Add metricbeat annotations and control over access to the metrics endpoint

chart/Chart.yaml

@@ -2,11 +2,11 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.6.2
+version: 0.7.0
 appVersion: "4.1.5"
 dependencies:
   - name: f7t4jhub
-    version: 0.6.2
+    version: 0.7.0
     repository: "file://./f7t4jhub"
   - name: reloader
     version: v1.0.51

chart/f7t4jhub/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.6.2
+version: 0.7.0
 appVersion: "4.1.5"

chart/f7t4jhub/files/jupyterhub-config.py

@@ -186,4 +186,4 @@ async def refresh_user(self, user, handler=None):
 # This should be set to the URL which the hub uses to connect to the proxy’s API.
 c.ConfigurableHTTPProxy.api_url = 'http://{{ .Release.Name }}-proxy-svc:{{ .Values.network.apiPort }}'
 
-{{ .Values.extraConfig }}
+{{ .Values.config.extraConfig }}

chart/f7t4jhub/templates/deployment-hub.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app: hub
   annotations:
-    {{- if .Values.vault.enabled }}
+    {{- if .Values.reloader.enabled }}
     configmap.reloader.stakater.com/reload: "{{ .Release.Name }}-configmap"
     secret.reloader.stakater.com/reload: "{{ .Release.Name }}-common-secrets"
     {{- end }}
@@ -18,6 +18,14 @@ spec:
     metadata:
       labels:
         app: hub
+      annotations:
+      {{- if .Values.metricbeat.enabled }}
+        co.elastic.metrics/enabled: "true"
+        co.elastic.metrics/hosts: '"${data.host}:{{ .Values.network.externalPort }}"'
+        co.elastic.metrics/metrics_path: /metrics
+        co.elastic.metrics/metricsets: collector
+        co.elastic.metrics/module: prometheus
+      {{- end }}
     spec:
       securityContext:
           runAsUser: 1000
@@ -53,7 +61,7 @@ spec:
               secretKeyRef:
                 name: {{ .Release.Name }}-secret
                 key: configProxyAuthToken
-          {{- if .Values.vault.enabled }}
+          {{- if .Values.vault.keycloak.enabled }}
           - name: KC_CLIENT_ID
             valueFrom:
               secretKeyRef:
@@ -80,7 +88,7 @@ spec:
             items:
               - key: jupyterhub-config
                 path: jupyterhub_config.py
-      {{- if .Values.vault.enabled }}
+      {{- if .Values.vault.containerRegistry.enabled }}
       imagePullSecrets:
       - name: {{ .Release.Name }}-registry-docker-config
       {{- end }}

chart/f7t4jhub/templates/external-secret-registry.yml → chart/f7t4jhub/templates/external-secret-registry.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.vault.enabled }}
+{{- if .Values.vault.containerRegistry.enabled }}
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -19,6 +19,6 @@ spec:
   data:
   - secretKey: jfrog_docker_config
     remoteRef:
-      key: jfrog
+      key: {{ .Values.vault.containerRegistry.secretPath }}
       property: docker_config
 {{- end }}

chart/f7t4jhub/templates/external-secret.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.vault.enabled }}
+{{- if .Values.vault.keycloak.enabled }}
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -14,10 +14,10 @@ spec:
   data:
   - secretKey: kc_client_secret
     remoteRef:
-      key: {{ .Values.vault.secretPath }}
+      key: {{ .Values.vault.keycloak.secretPath }}
       property: kc_client_secret
   - secretKey: kc_client_id
     remoteRef:
-      key: {{ .Values.vault.secretPath }}
+      key: {{ .Values.vault.keycloak.secretPath }}
       property: kc_client_id
 {{- end }}

chart/f7t4jhub/templates/ingress.yaml

@@ -1,40 +1,42 @@
-apiVersion: v1
-items:
-- apiVersion: networking.k8s.io/v1
-  kind: Ingress
-  metadata:
-    name: {{ .Release.Name }}-proxy-ingress
-  spec:
-    ingressClassName: nginx
-    rules:
-    - host: {{ .Values.config.commonName }}
-      http:
-        paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: {{ .Release.Name }}-proxy-svc
-              port:
-                number: {{ .Values.network.appPort }}
-        - path: /hub/api
-          pathType: Prefix
-          backend:
-            service:
-              name: {{ .Release.Name }}-proxy-svc
-              port:
-                number: {{ .Values.network.appPort }}
-        - path: /api
-          pathType: Prefix
-          backend:
-            service:
-              name: {{ .Release.Name }}-proxy-svc
-              port:
-                number: {{ .Values.network.apiPort }}
-    tls:
-    - hosts:
-      - {{ .Values.config.commonName }}
-      secretName: {{ .Release.Name }}-cert-secret
-kind: List
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
-  resourceVersion: ""
+  name: {{ .Release.Name }}-proxy-ingress
+  annotations:
+    {{- if .Values.metricbeat.deny_metrics_endpoint }}
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location /hub/metrics {
+        deny all;
+      }
+    {{- end }}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ .Values.config.commonName }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-proxy-svc
+            port:
+              number: {{ .Values.network.appPort }}
+      - path: /hub/api
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-proxy-svc
+            port:
+              number: {{ .Values.network.appPort }}
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}-proxy-svc
+            port:
+              number: {{ .Values.network.apiPort }}
+  tls:
+  - hosts:
+    - {{ .Values.config.commonName }}
+    secretName: {{ .Release.Name }}-cert-secret

chart/f7t4jhub/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.vault.enabled }}
+{{- if .Values.vault.keycloak.enabled }}
 apiVersion: external-secrets.io/v1beta1
 kind: SecretStore
 metadata:

chart/values.yaml

@@ -32,21 +32,42 @@ f7t4jhub:
     # Set log level to logging.DEBUG
     debug: false
 
-  vault:
-    # Enable or disable Vault integration
+  reloader:
+    # Enable or disable reloader integration
     enabled: false
 
+  vault:
     # URL for the Vault service (replace with your own Vault URL)
     url: 'https://vault.example.com'
 
     # Secret engine used in Vault (replace with your own secret engine)
-    secretEngine: 'jupyterhub'
-
-    # Secret path in Vault (replace with your own secret path)
-    secretPath: 'dom/tds'
+    secretEngine: 'secret-engine'
 
     # Role ID for accessing Vault secrets (replace with your own role ID)
-    roleId: '<role-id>'
+    roleId: 'role-id'
+
+    # keycloack credentials
+    keycloak:
+      # Enable or disable Vault integration
+      enabled: false
+
+      # Secret path in Vault (replace with your own secret path)
+      secretPath: 'secret/path/keycloack'
+
+    # container registry credentials
+    containerRegistry:
+      # Enable or disable Vault integration
+      enabled: false
+
+      # Secret path in Vault (replace with your own secret path)
+      secretPath: 'secret/path/containers'
+
+  metricbeat:
+    # Enable or disable annotations for metric beat monitoring
+    enabled: false
+
+    # Allow or deny access to /hub/metrics
+    deny_metrics_endpoint: false
 
   network:
     # Ports configuration for the application
@@ -127,5 +148,8 @@ f7t4jhub:
       customStateGetHost: None
 
       # Literal python code to add at the end of jupyterhub's configuration
-      extraConfig: |
-        # ...
+      optionsForm: |
+
+    # Literal python code to add at the end of jupyterhub's configuration
+    extraConfig: |
+      # ...