Merge pull request #305 from clobrano/bundle-ocp-metrics-1

Add Prometheus configuration to bundle OCP

Author: openshift-merge-bot[bot]

.github/workflows/pre-submit.yaml

@@ -26,11 +26,14 @@ jobs:
     - name: Build
       run: make manager
 
-    - name: Test
+    - name: Verify no bundle changes and run unit-tests
       run: make manifests bundle-k8s bundle-reset test
 
-    - name: Test container build
-      run: make container-build
+    - name: Test container build K8s
+      run: make container-build-k8s
+
+    - name: Test container build OCP
+      run: make container-build-ocp
 
   e2e-k8s:
     runs-on: ubuntu-22.04

Makefile

@@ -427,15 +427,15 @@ bundle-reset: ## Revert all version or build date related changes
 	sed -r -i "/replaces:.*/d" ${CSV}
 
 .PHONY: bundle-build-ocp
-bundle-build-ocp: bundle-ocp bundle-update ## Build the bundle image.
+bundle-build-ocp: bundle-ocp bundle-update ## Build the bundle image for OCP.
 	podman build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
 
 .PHONY: bundle-build-k8s
 bundle-build-k8s: bundle-k8s bundle-update ## Build the bundle image for k8s.
 	podman build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
 
 .PHONY: bundle-build-metrics
-bundle-build-metrics: bundle-metrics bundle-update ## Build the bundle image for k8s.
+bundle-build-metrics: bundle-metrics bundle-update ## Build the bundle image for K8s with metric related configuration
 	podman build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
 
 .PHONY: bundle-push
@@ -482,18 +482,19 @@ deploy-snr:
 
 ##@ Targets used by CI
 
-.PHONY: container-build
-container-build: ## Build containers
+.PHONY: container-build-ocp
+container-build-ocp: ## Build containers for OCP
 	make docker-build bundle-build-ocp
 
 .PHONY: container-build-k8s
-container-build-k8s: ## Build containers
+container-build-k8s: ## Build containers for K8s
 	make docker-build bundle-build-k8s
 
 .PHONY: container-build-metrics
-container-build-metrics: ## Build containers
+container-build-metrics: ## Build containers for K8s with metric related configuration
 	make docker-build bundle-build-metrics
 
+
 .PHONY: container-push
 container-push:  ## Push containers (NOTE: catalog can't be build before bundle was pushed)
 	make docker-push bundle-push index-build index-push

config/manifests/ocp/auth_proxy_service_patch.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller-manager
+    app.kubernetes.io/instance: metrics
+  annotations:
+      service.beta.openshift.io/serving-cert-secret-name: node-healthcheck-tls
+  name: controller-manager-metrics-service
+  namespace: system

config/manifests/ocp/deployment_patch.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        args:
+          - "--secure-listen-address=0.0.0.0:8443"
+          - "--http2-disable"
+          - "--upstream=http://127.0.0.1:8080/"
+          - "--logtostderr=true"
+          - "--v=10"
+          - "--tls-cert-file=/etc/tls/private/tls.crt"
+          - "--tls-private-key-file=/etc/tls/private/tls.key"
+        volumeMounts:
+          - name: tls-config
+            mountPath: /etc/tls/private
+            readOnly: true
+      volumes:
+        - name: tls-config
+          secret:
+            secretName: node-healthcheck-tls

config/manifests/ocp/kustomization.yaml

@@ -1,8 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 resources:
 - ../base
 - ../../optional/console-plugin
+- ../../optional/prometheus-ocp
 
 patches:
   - path: clusterserviceversion_patch.yaml
     target:
       kind: ClusterServiceVersion
+  - path: deployment_patch.yaml
+    target:
+      kind: Deployment
+      name: controller-manager
+  - path: auth_proxy_service_patch.yaml
+    target:
+      kind: Service
+      name: controller-manager-metrics-service

config/optional/prometheus-ocp/ca-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca-bundle
+  namespace: system
+  annotations:
+      service.beta.openshift.io/inject-cabundle: "true"
+data: {}

config/optional/prometheus-ocp/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ca-configmap.yaml
+
+components:
+- ../../patches/common

config/optional/prometheus-ocp/monitor.yaml

@@ -0,0 +1,30 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/component: controller-manager
+  name: node-healthcheck-controller-manager-metrics-monitor
+  namespace: system
+spec:
+  endpoints:
+  - interval: 5s
+    port: https
+    scheme: https
+    authorization:
+      type: Bearer
+      credentials:
+        name: prometheus-user-workload-token
+        key: token
+    tlsConfig:
+      ca:
+        configMap:
+          name: node-healthcheck-ca-bundle
+          key: service-ca.crt
+      serverName: node-healthcheck-controller-manager-metrics-service.system.svc
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller-manager
+      app.kubernetes.io/name: node-healthcheck-operator
+      app.kubernetes.io/instance: metrics

config/optional/prometheus-ocp/readme.md

@@ -0,0 +1,37 @@
+# User Workload Prometheus configuration
+
+Use the following steps to create a bundle predisposed for OpenShift User Workload Prometheus (UWP) Monitoring [1].
+
+1. Configure the Monitoring stack, if not already done [2]
+2. Enable monitoring for user-defined projects [3]
+3. Ensure NHC bundle with monitoring supported (>= v0.8.0) is installed [4]
+4. Once the bundle is installed, create a new UWP token Secret from an existing `prometheus-user-workload-token` Secret
+
+    IMPORTANT NOTE: use the operator's namespace (e.g. `openshift-workload-availability`).
+
+    ```bash
+    # Get the existing prometheus-user-workload-token Secret
+    existingPrometheusTokenSecret=$(kubectl get secret --namespace openshift-user-workload-monitoring | grep prometheus-user-workload-token | awk '{print $1}')
+
+    # Create a new Secret in the operator's namespace
+    kubectl get secret ${existingPrometheusTokenSecret} --namespace=openshift-user-workload-monitoring -o yaml | \
+        sed '/namespace: .*==/d;/ca.crt:/d;/serviceCa.crt/d;/creationTimestamp:/d;/resourceVersion:/d;/uid:/d;/annotations/d;/kubernetes.io/d;' | \
+        sed 's/namespace: .*/namespace: openshift-workload-availability/' | \
+        sed 's/name: .*/name: prometheus-user-workload-token/' | \
+        sed 's/type: .*/type: Opaque/' | \
+        > prom-token.yaml
+
+    kubectl apply -f prom-token.yaml
+    ```
+
+5. Create a new ServiceMonitor from `config/optional/prometheus-ocp/monitor.yaml` in the operator's namespace (e.g. `openshift-workload-availability`)
+
+    ```bash
+    sed -i 's/system/openshift-workload-availability/g' monitor.yaml
+    kubectl apply -f monitor.yaml
+    ```
+
+[1]: https://docs.openshift.com/container-platform/4.15/monitoring/enabling-monitoring-for-user-defined-projects.html
+[2]: https://docs.openshift.com/container-platform/4.15/monitoring/configuring-the-monitoring-stack.html
+[3]: https://docs.openshift.com/container-platform/4.15/monitoring/enabling-monitoring-for-user-defined-projects.html#enabling-monitoring-for-user-defined-projects_enabling-monitoring-for-user-defined-projects
+[4]: for testing purposes, you can build the bundle with `hack/ocp/test_create_bundle_ocp_image_in_quay.sh`

config/optional/prometheus/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 - monitor.yaml
 
 components:
-- ../../patches/common
+- ../../patches/common