Move Prom metrics to a dedicated port + improve Helm chart (#599)

2026-01-26 17:28:51 +08:00
parent 24d0918e73
commit 145bf9d81a
18 changed files with 331 additions and 116 deletions
--- a/helm/opengist/README.md
+++ b/helm/opengist/README.md
@@ -6,6 +6,7 @@ Opengist Helm chart for Kubernetes.

 * [Install](#install)
 * [Configuration](#configuration)
+* [Metrics & Monitoring](#metrics--monitoring)
 * [Dependencies](#dependencies)
  * [Meilisearch Indexer](#meilisearch-indexer)
  * [PostgreSQL Database](#postgresql-database)
@@ -47,6 +48,76 @@ If defined, this existing secret will be used instead of creating a new one.
 configExistingSecret: <name of the secret>
 ```

+## Metrics & Monitoring
+
+Opengist exposes Prometheus metrics on a separate port (default: `6158`). The metrics server runs independently from the main HTTP server for security.
+
+### Enabling Metrics
+
+To enable metrics, set `metrics.enabled: true` in your Opengist config:
+
+```yaml
+config:
+  metrics.enabled: true
+```
+
+This will:
+1. Start a metrics server on port 6158 inside the container
+2. Create a Kubernetes Service exposing the metrics ports
+
+### Available Metrics
+
+| Metric Name | Type | Description |
+|-------------|------|-------------|
+| `opengist_users_total` | Gauge | Total number of registered users |
+| `opengist_gists_total` | Gauge | Total number of gists |
+| `opengist_ssh_keys_total` | Gauge | Total number of SSH keys |
+| `opengist_request_duration_seconds_*` | Histogram | HTTP request duration metrics |
+
+### ServiceMonitor for Prometheus Operator
+
+If you're using [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can enable automatic service discovery with a ServiceMonitor:
+
+```yaml
+config:
+  metrics.enabled: true
+
+service:
+  metrics:
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: prometheus  # match your Prometheus serviceMonitorSelector
+```
+
+### Manual Prometheus Configuration
+
+If you're not using Prometheus Operator, you can configure Prometheus to scrape the metrics endpoint directly:
+
+```yaml
+scrape_configs:
+  - job_name: 'opengist'
+    static_configs:
+      - targets: ['opengist-metrics:6158']
+    metrics_path: /metrics
+```
+
+Or use Kubernetes service discovery:
+
+```yaml
+scrape_configs:
+  - job_name: 'opengist'
+    kubernetes_sd_configs:
+      - role: service
+    relabel_configs:
+      - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component]
+        regex: metrics
+        action: keep
+      - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+        regex: opengist
+        action: keep
+```
+
 ## Dependencies

 ### Meilisearch Indexer
--- a/helm/opengist/templates/deployment.yaml
+++ b/helm/opengist/templates/deployment.yaml
@@ -67,6 +67,11 @@ spec:
            - name: http
              containerPort: {{ .Values.service.http.port }}
              protocol: TCP
+          {{- if index .Values.config "metrics.enabled" }}
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+          {{- end }}
          {{- if .Values.livenessProbe.enabled }}
          livenessProbe:
            {{- toYaml (omit .Values.livenessProbe "enabled") | nindent 12 }}
--- a/helm/opengist/templates/servicemonitor.yaml
+++ b/helm/opengist/templates/servicemonitor.yaml
@@ -0,0 +1,41 @@
+{{- if and (index .Values.config "metrics.enabled") .Values.service.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- with .Values.service.metrics.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.metrics.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+    - port: metrics
+      {{- with .Values.service.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.service.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+      {{- with .Values.service.metrics.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.service.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Values.namespace | default .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "opengist.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: metrics
+{{- end }}
--- a/helm/opengist/templates/statefulset.yaml
+++ b/helm/opengist/templates/statefulset.yaml
@@ -140,6 +140,11 @@ spec:
              containerPort: {{ .Values.service.ssh.port }}
              protocol: TCP
          {{- end }}
+          {{- if index .Values.config "metrics.enabled" }}
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+          {{- end }}
          {{- if .Values.livenessProbe.enabled }}
          livenessProbe:
            {{- toYaml (omit .Values.livenessProbe "enabled") | nindent 12 }}
@@ -172,7 +177,7 @@ spec:
            defaultMode: 511
        - name: config-volume
          emptyDir: {}
-        {{- /* 
+        {{- /*
        ========================================
        VOLUME MOUNTING DECISION TREE
        ========================================
@@ -216,7 +221,7 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-  {{- /* 
+  {{- /*
  ========================================
  VOLUMECLAIMTEMPLATES DECISION TREE
  ========================================
@@ -224,14 +229,14 @@ spec:
    - persistence.enabled=true
    - persistence.existingClaim is empty
    - persistence.mode=perReplica (default)
-  
+
  This creates one PVC per replica (RWO typically).
-  
+
  NOT used when:
    - existingClaim is set (PVC already exists, referenced in volumes above)
    - mode=shared (standalone PVC created via pvc-shared.yaml)
    - persistence disabled (emptyDir used)
-  
+
  WARNING: perReplica + replicaCount>1 causes data divergence. Use shared mode for multi-replica.
  */}}
  {{- if and .Values.persistence.enabled (ne (default "" .Values.persistence.existingClaim) "") }}
--- a/helm/opengist/templates/svc-metrics.yaml
+++ b/helm/opengist/templates/svc-metrics.yaml
@@ -0,0 +1,32 @@
+{{- if index .Values.config "metrics.enabled" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "opengist.fullname" . }}-metrics
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    app.kubernetes.io/component: metrics
+    {{- with .Values.service.metrics.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.metrics.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.metrics.type }}
+  {{- if .Values.service.metrics.clusterIP }}
+  clusterIP: {{ .Values.service.metrics.clusterIP }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.metrics.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+      {{- if and (eq .Values.service.metrics.type "NodePort") .Values.service.metrics.nodePort }}
+      nodePort: {{ .Values.service.metrics.nodePort }}
+      {{- end }}
+  selector:
+    {{- include "opengist.selectorLabels" . | nindent 4 }}
+{{- end }}
--- a/helm/opengist/values.yaml
+++ b/helm/opengist/values.yaml
@@ -8,6 +8,7 @@ namespace: ""
 config:
  log-level: "warn"
  log-output: "stdout"
+  metrics.enabled: false

 ## If defined, the existing secret will be used instead of creating a new one.
 ## The secret must contain a key named `config.yml` with the YAML configuration.
@@ -101,6 +102,26 @@ service:
    loadBalancerSourceRanges: []
    externalTrafficPolicy:

+  # A metrics K8S service on port 6158 is created when the Opengist config metrics.enabled: true
+  metrics:
+    type: ClusterIP
+    clusterIP:
+    port: 6158
+    nodePort:
+    labels: {}
+    annotations: {}
+
+    # A service monitor can be used to work with your Prometheus setup.
+    serviceMonitor:
+      enabled: true
+      labels: {}
+      #  release: kube-prom-stack
+      interval:
+      scrapeTimeout:
+      annotations: {}
+      relabelings: []
+      metricRelabelings: []
+
 ## HTTP Ingress for Opengist
 ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress: