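---
# prometheus.yaml
# ArgoCD Application for Prometheus (prometheus-community Helm chart).
# Renders the chart with the inline values below into the "prometheus" namespace.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prometheus
  namespace: argocd
  finalizers:
    # Cascade-delete the chart's resources when this Application is deleted.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://prometheus-community.github.io/helm-charts
    # Quoted so the semver range is unambiguously a string for linters and
    # re-formatters (a plain 27.*.* happens to parse as a string, but only by luck).
    targetRevision: "27.*.*"
    chart: prometheus
    helm:
      valueFiles:
        - values.yaml
      values: |
        server:
          # Scrape/evaluation defaults; the chart renders this block as the
          # "global" section of the generated prometheus.yml.
          global:
            scrape_interval: 15s
            evaluation_interval: 15s
          service:
            type: ClusterIP
            port: 80
          persistentVolume:
            enabled: true
            size: 10Gi
            storageClass: "local-path"
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 128Mi
          # Pod security context for the Prometheus server.
          # 65534 is "nobody"; fsGroup makes the PV writable for the non-root process.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            fsGroup: 65534
            seccompProfile:
              type: RuntimeDefault
          containerSecurityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): the TSDB is written to the mounted PV, so a read-only
            # root filesystem may be feasible here — confirm against the chart's
            # sidecar containers before tightening.
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            capabilities:
              drop:
                - ALL

        # Node exporter disabled - it is installed separately.
        nodeExporter:
          enabled: false

        kubeStateMetrics:
          enabled: true

        alertmanager:
          enabled: true
          service:
            type: ClusterIP
          persistentVolume:
            enabled: true
            size: 2Gi
            storageClass: "local-path"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            fsGroup: 65534
            seccompProfile:
              type: RuntimeDefault

        # Pushgateway fully disabled.
        pushgateway:
          enabled: false

        # Additional scrape configuration for k3s.
        # Helm does not merge lists, so this scrape_configs list REPLACES the
        # chart's defaults (including its "kubernetes-service-endpoints" job).
        # NOTE(review): kube-state-metrics is normally discovered through that
        # job via its Service annotation; with the list below it may no longer
        # be scraped unless its pods carry prometheus.io/scrape annotations — verify.
        serverFiles:
          prometheus.yml:
            # No "global" key here on purpose: the chart already injects
            # server.global into the rendered prometheus.yml, and a second
            # "global" would be a duplicate key that Prometheus' strict YAML
            # loader rejects. (NOTE(review): confirm against the chart template
            # for the pinned targetRevision.)
            scrape_configs:
              - job_name: 'prometheus'
                static_configs:
                  - targets: ['localhost:9090']

              - job_name: 'kubernetes-apiservers'
                kubernetes_sd_configs:
                  - role: endpoints
                scheme: https
                tls_config:
                  ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                  # Security: with verification skipped the scraper does not
                  # authenticate the API server and presents its bearer token to
                  # whatever answers on the discovered address. Since ca_file is
                  # set, this should be false; keep true only if the serving
                  # certificate verifiably does not chain to that CA.
                  insecure_skip_verify: true
                bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
                relabel_configs:
                  # Keep only the https endpoint of the default/kubernetes Service.
                  - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
                    action: keep
                    regex: default;kubernetes;https

              - job_name: 'kubernetes-nodes'
                kubernetes_sd_configs:
                  - role: node
                scheme: https
                tls_config:
                  ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                  # Security: same consideration as for the apiservers job —
                  # skipping verification leaves kubelet scrapes unauthenticated.
                  insecure_skip_verify: true
                bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
                relabel_configs:
                  # Expose node labels as Prometheus labels.
                  - action: labelmap
                    regex: __meta_kubernetes_node_label_(.+)

              - job_name: 'kubernetes-pods'
                kubernetes_sd_configs:
                  - role: pod
                relabel_configs:
                  # Only scrape pods annotated prometheus.io/scrape: "true".
                  # Quoted so the regex stays a string through every YAML layer
                  # instead of becoming a boolean.
                  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
                    action: keep
                    regex: "true"
                  # Optional per-pod metrics path override.
                  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
                    action: replace
                    target_label: __metrics_path__
                    regex: (.+)
                  # Optional per-pod port override: replace the port in __address__.
                  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
                    action: replace
                    regex: ([^:]+)(?::\d+)?;(\d+)
                    replacement: $1:$2
                    target_label: __address__
                  - action: labelmap
                    regex: __meta_kubernetes_pod_label_(.+)
                  - source_labels: [__meta_kubernetes_namespace]
                    action: replace
                    target_label: kubernetes_namespace
                  - source_labels: [__meta_kubernetes_pod_name]
                    action: replace
                    target_label: kubernetes_pod_name
  destination:
    server: https://kubernetes.default.svc
    namespace: prometheus
  syncPolicy:
    # Fixed key: was misspelled "anagedNamespaceMetadata", which the API server
    # prunes or rejects as unknown, so the labels below were likely never applied.
    managedNamespaceMetadata:
      labels:
        # NOTE(review): "privileged" effectively turns Pod Security admission off
        # for this namespace and undercuts the hardened securityContexts above.
        # The workloads here look like candidates for "baseline" (possibly
        # "restricted") — test and tighten.
        pod-security.kubernetes.io/enforce: privileged
        pod-security.kubernetes.io/audit: privileged
        pod-security.kubernetes.io/warn: privileged
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - RespectIgnoreDifferences=true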