statisticsnorway · mallport · May 15, 2025 · Nov 29, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/.github/workflows/alert-deploy.yml b/.github/workflows/alert-deploy.yml
@@ -0,0 +1,65 @@
+name: Deploy alerts
+run-name: Deploy alerts for Pseudo Service to test and prod
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - ".nais/alerts.yaml"
+      - ".github/workflows/alert-deploy.yml"
+  workflow_dispatch:
+permissions:
+  id-token: write
+env:
+  TEAM: dapla-stat
+
+jobs:
+  test-deploy:
+    name: Deploy alerts to test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        name: Retrieve AlertManager configuration
+        with:
+          repository: "statisticsnorway/nais-alert-config"
+          path: "ext_alertconfig"
+          sparse-checkout: |
+            alertconfig.yaml
+          sparse-checkout-cone-mode: false
+
+      - name: Deploy to test
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: test
+          RESOURCE: .nais/alerts.yaml,ext_alertconfig/alertconfig.yaml
+          VAR: cluster=test,team=${{ env.TEAM }}
+          DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443
+
+  prod-deploy:
+    name: Deploy alerts to prod
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        name: Retrieve AlertManager configuration
+        with:
+          repository: "statisticsnorway/nais-alert-config"
+          path: "ext_alertconfig"
+          sparse-checkout: |
+            alertconfig.yaml
+          sparse-checkout-cone-mode: false
+
+      - name: Deploy to prod
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: prod
+          RESOURCE: .nais/alerts.yaml,ext_alertconfig/alertconfig.yaml
+          VAR: cluster=prod,team=${{ env.TEAM }}
+          DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443
+
diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml
@@ -1,8 +1,4 @@
 on:
-  release:
-    types: [ published ]
-  pull_request: ## ONLY FOR TESTING, SHOULD BE REMOVED AFTER DEPLOY PR IS MERGED
-    branches: [nais-deploy]
   push:
     branches:
       - master

diff --git a/.github/workflows/deploy-to-nais.yml b/.github/workflows/deploy-to-nais.yml
@@ -74,11 +74,33 @@ jobs:
       id-token: "write"
     steps:
       - uses: actions/checkout@v4
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.DAPLA_BOT_APP_ID }}
+          private-key: ${{ secrets.DAPLA_BOT_PRIVATE_KEY }}
+          owner: statisticsnorway
+          repositories: dapla-pseudo-iac
+
+      - uses: actions/checkout@v4
+        name: Retrieve protected configuration
+        with:
+          repository: "statisticsnorway/dapla-pseudo-iac"
+          path: "ext-config"
+          token: ${{ steps.app-token.outputs.token }}
+          sparse-checkout: |
+            apps/nais/pseudo-service/${{ inputs.cluster }}
+
+      - name: Configure environment variables
+        run: |
+          ext_config_dir="ext-config/apps/nais/pseudo-service/${{ inputs.cluster }}"
+          echo "ext_config=${ext_config_dir}" >> $GITHUB_ENV
 
       - uses: nais/deploy/actions/deploy@v2
         env:
           CLUSTER: ${{ inputs.cluster }}
-          RESOURCE: ${{ inputs.nais-config-path }}
-          VAR: image=${{ inputs.registry }}/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }}/${{ inputs.repository }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
+          RESOURCE: ${{ inputs.nais-config-path }},${{ env.ext_config }}/app-roles.yml
+          VAR: image=${{ inputs.registry }}/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }}/${{ inputs.repository }}/${{ inputs.image-name }}:${{ inputs.image-tag }},team=dapla-stat
           DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443
           REF: ${{ inputs.ref }}
diff --git a/.nais/alerts.yaml b/.nais/alerts.yaml
@@ -0,0 +1,86 @@
+apiVersion: "monitoring.coreos.com/v1"
+kind: PrometheusRule
+metadata:
+  name: alert-pseudo-service
+  namespace: dapla-stat
+  labels:
+    team: dapla-stat
+    cluster: "{{cluster}}"
+spec:
+  groups:
+    - name: dapla-stat
+      rules:
+        # This alert checks if no replicas of pseudo-service are available, indicating the service is unavailable.
+        - alert: PseudoServiceUnavailable
+          expr: kube_deployment_status_replicas_available{deployment="pseudo-service"} == 0
+          for: 1m
+          annotations:
+            title: "Pseudo-service is unavailable"
+            consequence: "The service is unavailable to users. Immediate investigation required."
+            action: "Check the deployment status and logs for issues."
+          labels:
+            service: pseudo-service
+            namespace: dapla-stat
+            severity: critical
+            alertmanager_custom_config: dapla-stat
+            alert_type: custom
+
+        # This alert detects high CPU usage by calculating the CPU time used over 5 minutes.
+        - alert: HighCPUUsage
+          expr: rate(process_cpu_seconds_total{app="pseudo-service"}[5m]) > 0.8
+          for: 5m
+          annotations:
+            title: "High CPU usage detected"
+            consequence: "The service might experience performance degradation."
+            action: "Investigate the cause of high CPU usage and optimize if necessary."
+          labels:
+            service: pseudo-service
+            namespace: dapla-stat
+            severity: warning
+            alertmanager_custom_config: dapla-stat
+            alert_type: custom
+
+        # This alert checks if memory usage exceeds 90% of the 12GB limit, which could cause instability.
+        - alert: HighMemoryUsage
+          expr: sum by (namespace, pod) (container_memory_working_set_bytes{namespace="dapla-stat", pod=~"pseudo-service-.*"}) > 0.9 * sum by (namespace, pod) (kube_pod_container_resource_limits_memory_bytes{namespace="dapla-stat", pod=~"pseudo-service-.*"})
+          for: 5m
+          annotations:
+            title: "High memory usage detected"
+            consequence: "The service might experience instability due to high memory usage."
+            action: "Check memory utilization and consider increasing resources or optimizing the service."
+          labels:
+            service: pseudo-service
+            namespace: dapla-stat
+            severity: warning
+            alertmanager_custom_config: dapla-stat
+            alert_type: custom
+
+        # This alert detects a high number of error logs in pseudo-service.
+        - alert: HighNumberOfErrors
+          expr: (100 * sum by (app, namespace) (rate(log_messages_errors{app="pseudo-service", level=~"Error"}[3m])) / sum by (app, namespace) (rate(log_messages_total{app="pseudo-service"}[3m]))) > 10
+          for: 3m
+          annotations:
+            title: "High number of errors logged in pseudo-service"
+            consequence: "The application is logging a significant number of errors."
+            action: "Check the service logs for errors and address the root cause."
+          labels:
+            service: pseudo-service
+            namespace: dapla-stat
+            severity: critical
+            alertmanager_custom_config: dapla-stat
+            alert_type: custom
+
+        # This alert monitors the number of pod restarts for pseudo-service and triggers if more than 3 restarts occur within 15 minutes.
+        - alert: HighPodRestarts
+          expr: increase(kube_pod_container_status_restarts_total{namespace="dapla-stat", app="pseudo-service"}[15m]) > 3
+          for: 15m
+          annotations:
+            title: "High number of pod restarts"
+            consequence: "The service may be unstable or misconfigured."
+            action: "Investigate the cause of pod restarts and fix configuration or resource issues."
+          labels:
+            service: pseudo-service
+            namespace: dapla-stat
+            severity: warning
+            alertmanager_custom_config: dapla-stat
+            alert_type: custom