Merge pull request #28411 from dgoodwin/target-down-kube-system

openshift-merge-bot[bot] · web-flow · commit 2972625e1549 · 2023-11-22T16:11:43.000Z
TRT-1235: Add ability to specify alerts that should never fire
diff --git a/pkg/monitortestlibrary/allowedalerts/all.go b/pkg/monitortestlibrary/allowedalerts/all.go
@@ -12,64 +12,71 @@ func AllAlertTests(jobType *platformidentification.JobType, etcdAllowance AlertT
 
 	ret := []AlertTest{}
 	ret = append(ret, newWatchdogAlert(jobType))
-	ret = append(ret, newNamespacedAlert("KubePodNotReady", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newNamespacedAlert("KubePodNotReady", jobType).firing().toTests()...)
-
-	ret = append(ret, newAlert("etcd", "etcdMembersDown", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdMembersDown", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdGRPCRequestsSlow", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdGRPCRequestsSlow", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighNumberOfFailedGRPCRequests", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighNumberOfFailedGRPCRequests", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdMemberCommunicationSlow", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdMemberCommunicationSlow", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdNoLeader", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdNoLeader", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighFsyncDurations", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighFsyncDurations", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighCommitDurations", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighCommitDurations", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdInsufficientMembers", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdInsufficientMembers", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("etcd", "etcdHighNumberOfLeaderChanges", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTestPerNamespace("KubePodNotReady", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTestPerNamespace("KubePodNotReady", jobType).firing().toTests()...)
+
+	ret = append(ret, newAlertTest("bz-etcd", "etcdMembersDown", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdMembersDown", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdGRPCRequestsSlow", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdGRPCRequestsSlow", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighNumberOfFailedGRPCRequests", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighNumberOfFailedGRPCRequests", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdMemberCommunicationSlow", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdMemberCommunicationSlow", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdNoLeader", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdNoLeader", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighFsyncDurations", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighFsyncDurations", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighCommitDurations", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighCommitDurations", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdInsufficientMembers", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdInsufficientMembers", jobType).firing().toTests()...)
+
+	// A rare and pretty serious failure, should always be accompanied by other failures but we want to see a specific test failure for this.
+	// It likely means a kubelet is down.
+	ret = append(ret, newAlertTest(
+		"sig-node", "TargetDown", jobType).inNamespace("kube-system").
+		firing().alwaysFail().toTests()...)
+
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighNumberOfLeaderChanges", jobType).pending().neverFail().toTests()...)
 
 	// This test gets a little special treatment, if we're moving through etcd updates, we expect leader changes, so if this scenario is detected
 	// this test is given fixed leeway for the alert to fire, otherwise it too falls back to historical data.
-	ret = append(ret, newAlert("etcd", "etcdHighNumberOfLeaderChanges", jobType).withAllowance(etcdAllowance).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-etcd", "etcdHighNumberOfLeaderChanges", jobType).withAllowance(etcdAllowance).firing().toTests()...)
 
