Merge pull request #2452 from simonpasquier/OCPBUGS-39126

OCPBUGS-39126: disable user-defined monitoring per object

Author: openshift-merge-bot[bot]

assets/prometheus-user-workload/prometheus.yaml

@@ -204,7 +204,12 @@ spec:
       operator: NotIn
       values:
       - "false"
-  podMonitorSelector: {}
+  podMonitorSelector:
+    matchExpressions:
+    - key: openshift.io/user-monitoring
+      operator: NotIn
+      values:
+      - "false"
   priorityClassName: openshift-user-critical
   probeNamespaceSelector:
     matchExpressions:
@@ -216,7 +221,12 @@ spec:
       operator: NotIn
       values:
       - "false"
-  probeSelector: {}
+  probeSelector:
+    matchExpressions:
+    - key: openshift.io/user-monitoring
+      operator: NotIn
+      values:
+      - "false"
   replicas: 2
   resources:
     requests:
@@ -233,8 +243,15 @@ spec:
       values:
       - "false"
   ruleSelector:
-    matchLabels:
-      openshift.io/prometheus-rule-evaluation-scope: leaf-prometheus
+    matchExpressions:
+    - key: openshift.io/user-monitoring
+      operator: NotIn
+      values:
+      - "false"
+    - key: openshift.io/prometheus-rule-evaluation-scope
+      operator: In
+      values:
+      - leaf-prometheus
   scrapeConfigNamespaceSelector: null
   scrapeConfigSelector: null
   secrets:
@@ -259,7 +276,12 @@ spec:
       operator: NotIn
       values:
       - "false"
-  serviceMonitorSelector: {}
+  serviceMonitorSelector:
+    matchExpressions:
+    - key: openshift.io/user-monitoring
+      operator: NotIn
+      values:
+      - "false"
   thanos:
     image: quay.io/thanos/thanos:v0.36.1
     resources:

assets/thanos-ruler/thanos-ruler.yaml

@@ -129,6 +129,10 @@ spec:
       - "false"
   ruleSelector:
     matchExpressions:
+    - key: openshift.io/user-monitoring
+      operator: NotIn
+      values:
+      - "false"
     - key: openshift.io/prometheus-rule-evaluation-scope
       operator: NotIn
       values:

jsonnet/components/prometheus-user-workload.libsonnet

@@ -352,16 +352,20 @@ function(params)
           $.kubeRbacProxyFederateSecret.metadata.name,
         ],
         configMaps: ['serving-certs-ca-bundle', 'metrics-client-ca'],
-        probeSelector: {},
+        probeSelector: cfg.resourceSelector,
         probeNamespaceSelector: cfg.namespaceSelector,
-        podMonitorSelector: {},
+        podMonitorSelector: cfg.resourceSelector,
         podMonitorNamespaceSelector: cfg.namespaceSelector,
-        serviceMonitorSelector: {},
+        serviceMonitorSelector: cfg.resourceSelector,
         serviceMonitorNamespaceSelector: cfg.namespaceSelector,
-        ruleSelector: {
-          matchLabels: {
-            'openshift.io/prometheus-rule-evaluation-scope': 'leaf-prometheus',
-          },
+        ruleSelector: cfg.resourceSelector {
+          matchExpressions+: [
+            {
+              key: 'openshift.io/prometheus-rule-evaluation-scope',
+              operator: 'In',
+              values: ['leaf-prometheus'],
+            },
+          ],
         },
         ruleNamespaceSelector: cfg.namespaceSelector,
         scrapeConfigSelector: null,

jsonnet/components/thanos-ruler.libsonnet

@@ -389,8 +389,8 @@ function(params)
         },
         enforcedNamespaceLabel: 'namespace',
         listenLocal: true,
-        ruleSelector: {
-          matchExpressions:
+        ruleSelector: cfg.resourceSelector {
+          matchExpressions+:
             [
               {
                 key: 'openshift.io/prometheus-rule-evaluation-scope',

jsonnet/main.jsonnet

@@ -36,6 +36,15 @@ local commonConfig = {
       'openshift.io/cluster-monitoring': 'true',
     },
   },
+  userWorkloadMonitoringResourceSelector: {
+    matchExpressions: [
+      {
+        key: 'openshift.io/user-monitoring',
+        operator: 'NotIn',
+        values: ['false'],
+      },
+    ],
+  },
   userWorkloadMonitoringNamespaceSelector: {
     matchExpressions: [
       {
@@ -326,6 +335,7 @@ local inCluster =
           'app.kubernetes.io/name': 'thanos-ruler',
           'thanos-ruler': 'user-workload',
         },
+        resourceSelector: $.values.common.userWorkloadMonitoringResourceSelector,
         namespaceSelector: $.values.common.userWorkloadMonitoringNamespaceSelector,
         commonLabels+: $.values.common.commonLabels,
         kubeRbacProxyImage: $.values.common.images.kubeRbacProxy,
@@ -478,6 +488,7 @@ local userWorkload =
           requests: { memory: '30Mi', cpu: '6m' },
         },
         namespaces: [$.values.common.namespaceUserWorkload],
+        resourceSelector: $.values.common.userWorkloadMonitoringResourceSelector,
         namespaceSelector: $.values.common.userWorkloadMonitoringNamespaceSelector,
         thanos: inCluster.values.prometheus.thanos,
         tlsCipherSuites: $.values.common.tlsCipherSuites,

