use podMonitor instead of serviceMonitor to prevent monitoring data leakage

paulfantom · paulfantom · commit 9ec4747bb8a1 · 2023-06-22T11:43:29.000+02:00
Signed-off-by: paulfantom &lt;pawel@krupa.net.pl&gt;
diff --git a/README.md b/README.md
@@ -103,10 +103,9 @@ their default values.
 | `ingress.tls`               | Ingress TLS configuration (YAML)                                                           | `[]`            |
 | `ingress.className`         | Ingress controller class name                                                              | `nginx`         |
 | `metrics.enabled`           | Enable metrics on Service                                                                  | `false`         |
-| `metrics.port`              | TCP port on which the service metrics is exposed                                           | `5001`          |
-| `metrics.serviceMonitor.annotations` | Prometheus Operator ServiceMonitor annotations                                    | `{}`            |
-| `metrics.serviceMonitor.enable` | If true, Prometheus Operator ServiceMonitor will be created                            | `false`         |
-| `metrics.serviceMonitor.labels` | Prometheus Operator ServiceMonitor labels                                              | `{}`            |
+| `metrics.podMonitor.annotations` | Prometheus Operator PodMonitor annotations                                    | `{}`            |
+| `metrics.podMonitor.enable` | If true, Prometheus Operator PodMonitor will be created                            | `false`         |
+| `metrics.podMonitor.labels` | Prometheus Operator PodMonitor labels                                              | `{}`            |
 | `metrics.prometheusRule.annotations` | Prometheus Operator PrometheusRule annotations                                    | `{}`            |
 | `metrics.prometheusRule.enable` | If true, Prometheus Operator prometheusRule will be created                            | `false`         |
 | `metrics.prometheusRule.labels` | Prometheus Operator prometheusRule labels                                              | `{}`            |
diff --git a/templates/podmonitor.yaml b/templates/podmonitor.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.metrics.enabled .Values.metrics.podMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "docker-registry.fullname" . }}-podmonitor
+  labels:
+    app: {{ template "docker-registry.name" . }}-metrics
+    release: {{ .Release.Name }}
+{{- if .Values.metrics.podMonitor.labels }}
+{{ toYaml .Values.metrics.podMonitor.labels | indent 4 }}
+{{- end }}
+spec:
+  podMetricsEndpoints:
+  - interval: 15s
+    port: http-metrics
+  selector:
+    matchLabels:
+      app: {{ template "docker-registry.name" . }}
+      release: {{ .Release.Name }}
+      heritage: {{ .Release.Service }}
+{{- end }}
diff --git a/templates/service.yaml b/templates/service.yaml
@@ -37,12 +37,6 @@ spec:
       targetPort: 5000
 {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
       nodePort: {{ .Values.service.nodePort }}
-{{- end }}
-{{- if .Values.metrics.enabled }}
-    - port: {{ .Values.metrics.port }}
-      protocol: TCP
-      name: http-metrics
-      targetPort: {{ (split ":" .Values.configData.http.debug.addr)._1 }}
 {{- end }}
   selector:
     app: {{ template "docker-registry.name" . }}
diff --git a/templates/servicemonitor.yaml b/templates/servicemonitor.yaml
diff --git a/values.yaml b/values.yaml
@@ -118,9 +118,8 @@ proxy:
 
 metrics:
   enabled: false
-  port: 5001
-  # Create a prometheus-operator servicemonitor
-  serviceMonitor:
+  # Create a prometheus-operator podmonitor
+  podMonitor:
     enabled: false
     labels: {}
   # prometheus-operator PrometheusRule defining alerting rules for a Prometheus instance