-	ret = append(ret, newAlert("kube-apiserver", "KubeAPIErrorBudgetBurn", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("kube-apiserver", "KubeAPIErrorBudgetBurn", jobType).firing().toTests()...)
-	ret = append(ret, newAlert("kube-apiserver", "KubeClientErrors", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("kube-apiserver", "KubeClientErrors", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-kube-apiserver", "KubeAPIErrorBudgetBurn", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-kube-apiserver", "KubeAPIErrorBudgetBurn", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-kube-apiserver", "KubeClientErrors", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-kube-apiserver", "KubeClientErrors", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("storage", "KubePersistentVolumeErrors", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("storage", "KubePersistentVolumeErrors", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-storage", "KubePersistentVolumeErrors", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-storage", "KubePersistentVolumeErrors", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("machine config operator", "MCDDrainError", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("machine config operator", "MCDDrainError", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-machine config operator", "MCDDrainError", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-machine config operator", "MCDDrainError", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("single-node", "KubeMemoryOvercommit", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-single-node", "KubeMemoryOvercommit", jobType).pending().neverFail().toTests()...)
 	// this appears to have no direct impact on the cluster in CI.  It's important in general, but for CI we're willing to run pretty hot.
-	ret = append(ret, newAlert("single-node", "KubeMemoryOvercommit", jobType).firing().neverFail().toTests()...)
-	ret = append(ret, newAlert("machine config operator", "MCDPivotError", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("machine config operator", "MCDPivotError", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-single-node", "KubeMemoryOvercommit", jobType).firing().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-machine config operator", "MCDPivotError", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-machine config operator", "MCDPivotError", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("monitoring", "PrometheusOperatorWatchErrors", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("monitoring", "PrometheusOperatorWatchErrors", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-monitoring", "PrometheusOperatorWatchErrors", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-monitoring", "PrometheusOperatorWatchErrors", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("networking", "OVNKubernetesResourceRetryFailure", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("networking", "OVNKubernetesResourceRetryFailure", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-networking", "OVNKubernetesResourceRetryFailure", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-networking", "OVNKubernetesResourceRetryFailure", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("OLM", "RedhatOperatorsCatalogError", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("OLM", "RedhatOperatorsCatalogError", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-OLM", "RedhatOperatorsCatalogError", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-OLM", "RedhatOperatorsCatalogError", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("storage", "VSphereOpenshiftNodeHealthFail", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("storage", "VSphereOpenshiftNodeHealthFail", jobType).firing().neverFail().toTests()...) // https://bugzilla.redhat.com/show_bug.cgi?id=2055729
+	ret = append(ret, newAlertTest("bz-storage", "VSphereOpenshiftNodeHealthFail", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-storage", "VSphereOpenshiftNodeHealthFail", jobType).firing().neverFail().toTests()...) // https://bugzilla.redhat.com/show_bug.cgi?id=2055729
 
-	ret = append(ret, newAlert("samples", "SamplesImagestreamImportFailing", jobType).pending().neverFail().toTests()...)
-	ret = append(ret, newAlert("samples", "SamplesImagestreamImportFailing", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-samples", "SamplesImagestreamImportFailing", jobType).pending().neverFail().toTests()...)
+	ret = append(ret, newAlertTest("bz-samples", "SamplesImagestreamImportFailing", jobType).firing().toTests()...)
 
-	ret = append(ret, newAlert("apiserver-auth", "PodSecurityViolation", jobType).firing().toTests()...)
+	ret = append(ret, newAlertTest("bz-apiserver-auth", "PodSecurityViolation", jobType).firing().toTests()...)
 
 	return ret
 }
diff --git a/pkg/monitortestlibrary/allowedalerts/basic_alert.go b/pkg/monitortestlibrary/allowedalerts/basic_alert.go
@@ -46,6 +46,7 @@ type alertBuilder struct {
 	bugzillaComponent  string
 	divideByNamespaces bool
 	alertName          string
+	alertNamespace     string
 	alertState         AlertState
 	jobType            *platformidentification2.JobType
 
@@ -62,7 +63,8 @@ type basicAlertTest struct {
 	allowanceCalculator AlertTestAllowanceCalculator
 }
 
-func newAlert(bugzillaComponent, alertName string, jobType *platformidentification2.JobType) *alertBuilder {
+// newAlertTest creates a single alert test with no consideration of namespace.
+func newAlertTest(bugzillaComponent, alertName string, jobType *platformidentification2.JobType) *alertBuilder {
 	return &alertBuilder{
 		bugzillaComponent:   bugzillaComponent,
 		alertName:           alertName,
@@ -72,7 +74,8 @@ func newAlert(bugzillaComponent, alertName string, jobType *platformidentificati
 	}
 }
 
-func newNamespacedAlert(alertName string, jobType *platformidentification2.JobType) *alertBuilder {
+// newAlertTestPerNamespace creates an alert test builder per entry in the hardcoded list of namespaces we're interested in.
+func newAlertTestPerNamespace(alertName string, jobType *platformidentification2.JobType) *alertBuilder {
 	return &alertBuilder{
 		divideByNamespaces:  true,
 		alertName:           alertName,
@@ -92,6 +95,12 @@ func (a *alertBuilder) pending() *alertBuilder {
 	return a
 }
 