pkg/manifests/manifests.go

@@ -63,6 +63,9 @@ const (
 
 	nodeSelectorMaster = "node-role.kubernetes.io/master"
 
+	userMonitoringLabel    = "openshift.io/user-monitoring"
+	clusterMonitoringLabel = "openshift.io/cluster-monitoring"
+
 	platformAlertmanagerService     = "alertmanager-main"
 	userWorkloadAlertmanagerService = "alertmanager-user-workload"
 
@@ -476,17 +479,24 @@ func (f *Factory) AlertmanagerUserWorkload() (*monv1.Alertmanager, error) {
 	a.Spec.Secrets = append(a.Spec.Secrets, alertmanagerConfig.Secrets...)
 
 	if alertmanagerConfig.EnableAlertmanagerConfig {
-		a.Spec.AlertmanagerConfigSelector = &metav1.LabelSelector{}
-
+		a.Spec.AlertmanagerConfigSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      userMonitoringLabel,
+					Operator: metav1.LabelSelectorOpNotIn,
+					Values:   []string{"false"},
+				},
+			},
+		}
 		a.Spec.AlertmanagerConfigNamespaceSelector = &metav1.LabelSelector{
 			MatchExpressions: []metav1.LabelSelectorRequirement{
 				{
-					Key:      "openshift.io/cluster-monitoring",
+					Key:      clusterMonitoringLabel,
 					Operator: metav1.LabelSelectorOpNotIn,
 					Values:   []string{"true"},
 				},
 				{
-					Key:      "openshift.io/user-monitoring",
+					Key:      userMonitoringLabel,
 					Operator: metav1.LabelSelectorOpNotIn,
 					Values:   []string{"false"},
 				},
@@ -608,17 +618,25 @@ func (f *Factory) AlertmanagerMain() (*monv1.Alertmanager, error) {
 
 	if f.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.EnableUserAlertManagerConfig &&
 		!f.config.UserWorkloadConfiguration.Alertmanager.Enabled {
-		a.Spec.AlertmanagerConfigSelector = &metav1.LabelSelector{}
+		a.Spec.AlertmanagerConfigSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      userMonitoringLabel,
+					Operator: metav1.LabelSelectorOpNotIn,
+					Values:   []string{"false"},
+				},
+			},
+		}
 
 		a.Spec.AlertmanagerConfigNamespaceSelector = &metav1.LabelSelector{
 			MatchExpressions: []metav1.LabelSelectorRequirement{
 				{
-					Key:      "openshift.io/cluster-monitoring",
+					Key:      clusterMonitoringLabel,
 					Operator: metav1.LabelSelectorOpNotIn,
 					Values:   []string{"true"},
 				},
 				{
-					Key:      "openshift.io/user-monitoring",
+					Key:      userMonitoringLabel,
 					Operator: metav1.LabelSelectorOpNotIn,
 					Values:   []string{"false"},
 				},

pkg/manifests/manifests_test.go

@@ -3085,7 +3085,17 @@ ingress:
 			t.Fatal("expected 'alertmanagerConfigSelector' to configure selector")
 		}
 
-		if !reflect.DeepEqual(a.Spec.AlertmanagerConfigSelector, &metav1.LabelSelector{}) {
+		if !reflect.DeepEqual(
+			a.Spec.AlertmanagerConfigSelector,
+			&metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      userMonitoringLabel,
+						Operator: metav1.LabelSelectorOpNotIn,
+						Values:   []string{"false"},
+					},
+				},
+			}) {
 			t.Fatal("expected match all alertmanagerConfigSelector")
 		}
 
