Openshift haproxy promcat (#227)

* openshift haproxy promcat

* Change json dashboards names

* change openshift version from 4.3 to 4.7

* add description to openshift-haproxy

* alerts format fix

* install and setup guide update

* dashboards update

* configuration error fixed

* fix absent alert and delete old images

* alert change

* fix promQL alert

Co-authored-by: David de Torres <[email protected]>

Author: Mak0tin

apps/openshift-haproxy-router.yaml

@@ -7,10 +7,10 @@ keywords:
   - Load-balancer
 availableVersions: 
   - "3.11"
-  - "4.3"
+  - "4.7"
 shortDescription: "HAProxy ingress router for OpenShift"
 description: |
-  # 
+  A highly available load balancer and proxy server for TCP and HTTP-based applications that automatically exposes services within the cluster through routes, and offers TLS termination, re-encryption, or SNI-passthrough on ports 80 and 443.
 icon: https://raw.githubusercontent.com/sysdiglabs/promcat-resources/master/apps/images/openshift-haproxy.png
 website: https://github.com/openshift/router
 available: true

resources/openshift-haproxy-router/INSTALL.v3.11.md

@@ -1,35 +1,21 @@
 # Getting the authentication of the HAProxy router
-The metrics endpoint of the HAProxy router in OpenShift 3.11 has a simple HTTP authentication configuration with username and password.
+The metrics endpoint of the HAProxy router in OpenShift 3.11 has a basic HTTP authentication configuration with username and password.
 
 To retrieve the username and password, run the following commands:
 ```
 # USER
-kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_USERNAME")) | .value'
+export USER=`kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_USERNAME")) | .value'`
 
 # PASSWORD
-kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_PASSWORD")) | .value'
+export PASS=`kubectl -n default get deploymentConfig router -o json | jq -r '.spec.template.spec.containers[].env[] | select( .name | contains("STATS_PASSWORD")) | .value'`
 ```
 
 >Note: to execute these commands ou will need the tool [jq](https://stedolan.github.io/jq/)
 
-# Sysdig Agent configuration
-To configure Sysdig Agent to collect metrics from the HAProxy router in OpenShift 4.3, do the following:
+The Prometheus Monitoring stack is installed with OpenShift Container Platform by default so there is no need of additional configuration in prometheus.yml file
 
-1. Copy the values of the `USER` and `PASSWORD` retrieved in the previous step.
+You can now check haproxy router metrics (remember to port-forward port 1936):
 
