diff --git a/Documentation/resources.adoc b/Documentation/resources.adoc index ca237453a9..038fc6e9d7 100644 --- a/Documentation/resources.adoc +++ b/Documentation/resources.adoc @@ -149,3 +149,14 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed. +[id="cmo-validatingwebhookconfigurations-resources"] +== CMO validatingwebhookconfigurations resources + +=== /alertmanagerconfigs.openshift.io + +Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. + +=== /prometheusrules.openshift.io + +Validating webhook for `PrometheusRule` custom resources. + diff --git a/Documentation/resources.md b/Documentation/resources.md index 68c25fd1dc..3cd767538f 100644 --- a/Documentation/resources.md +++ b/Documentation/resources.md @@ -165,3 +165,13 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed. +## ValidatingWebhookConfigurations + +### /alertmanagerconfigs.openshift.io + +Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. + +### /prometheusrules.openshift.io + +Validating webhook for `PrometheusRule` custom resources. + diff --git a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml index 344fdb41cd..67ba7bc37d 100644 --- a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml +++ b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml 
@@ -2,6 +2,8 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: + capability.openshift.io/name: OptionalMonitoring + openshift.io/description: Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: controller diff --git a/assets/admission-webhook/prometheus-rule-validating-webhook.yaml b/assets/admission-webhook/prometheus-rule-validating-webhook.yaml index 364e8b4aad..89e6675619 100644 --- a/assets/admission-webhook/prometheus-rule-validating-webhook.yaml +++ b/assets/admission-webhook/prometheus-rule-validating-webhook.yaml @@ -2,6 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: + openshift.io/description: Validating webhook for `PrometheusRule` custom resources. service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: controller diff --git a/assets/alertmanager-user-workload/alertmanager.yaml b/assets/alertmanager-user-workload/alertmanager.yaml index 5a401bc9eb..f97492d8f5 100644 --- a/assets/alertmanager-user-workload/alertmanager.yaml +++ b/assets/alertmanager-user-workload/alertmanager.yaml @@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: Alertmanager metadata: annotations: + capability.openshift.io/name: OptionalMonitoring operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator labels: app.kubernetes.io/component: alert-router diff --git a/assets/alertmanager-user-workload/cluster-role-binding.yaml b/assets/alertmanager-user-workload/cluster-role-binding.yaml index 67131fd71a..064194d24e 100644 --- a/assets/alertmanager-user-workload/cluster-role-binding.yaml +++ b/assets/alertmanager-user-workload/cluster-role-binding.yaml 
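Review bot: The new `openshift.io/description` in `assets/admission-webhook/alertmanager-config-validating-webhook.yaml` says when the webhook is deployed but not what its absence means for admission. I would append `When the capability is disabled, AlertmanagerConfig resources are not validated by this webhook.` and tighten `is a part of optional monitoring, and will only be deployed` to `is part of optional monitoring and is deployed only`. Separately, `capability.openshift.io/name` is only metadata here and the code that reads it is not in this hunk; please confirm it also removes an already-created webhook configuration, since a leftover one would keep pointing at a backend that may no longer run. The same question applies to the ClusterRole, ClusterRoleBinding, Role and RoleBinding manifests annotated in the later hunks, where a leftover object keeps its grant.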
@@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/alertmanager-user-workload/cluster-role.yaml b/assets/alertmanager-user-workload/cluster-role.yaml index 43ced39083..636e119875 100644 --- a/assets/alertmanager-user-workload/cluster-role.yaml +++ b/assets/alertmanager-user-workload/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml index fb936dff42..af19010987 100644 --- a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml +++ b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: alertmanager-user-workload diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml index ab374ffbe6..4b854a7183 100644 --- a/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml +++ b/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: alertmanager-user-workload 
diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml index 9dbb3880cd..3407e7a58e 100644 --- a/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml +++ b/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: alertmanager-user-workload diff --git a/assets/alertmanager-user-workload/pod-disruption-budget.yaml b/assets/alertmanager-user-workload/pod-disruption-budget.yaml index 3b9139d2fb..cd62534810 100644 --- a/assets/alertmanager-user-workload/pod-disruption-budget.yaml +++ b/assets/alertmanager-user-workload/pod-disruption-budget.yaml @@ -1,6 +1,8 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: user-workload diff --git a/assets/alertmanager-user-workload/secret.yaml b/assets/alertmanager-user-workload/secret.yaml index 3d3780669f..66679f7eaa 100644 --- a/assets/alertmanager-user-workload/secret.yaml +++ b/assets/alertmanager-user-workload/secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: user-workload diff --git a/assets/alertmanager-user-workload/service-account.yaml b/assets/alertmanager-user-workload/service-account.yaml index 9a0593efbd..d403846f2e 100644 --- a/assets/alertmanager-user-workload/service-account.yaml +++ b/assets/alertmanager-user-workload/service-account.yaml 
@@ -2,6 +2,8 @@ apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: user-workload diff --git a/assets/alertmanager-user-workload/service-monitor.yaml b/assets/alertmanager-user-workload/service-monitor.yaml index 84d5a21c3d..8614e42ea3 100644 --- a/assets/alertmanager-user-workload/service-monitor.yaml +++ b/assets/alertmanager-user-workload/service-monitor.yaml @@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: user-workload diff --git a/assets/alertmanager-user-workload/service.yaml b/assets/alertmanager-user-workload/service.yaml index 5cadee3e4a..a677eda3d3 100644 --- a/assets/alertmanager-user-workload/service.yaml +++ b/assets/alertmanager-user-workload/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: |- Expose the user-defined Alertmanager web server within the cluster on the following ports: * Port 9095 provides access to the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-api-reader` role (for read-only operations) or `monitoring-alertmanager-api-writer` role in the `openshift-user-workload-monitoring` project. diff --git a/assets/alertmanager-user-workload/trusted-ca-bundle.yaml b/assets/alertmanager-user-workload/trusted-ca-bundle.yaml index 9ce49bd9f3..1806c83380 100644 --- a/assets/alertmanager-user-workload/trusted-ca-bundle.yaml +++ b/assets/alertmanager-user-workload/trusted-ca-bundle.yaml 
@@ -3,6 +3,7 @@ data: {} kind: ConfigMap metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/owning-component: Monitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/alertmanager/alertmanager.yaml b/assets/alertmanager/alertmanager.yaml index f074056bcc..fcc3933a0b 100644 --- a/assets/alertmanager/alertmanager.yaml +++ b/assets/alertmanager/alertmanager.yaml @@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: Alertmanager metadata: annotations: + capability.openshift.io/name: OptionalMonitoring operator.prometheus.io/controller-id: openshift-monitoring/prometheus-operator labels: app.kubernetes.io/component: alert-router diff --git a/assets/alertmanager/cluster-role-binding.yaml b/assets/alertmanager/cluster-role-binding.yaml index 88b58b0d57..7202346c29 100644 --- a/assets/alertmanager/cluster-role-binding.yaml +++ b/assets/alertmanager/cluster-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/alertmanager/cluster-role.yaml b/assets/alertmanager/cluster-role.yaml index bd6eff9f11..30e525f062 100644 --- a/assets/alertmanager/cluster-role.yaml +++ b/assets/alertmanager/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml index a028c4b31a..f480fa2616 100644 --- a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml +++ b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml 
@@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: alertmanager-main diff --git a/assets/alertmanager/kube-rbac-proxy-secret.yaml b/assets/alertmanager/kube-rbac-proxy-secret.yaml index 767f1c0dbe..cf17da6356 100644 --- a/assets/alertmanager/kube-rbac-proxy-secret.yaml +++ b/assets/alertmanager/kube-rbac-proxy-secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: alertmanager-main diff --git a/assets/alertmanager/kube-rbac-proxy-web-secret.yaml b/assets/alertmanager/kube-rbac-proxy-web-secret.yaml index bd8c0731c2..4c85826b00 100644 --- a/assets/alertmanager/kube-rbac-proxy-web-secret.yaml +++ b/assets/alertmanager/kube-rbac-proxy-web-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/alertmanager/pod-disruption-budget.yaml b/assets/alertmanager/pod-disruption-budget.yaml index a6e600259c..b139586d02 100644 --- a/assets/alertmanager/pod-disruption-budget.yaml +++ b/assets/alertmanager/pod-disruption-budget.yaml @@ -1,6 +1,8 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: main diff --git a/assets/alertmanager/prometheus-rule.yaml b/assets/alertmanager/prometheus-rule.yaml index b9b60b8842..8a19e8ff0c 100644 --- a/assets/alertmanager/prometheus-rule.yaml +++ b/assets/alertmanager/prometheus-rule.yaml 
@@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: main diff --git a/assets/alertmanager/route.yaml b/assets/alertmanager/route.yaml index ada479a4a5..a2173b70b9 100644 --- a/assets/alertmanager/route.yaml +++ b/assets/alertmanager/route.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Route metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: Expose the `/api` endpoints of the `alertmanager-main` service via a router. labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/alertmanager/secret.yaml b/assets/alertmanager/secret.yaml index ba664f097b..cfe72864bd 100644 --- a/assets/alertmanager/secret.yaml +++ b/assets/alertmanager/secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: main diff --git a/assets/alertmanager/service-account.yaml b/assets/alertmanager/service-account.yaml index f55810dac3..495ffedcbd 100644 --- a/assets/alertmanager/service-account.yaml +++ b/assets/alertmanager/service-account.yaml @@ -2,6 +2,8 @@ apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: main diff --git a/assets/alertmanager/service-monitor.yaml b/assets/alertmanager/service-monitor.yaml index 0f133fbc8c..b06552bc38 100644 --- a/assets/alertmanager/service-monitor.yaml +++ b/assets/alertmanager/service-monitor.yaml 
@@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: alert-router app.kubernetes.io/instance: main diff --git a/assets/alertmanager/service.yaml b/assets/alertmanager/service.yaml index 557dbb1dab..8777622e29 100644 --- a/assets/alertmanager/service.yaml +++ b/assets/alertmanager/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: |- Expose the Alertmanager web server within the cluster on the following ports: * Port 9094 provides access to all the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-view` role (for read-only operations) or `monitoring-alertmanager-edit` role in the `openshift-monitoring` project. diff --git a/assets/alertmanager/trusted-ca-bundle.yaml b/assets/alertmanager/trusted-ca-bundle.yaml index 62f486b4b8..75b732479a 100644 --- a/assets/alertmanager/trusted-ca-bundle.yaml +++ b/assets/alertmanager/trusted-ca-bundle.yaml @@ -3,6 +3,7 @@ data: {} kind: ConfigMap metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/owning-component: Monitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml b/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml index 06dd397f4d..0fb8bccd9f 100644 --- a/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml +++ b/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring 
diff --git a/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml b/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml index e6f6a06133..36272e5838 100644 --- a/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml +++ b/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml b/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml index 26ab78673f..53dcee738b 100644 --- a/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml +++ b/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml index 08709cfb5b..2be0aa17f1 100644 --- a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml +++ b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring 
diff --git a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml index 5c16b9a2c2..9ad6b09284 100644 --- a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml +++ b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml b/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml index f0002e4ce5..a1fea86663 100644 --- a/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml +++ b/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/monitoring-plugin/console-plugin.yaml b/assets/monitoring-plugin/console-plugin.yaml index 03937afdf2..65bf2950f1 100644 --- a/assets/monitoring-plugin/console-plugin.yaml +++ b/assets/monitoring-plugin/console-plugin.yaml @@ -1,6 +1,8 @@ apiVersion: console.openshift.io/v1 kind: ConsolePlugin metadata: + annotations: + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml index b61d4b0063..21977d8534 100644 --- a/assets/monitoring-plugin/deployment.yaml +++ b/assets/monitoring-plugin/deployment.yaml 
@@ -1,6 +1,8 @@ apiVersion: apps/v1 kind: Deployment metadata: + annotations: + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/pod-disruption-budget.yaml b/assets/monitoring-plugin/pod-disruption-budget.yaml index 5af34f82eb..7badc26d9a 100644 --- a/assets/monitoring-plugin/pod-disruption-budget.yaml +++ b/assets/monitoring-plugin/pod-disruption-budget.yaml @@ -1,6 +1,8 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: + annotations: + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/service-account.yaml b/assets/monitoring-plugin/service-account.yaml index 45c000f9a1..0f7640edf2 100644 --- a/assets/monitoring-plugin/service-account.yaml +++ b/assets/monitoring-plugin/service-account.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: ServiceAccount metadata: + annotations: + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/service.yaml b/assets/monitoring-plugin/service.yaml index 4e4bfc2750..bc19eed4b4 100644 --- a/assets/monitoring-plugin/service.yaml +++ b/assets/monitoring-plugin/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: Console openshift.io/description: Expose the monitoring plugin service on port 9443. This port is for internal use, and no other usage is guaranteed. service.beta.openshift.io/serving-cert-secret-name: monitoring-plugin-cert labels: diff --git a/assets/prometheus-operator-user-workload/cluster-role-binding.yaml b/assets/prometheus-operator-user-workload/cluster-role-binding.yaml index f76857b012..dc38a02ac2 100644 
--- a/assets/prometheus-operator-user-workload/cluster-role-binding.yaml +++ b/assets/prometheus-operator-user-workload/cluster-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: controller app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-operator-user-workload/cluster-role.yaml b/assets/prometheus-operator-user-workload/cluster-role.yaml index 6ceb43bde6..b8397f8fa3 100644 --- a/assets/prometheus-operator-user-workload/cluster-role.yaml +++ b/assets/prometheus-operator-user-workload/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: controller app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-operator-user-workload/deployment.yaml b/assets/prometheus-operator-user-workload/deployment.yaml index c2a2e77d8a..761aefd85c 100644 --- a/assets/prometheus-operator-user-workload/deployment.yaml +++ b/assets/prometheus-operator-user-workload/deployment.yaml @@ -1,6 +1,8 @@ apiVersion: apps/v1 kind: Deployment metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: controller app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml index b7c4d8d441..1ded3c3636 100644 --- a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml +++ b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml 
@@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-operator-user-workload/service-account.yaml b/assets/prometheus-operator-user-workload/service-account.yaml index 369dad61e6..5ee6d1266a 100644 --- a/assets/prometheus-operator-user-workload/service-account.yaml +++ b/assets/prometheus-operator-user-workload/service-account.yaml @@ -2,6 +2,8 @@ apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: controller app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-operator-user-workload/service-monitor.yaml b/assets/prometheus-operator-user-workload/service-monitor.yaml index 42d7ba0379..4559b70a58 100644 --- a/assets/prometheus-operator-user-workload/service-monitor.yaml +++ b/assets/prometheus-operator-user-workload/service-monitor.yaml @@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: controller app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-operator-user-workload/service.yaml b/assets/prometheus-operator-user-workload/service.yaml index d3e10d32b3..82773020b7 100644 --- a/assets/prometheus-operator-user-workload/service.yaml +++ b/assets/prometheus-operator-user-workload/service.yaml 
@@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: Expose the `/metrics` endpoint on port 8443. This port is for internal use, and no other usage is guaranteed. service.beta.openshift.io/serving-cert-secret-name: prometheus-operator-user-workload-tls labels: diff --git a/assets/prometheus-user-workload/alertmanager-role-binding.yaml b/assets/prometheus-user-workload/alertmanager-role-binding.yaml index 30a7b67b88..04304c4465 100644 --- a/assets/prometheus-user-workload/alertmanager-role-binding.yaml +++ b/assets/prometheus-user-workload/alertmanager-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml b/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml index d10bf73219..fc2e3664b5 100644 --- a/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml +++ b/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/cluster-role-binding.yaml b/assets/prometheus-user-workload/cluster-role-binding.yaml index 3fc36b9bb4..d743d57e51 100644 --- a/assets/prometheus-user-workload/cluster-role-binding.yaml +++ b/assets/prometheus-user-workload/cluster-role-binding.yaml 
@@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/cluster-role.yaml b/assets/prometheus-user-workload/cluster-role.yaml index f538c1ba20..76ea95dace 100644 --- a/assets/prometheus-user-workload/cluster-role.yaml +++ b/assets/prometheus-user-workload/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/config-map.yaml b/assets/prometheus-user-workload/config-map.yaml index d283393d49..c1a62c565e 100644 --- a/assets/prometheus-user-workload/config-map.yaml +++ b/assets/prometheus-user-workload/config-map.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: ConfigMap metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/federate-route.yaml b/assets/prometheus-user-workload/federate-route.yaml index b2d97816f4..3947de0ddf 100644 --- a/assets/prometheus-user-workload/federate-route.yaml +++ b/assets/prometheus-user-workload/federate-route.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Route metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: Expose the `/federate` endpoint of the `prometheus-user-workload` service via a router. labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-user-workload/grpc-tls-secret.yaml b/assets/prometheus-user-workload/grpc-tls-secret.yaml index 67bad550a3..e4e336a493 100644 
--- a/assets/prometheus-user-workload/grpc-tls-secret.yaml +++ b/assets/prometheus-user-workload/grpc-tls-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: prometheus-k8s diff --git a/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml b/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml index fdd9a420dd..d4eca82bec 100644 --- a/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml +++ b/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml index a7db24da31..b958ae9677 100644 --- a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml +++ b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/pod-disruption-budget.yaml b/assets/prometheus-user-workload/pod-disruption-budget.yaml index daae86eef3..26625029e8 100644 --- a/assets/prometheus-user-workload/pod-disruption-budget.yaml +++ b/assets/prometheus-user-workload/pod-disruption-budget.yaml 
@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/prometheus.yaml b/assets/prometheus-user-workload/prometheus.yaml
index c608da0ac0..c1f976863f 100644
--- a/assets/prometheus-user-workload/prometheus.yaml
+++ b/assets/prometheus-user-workload/prometheus.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: Prometheus
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator
 labels:
 app.kubernetes.io/component: prometheus
diff --git a/assets/prometheus-user-workload/role-binding-config.yaml b/assets/prometheus-user-workload/role-binding-config.yaml
index f16968db54..b8ca31e909 100644
--- a/assets/prometheus-user-workload/role-binding-config.yaml
+++ b/assets/prometheus-user-workload/role-binding-config.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml b/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml
index 87f17e7447..1d5526c246 100644
--- a/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml
+++ b/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml
@@ -3,6 +3,8 @@ items:
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/role-config.yaml b/assets/prometheus-user-workload/role-config.yaml
index 7e67819024..11c3cb7816 100644
--- a/assets/prometheus-user-workload/role-config.yaml
+++ b/assets/prometheus-user-workload/role-config.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/role-specific-namespaces.yaml b/assets/prometheus-user-workload/role-specific-namespaces.yaml
index 20a03bcb08..6855f06fe9 100644
--- a/assets/prometheus-user-workload/role-specific-namespaces.yaml
+++ b/assets/prometheus-user-workload/role-specific-namespaces.yaml
@@ -3,6 +3,8 @@ items:
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/service-account.yaml b/assets/prometheus-user-workload/service-account.yaml
index 64ad0b2530..cf803a0dfa 100644
--- a/assets/prometheus-user-workload/service-account.yaml
+++ b/assets/prometheus-user-workload/service-account.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml b/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml
index 97aba2a46d..c9bdd63f8e 100644
--- a/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml
+++ b/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: thanos-sidecar
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/service-monitor.yaml b/assets/prometheus-user-workload/service-monitor.yaml
index 76ba2d168d..97c34044fd 100644
--- a/assets/prometheus-user-workload/service-monitor.yaml
+++ b/assets/prometheus-user-workload/service-monitor.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: prometheus
 app.kubernetes.io/instance: user-workload
diff --git a/assets/prometheus-user-workload/service-thanos-sidecar.yaml b/assets/prometheus-user-workload/service-thanos-sidecar.yaml
index fd38d75f4b..39d3977db7 100644
--- a/assets/prometheus-user-workload/service-thanos-sidecar.yaml
+++ b/assets/prometheus-user-workload/service-thanos-sidecar.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 service.beta.openshift.io/serving-cert-secret-name: prometheus-user-workload-thanos-sidecar-tls
 labels:
 app.kubernetes.io/component: thanos-sidecar
diff --git a/assets/prometheus-user-workload/service.yaml b/assets/prometheus-user-workload/service.yaml
index d831e75dfd..4993f74820 100644
--- a/assets/prometheus-user-workload/service.yaml
+++ b/assets/prometheus-user-workload/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: |-
 Expose the Prometheus web server within the cluster on the following ports:
 * Port 9091 provides access to the `/metrics` endpoint only. This port is for internal use, and no other usage is guaranteed.
diff --git a/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml b/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml
index 489150e295..e4f8c6c609 100644
--- a/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml
+++ b/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml
@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 service.beta.openshift.io/inject-cabundle: "true"
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-user-workload/trusted-ca-bundle.yaml b/assets/prometheus-user-workload/trusted-ca-bundle.yaml
index a78bc20399..d81191f54f 100644
--- a/assets/prometheus-user-workload/trusted-ca-bundle.yaml
+++ b/assets/prometheus-user-workload/trusted-ca-bundle.yaml
@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/owning-component: Monitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/thanos-ruler/alertmanager-role-binding.yaml b/assets/thanos-ruler/alertmanager-role-binding.yaml
index f05a468612..d876491324 100644
--- a/assets/thanos-ruler/alertmanager-role-binding.yaml
+++ b/assets/thanos-ruler/alertmanager-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml b/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml
index 8f38fad22f..3354542c46 100644
--- a/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml
+++ b/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/alertmanagers-config-secret.yaml b/assets/thanos-ruler/alertmanagers-config-secret.yaml
index 2b7e0a2126..b06dda27f1 100644
--- a/assets/thanos-ruler/alertmanagers-config-secret.yaml
+++ b/assets/thanos-ruler/alertmanagers-config-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: thanos-ruler
diff --git a/assets/thanos-ruler/cluster-role-binding-monitoring.yaml b/assets/thanos-ruler/cluster-role-binding-monitoring.yaml
index 92f7a269f6..8fafc30c5b 100644
--- a/assets/thanos-ruler/cluster-role-binding-monitoring.yaml
+++ b/assets/thanos-ruler/cluster-role-binding-monitoring.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/cluster-role-binding.yaml b/assets/thanos-ruler/cluster-role-binding.yaml
index 5f1cca1f00..d25d6233cd 100644
--- a/assets/thanos-ruler/cluster-role-binding.yaml
+++ b/assets/thanos-ruler/cluster-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/cluster-role.yaml b/assets/thanos-ruler/cluster-role.yaml
index ed0f77d538..23105d0c77 100644
--- a/assets/thanos-ruler/cluster-role.yaml
+++ b/assets/thanos-ruler/cluster-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/grpc-tls-secret.yaml b/assets/thanos-ruler/grpc-tls-secret.yaml
index 7e569f2035..92ac0fa6bb 100644
--- a/assets/thanos-ruler/grpc-tls-secret.yaml
+++ b/assets/thanos-ruler/grpc-tls-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: thanos-ruler
diff --git a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
index 39cad389a0..113b2424fb 100644
--- a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
+++ b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml b/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml
index 43d233b5c4..eb28e8a1ce 100644
--- a/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml
+++ b/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/pod-disruption-budget.yaml b/assets/thanos-ruler/pod-disruption-budget.yaml
index 5d5b983c69..fd8219f5e9 100644
--- a/assets/thanos-ruler/pod-disruption-budget.yaml
+++ b/assets/thanos-ruler/pod-disruption-budget.yaml
@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/query-config-secret.yaml b/assets/thanos-ruler/query-config-secret.yaml
index 5550318438..e1edbf511f 100644
--- a/assets/thanos-ruler/query-config-secret.yaml
+++ b/assets/thanos-ruler/query-config-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: thanos-ruler
diff --git a/assets/thanos-ruler/route.yaml b/assets/thanos-ruler/route.yaml
index b075687973..cf7310aef2 100644
--- a/assets/thanos-ruler/route.yaml
+++ b/assets/thanos-ruler/route.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Route
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: Expose the `/api` endpoints of the `thanos-ruler` service via a router.
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/thanos-ruler/service-account.yaml b/assets/thanos-ruler/service-account.yaml
index be216f7210..7c2a9b61cb 100644
--- a/assets/thanos-ruler/service-account.yaml
+++ b/assets/thanos-ruler/service-account.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 serviceaccounts.openshift.io/oauth-redirectreference.thanos-ruler-: ""
 labels:
 app.kubernetes.io/component: rule-evaluation-engine
diff --git a/assets/thanos-ruler/service-monitor.yaml b/assets/thanos-ruler/service-monitor.yaml
index de5cf2e516..e143b548a0 100644
--- a/assets/thanos-ruler/service-monitor.yaml
+++ b/assets/thanos-ruler/service-monitor.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: rule-evaluation-engine
 app.kubernetes.io/instance: thanos-ruler
diff --git a/assets/thanos-ruler/service.yaml b/assets/thanos-ruler/service.yaml
index 2e77562ea8..d37c375a5d 100644
--- a/assets/thanos-ruler/service.yaml
+++ b/assets/thanos-ruler/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: |-
 Expose the Thanos Ruler web server within the cluster on the following ports:
 * Port 9091 provides access to all Thanos Ruler endpoints. Granting access requires binding a user to the `cluster-monitoring-view` cluster role.
diff --git a/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml b/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml
index 761394633f..e5295907d6 100644
--- a/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml
+++ b/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/thanos-ruler/thanos-ruler.yaml b/assets/thanos-ruler/thanos-ruler.yaml
index 27f997c185..c5918a768a 100644
--- a/assets/thanos-ruler/thanos-ruler.yaml
+++ b/assets/thanos-ruler/thanos-ruler.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ThanosRuler metadata: annotations: + capability.openshift.io/name: OptionalMonitoring operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet index 75f1cde135..ff1f83a506 100644 --- a/jsonnet/components/admission-webhook.libsonnet +++ b/jsonnet/components/admission-webhook.libsonnet @@ -2,6 +2,7 @@ local tlsVolumeName = 'prometheus-operator-admission-webhook-tls'; local admissionWebhook = import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/admission-webhook.libsonnet'; local antiAffinity = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/addons/anti-affinity.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local aw = admissionWebhook(params); @@ -98,7 +99,7 @@ function(params) }, annotations: { 'service.beta.openshift.io/inject-cabundle': 'true', - }, + } + withDescription('Validating webhook for `PrometheusRule` custom resources.'), }, webhooks: [ { @@ -128,7 +129,7 @@ function(params) ], }, - alertmanagerConfigValidatingWebhook: { + alertmanagerConfigValidatingWebhook: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'admissionregistration.k8s.io/v1', kind: 'ValidatingWebhookConfiguration', metadata: { @@ -139,7 +140,7 @@ function(params) }, annotations: { 'service.beta.openshift.io/inject-cabundle': 'true', - }, + } + withDescription('Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled.'), }, webhooks: [ { 
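Review bot: The description added to `alertmanagerConfigValidatingWebhook` in hunk `@@ -139,7 +140,7 @@` documents the capability gating but not that validation is best-effort. The last hunk of this file shows `failurePolicy: 'Ignore'` inside the same object, so requests are admitted without validation whenever the webhook cannot be reached. I would append a sentence to the `withDescription(...)` text, for example `The webhook uses failurePolicy Ignore, so objects are admitted unvalidated when it is unavailable.`, so the generated `resources.md` and `resources.adoc` entries carry the caveat. Most of the webhook object lies outside the hunks, so the remaining fields could not be checked here.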
@@ -167,5 +168,5 @@ function(params) failurePolicy: 'Ignore', }, ], - }, + }), } diff --git a/jsonnet/components/alertmanager-user-workload.libsonnet b/jsonnet/components/alertmanager-user-workload.libsonnet index 5e0df6caab..6110babfa3 100644 --- a/jsonnet/components/alertmanager-user-workload.libsonnet +++ b/jsonnet/components/alertmanager-user-workload.libsonnet @@ -6,13 +6,14 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params { replicas: 2, }; - alertmanager(cfg) { + local o = alertmanager(cfg) { // Hide resources which are not needed because already deployed in the openshift-monitoring namespace. prometheusRule:: {}, @@ -414,4 +415,6 @@ function(params) ], }, }, - } + }; + + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet index 896623b9fa..de836b1452 100644 --- a/jsonnet/components/alertmanager.libsonnet +++ b/jsonnet/components/alertmanager.libsonnet 
@@ -7,13 +7,14 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescri local testFilePlaceholder = (import '../utils/add-annotations.libsonnet').testFilePlaceholder; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params { replicas: 2, }; - alertmanager(cfg) { + local o = alertmanager(cfg) { trustedCaBundle: generateCertInjection.trustedCNOCaBundleCM(cfg.namespace, 'alertmanager-trusted-ca-bundle'), // OpenShift route to access the Alertmanager UI. @@ -440,4 +441,6 @@ function(params) ], }, }, - } + }; + + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet index c9d2b9b8f5..58f1b3f89a 100644 --- a/jsonnet/components/cluster-monitoring-operator.libsonnet +++ b/jsonnet/components/cluster-monitoring-operator.libsonnet @@ -1,6 +1,7 @@ local metrics = import 'github.com/openshift/telemeter/jsonnet/telemeter/metrics.jsonnet'; local cmoRules = import './../rules.libsonnet'; +local optIntoCapability = import './../utils/opt-into-capability.libsonnet'; local kubePrometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/mixin/custom.libsonnet'; local defaults = { 
@@ -329,7 +330,7 @@ function(params) { // - get/list/watch permissions on alertingrules and alertrelabelconfigs to detect changes requiring reconciliation. // - all permissions on alertingrules/finalizers to set the `ownerReferences` field on generated prometheusrules. // - all permissions on alertingrules/status to set the status of alertingrules. - alertCustomizationRole: { + alertCustomizationRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -354,7 +355,7 @@ function(params) { verbs: ['*'], }, ], - }, + }), // This cluster role enables access to the Observe page in the admin console // and the different API services. @@ -422,7 +423,7 @@ function(params) { // This role enables read/write access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerEditRole: { + monitoringAlertmanagerEditRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -437,11 +438,11 @@ function(params) { verbs: ['*'], }, ], - }, + }), // This role enables read access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerViewRole: { + monitoringAlertmanagerViewRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -456,7 +457,7 @@ function(params) { verbs: ['get', 'list'], }, ], - }, + }), // This role provides read access to the user-workload Alertmanager API. // We use a fake subresource 'api' to map to the /api/* endpoints of the 
@@ -464,7 +465,7 @@ function(params) { // Using "nonResourceURLs" doesn't work because authenticated users and // service accounts are allowed to get /api/* by default. // See https://issues.redhat.com/browse/OCPBUGS-17850. - userWorkloadAlertmanagerApiReader: { + userWorkloadAlertmanagerApiReader: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -477,11 +478,11 @@ function(params) { resourceNames: ['user-workload'], verbs: ['get', 'list'], }], - }, + }), // This role provides read/write access to the user-workload Alertmanager API. // See the 'monitoring-alertmanager-api-reader' role for details. - userWorkloadAlertmanagerApiWriter: { + userWorkloadAlertmanagerApiWriter: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -494,7 +495,7 @@ function(params) { resourceNames: ['user-workload'], verbs: ['*'], }], - }, + }), monitoringEditClusterRole: { apiVersion: 'rbac.authorization.k8s.io/v1', @@ -538,7 +539,7 @@ function(params) { }, // This role provides read/write access to the user-workload monitoring configuration. - userWorkloadConfigEditRole: { + userWorkloadConfigEditRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -551,10 +552,10 @@ function(params) { resources: ['configmaps'], verbs: ['get', 'list', 'watch', 'patch', 'update'], }], - }, + }), // This cluster role can be referenced in a RoleBinding object to provide read/write access to AlertmanagerConfiguration objects for a project. - alertingEditClusterRole: { + alertingEditClusterRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'ClusterRole', metadata: { @@ -565,5 +566,5 @@ function(params) { resources: ['alertmanagerconfigs'], verbs: ['*'], }], - }, + }), } 
diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet index 15de856eff..d07c169aeb 100644 --- a/jsonnet/components/monitoring-plugin.libsonnet +++ b/jsonnet/components/monitoring-plugin.libsonnet @@ -1,4 +1,5 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params; @@ -20,7 +21,7 @@ function(params) local tlsCertPath = tlsMountPath + '/tls.crt'; local tlsKeyPath = tlsMountPath + '/tls.key'; - { + local o = { _config+:: { name: pluginName, namespace: 'openshift-monitoring', @@ -223,4 +224,6 @@ function(params) }, // template }, // spec }, // deployment - } + }; + + optIntoCapability.consoleForObjectWithWalk(o) diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet index 049b057c2e..ee6f5157f9 100644 --- a/jsonnet/components/prometheus-operator-user-workload.libsonnet +++ b/jsonnet/components/prometheus-operator-user-workload.libsonnet @@ -4,11 +4,12 @@ local operator = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/ local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local po = operator(params); - po { + local opo = po { mixin:: null, prometheusRule:: null, @@ -196,4 +197,6 @@ function(params) ], }, }, - } + }; + + optIntoCapability.optionalMonitoringForObjectWithWalk(opo) diff --git a/jsonnet/components/prometheus-operator.libsonnet b/jsonnet/components/prometheus-operator.libsonnet index f6a5d2ae87..84e8b75fc1 100644 --- a/jsonnet/components/prometheus-operator.libsonnet +++ b/jsonnet/components/prometheus-operator.libsonnet 
@@ -6,14 +6,36 @@ local conversionWebhook = import 'github.com/prometheus-operator/prometheus-oper local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoCapability = import '../utils/opt-into-capability.libsonnet'; function(params) local po = operator(params); po { + '0thanosrulerCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, + '0probeCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, + '0alertmanagerCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, '0alertmanagerConfigCustomResourceDefinition'+: // Add v1beta1 AlertmanagerConfig version. - (import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + + optIntoCapability.optionalMonitoringForObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + // Enable conversion webhook. conversionWebhook(params.conversionWebhook), diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet index 1b7c425732..e948ecddc3 100644 --- a/jsonnet/components/prometheus-user-workload.libsonnet +++ b/jsonnet/components/prometheus-user-workload.libsonnet 
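Review bot: The three CRD overrides added in `@@ -6,14 +6,36 @@` (`0thanosrulerCustomResourceDefinition`, `0probeCustomResourceDefinition`, `0alertmanagerCustomResourceDefinition`) spell out `'capability.openshift.io/name': 'OptionalMonitoring'` by hand, although the same hunk imports `optIntoCapability` and uses it for the AlertmanagerConfig CRD. Routing all four through the helper keeps the annotation key and value in one place, so a rename cannot leave some CRDs tagged differently from the objects they belong to. For example: `'0probeCustomResourceDefinition': optIntoCapability.optionalMonitoringForObject(super['0probeCustomResourceDefinition']),`. The `po { … }` object continues past the end of the hunk.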
@@ -2,12 +2,13 @@ local generateCertInjection = import '../utils/generate-certificate-injection.li local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); local prometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/prometheus.libsonnet'; function(params) local cfg = params; - prometheus(cfg) + { + local o = prometheus(cfg) + { // Hide not needed resources prometheusRule:: {}, @@ -611,4 +612,6 @@ function(params) automountServiceAccountToken: false, }, - } + }; + + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet index 25457df563..6549920916 100644 --- a/jsonnet/components/thanos-ruler.libsonnet +++ b/jsonnet/components/thanos-ruler.libsonnet @@ -3,6 +3,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local ruler = import 'github.com/thanos-io/kube-thanos/jsonnet/kube-thanos/kube-thanos-rule.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); local defaults = { volumeClaimTemplate: {}, @@ -13,7 +14,7 @@ function(params) local cfg = defaults + params; local tr = ruler(cfg); - tr { + local o = tr { mixin:: (import 'github.com/thanos-io/thanos/mixin/alerts/rule.libsonnet') { targetGroups: { namespace: tr.config.namespace, @@ -569,4 +570,6 @@ function(params) statefulSet:: {}, - } + }; + + optIntoCapability.optionalMonitoringForObjectWithWalk(o) 
diff --git a/jsonnet/utils/opt-into-capability.libsonnet b/jsonnet/utils/opt-into-capability.libsonnet
new file mode 100644
index 0000000000..30ff66a9c7
--- /dev/null
+++ b/jsonnet/utils/opt-into-capability.libsonnet
@@ -0,0 +1,39 @@
+{
+ local addAnnotationToChild(o, key, value) =
+ o {
+ metadata+: {
+ annotations+: {
+ [key]: value,
+ },
+ },
+ },
+ local addAnnotationToChildren(o, key, value) =
+ local listKinds = std.set(['RoleList', 'RoleBindingList']);
+ o {
+ [k]:
+ if std.objectHas(o[k], 'kind') && std.setMember(o[k].kind, listKinds) && std.objectHas(o[k], 'items')
+ then
+ o[k] {
+ items: [addAnnotationToChild(item, key, value) for item in o[k].items],
+ }
+ else
+ addAnnotationToChild(o[k], key, value)
+ for k in std.objectFields(o)
+ },
+
+ local annotationKeyCapability = 'capability.openshift.io/name',
+ local annotationValueConsoleCapability = 'Console',
+ local annotationValueOptionalMonitoringCapability = 'OptionalMonitoring',
+
+ // consoleForObject adds the Console capability annotation to a single object.
+ consoleForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueConsoleCapability),
+
+ // consoleForObjectWithWalk adds the Console capability annotation to all objects in the given parent object, iteratively.
+ consoleForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueConsoleCapability),
+
+ // optionalMonitoringForObject adds the OptionalMonitoring capability annotation to a single object.
+ optionalMonitoringForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability),
+
+ // optionalMonitoringForObjectWithWalk adds the OptionalMonitoring capability annotation to all objects in the given parent object, iteratively.
+ optionalMonitoringForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability),
+}
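Review bot: `addAnnotationToChildren` unwraps only `RoleList` and `RoleBindingList`, so a component field holding any other list kind would get the annotation on the wrapper object and none on its items, with no error. Because the walk is applied to whole components that contain RBAC objects, Secrets and Services, an item silently left without `capability.openshift.io/name` would presumably be treated as not belonging to the capability. Matching on the suffix avoids maintaining the set: `if std.objectHas(o[k], 'kind') && std.endsWith(o[k].kind, 'List') && std.objectHas(o[k], 'items')`. The `*WithWalk` comments also say "iteratively", but only visible top-level fields of `o` are visited; I would reword them to `adds the annotation to every visible top-level field of o, and to each item of list-kind fields`.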
diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml
index f324cc1bd5..d5ace4020f 100644
--- a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml
+++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml
@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 controller-gen.kubebuilder.io/version: v0.19.0
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/ibm-cloud-managed: "true"
diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml
index c356dcc8d5..8387e0eea0 100644
--- a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml
+++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml
@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 controller-gen.kubebuilder.io/version: v0.19.0
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/ibm-cloud-managed: "true"
diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml
index 7b92fde141..58ee9aefae 100644
--- a/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml
+++ b/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml
@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml index 9f13bef1e6..3d1e5010bd 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml b/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml index d724c6a5b8..98464709bd 100644 --- a/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml @@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: + capability.openshift.io/name: OptionalMonitoring include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" diff --git a/pkg/client/client.go b/pkg/client/client.go index e9058276f3..e6b79aef0c 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go 
@@ -1748,6 +1748,10 @@ func (c *Client) HasConsoleCapability(ctx context.Context) (bool, error) { return c.HasClusterCapability(ctx, configv1.ClusterVersionCapabilityConsole) } +func (c *Client) HasOptionalMonitoringCapability(ctx context.Context) (bool, error) { + return true, nil // TODO: implement when the capability is added in /api +} + // CreateOrUpdateConsolePlugin function uses retries because API requests related to the ConsolePlugin resource // may depend on the availability of a conversion container. This container is part of the console-operator Pod, which is not duplicated. // If this pod is down (due to restarts for upgrades or other reasons), transient failures will be reported. diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 91f8e6ecc7..1e163349bb 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go 
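Review bot: `HasOptionalMonitoringCapability` is exported without a doc comment and always returns `true, nil`, so every gate this commit adds under pkg/tasks is inert and the disabled path is never taken at runtime. Say so on the method, for example `// HasOptionalMonitoringCapability reports whether the OptionalMonitoring capability is enabled. It is a stub that always returns true until the capability is defined in the API.`, so callers do not read the result as a real cluster lookup. Until the stub is replaced, the disabled branches can only be covered by tests that substitute the result.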
@@ -798,35 +798,40 @@ func (o *Operator) sync(ctx context.Context, key string) error { // should also be created first because it is referenced by Prometheus. tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("MetricsScrapingClientCA", tasks.NewMetricsClientCATask(o.client, factory, config)), - newTaskSpec("PrometheusOperator", tasks.NewPrometheusOperatorTask(o.client, factory)), + newTaskSpec(tasks.MetricsClientCATaskName, tasks.NewMetricsClientCATask(o.client, factory, config)), + newTaskSpec(tasks.PrometheusOperatorTaskName, tasks.NewPrometheusOperatorTask(o.client, factory)), }), tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("ClusterMonitoringOperatorDeps", tasks.NewClusterMonitoringOperatorTask(o.client, factory, config)), - newTaskSpec("Prometheus", tasks.NewPrometheusTask(o.client, factory, config)), - newTaskSpec("Alertmanager", tasks.NewAlertmanagerTask(o.client, factory, config)), - newTaskSpec("NodeExporter", tasks.NewNodeExporterTask(o.client, factory)), - newTaskSpec("KubeStateMetrics", tasks.NewKubeStateMetricsTask(o.client, factory)), - newTaskSpec("OpenshiftStateMetrics", tasks.NewOpenShiftStateMetricsTask(o.client, factory)), - newTaskSpec("MetricsServer", tasks.NewMetricsServerTask(ctx, o.namespace, o.client, factory, config)), - newTaskSpec("TelemeterClient", tasks.NewTelemeterClientTask(o.client, factory, config)), - newTaskSpec("ThanosQuerier", tasks.NewThanosQuerierTask(o.client, factory, config)), - newTaskSpec("ControlPlaneComponents", tasks.NewControlPlaneTask(o.client, factory, config)), - newTaskSpec("ConsolePluginComponents", tasks.NewMonitoringPluginTask(o.client, factory, config)), + newTaskSpec(tasks.ClusterMonitoringOperatorTaskName, tasks.NewClusterMonitoringOperatorTask(o.client, factory, config)), + newTaskSpec(tasks.PrometheusTaskName, tasks.NewPrometheusTask(o.client, factory, config)), + newTaskSpec(tasks.AlertmanagerTaskName, tasks.NewAlertmanagerTask(o.client, factory, config)), + 
newTaskSpec(tasks.NodeExporterTaskName, tasks.NewNodeExporterTask(o.client, factory)), + newTaskSpec(tasks.KubeStateMetricsTaskName, tasks.NewKubeStateMetricsTask(o.client, factory)), + newTaskSpec(tasks.OpenshiftStateMetricsTaskName, tasks.NewOpenShiftStateMetricsTask(o.client, factory)), + newTaskSpec(tasks.MetricsServerTaskName, tasks.NewMetricsServerTask(ctx, o.namespace, o.client, factory, config)), + newTaskSpec(tasks.TelemeterClientTaskName, tasks.NewTelemeterClientTask(o.client, factory, config)), + newTaskSpec(tasks.ThanosQuerierTaskName, tasks.NewThanosQuerierTask(o.client, factory, config)), + newTaskSpec(tasks.ControlPlaneTaskName, tasks.NewControlPlaneTask(o.client, factory, config)), + newTaskSpec(tasks.MonitoringPluginTaskName, tasks.NewMonitoringPluginTask(o.client, factory, config)), // Tried to run the UWM prom-operator in the first group, but some e2e tests started failing. - newUWMTaskSpec("PrometheusOperator", tasks.NewPrometheusOperatorUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("Prometheus", tasks.NewPrometheusUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("Alertmanager", tasks.NewAlertmanagerUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("ThanosRuler", tasks.NewThanosRulerUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.PrometheusOperatorUWMTaskName, tasks.NewPrometheusOperatorUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.PrometheusUWMTaskName, tasks.NewPrometheusUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.AlertmanagerUWMTaskName, tasks.NewAlertmanagerUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.ThanosRulerUWMTaskName, tasks.NewThanosRulerUserWorkloadTask(o.client, factory, config)), }), // The shared configmap depends on resources being created by the previous tasks hence run it last. 
tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("ConfigurationSharing", tasks.NewConfigSharingTask(o.client, factory, config)), + newTaskSpec(tasks.ConfigSharingTaskName, tasks.NewConfigSharingTask(o.client, factory, config)), }, ), ) + // Skip optional tasks if OptionalMonitoring capability is disabled. + err = tl.MaybeSkipOptionalTasks() + if err != nil { + return fmt.Errorf("failed to assess optional tasks: %w", err) + } klog.Info("Updating ClusterOperator status to InProgress.") err = o.client.StatusReporter().SetRollOutInProgress(ctx) if err != nil { diff --git a/pkg/tasks/clustermonitoringoperator.go b/pkg/tasks/clustermonitoringoperator.go index 843f15ad59..0f601e9f1d 100644 --- a/pkg/tasks/clustermonitoringoperator.go +++ b/pkg/tasks/clustermonitoringoperator.go 
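Review bot: `tl.MaybeSkipOptionalTasks()` is called without the `ctx` that `sync` already holds, and the implementation in pkg/tasks/tasks.go uses `context.Background()` for the capability lookup. Once that lookup becomes a real API call it will ignore the cancellation and deadline of the sync. Pass the context through, `err = tl.MaybeSkipOptionalTasks(ctx)`, with the method taking `ctx context.Context`. The individual tasks look the capability up again in their own `Run`, so resolving it once here and handing the result down would also keep a single sync from acting on two different answers. `sync` starts and ends outside this hunk.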
@@ -45,15 +45,23 @@ func NewClusterMonitoringOperatorTask( } func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error { - for name, crf := range map[string]func() (*rbacv1.ClusterRole, error){ + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) + if err != nil { + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) + } + + crfs := map[string]func() (*rbacv1.ClusterRole, error){ "cluster-monitoring-view": t.factory.ClusterMonitoringClusterRoleView, "system:aggregated-metrics-reader": t.factory.ClusterMonitoringClusterRoleAggregatedMetricsReader, "pod-metrics-reader": t.factory.ClusterMonitoringClusterRolePodMetricsReader, "monitoring-rules-edit": t.factory.ClusterMonitoringRulesEditClusterRole, "monitoring-rules-view": t.factory.ClusterMonitoringRulesViewClusterRole, "monitoring-edit": t.factory.ClusterMonitoringEditClusterRole, - "alert-routing-edit": t.factory.ClusterMonitoringAlertingEditClusterRole, - } { + } + if optionalMonitoringEnabled { + crfs["alert-routing-edit"] = t.factory.ClusterMonitoringAlertingEditClusterRole + } + for name, crf := range crfs { cr, err := crf() if err != nil { return fmt.Errorf("initializing %s ClusterRole failed: %w", name, err) 
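Review bot: With the capability off, the `alert-routing-edit` ClusterRole is left out of `crfs` and is no longer reconciled, but nothing visible here removes one that an earlier sync created. The same holds for the three UserWorkload roles wrapped in `if optionalMonitoringEnabled` in the next hunk and for the AlertmanagerConfig webhook in pkg/tasks/prometheusoperator.go. If a cluster can reach this path with those objects already present, the RBAC grants and the webhook registration stay in place unmanaged. Either add a delete path for the disabled case or, if the platform guarantees this cannot happen, record that at the gate with a comment such as `// No cleanup needed: the capability cannot be turned off once these objects exist.`. `Run` continues outside this hunk.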
@@ -65,34 +73,35 @@ func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error { } } - uwcr, err := t.factory.ClusterMonitoringEditUserWorkloadConfigRole() - if err != nil { - return fmt.Errorf("initializing UserWorkloadConfigEdit Role failed: %w", err) - } - - err = t.client.CreateOrUpdateRole(ctx, uwcr) - if err != nil { - return fmt.Errorf("reconciling UserWorkloadConfigEdit Role failed: %w", err) - } + if optionalMonitoringEnabled { + uwcr, err := t.factory.ClusterMonitoringEditUserWorkloadConfigRole() + if err != nil { + return fmt.Errorf("initializing UserWorkloadConfigEdit Role failed: %w", err) + } - uwar, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiReader() - if err != nil { - return fmt.Errorf("initializing UserWorkloadAlertmanagerApiReader Role failed: %w", err) - } + err = t.client.CreateOrUpdateRole(ctx, uwcr) + if err != nil { + return fmt.Errorf("reconciling UserWorkloadConfigEdit Role failed: %w", err) + } + uwar, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiReader() + if err != nil { + return fmt.Errorf("initializing UserWorkloadAlertmanagerApiReader Role failed: %w", err) + } - err = t.client.CreateOrUpdateRole(ctx, uwar) - if err != nil { - return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiReader Role failed: %w", err) - } + err = t.client.CreateOrUpdateRole(ctx, uwar) + if err != nil { + return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiReader Role failed: %w", err) + } - uwaw, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiWriter() - if err != nil { - return fmt.Errorf("initializing UserWorkloadAlertmanagerApiWriter Role failed: %w", err) - } + uwaw, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiWriter() + if err != nil { + return fmt.Errorf("initializing UserWorkloadAlertmanagerApiWriter Role failed: %w", err) + } - err = t.client.CreateOrUpdateRole(ctx, uwaw) - if err != nil { - return fmt.Errorf("reconciling 
UserWorkloadAlertmanagerApiWriter Role failed: %w", err) + err = t.client.CreateOrUpdateRole(ctx, uwaw) + if err != nil { + return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiWriter Role failed: %w", err) + } } amrr, err := t.factory.ClusterMonitoringAlertManagerViewRole() @@ -104,8 +113,7 @@ func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error { if err != nil { return fmt.Errorf("initializing AlertmanagerWrite Role failed: %w", err) } - - if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { + if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled { if err = t.client.CreateOrUpdateRole(ctx, amwr); err != nil { return fmt.Errorf("reconciling AlertmanagerWrite Role failed: %w", err) } diff --git a/pkg/tasks/configsharing.go b/pkg/tasks/configsharing.go index d91e5ca780..aef2205747 100644 --- a/pkg/tasks/configsharing.go +++ b/pkg/tasks/configsharing.go @@ -57,7 +57,11 @@ func (t *ConfigSharingTask) Run(ctx context.Context) error { return fmt.Errorf("failed to retrieve Prometheus host: %w", err) } - if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) + if err != nil { + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) + } + if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled { amRoute, err := t.factory.AlertmanagerRoute() if err != nil { return fmt.Errorf("initializing Alertmanager Route failed: %w", err) diff --git a/pkg/tasks/prometheus.go b/pkg/tasks/prometheus.go index ba67e70641..449b71d87f 100644 --- a/pkg/tasks/prometheus.go +++ b/pkg/tasks/prometheus.go 
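Review bot: In the `@@ -104,8 +113,7 @@` hunk the condition becomes `AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled`, but the branch taken when it is false lies outside the hunk. With the capability disabled, that branch now also runs on clusters whose configuration enables Alertmanager, so it should be checked that it behaves as wanted there, including when the AlertmanagerWrite Role was never created. The same compound test is repeated in pkg/tasks/configsharing.go and pkg/tasks/prometheus.go. A short comment at each site, for example `// Alertmanager objects are reconciled only when enabled in config and OptionalMonitoring is on.`, would record the intent.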
@@ -173,7 +173,11 @@ func (t *PrometheusTask) create(ctx context.Context) error { return fmt.Errorf("initializing Prometheus Alertmanager RoleBinding failed: %w", err) } - if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) + if err != nil { + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) + } + if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled { if err = t.client.CreateOrUpdateRoleBinding(ctx, amrb); err != nil { return fmt.Errorf("reconciling Prometheus Alertmanager RoleBinding failed: %w", err) } diff --git a/pkg/tasks/prometheusoperator.go b/pkg/tasks/prometheusoperator.go index 4ecb05e078..c53986df19 100644 --- a/pkg/tasks/prometheusoperator.go +++ b/pkg/tasks/prometheusoperator.go @@ -180,14 +180,20 @@ func (t *PrometheusOperatorTask) runAdmissionWebhook(ctx context.Context) error return fmt.Errorf("reconciling Prometheus Rule Validating Webhook failed: %w", err) } - aw, err := t.factory.AlertManagerConfigValidatingWebhook() + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) if err != nil { - return fmt.Errorf("initializing AlertManagerConfig Validating Webhook failed: %w", err) + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) } + if optionalMonitoringEnabled { + aw, err := t.factory.AlertManagerConfigValidatingWebhook() + if err != nil { + return fmt.Errorf("initializing AlertManagerConfig Validating Webhook failed: %w", err) + } - err = t.client.CreateOrUpdateValidatingWebhookConfiguration(ctx, aw) - if err != nil { - return fmt.Errorf("reconciling AlertManagerConfig Validating Webhook failed: %w", err) + err = t.client.CreateOrUpdateValidatingWebhookConfiguration(ctx, aw) + if err != nil { + return fmt.Errorf("reconciling AlertManagerConfig Validating Webhook failed: %w", err) + } } return nil 
diff --git a/pkg/tasks/tasks.go b/pkg/tasks/tasks.go index abc2c8ea02..c4f365dc38 100644 --- a/pkg/tasks/tasks.go +++ b/pkg/tasks/tasks.go @@ -20,11 +20,33 @@ import ( "strings" "golang.org/x/sync/errgroup" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" "github.com/openshift/cluster-monitoring-operator/pkg/client" ) +const ( + MetricsClientCATaskName = "MetricsScrapingClientCA" + PrometheusOperatorTaskName = "PrometheusOperator" + ClusterMonitoringOperatorTaskName = "ClusterMonitoringOperatorDeps" + PrometheusTaskName = "Prometheus" + AlertmanagerTaskName = "Alertmanager" + NodeExporterTaskName = "NodeExporter" + KubeStateMetricsTaskName = "KubeStateMetrics" + OpenshiftStateMetricsTaskName = "OpenshiftStateMetrics" + MetricsServerTaskName = "MetricsServer" + TelemeterClientTaskName = "TelemeterClient" + ThanosQuerierTaskName = "ThanosQuerier" + ControlPlaneTaskName = "ControlPlaneComponents" + MonitoringPluginTaskName = "ConsolePluginComponents" + PrometheusOperatorUWMTaskName = "PrometheusOperator" + PrometheusUWMTaskName = "Prometheus" + AlertmanagerUWMTaskName = "Alertmanager" + ThanosRulerUWMTaskName = "ThanosRuler" + ConfigSharingTaskName = "ConfigurationSharing" +) + // TaskRunner manages lists of task groups. Through the RunAll method task groups are // executed, the groups sequentially, each group of tasks concurrently. type TaskRunner struct { 
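Review bot: The UWM constants reuse the string values of the platform ones: `PrometheusOperatorUWMTaskName`, `PrometheusUWMTaskName` and `AlertmanagerUWMTaskName` are `"PrometheusOperator"`, `"Prometheus"` and `"Alertmanager"`, identical to `PrometheusOperatorTaskName`, `PrometheusTaskName` and `AlertmanagerTaskName`. `MaybeSkipOptionalTasks` in the next hunk builds a string set from the UWM constants and filters on `t.Name`, so that set also contains the platform Prometheus and Prometheus operator names. Whether `newUWMTaskSpec` in pkg/operator/operator.go alters the registered name is not visible here; if it does, the UWM entries never match and the platform tasks are the ones skipped, and if it does not, both sets are skipped. Give the UWM constants the exact names the tasks are registered under, or mark optional tasks with a field on `TaskSpec` instead of matching by name.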
@@ -41,6 +63,44 @@ func NewTaskRunner(client *client.Client, taskGroups ...*TaskGroup) *TaskRunner } } +func (tl *TaskRunner) MaybeSkipOptionalTasks() error { + // Optional tasks reflect components that fall under optional monitoring, which will be skipped (not deployed) + // if the `OptionalMonitoring` capability is disabled. + optionalTasks := sets.New[string]( + AlertmanagerTaskName, + PrometheusOperatorUWMTaskName, + PrometheusUWMTaskName, + AlertmanagerUWMTaskName, + ThanosRulerUWMTaskName, + ) + optionalMonitoringEnabled, err := tl.client.HasOptionalMonitoringCapability(context.Background()) + if err != nil { + return fmt.Errorf("could not determine optional monitoring capability status: %w", err) + } + if optionalMonitoringEnabled { + klog.V(2).Infof("OptionalMonitoring capability is enabled, all monitoring components will be deployed") + return nil + } + + var filteredTaskGroups []*TaskGroup + for _, tg := range tl.taskGroups { + var filteredTasks []*TaskSpec + for _, t := range tg.tasks { + if optionalTasks.Has(t.Name) { + klog.V(2).Infof("skipping optional monitoring component %q as OptionalMonitoring capability is disabled", t.Name) + continue + } + filteredTasks = append(filteredTasks, t) + } + if len(filteredTasks) > 0 { + filteredTaskGroups = append(filteredTaskGroups, &TaskGroup{tasks: filteredTasks}) + } + } + tl.taskGroups = append([]*TaskGroup{}, filteredTaskGroups...) + + return nil +} + // RunAll executes all registered task groups sequentially. For each group the // taskGroup.RunConcurrently function is called.