From 28d0891729258a1179b4ef632afce6521df0e1d6 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Sat, 19 May 2018 13:05:50 -0700 Subject: [PATCH] Annotate nginx-ingress addon for Prometheus auto-discovery * Add Google Cloud firewall rule to allow worker to worker access to health and metrics --- CHANGES.md | 1 + addons/nginx-ingress/aws/service.yaml | 3 +++ addons/nginx-ingress/digital-ocean/service.yaml | 3 +++ addons/nginx-ingress/google-cloud/service.yaml | 3 +++ google-cloud/container-linux/kubernetes/network.tf | 14 ++++++++++++++ google-cloud/fedora-atomic/kubernetes/network.tf | 14 ++++++++++++++ 6 files changed, 38 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 11d16a58..40265834 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,7 @@ Notable changes between versions. * Update Grafana from v5.04 to v5.1.3 ([#208](https://github.com/poseidon/typhoon/pull/208)) * Disable Grafana Google Analytics by default ([#214](https://github.com/poseidon/typhoon/issues/214)) * Update nginx-ingress from 0.14.0 to 0.15.0 +* Annotate nginx-ingress service so Prometheus auto-discovers and scrapes service endpoints ([#222](https://github.com/poseidon/typhoon/pull/222)) ## v1.10.2 diff --git a/addons/nginx-ingress/aws/service.yaml b/addons/nginx-ingress/aws/service.yaml index 88afc467..fb81064f 100644 --- a/addons/nginx-ingress/aws/service.yaml +++ b/addons/nginx-ingress/aws/service.yaml @@ -3,6 +3,9 @@ kind: Service metadata: name: nginx-ingress-controller namespace: ingress + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '10254' spec: type: ClusterIP selector: diff --git a/addons/nginx-ingress/digital-ocean/service.yaml b/addons/nginx-ingress/digital-ocean/service.yaml index 88afc467..fb81064f 100644 --- a/addons/nginx-ingress/digital-ocean/service.yaml +++ b/addons/nginx-ingress/digital-ocean/service.yaml 
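Review bot: The new `prometheus.io/port: '10254'` annotation in addons/nginx-ingress/aws/service.yaml has no comment saying what listens on 10254 or that the value is coupled to node-level network rules; the identical hunks for digital-ocean and google-cloud have the same gap. I would add a line above the annotations such as `# 10254: ingress controller health/metrics port; must match the firewall/security-group rules`. This commit adds a firewall rule only for Google Cloud, so it is worth confirming that worker-to-worker tcp/10254 is already permitted on AWS and DigitalOcean. No `prometheus.io/scheme` or `prometheus.io/path` is set, so the scrape presumably falls back to the defaults of the cluster's Prometheus job. The Service spec continues outside the hunk, so whether 10254 is among its declared ports cannot be checked here.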
@@ -3,6 +3,9 @@ kind: Service metadata: name: nginx-ingress-controller namespace: ingress + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '10254' spec: type: ClusterIP selector: diff --git a/addons/nginx-ingress/google-cloud/service.yaml b/addons/nginx-ingress/google-cloud/service.yaml index 88afc467..fb81064f 100644 --- a/addons/nginx-ingress/google-cloud/service.yaml +++ b/addons/nginx-ingress/google-cloud/service.yaml @@ -3,6 +3,9 @@ kind: Service metadata: name: nginx-ingress-controller namespace: ingress + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '10254' spec: type: ClusterIP selector: diff --git a/google-cloud/container-linux/kubernetes/network.tf b/google-cloud/container-linux/kubernetes/network.tf index 628b0fcc..85412bf1 100644 --- a/google-cloud/container-linux/kubernetes/network.tf +++ b/google-cloud/container-linux/kubernetes/network.tf @@ -135,6 +135,20 @@ resource "google_compute_firewall" "internal-kubelet" { target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] } +# Allow Prometheus to scrape ingress-controller +resource "google_compute_firewall" "ingress-health" { + name = "${var.cluster_name}-ingress-health" + network = "${google_compute_network.network.name}" + + allow { + protocol = "tcp" + ports = [10254] + } + + source_tags = ["${var.cluster_name}-worker"] + target_tags = ["${var.cluster_name}-worker"] +} + resource "google_compute_firewall" "internal-kubelet-readonly" { name = "${var.cluster_name}-internal-kubelet-readonly" network = "${google_compute_network.network.name}" diff --git a/google-cloud/fedora-atomic/kubernetes/network.tf b/google-cloud/fedora-atomic/kubernetes/network.tf index 628b0fcc..85412bf1 100644 --- a/google-cloud/fedora-atomic/kubernetes/network.tf +++ b/google-cloud/fedora-atomic/kubernetes/network.tf 
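Review bot: The comment `# Allow Prometheus to scrape ingress-controller` on the new `ingress-health` rule in google-cloud/container-linux/kubernetes/network.tf understates what the rule grants. Both `source_tags` and `target_tags` are `${var.cluster_name}-worker`, so every worker node, and presumably any pod whose traffic leaves from a worker's address, can reach tcp/10254 on every other worker, not only Prometheus. A tag-based rule cannot be narrowed to a single pod, so I would have the comment say that, e.g. `# Allow worker-to-worker access to ingress-controller health and metrics (tcp/10254); Prometheus may run on any worker`. Nothing in this patch adds authentication to that port, so confirm that everything served on it is acceptable to expose to all worker workloads. The identical hunk in google-cloud/fedora-atomic/kubernetes/network.tf needs the same change.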
@@ -135,6 +135,20 @@ resource "google_compute_firewall" "internal-kubelet" { target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] } +# Allow Prometheus to scrape ingress-controller +resource "google_compute_firewall" "ingress-health" { + name = "${var.cluster_name}-ingress-health" + network = "${google_compute_network.network.name}" + + allow { + protocol = "tcp" + ports = [10254] + } + + source_tags = ["${var.cluster_name}-worker"] + target_tags = ["${var.cluster_name}-worker"] +} + resource "google_compute_firewall" "internal-kubelet-readonly" { name = "${var.cluster_name}-internal-kubelet-readonly" network = "${google_compute_network.network.name}"