypted private key to use. + # + # tls_cert: <CERT_PATH> + + ## @param tls_private_key - string - optional + ## The unencrypted private key to use for `tls_cert` when connecting to services. This is + ## required if `tls_cert` is set and it does not already contain a private key. + # + # tls_private_key: <PRIVATE_KEY_PATH> + + ## @param tls_ca_cert - string - optional + ## The path to a file of concatenated CA certificates in PEM format or a directory + ## containing several CA certificates in PEM format. 
If a directory, the directory + ## must have been processed using the c_rehash utility supplied with OpenSSL. See: + ## https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html + # + # tls_ca_cert: <CA_CERT_PATH> + + ## @param tls_protocols_allowed - list of strings - optional + ## The expected versions of TLS/SSL when fetching intermediate certificates. + ## Only `SSLv3`, `TLSv1.2`, `TLSv1.3` are allowed by default. The possible values are: + ## SSLv3 + ## TLSv1 + ## TLSv1.1 + ## TLSv1.2 + ## TLSv1.3 + # + # tls_protocols_allowed: + # - SSLv3 + # - TLSv1.2 + # - TLSv1.3 + + ## @param headers - mapping - optional + ## The headers parameter allows you to send specific headers with every request. + ## You can use it for explicitly specifying the host header or adding headers for + ## authorization purposes. + ## + ## This overrides any default headers. + # + # headers: + # Host: <ALTERNATIVE_HOSTNAME> + # X-Auth-Token: <AUTH_TOKEN> + + ## @param extra_headers - mapping - optional + ## Additional headers to send with every request. + # + # extra_headers: + # Host: <ALTERNATIVE_HOSTNAME> + # X-Auth-Token: <AUTH_TOKEN> + + ## @param timeout - number - optional - default: 10 + ## The timeout for accessing services. + ## + ## This overrides the `timeout` setting in `init_config`. + # + # timeout: 10 + + ## @param connect_timeout - number - optional + ## The connect timeout for accessing services. Defaults to `timeout`. + # + # connect_timeout: <CONNECT_TIMEOUT> + + ## @param read_timeout - number - optional + ## The read timeout for accessing services. Defaults to `timeout`. + # + # read_timeout: <READ_TIMEOUT> + + ## @param request_size - number - optional - default: 10 + ## The number of kibibytes (KiB) to read from streaming HTTP responses at a time. + # + # request_size: 10 + + ## @param log_requests - boolean - optional - default: false + ## Whether or not to debug log the HTTP(S) requests made, including the method and URL. 
+ # + # log_requests: false + + ## @param persist_connections - boolean - optional - default: false + ## Whether or not to persist cookies and use connection pooling for increased performance. + # + # persist_connections: false + + ## @param allow_redirects - boolean - optional - default: true + ## Whether or not to allow URL redirection. + # + # allow_redirects: true + + ## @param tags - list of strings - optional + ## A list of tags to attach to every metric and service check emitted by this instance. + ## + ## Learn more about tagging at https://docs.datadoghq.com/tagging + # + # tags: + # - <KEY_1>:<VALUE_1> + # - <KEY_2>:<VALUE_2> + + ## @param service - string - optional + ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. + ## + ## Overrides any `service` defined in the `init_config` section. + # + # service: <SERVICE> + + ## @param min_collection_interval - number - optional - default: 20 ## This changes the collection interval of the check. For more information, see: ## https://docs.datadoghq.com/developers/write_agent_check/#collection-interval # min_collection_interval: 20 + + ## @param empty_default_hostname - boolean - optional - default: false + ## This forces the check to send metrics with no hostname. + ## + ## This is useful for cluster-level checks. + # + # empty_default_hostname: false diff --git a/kubelet/manifest.json b/kubelet/manifest.json index 474dd1204f7db3..a90697de685e0e 100644 --- a/kubelet/manifest.json +++ b/kubelet/manifest.json @@ -26,6 +26,9 @@ "dashboards": {}, "service_checks": "assets/service_checks.json", "logs": {}, - "metrics_metadata": "metadata.csv" + "metrics_metadata": "metadata.csv", + "configuration": { + "spec": "assets/configuration/spec.yaml" + } } } diff --git a/kubernetes_state/assets/configuration/spec.yaml b/kubernetes_state/assets/configuration/spec.yaml new file mode 100644 index 00000000000000..12401a0cac3bff --- /dev/null 
+++ b/kubernetes_state/assets/configuration/spec.yaml 
@@ -0,0 +1,77 @@
+name: Kubernetes State
+files:
+- name: kubernetes_state.yaml
+ options:
+ - template: init_config
+ options:
+ - template: init_config/openmetrics_legacy
+ - template: instances
+ options:
+ - name: kube_state_url
+ enabled: true
+ required: true
+ description: |
+ To enable Kube State metrics you must specify the URL exposing the API
+ value:
+ type: string
+ example:
+ http://example.com:8080/metrics
+ display_priority: 1
+ - template: instances/openmetrics_legacy
+ overrides:
+ prometheus_url.hidden: true
+ prometheus_metrics_prefix.hidden: true
+
+- name: auto_conf.yaml
+ options:
+ - template: ad_identifiers
+ overrides:
+ value.example:
+ - kube-state-metrics
+ - template: init_config
+ options: []
+ - name: ignore_autodiscovery_tags
+ description: |
+ Ignore tags coming from autodiscovery
+ enabled: true
+ value:
+ type: boolean
+ example: true
+ - template: instances
+ options:
+ - name: kube_state_url
+ description: |
+ To enable Kube State metrics you must specify the URL exposing the API.
+ enabled: true
+ required: true
+ value:
+ type: string
+ example:
+ http://%%host%%:8080/metrics
+ - name: labels_mapper
+ description: |
+ Tags are reported as set by kube-state-metrics. If you want to translate
+ them to other tags, use the labels_mapper dictionary.
+ example:
+ namespace: kube_namespace
+ - name: label_joins
+ description: |
+ Add the tags to join from other KSM metrics.
+ Example: Joining for deployment metrics. Based on:
+ kube_deployment_labels{deployment="kube-dns",label_addonmanager_kubernetes_io_mode="Reconcile"}
+ Use the following config to add the value of label_addonmanager_kubernetes_io_mode as a tag to your KSM
+ deployment metrics.
+ example:
+ kube_deployment_labels:
+ labels_to_match:
+ - deployment
+ labels_to_get:
+ - label_addonmanager_kubernetes_io_mode
+ - name: hostname_override
+ description: |
+ By default the hostname for metrics containing the node label is
+ overridden by the value of the label, this can be deactivated (all metrics
+ will be attached to the host running KSM)
+ example: true
+
+
diff --git a/kubernetes_state/datadog_checks/kubernetes_state/data/auto_conf.yaml b/kubernetes_state/datadog_checks/kubernetes_state/data/auto_conf.yaml
index ff7def6b607117..290920a97795c9 100644
--- a/kubernetes_state/datadog_checks/kubernetes_state/data/auto_conf.yaml
+++ b/kubernetes_state/datadog_checks/kubernetes_state/data/auto_conf.yaml
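Review bot: `kube_state_url` in the `kubernetes_state.yaml` section is declared `required: true`, yet the regenerated `conf.yaml.example` in this patch changes its header from `string - required` to `string - optional - default: http://example.com:8080/metrics`, so the rendered documentation contradicts the spec and presents a placeholder host as a default. The cause is not visible in this hunk; comparing with the `auto_conf.yaml` section, where the same option still renders as `required`, and regenerating until both agree would settle it. The `kubernetes_state.yaml` section also declares no `labels_mapper` or `label_joins` of its own, so the example file swaps the KSM-specific guidance (the `kube_deployment_labels` join) for the generic template text; reusing the descriptions already written for `auto_conf.yaml` would keep it. The first `kube_state_url` description is also missing the closing period that the second one has.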
@@ -1,26 +1,35 @@ +## @param ad_identifiers - list of strings - required +## A list of container identifiers that are used by Autodiscovery to identify +## which container the check should be run against. For more information, see: +## https://docs.datadoghq.com/agent/guide/ad_identifiers/ +# ad_identifiers: - kube-state-metrics +## All options defined here are available to all instances. +# init_config: -# Ignore tags coming from autodiscovery +## @param ignore_autodiscovery_tags - boolean - optional - default: true +## Ignore tags coming from autodiscovery +# ignore_autodiscovery_tags: true +## Every instance is scheduled independent of the others. +# instances: ## @param kube_state_url - string - required - ## To enable Kube State metrics you must specify the url exposing the API + ## To enable Kube State metrics you must specify the URL exposing the API. # - kube_state_url: http://%%host%%:8080/metrics - ## @param labels_mapper - dictionary - optional ## Tags are reported as set by kube-state-metrics. If you want to translate - ## them to other tags, use the labels_mapper dictionary + ## them to other tags, use the labels_mapper dictionary. # # labels_mapper: # namespace: kube_namespace - ## @param label_joins - object - optional ## Add the tags to join from other KSM metrics. ## Example: Joining for deployment metrics. Based on: ## kube_deployment_labels{deployment="kube-dns",label_addonmanager_kubernetes_io_mode="Reconcile"} 
@@ -28,13 +37,12 @@ instances: ## deployment metrics. # # label_joins: - # kube_deployment_labels: - # labels_to_match: - # - deployment - # labels_to_get: - # - label_addonmanager_kubernetes_io_mode + # kube_deployment_labels: + # labels_to_match: + # - deployment + # labels_to_get: + # - label_addonmanager_kubernetes_io_mode - ## @param hostname_override - boolean - optional - default: true ## By default the hostname for metrics containing the node label is ## overridden by the value of the label, this can be deactivated (all metrics ## will be attached to the host running KSM) diff --git a/kubernetes_state/datadog_checks/kubernetes_state/data/conf.yaml.example b/kubernetes_state/datadog_checks/kubernetes_state/data/conf.yaml.example index 8cee50b74563fe..a9ddde4c03897c 100644 --- a/kubernetes_state/datadog_checks/kubernetes_state/data/conf.yaml.example +++ b/kubernetes_state/datadog_checks/kubernetes_state/data/conf.yaml.example 
@@ -1,71 +1,509 @@ +## All options defined here are available to all instances. +# init_config: + ## @param proxy - mapping - optional + ## Set HTTP or HTTPS proxies for all instances. Use the `no_proxy` list + ## to specify hosts that must bypass proxies. + ## + ## The SOCKS protocol is also supported like so: + ## + ## socks5://user:pass@host:port + ## + ## Using the scheme `socks5` causes the DNS resolution to happen on the + ## client, rather than on the proxy server. This is in line with `curl`, + ## which uses the scheme to decide whether to do the DNS resolution on + ## the client or proxy. If you want to resolve the domains on the proxy + ## server, use `socks5h` as the scheme. + # + # proxy: + # http: http://<PROXY_SERVER_FOR_HTTP>:<PORT> + # https: https://<PROXY_SERVER_FOR_HTTPS>:<PORT> + # no_proxy: + # - <HOSTNAME_1> + # - <HOSTNAME_2> + + ## @param skip_proxy - boolean - optional - default: false + ## If set to `true`, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. + # + # skip_proxy: false + + ## @param timeout - number - optional - default: 10 + ## The timeout for connecting to services. + # + # timeout: 10 + + ## @param service - string - optional + ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. + ## + ## Additionally, this sets the default `service` for every log source. + # + # service: <SERVICE> + +## Every instance is scheduled independent of the others. +# instances: - ## @param kube_state_url - string - required - ## To enable Kube State metrics you must specify the url exposing the API + ## @param kube_state_url - string - optional - default: http://example.com:8080/metrics + ## To enable Kube State metrics you must specify the URL exposing the API # - kube_state_url: http://example.com:8080/metrics - ## @param labels_mapper - dictionary - optional - ## Tags are reported as set by kube-state-metrics. 
If you want to translate - ## them to other tags, use the labels_mapper dictionary + ## @param health_service_check - boolean - optional - default: true + ## Send a service check reporting about the health of the Prometheus endpoint. + ## The service check is named <NAMESPACE>.prometheus.health # - # labels_mapper: - # namespace: kube_namespace + # health_service_check: true - ## @param label_joins - object - optional - ## Add the tags to join from other KSM metrics. - ## Example: Joining for deployment metrics. Based on: - ## kube_deployment_labels{deployment="kube-dns",label_addonmanager_kubernetes_io_mode="Reconcile"} - ## Use the following config to add the value of label_addonmanager_kubernetes_io_mode as a tag to your KSM - ## deployment metrics. + ## @param label_to_hostname - string - optional + ## Override the hostname with the value of one label. + # + # label_to_hostname: <LABEL> + + ## @param label_joins - mapping - optional + ## Allows targeting a metric to retrieve its label with a 1:1 mapping. # # label_joins: - # kube_deployment_labels: - # labels_to_match: - # - deployment + # target_metric: + # label_to_match: <MATCHED_LABEL> # labels_to_get: - # - label_addonmanager_kubernetes_io_mode + # - <EXTRA_LABEL_1> + # - <EXTRA_LABEL_2> + + ## @param labels_mapper - mapping - optional + ## The label mapper allows you to rename labels. + ## Format is <LABEL_TO_RENAME>: <NEW_LABEL_NAME> + # + # labels_mapper: + # flavor: origin + + ## @param type_overrides - mapping - optional + ## Override a type in the Prometheus payload or type an untyped metric (ignored by default). + ## Supported <METRIC_TYPE> are `gauge`, `counter`, `histogram`, and `summary`. + ## The "*" wildcard can be used to match multiple metric names. + # + # type_overrides: + # <METRIC_NAME>: <METRIC_TYPE> + + ## @param send_histograms_buckets - boolean - optional - default: true + ## Set send_histograms_buckets to true to send the histograms bucket. 
+ # + # send_histograms_buckets: true + + ## @param send_distribution_buckets - boolean - optional - default: false + ## Set `send_distribution_buckets` to `true` to send histograms as Datadog distribution metrics. + ## + ## Learn more about distribution metrics: https://docs.datadoghq.com/developers/metrics/distributions/ + # + # send_distribution_buckets: false + + ## @param send_monotonic_counter - boolean - optional - default: true + ## Set send_monotonic_counter to true to send counters as monotonic counter. + # + # send_monotonic_counter: true + + ## @param send_distribution_counts_as_monotonic - boolean - optional - default: false + ## If set to true, sends histograms and summary counters as monotonic counters (instead of gauges). + # + # send_distribution_counts_as_monotonic: false + + ## @param send_distribution_sums_as_monotonic - boolean - optional - default: false + ## If set to true, sends histograms and summary sums as monotonic counters (instead of gauges). + # + # send_distribution_sums_as_monotonic: false + + ## @param use_process_start_time - boolean - optional - default: false + ## Whether to enable a heuristic for reporting counter values on the first scrape. When true, + ## the first time an endpoint is scraped, check `process_start_time_seconds` to decide whether zero + ## initial value can be assumed for counters. This requires keeping metrics in memory until the entire + ## response is received. + # + # use_process_start_time: false + + ## @param exclude_labels - list of strings - optional + ## A list of labels to be excluded. May be used in conjunction with `include_labels`. + ## Labels defined in `excluded labels` will take precedence in case of overlap. + # + # exclude_labels: + # - timestamp + + ## @param include_labels - list of strings - optional + ## A list of labels to include. May be used in conjunction with `exclude_labels`. + ## Labels defined in `excluded labels` will take precedence in case of overlap. 
+ # + # include_labels: [] + + ## @param bearer_token_auth - boolean or string - optional - default: false + ## If set to true, adds a bearer token authentication header. + ## If set to 'tls_only', only adds a bearer token authentication header if the endpoint is secure https. + ## Note: If bearer_token_path is not set, the default path is /var/run/secrets/kubernetes.io/serviceaccount/token. + # + # bearer_token_auth: false + + ## @param bearer_token_path - string - optional + ## The path to a Kubernetes service account bearer token file. Make sure the file exists and is mounted correctly. + ## Note: bearer_token_auth should be set to true to enable adding the token to HTTP headers for authentication. + # + # bearer_token_path: <TOKEN_PATH> + + ## @param ignore_metrics - list of strings - optional + ## A list of metrics to ignore, the "*" wildcard can be used to match multiple metric names. + ## The wildcard matching is done via fnmatch, it locates a match anywhere in the string. + # + # ignore_metrics: + # - <IGNORED_METRIC_NAME> + # - <SUBSTRING_*> + # - <*_SUBSTRING> + + ## @param ignore_metrics_by_labels - mapping - optional + ## A mapping of labels where metrics with matching label key and values are ignored. + ## Use the "*" wildcard to match all label values. + # + # ignore_metrics_by_labels: + # <KEY_1>: + # - <LABEL_1> + # - <LABEL_2> + # <KEY_2>: + # - '*' + + ## @param ignore_tags - list of strings - optional + ## A list of regular expressions used to ignore tags added by autodiscovery and entries in the `tags` option. + # + # ignore_tags: + # - <FULL:TAG> + # - <TAG_PREFIX:.*> + # - <TAG_SUFFIX$> + + ## @param proxy - mapping - optional + ## This overrides the `proxy` setting in `init_config`. + ## + ## Set HTTP or HTTPS proxies for this instance. Use the `no_proxy` list + ## to specify hosts that must bypass proxies. 
+ ## + ## The SOCKS protocol is also supported, for example: + ## + ## socks5://user:pass@host:port + ## + ## Using the scheme `socks5` causes the DNS resolution to happen on the + ## client, rather than on the proxy server. This is in line with `curl`, + ## which uses the scheme to decide whether to do the DNS resolution on + ## the client or proxy. If you want to resolve the domains on the proxy + ## server, use `socks5h` as the scheme. + # + # proxy: + # http: http://<PROXY_SERVER_FOR_HTTP>:<PORT> + # https: https://<PROXY_SERVER_FOR_HTTPS>:<PORT> + # no_proxy: + # - <HOSTNAME_1> + # - <HOSTNAME_2> + + ## @param skip_proxy - boolean - optional - default: false + ## This overrides the `skip_proxy` setting in `init_config`. + ## + ## If set to `true`, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. + # + # skip_proxy: false + + ## @param auth_type - string - optional - default: basic + ## The type of authentication to use. The available types (and related options) are: + ## + ## - basic + ## |__ username + ## |__ password + ## |__ use_legacy_auth_encoding + ## - digest + ## |__ username + ## |__ password + ## - ntlm + ## |__ ntlm_domain + ## |__ password + ## - kerberos + ## |__ kerberos_auth + ## |__ kerberos_cache + ## |__ kerberos_delegate + ## |__ kerberos_force_initiate + ## |__ kerberos_hostname + ## |__ kerberos_keytab + ## |__ kerberos_principal + ## - aws + ## |__ aws_region + ## |__ aws_host + ## |__ aws_service + ## + ## The `aws` auth type relies on boto3 to automatically gather AWS credentials, for example: from `.aws/credentials`. + ## Details: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#configuring-credentials + # + # auth_type: basic + + ## @param use_legacy_auth_encoding - boolean - optional - default: true + ## When `auth_type` is set to `basic`, this determines whether to encode as `latin1` rather than `utf-8`. 
+ # + # use_legacy_auth_encoding: true + + ## @param username - string - optional + ## The username to use if services are behind basic or digest auth. + # + # username: <USERNAME> + + ## @param password - string - optional + ## The password to use if services are behind basic or NTLM auth. + # + # password: <PASSWORD> + + ## @param ntlm_domain - string - optional + ## If your services use NTLM authentication, specify + ## the domain used in the check. For NTLM Auth, append + ## the username to domain, not as the `username` parameter. + # + # ntlm_domain: <NTLM_DOMAIN>\<USERNAME> + + ## @param kerberos_auth - string - optional - default: disabled + ## If your services use Kerberos authentication, you can specify the Kerberos + ## strategy to use between: + ## + ## - required + ## - optional + ## - disabled + ## + ## See https://github.com/requests/requests-kerberos#mutual-authentication + # + # kerberos_auth: disabled + + ## @param kerberos_cache - string - optional + ## Sets the KRB5CCNAME environment variable. + ## It should point to a credential cache with a valid TGT. + # + # kerberos_cache: <KERBEROS_CACHE> + + ## @param kerberos_delegate - boolean - optional - default: false + ## Set to `true` to enable Kerberos delegation of credentials to a server that requests delegation. + ## + ## See https://github.com/requests/requests-kerberos#delegation + # + # kerberos_delegate: false + + ## @param kerberos_force_initiate - boolean - optional - default: false + ## Set to `true` to preemptively initiate the Kerberos GSS exchange and + ## present a Kerberos ticket on the initial request (and all subsequent). + ## + ## See https://github.com/requests/requests-kerberos#preemptive-authentication + # + # kerberos_force_initiate: false + + ## @param kerberos_hostname - string - optional + ## Override the hostname used for the Kerberos GSS exchange if its DNS name doesn't + ## match its Kerberos hostname, for example: behind a content switch or load balancer. 
+ ## + ## See https://github.com/requests/requests-kerberos#hostname-override + # + # kerberos_hostname: <KERBEROS_HOSTNAME> + + ## @param kerberos_principal - string - optional + ## Set an explicit principal, to force Kerberos to look for a + ## matching credential cache for the named user. + ## + ## See https://github.com/requests/requests-kerberos#explicit-principal + # + # kerberos_principal: <KERBEROS_PRINCIPAL> + + ## @param kerberos_keytab - string - optional + ## Set the path to your Kerberos key tab file. + # + # kerberos_keytab: <KEYTAB_FILE_PATH> + + ## @param auth_token - mapping - optional + ## This allows for the use of authentication information from dynamic sources. + ## Both a reader and writer must be configured. + ## + ## The available readers are: + ## + ## - type: file + ## path (required): The absolute path for the file to read from. + ## pattern: A regular expression pattern with a single capture group used to find the + ## token rather than using the entire file, for example: Your secret is (.+) + ## + ## The available writers are: + ## + ## - type: header + ## name (required): The name of the field, for example: Authorization + ## value: The template value, for example `Bearer <TOKEN>`. The default is: <TOKEN> + ## placeholder: The substring in `value` to replace by the token, defaults to: <TOKEN> + # + # auth_token: + # reader: + # type: <READER_TYPE> + # <OPTION_1>: <VALUE_1> + # <OPTION_2>: <VALUE_2> + # writer: + # type: <WRITER_TYPE> + # <OPTION_1>: <VALUE_1> + # <OPTION_2>: <VALUE_2> + + ## @param aws_region - string - optional + ## If your services require AWS Signature Version 4 signing, set the region. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_region: <AWS_REGION> + + ## @param aws_host - string - optional + ## If your services require AWS Signature Version 4 signing, set the host. + ## This only needs the hostname and does not require the protocol (HTTP, HTTPS, and more). 
+ ## For example, if connecting to https://us-east-1.amazonaws.com/, set `aws_host` to `us-east-1.amazonaws.com`. + ## + ## Note: This setting is not necessary for official integrations. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_host: <AWS_HOST> + + ## @param aws_service - string - optional + ## If your services require AWS Signature Version 4 signing, set the service code. For a list + ## of available service codes, see https://docs.aws.amazon.com/general/latest/gr/rande.html + ## + ## Note: This setting is not necessary for official integrations. + ## + ## See https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + # + # aws_service: <AWS_SERVICE> - ## @param hostname_override - boolean - optional - default: true - ## By default the hostname for metrics containing the node label is - ## overridden by the value of the label, this can be deactivated (all metrics - ## will be attached to the host running KSM) + ## @param tls_verify - boolean - optional - default: true + ## Instructs the check to validate the TLS certificate of services. # - # hostname_override: true + # tls_verify: true - ## @param tags - list of key:value element - optional - ## List of tags to attach to every metric, event and service check emitted by this integration. + ## @param tls_use_host_header - boolean - optional - default: false + ## If a `Host` header is set, this enables its use for SNI (matching against the TLS certificate CN or SAN). + # + # tls_use_host_header: false + + ## @param tls_ignore_warning - boolean - optional - default: false + ## If `tls_verify` is disabled, security warnings are logged by the check. + ## Disable those by setting `tls_ignore_warning` to true. + ## + ## Note: `tls_ignore_warning` set to true is currently only reliable if used by one instance of one integration. + ## If enabled for multiple instances, spurious warnings might still appear even if `tls_ignore_warning` is set + ## to true. 
+ # + # tls_ignore_warning: false + + ## @param tls_cert - string - optional + ## The path to a single file in PEM format containing a certificate as well as any + ## number of CA certificates needed to establish the certificate's authenticity for + ## use when connecting to services. It may also contain an unencrypted private key to use. + # + # tls_cert: <CERT_PATH> + + ## @param tls_private_key - string - optional + ## The unencrypted private key to use for `tls_cert` when connecting to services. This is + ## required if `tls_cert` is set and it does not already contain a private key. + # + # tls_private_key: <PRIVATE_KEY_PATH> + + ## @param tls_ca_cert - string - optional + ## The path to a file of concatenated CA certificates in PEM format or a directory + ## containing several CA certificates in PEM format. If a directory, the directory + ## must have been processed using the c_rehash utility supplied with OpenSSL. See: + ## https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html + # + # tls_ca_cert: <CA_CERT_PATH> + + ## @param tls_protocols_allowed - list of strings - optional + ## The expected versions of TLS/SSL when fetching intermediate certificates. + ## Only `SSLv3`, `TLSv1.2`, `TLSv1.3` are allowed by default. The possible values are: + ## SSLv3 + ## TLSv1 + ## TLSv1.1 + ## TLSv1.2 + ## TLSv1.3 + # + # tls_protocols_allowed: + # - SSLv3 + # - TLSv1.2 + # - TLSv1.3 + + ## @param headers - mapping - optional + ## The headers parameter allows you to send specific headers with every request. + ## You can use it for explicitly specifying the host header or adding headers for + ## authorization purposes. + ## + ## This overrides any default headers. + # + # headers: + # Host: <ALTERNATIVE_HOSTNAME> + # X-Auth-Token: <AUTH_TOKEN> + + ## @param extra_headers - mapping - optional + ## Additional headers to send with every request. 
+ # + # extra_headers: + # Host: <ALTERNATIVE_HOSTNAME> + # X-Auth-Token: <AUTH_TOKEN> + + ## @param timeout - number - optional - default: 10 + ## The timeout for accessing services. ## - ## Learn more about tagging: https://docs.datadoghq.com/tagging/ + ## This overrides the `timeout` setting in `init_config`. + # + # timeout: 10 + + ## @param connect_timeout - number - optional + ## The connect timeout for accessing services. Defaults to `timeout`. + # + # connect_timeout: <CONNECT_TIMEOUT> + + ## @param read_timeout - number - optional + ## The read timeout for accessing services. Defaults to `timeout`. + # + # read_timeout: <READ_TIMEOUT> + + ## @param request_size - number - optional - default: 10 + ## The number of kibibytes (KiB) to read from streaming HTTP responses at a time. + # + # request_size: 10 + + ## @param log_requests - boolean - optional - default: false + ## Whether or not to debug log the HTTP(S) requests made, including the method and URL. + # + # log_requests: false + + ## @param persist_connections - boolean - optional - default: false + ## Whether or not to persist cookies and use connection pooling for increased performance. + # + # persist_connections: false + + ## @param allow_redirects - boolean - optional - default: true + ## Whether or not to allow URL redirection. + # + # allow_redirects: true + + ## @param tags - list of strings - optional + ## A list of tags to attach to every metric and service check emitted by this instance. + ## + ## Learn more about tagging at https://docs.datadoghq.com/tagging # # tags: # - <KEY_1>:<VALUE_1> # - <KEY_2>:<VALUE_2> - ## @param prometheus_timeout - integer - optional - default: 10 - ## Set a timeout for the prometheus query. + ## @param service - string - optional + ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. + ## + ## Overrides any `service` defined in the `init_config` section. 
# - # prometheus_timeout: 10 + # service: <SERVICE> - ## @param telemetry - boolean - optional - default: false - ## To enable the telemetry check's metrics, you must set this parameter to true. - ## It will generate useful internal check metrics: message payload size, the number - ## of metrics received, processed, ignored.... - ## Metrics can be found under `kubernetes_state.telemetry` + ## @param min_collection_interval - number - optional - default: 15 + ## This changes the collection interval of the check. For more information, see: + ## https://docs.datadoghq.com/developers/write_agent_check/#collection-interval # - # telemetry: false + # min_collection_interval: 15 - ## @param join_standard_tags - boolean - optional - default: false - ## To enable joining standard tags from labels, you must set this parameter to true. - ## It will join standard tags found in these labels coming from info Kube State metrics (*_labels). - ## tags.datadoghq.com/env => env - ## tags.datadoghq.com/service => service - ## tags.datadoghq.com/version => version - ## - ## Resources enabled for join_standard_tags include: - ## Pod, Deployment, ReplicaSet, DaemonSet, StatefulSet, Job, CronJob + ## @param empty_default_hostname - boolean - optional - default: false + ## This forces the check to send metrics with no hostname. ## + ## This is useful for cluster-level checks. # - # join_standard_tags: false + # empty_default_hostname: false diff --git a/kubernetes_state/manifest.json b/kubernetes_state/manifest.json index 3fef37a37504e9..064e7801c99f4c 100644 --- a/kubernetes_state/manifest.json +++ b/kubernetes_state/manifest.json @@ -27,6 +27,9 @@ "dashboards": {}, "service_checks": "assets/service_checks.json", "logs": {}, - "metrics_metadata": "metadata.csv" + "metrics_metadata": "metadata.csv", + "configuration": { + "spec": "assets/configuration/spec.yaml" + } } }
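Review bot: The new `tls_protocols_allowed` entry in this hunk documents `SSLv3` as allowed by default and repeats it in the commented example list, so anyone who uncomments the example keeps a protocol that RFC 7568 deprecated. This text presumably comes from a shared template, so the default cannot be changed here, but the description should carry a caveat such as `## Note: SSLv3 is deprecated (RFC 7568); keep it in this list only for legacy endpoints that cannot negotiate TLSv1.2 or later.` The same hunk documents `bearer_token_auth` alongside a plain `http://` example for `kube_state_url`; adding `## Prefer 'tls_only' so the service account token is never sent over plain HTTP.` would point readers at the safer value. The hunk also removes the `hostname_override`, `telemetry` and `join_standard_tags` entries with no replacement visible on the new side. The spec that generates this file is not shown here, so please confirm those options are still documented.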