@@ -3098,13 +3108,13 @@ ingress:
 		}
 
 		expectPlatformOptIn := metav1.LabelSelectorRequirement{
-			Key:      "openshift.io/cluster-monitoring",
+			Key:      clusterMonitoringLabel,
 			Operator: metav1.LabelSelectorOpNotIn,
 			Values:   []string{"true"},
 		}
 
 		expectUWMOptIn := metav1.LabelSelectorRequirement{
-			Key:      "openshift.io/user-monitoring",
+			Key:      userMonitoringLabel,
 			Operator: metav1.LabelSelectorOpNotIn,
 			Values:   []string{"false"},
 		}

test/e2e/user_workload_monitoring_test.go

@@ -199,6 +199,7 @@ func TestUserWorkloadMonitoringOptOut(t *testing.T) {
 		f    func(*testing.T)
 	}{
 		{"assert namespace opt out removes appropriate targets", assertNamespaceOptOut},
+		{"assert service monitor opt out removes appropriate targets", assertServiceMonitorOptOut},
 	} {
 		t.Run(scenario.name, scenario.f)
 	}
@@ -1408,7 +1409,7 @@ func assertGRPCTLSRotation(t *testing.T) {
 func assertNamespaceOptOut(t *testing.T) {
 	ctx := context.Background()
 
-	serviceMonitorJobName := "serviceMonitor/user-workload-test/prometheus-example-monitor/0"
+	serviceMonitorJobName := fmt.Sprintf("serviceMonitor/%s/%s/0", userWorkloadTestNs, serviceMonitorTestName)
 
 	// Ensure the target for the example ServiceMonitor exists.
 	f.ThanosQuerierClient.WaitForTargetsReturn(t, 5*time.Minute, func(body []byte) error {
@@ -1459,3 +1460,58 @@ func assertNamespaceOptOut(t *testing.T) {
 		return getActiveTarget(body, serviceMonitorJobName)
 	})
 }
+
+func assertServiceMonitorOptOut(t *testing.T) {
+	ctx := context.Background()
+
+	serviceMonitorJobName := fmt.Sprintf("serviceMonitor/%s/%s/0", userWorkloadTestNs, serviceMonitorTestName)
+
+	// Ensure the target for the example ServiceMonitor exists.
+	f.ThanosQuerierClient.WaitForTargetsReturn(t, 5*time.Minute, func(body []byte) error {
+		return getActiveTarget(body, serviceMonitorJobName)
+	})
+
+	// Add opt-out label to service monitor.
+	sm, err := f.MonitoringClient.ServiceMonitors(userWorkloadTestNs).Get(ctx, serviceMonitorTestName, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to fetch user-workload service monitor: %v", err)
+	}
+
+	labels := sm.GetLabels()
+	labels["openshift.io/user-monitoring"] = "false"
+	sm.SetLabels(labels)
+
+	_, err = f.MonitoringClient.ServiceMonitors(userWorkloadTestNs).Update(ctx, sm, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to apply user-monitoring opt-out label: %v", err)
+	}
+
+	// Ensure the target for the example ServiceMonitor is removed.
+	f.ThanosQuerierClient.WaitForTargetsReturn(t, 5*time.Minute, func(body []byte) error {
+		if err := getActiveTarget(body, serviceMonitorJobName); err == nil {
+			return fmt.Errorf("target '%s' exists, but should not", serviceMonitorJobName)
+		}
+
+		return nil
+	})
+
+	// Remove opt-out label from namespace.
+	sm, err = f.MonitoringClient.ServiceMonitors(userWorkloadTestNs).Get(ctx, serviceMonitorTestName, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to fetch user-workload service monitor: %v", err)
+	}
+
+	labels = sm.GetLabels()
+	delete(labels, "openshift.io/user-monitoring")
+	sm.SetLabels(labels)
+
+	_, err = f.MonitoringClient.ServiceMonitors(userWorkloadTestNs).Update(ctx, sm, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to remove user-monitoring opt-out label: %v", err)
+	}
+
+	// Ensure the target for the example ServiceMonitor is recreated.
+	f.ThanosQuerierClient.WaitForTargetsReturn(t, 5*time.Minute, func(body []byte) error {
+		return getActiveTarget(body, serviceMonitorJobName)
+	})
+}

test/e2e/uwm_helpers.go

@@ -17,7 +17,8 @@ import (
 )
 
 const (
-	userWorkloadTestNs = "user-workload-test"
+	userWorkloadTestNs     = "user-workload-test"
+	serviceMonitorTestName = "prometheus-example-monitor"
 )
 
 var (
@@ -171,9 +172,9 @@ func deployUserApplication(t *testing.T, f *framework.Framework) error {
 
 	_, err = f.MonitoringClient.ServiceMonitors(userWorkloadTestNs).Create(ctx, &monitoringv1.ServiceMonitor{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "prometheus-example-monitor",
+			Name: serviceMonitorTestName,
 			Labels: map[string]string{
-				"k8s-app":                  "prometheus-example-monitor",
+				"k8s-app":                  serviceMonitorTestName,
 				framework.E2eTestLabelName: framework.E2eTestLabelValue,
 			},
 		},