|
| 1 | +//// |
| 2 | +Module included in the following assemblies: |
| 3 | +* service_mesh/v2x/ossm-observability.adoc |
| 4 | +//// |
| 5 | + |
| 6 | +:_content-type: PROCEDURE |
| 7 | +[id="ossm-integrating-with-user-workload-monitoring_{context}"] |
| 8 | += Integrating with user-workload monitoring |
| 9 | + |
| 10 | +By default, {SMProductName} (OSSM) installs the Service Mesh control plane (SMCP) with a dedicated instance of Prometheus for collecting metrics from a mesh. However, production systems need more advanced monitoring systems, like {product-title} monitoring for user-defined projects. |
| 11 | + |
| 12 | +The following steps show how to integrate Service Mesh with user-workload monitoring. |
| 13 | + |
| 14 | +.Prerequisites |
| 15 | + |
| 16 | +* User-workload monitoring is enabled. |
| 17 | +* {SMProductName} Operator 2.4 is installed. |
| 18 | +
|
| 19 | +.Procedure |
| 20 | + |
| 21 | +. Configure the SMCP for external Prometheus: |
| 22 | ++ |
| 23 | +[source,yaml] |
| 24 | +---- |
| 25 | +apiVersion: maistra.io/v2 |
| 26 | +kind: ServiceMeshControlPlane |
| 27 | +metadata: |
| 28 | + name: basic |
| 29 | + namespace: istio-system |
| 30 | +spec: |
| 31 | + addons: |
| 32 | + prometheus: |
| 33 | + enabled: false # <1> |
| 34 | + grafana: |
| 35 | + enabled: false # <2> |
| 36 | + kiali: |
| 37 | + enabled: false |
| 38 | +---- |
| 39 | +<1> Disable the default Prometheus instance provided by OSSM. |
| 40 | +<2> Disable Grafana. It is not supported with an external Prometheus instance. |
| 41 | + |
| 42 | +. Apply a custom network policy to allow ingress traffic from the monitoring namespace: |
| 43 | ++ |
| 44 | +[source,yaml] |
| 45 | +---- |
| 46 | +apiVersion: networking.k8s.io/v1 |
| 47 | +kind: NetworkPolicy |
| 48 | +metadata: |
| 49 | + name: user-workload-access |
| 50 | + namespace: bookinfo |
| 51 | +spec: |
| 52 | + ingress: |
| 53 | + - from: |
| 54 | + - namespaceSelector: |
| 55 | + matchLabels: |
| 56 | + network.openshift.io/policy-group: monitoring |
| 57 | + podSelector: {} |
| 58 | + policyTypes: |
| 59 | + - Ingress |
| 60 | +---- |
| 61 | + |
| 62 | +. Apply a `Telemetry` object to enable traffic metrics in Istio proxies: |
| 63 | ++ |
| 64 | +[source,yaml] |
| 65 | +---- |
| 66 | +apiVersion: telemetry.istio.io/v1alpha1 |
| 67 | +kind: Telemetry |
| 68 | +metadata: |
| 69 | + name: enable-prometheus-metrics |
| 70 | + namespace: istio-system # <1> |
| 71 | +spec: |
| 72 | + selector: # <2> |
| 73 | + matchLabels: |
| 74 | + app: bookinfo |
| 75 | + metrics: |
| 76 | + - providers: |
| 77 | + - name: prometheus |
| 78 | +---- |
| 79 | +<1> A `Telemetry` object created in the control plane namespace applies to all workloads in a mesh. To apply telemetry to only one namespace, create the object in the target namespace. |
| 80 | +<2> Optional: Setting the `selector.matchLabels` spec applies the `Telemetry` object to specific workloads in the target namespace. |
| 81 | + |
| 82 | +. Apply a `ServiceMonitor` object to monitor the Istio control plane: |
| 83 | ++ |
| 84 | +[source,yaml] |
| 85 | +---- |
| 86 | +apiVersion: monitoring.coreos.com/v1 |
| 87 | +kind: ServiceMonitor |
| 88 | +metadata: |
| 89 | + name: istiod-monitor |
| 90 | + namespace: istio-system # <1> |
| 91 | +spec: |
| 92 | + targetLabels: |
| 93 | + - app |
| 94 | + selector: |
| 95 | + matchLabels: |
| 96 | + istio: pilot |
| 97 | + endpoints: |
| 98 | + - port: http-monitoring |
| 99 | + interval: 30s |
| 100 | + relabelings: |
| 101 | + - action: replace |
| 102 | + replacement: "<smcp_name>-<smcp_namespace>" # <2> |
| 103 | + targetLabel: mesh_id |
| 104 | +---- |
| 105 | +<1> Since {product-title} monitoring ignores the `namespaceSelector` spec in `ServiceMonitor` and `PodMonitor` objects, you must apply the `PodMonitor` object in all mesh namespaces, including the control plane namespace. |
| 106 | +<2> A shared Prometheus instance can include metrics from multiple meshes. However, if you are deploying Kiali, the metrics must be associated with a single mesh. To associate metrics with a single mesh, add a unique `mesh_id` to each one. Doing so narrows the query scope in Kiali to only the relevant mesh metrics. |
| 107 | + |
| 108 | +. Apply a `PodMonitor` object to collect metrics from Istio proxies: |
| 109 | ++ |
| 110 | +[source,yaml] |
| 111 | +---- |
| 112 | +apiVersion: monitoring.coreos.com/v1 |
| 113 | +kind: PodMonitor |
| 114 | +metadata: |
| 115 | + name: istio-proxies-monitor |
| 116 | + namespace: istio-system # <1> |
| 117 | +spec: |
| 118 | + selector: |
| 119 | + matchExpressions: |
| 120 | + - key: istio-prometheus-ignore |
| 121 | + operator: DoesNotExist |
| 122 | + podMetricsEndpoints: |
| 123 | + - path: /stats/prometheus |
| 124 | + interval: 30s |
| 125 | + relabelings: |
| 126 | + - action: keep |
| 127 | + sourceLabels: [__meta_kubernetes_pod_container_name] |
| 128 | + regex: "istio-proxy" |
| 129 | + - action: keep |
| 130 | + sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape] |
| 131 | + - action: replace |
| 132 | + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) |
| 133 | + replacement: '[$2]:$1' |
| 134 | + sourceLabels: [__meta_kubernetes_pod_annotation_prometheus_io_port, |
| 135 | + __meta_kubernetes_pod_ip] |
| 136 | + targetLabel: __address__ |
| 137 | + - action: replace |
| 138 | + regex: (\d+);((([0-9]+?)(\.|$)){4}) |
| 139 | + replacement: $2:$1 |
| 140 | + sourceLabels: [__meta_kubernetes_pod_annotation_prometheus_io_port, |
| 141 | + __meta_kubernetes_pod_ip] |
| 142 | + targetLabel: __address__ |
| 143 | + - action: labeldrop |
| 144 | + regex: "__meta_kubernetes_pod_label_(.+)" |
| 145 | + - sourceLabels: [__meta_kubernetes_namespace] |
| 146 | + action: replace |
| 147 | + targetLabel: namespace |
| 148 | + - sourceLabels: [__meta_kubernetes_pod_name] |
| 149 | + action: replace |
| 150 | + targetLabel: pod_name |
| 151 | + - action: replace |
| 152 | + replacement: "<smcp_name>-<smcp_namespace>" # <2> |
| 153 | + targetLabel: mesh_id |
| 154 | +---- |
| 155 | +<1> Since {product-title} monitoring ignores the `namespaceSelector` spec in `ServiceMonitor` and `PodMonitor` objects, you must apply the `PodMonitor` object in all mesh namespaces, including the control plane namespace. |
| 156 | +<2> A shared Prometheus instance can include metrics from multiple meshes. However, if you are deploying Kiali, the metrics must be associated with a single mesh. To associate metrics with a single mesh, add a unique `mesh_id` to each one. Doing so narrows the query scope in Kiali to only the relevant mesh metrics. |
| 157 | +
|
| 158 | +. Open the {product-title} web console, and check that metrics are visible. |
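Review bot: Callout <1> under the `ServiceMonitor` block (new-file line 105) is a verbatim copy of the `PodMonitor` callout at line 155 and tells the reader to apply the `PodMonitor` object in all mesh namespaces. It should describe where the `ServiceMonitor` itself has to be created, since `istiod-monitor` selects `istio: pilot` in `istio-system`. The `user-workload-access` NetworkPolicy (lines 46-59) uses `podSelector: {}` with no `ports` list, so it admits traffic from every namespace labelled `network.openshift.io/policy-group: monitoring` to every pod and port in `bookinfo`. Either limit it to the metrics port or add a callout saying the breadth is intended, and say whether the policy has to be repeated in each mesh namespace. In the `PodMonitor`, the second `keep` relabeling (lines 129-130) sets no `regex`, so it falls back to the default pattern, which also matches an empty value and filters nothing. If the intent is to scrape only pods carrying the `prometheus.io/scrape` annotation, add `regex: "true"`. The `Telemetry` example sets both `namespace: istio-system` and a `selector` for `app: bookinfo`, which reads as contradicting callouts <1> and <2> at lines 79-80; show one case in the YAML and describe the other in the callout. Finally, `kiali.enabled: false` at line 37 has no callout although both <2> callouts discuss deploying Kiali, and the last step does not say which console view or query confirms that metrics arrive.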