MON-4361,MON-4380: Optional Monitoring Capability

Documentation/resources.adoc

@@ -149,3 +149,14 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us
 
 Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed.
 
+[id="cmo-validatingwebhookconfigurations-resources"]
+== CMO validatingwebhookconfigurations resources
+
+=== /alertmanagerconfigs.openshift.io
+
+Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled.
+
+=== /prometheusrules.openshift.io
+
+Validating webhook for `PrometheusRule` custom resources.
+

Documentation/resources.md

@@ -165,3 +165,13 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us
 
 Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed.
 
+## ValidatingWebhookConfigurations
+
+### /alertmanagerconfigs.openshift.io
+
+Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled.
+
+### /prometheusrules.openshift.io
+
+Validating webhook for `PrometheusRule` custom resources.
+

assets/admission-webhook/alertmanager-config-validating-webhook.yaml

@@ -2,6 +2,8 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
+    openshift.io/description: Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled.
     service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: controller

assets/admission-webhook/prometheus-rule-validating-webhook.yaml

@@ -2,6 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
+    openshift.io/description: Validating webhook for `PrometheusRule` custom resources.
     service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: controller

assets/alertmanager-user-workload/alertmanager.yaml

@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: Alertmanager
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator
   labels:
     app.kubernetes.io/component: alert-router

assets/alertmanager-user-workload/cluster-role-binding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/alertmanager-user-workload/cluster-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-user-workload

assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-user-workload

assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-user-workload

assets/alertmanager-user-workload/pod-disruption-budget.yaml

@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload

assets/alertmanager-user-workload/secret.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload

assets/alertmanager-user-workload/service-account.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload

assets/alertmanager-user-workload/service-monitor.yaml

@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload

assets/alertmanager-user-workload/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     openshift.io/description: |-
       Expose the user-defined Alertmanager web server within the cluster on the following ports:
       * Port 9095 provides access to the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-api-reader` role (for read-only operations) or `monitoring-alertmanager-api-writer` role in the `openshift-user-workload-monitoring` project.

assets/alertmanager-user-workload/trusted-ca-bundle.yaml

@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     openshift.io/owning-component: Monitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/alertmanager/alertmanager.yaml

@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: Alertmanager
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     operator.prometheus.io/controller-id: openshift-monitoring/prometheus-operator
   labels:
     app.kubernetes.io/component: alert-router

assets/alertmanager/cluster-role-binding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/alertmanager/cluster-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/alertmanager/kube-rbac-proxy-metric-secret.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-main

assets/alertmanager/kube-rbac-proxy-secret.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-main

assets/alertmanager/kube-rbac-proxy-web-secret.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/alertmanager/pod-disruption-budget.yaml

@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main

assets/alertmanager/prometheus-rule.yaml

@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main

assets/alertmanager/route.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Route
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     openshift.io/description: Expose the `/api` endpoints of the `alertmanager-main` service via a router.
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/alertmanager/secret.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main

assets/alertmanager/service-account.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main

assets/alertmanager/service-monitor.yaml

@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main

assets/alertmanager/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     openshift.io/description: |-
       Expose the Alertmanager web server within the cluster on the following ports:
       * Port 9094 provides access to all the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-view` role (for read-only operations) or `monitoring-alertmanager-edit` role in the `openshift-monitoring` project.

assets/alertmanager/trusted-ca-bundle.yaml

@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
   annotations:
+    capability.openshift.io/name: OptionalMonitoring
     openshift.io/owning-component: Monitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring

assets/monitoring-plugin/console-plugin.yaml

@@ -1,6 +1,8 @@
 apiVersion: console.openshift.io/v1
 kind: ConsolePlugin
 metadata:
+  annotations:
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/monitoring-plugin/deployment.yaml

@@ -1,6 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations:
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/monitoring-plugin/pod-disruption-budget.yaml

@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+  annotations:
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/monitoring-plugin/service-account.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  annotations:
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/monitoring-plugin/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
+    capability.openshift.io/name: Console
     openshift.io/description: Expose the monitoring plugin service on port 9443. This port is for internal use, and no other usage is guaranteed.
     service.beta.openshift.io/serving-cert-secret-name: monitoring-plugin-cert
   labels:

assets/prometheus-operator-user-workload/cluster-role-binding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/prometheus-operator-user-workload/cluster-role.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/managed-by: cluster-monitoring-operator

assets/prometheus-operator-user-workload/deployment.yaml

@@ -1,6 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations:
+    capability.openshift.io/name: OptionalMonitoring
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/managed-by: cluster-monitoring-operator