collectd: Add DaemonSet for collectd

Since all the nodes in the cluster run Fedora CoreOS now, we can
deploy collectd as a container, managed by a DaemonSet.

Note that while _collectd_ has to run as _root_ in order to collect
a lot of metrics, it should not run with all privileges.  It does need
to run as a "super-privileged container" (`spc_t` SELinux domain), but
it does _not_ need most kernel capabilities.

collectd/collectd.d/df.conf

@@ -0,0 +1,10 @@
+LoadPlugin df
+
+<Plugin df>
+    ReportByDevice true
+
+    FSType autofs
+    FSType overlay
+    FSType efivarfs
+    IgnoreSelected true
+</Plugin>

collectd/collectd.d/log.conf

@@ -0,0 +1,8 @@
+LoadPlugin logfile
+
+<Plugin logfile>
+	LogLevel info
+	File stderr
+	Timestamp false
+	PrintSeverity true
+</Plugin>

collectd/collectd.d/plugins.conf

@@ -0,0 +1,9 @@
+LoadPlugin chrony
+LoadPlugin cpufreq
+LoadPlugin disk
+LoadPlugin entropy
+LoadPlugin processes
+LoadPlugin swap
+LoadPlugin tcpconns
+LoadPlugin thermal
+LoadPlugin uptime

collectd/collectd.d/prometheus.conf

@@ -0,0 +1,5 @@
+LoadPlugin write_prometheus
+
+<Plugin write_prometheus>
+    Port 9103
+</Plugin>

collectd/collectd.yaml

@@ -0,0 +1,74 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: collectd
+  labels:
+    app.kubernetes.io/name: collectd
+    app.kubernetes.io/component: collectd
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: collectd
+      app.kubernetes.io/component: collectd
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: collectd
+        app.kubernetes.io/component: collectd
+    spec:
+      containers:
+      - name: collectd
+        image: git.pyrocufflink.net/containerimages/collectd
+        ports:
+        - containerPort: 9103
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /metrics
+          periodSeconds: 60
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          successThreshold: 1
+          failureThreshold: 30
+          timeoutSeconds: 1
+        securityContext:
+          capabilities:
+            add:
+            - DAC_READ_SEARCH
+            drop:
+            - ALL
+          seLinuxOptions:
+            type: spc_t
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/collectd.d
+          name: config
+          readOnly: true
+        - mountPath: /host
+          name: host
+        - mountPath: /run
+          name: host
+          subPath: run
+        - mountPath: /tmp
+          name: tmp
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      tolerations:
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        configMap:
+          name: collectd
+      - name: host
+        hostPath:
+          path: /
+      - name: tmp
+        emptyDir:
+          medium: Memory

collectd/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: collectd
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: collectd
+    app.kubernetes.io/part-of: collectd
+  includeSelectors: false
+
+resources:
+- namespace.yaml
+- collectd.yaml
+
+configMapGenerator:
+- name: collectd
+  files:
+  - collectd.d/df.conf
+  - collectd.d/log.conf
+  - collectd.d/plugins.conf
+  - collectd.d/prometheus.conf
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: collectd
+    spec:
+      template:
+        spec:
+          nodeSelector:
+            du5t1n.me/collectd: 'true'

collectd/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: collectd
+  labels:
+    app.kubernetes.io/name: collectd