+// inNamespace limits the alert test to a specific namespace.
+func (a *alertBuilder) inNamespace(namespace string) *alertBuilder {
+	a.alertNamespace = namespace
+	return a
+}
+
 func (a *alertBuilder) firing() *alertBuilder {
 	a.alertState = AlertInfo
 	return a
@@ -112,17 +121,27 @@ func (a *alertBuilder) neverFail() *alertBuilder {
 	return a
 }
 
+// alwaysFlake will flake the test if the alert enters the given state for any amount of time,
+// regardless of historical data.
 func (a *alertBuilder) alwaysFlake() *alertBuilder {
 	a.allowanceCalculator = alwaysFlake()
 	return a
 }
 
+// alwaysFail will fail the test if the alert enters the given state for any amount of time,
+// regardless of historical data.
+func (a *alertBuilder) alwaysFail() *alertBuilder {
+	a.allowanceCalculator = failOnAny()
+	return a
+}
+
 func (a *alertBuilder) toTests() []AlertTest {
 	if !a.divideByNamespaces {
 		return []AlertTest{
 			&basicAlertTest{
 				bugzillaComponent:   a.bugzillaComponent,
 				alertName:           a.alertName,
+				namespace:           a.alertNamespace, // will be populated if we're creating for a specific namespace
 				alertState:          a.alertState,
 				allowanceCalculator: a.allowanceCalculator,
 				jobType:             a.jobType,
@@ -156,11 +175,11 @@ func (a *alertBuilder) toTests() []AlertTest {
 func (a *basicAlertTest) InvariantTestName() string {
 	switch {
 	case len(a.namespace) == 0:
-		return fmt.Sprintf("[bz-%v][invariant] alert/%s should not be at or above %s", a.bugzillaComponent, a.alertName, a.alertState)
+		return fmt.Sprintf("[%v][invariant] alert/%s should not be at or above %s", a.bugzillaComponent, a.alertName, a.alertState)
 	case a.namespace == platformidentification2.NamespaceOther:
-		return fmt.Sprintf("[bz-%v][invariant] alert/%s should not be at or above %s in all the other namespaces", a.bugzillaComponent, a.alertName, a.alertState)
+		return fmt.Sprintf("[%v][invariant] alert/%s should not be at or above %s in all the other namespaces", a.bugzillaComponent, a.alertName, a.alertState)
 	default:
-		return fmt.Sprintf("[bz-%v][invariant] alert/%s should not be at or above %s in ns/%s", a.bugzillaComponent, a.alertName, a.alertState, a.namespace)
+		return fmt.Sprintf("[%v][invariant] alert/%s should not be at or above %s in ns/%s", a.bugzillaComponent, a.alertName, a.alertState, a.namespace)
 	}
 }
 
diff --git a/pkg/monitortestlibrary/allowedalerts/matches.go b/pkg/monitortestlibrary/allowedalerts/matches.go
@@ -6,6 +6,8 @@ import (
 	historicaldata2 "github.com/openshift/origin/pkg/monitortestlibrary/historicaldata"
 )
 
+// neverFailAllowance will ignore historical data and impose a FailAfter limit that should not be
+// reachable in a CI job run, so the test can never fail, only flake if beyond historical limits.
 type neverFailAllowance struct {
 	flakeDelegate AlertTestAllowanceCalculator
 }
@@ -71,3 +73,20 @@ func (d *alwaysFlakeAllowance) FailAfter(key historicaldata2.AlertDataKey) (time
 func (d *alwaysFlakeAllowance) FlakeAfter(key historicaldata2.AlertDataKey) time.Duration {
 	return 1 * time.Second
 }
+
+func failOnAny() AlertTestAllowanceCalculator {
+	return &alwaysFailAllowance{}
+}
+
+// alwaysFailAllowance is for alerts we want to fail a test if they occur at all.
+type alwaysFailAllowance struct {
+}
+
+func (d *alwaysFailAllowance) FailAfter(key historicaldata2.AlertDataKey) (time.Duration, error) {
+	return 1 * time.Second, nil
+}
+
+func (d *alwaysFailAllowance) FlakeAfter(key historicaldata2.AlertDataKey) time.Duration {
+	// flake is irrelevant here, we're going to fail on ANY duration
+	return 24 * time.Hour
+}