-2. Add them to the job section of the `prometheus.yaml` file as follows:
-```yaml
-scrape_configs:
-  - job_name: 'haproxy-router'
-      basic_auth:
-        username: USER
-        password: PASSWORD
-      relabel_configs:
-      - action: keep
-        source_labels:
-        - __meta_kubernetes_namespace
-        - __meta_kubernetes_pod_name
-        separator: '/'
-        regex: 'default/router-1-.+'
 ```
-See the example configuration given below.
+curl -u $USER:$PASS http://ROUTERIP:1936/metrics
+```

resources/openshift-haproxy-router/INSTALL.v4.3.md

@@ -0,0 +1,21 @@
+# Getting the authentication of the HAProxy router
+The metrics endpoint of the HAProxy router in OpenShift 4.7 has a basic HTTP authentication configuration with username and password.
+
+To retrieve the username and password, run the following commands:
+```
+# USER
+export USER=`echo $(kubectl -n openshift-ingress get secret router-stats-default -o json | jq -r '.data.statsUsername') | base64 --decode`
+
+# PASSWORD
+export PASS=`echo $(kubectl -n openshift-ingress get secret router-stats-default -o json | jq -r '.data.statsPassword') | base64 --decode`
+```
+
+>Note: to execute these commands ou will need the tool [jq](https://stedolan.github.io/jq/)
+
+The Prometheus Monitoring stack is installed with OpenShift Container Platform by default so there is no need of additional configuration in prometheus.yml file
+
+You can now check haproxy router metrics (remember to port-forward port 1936):
+
+```
+curl -u $USER:$PASS http://ROUTERIP:1936/metrics
+```

resources/openshift-haproxy-router/INSTALL.v4.7.md

@@ -2,12 +2,12 @@
 OpenShift offers different options as ingress router, one of them is based in HAProxy 2.0.
 
 # Metrics
-The HAProxy ingress router instruments Prometheus metrics, and in OpenShift the endpoint is protected with user and password.
+The HAProxy ingress router instruments Prometheus metrics, in OpenShift the endpoint is protected with user and password by default.
 
 ## Number of time series generated
-The HAProxy ingress router generates ~400 time series.
+The HAProxy ingress router generates ~400 time series per HAProxy router pod.
 
 # Attributions
 The configuration files, dashboards, and alerts are maintained by [Sysdig team](https://sysdig.com/).
 
-Using the [HAProxy Kubernetes ingress controller](https://github.com/haproxytech/kubernetes-ingress) and [OpenShift router](https://github.com/openshift/router) with the Apache 2.0 license.
+Using the [HAProxy Kubernetes ingress controller](https://github.com/haproxytech/kubernetes-ingress) and [OpenShift router](https://github.com/openshift/router) with the Apache 2.0 license.

resources/openshift-haproxy-router/README.md

@@ -1,79 +1,78 @@
 apiVersion: v1
 kind: Alert
-app: OpenShift HAProxy Router
+app: 'OpenShift HAProxy Router'
 version: 1.0.0
 appVersion:
 - '3.11'
-- '4.3'
+- '4.7'
 descriptionFile: ALERTS.md
 configurations:
 - kind: Prometheus
   data: |
     groups:
     - name: OpenShift-HAProxy-Router
       rules:
-      - alert: RouterDown
-        expr: |
-          absent((count(haproxy_process_start_time_seconds) < 1))
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: Router HAProxy down. No instances running.
-      - alert: DownTimeInService
-        expr: |
-          haproxy_backend_downtime_seconds_total > 0
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: DownTime detected in service. Route {{$labels.route}}, pod {{labels.pod}}
-      - alert: RouteDown
-        expr: |
-          sum by (route) (haproxy_server_up==1) == 0
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: All servers are down in route {{$labels.route}}
-      - alert: HighLatency
-        expr: |
-          max by (route)(haproxy_server_http_average_response_latency_milliseconds{route!=""}) > 250
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: High latency in at least one server for the route {{$labels.route}}
-      - alert: PodHealthCheckFailure
-        expr: |
-          rate(haproxy_server_check_failures_total[5m]) > 0
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: Recurrent health check failure in pod {{$labels.pod}} and route {{$labels.route}}
-      - alert: QueueNotEmptyInRoute
-        expr: |
-          sum by (route)(haproxy_server_current_queue{route!=""}) > 0
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: Queue not empty in route {{$labels.route}}
-      - alert: HighErrorRateInRoute
-        expr: |
-          sum by (route) (rate(haproxy_server_http_responses_total{code!="2xx"}[5m])) /
-            sum  by (route) (rate(haproxy_server_http_responses_total{}[5m]))
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: High error rate in route {{$labels.route}}
-      - alert: ConnectionErrorsInRoute
-        expr: |
-          sum by (route)(rate(haproxy_server_connection_errors_total{route!=""}[5m])) > 0
-        for: 10m
-        labels:
-          severity: page
-        annotations:
-          summary: Recurring connection errors in route {{$labels.route}}
+        - alert: '[OpenShift-HAProxy-Router] Router Down'
+          expr: |
+            absent(haproxy_process_start_time_seconds) == 1
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description: Router HAProxy down. No instances running.
+        - alert: '[OpenShift-HAProxy-Router] Percentage of routers low'
+          expr: |
+            count (haproxy_process_start_time_seconds)/sum (kube_workload_status_desired) < 0.75
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description: Less than 75% Routers are up
+        - alert: '[OpenShift-HAProxy-Router] Route Down'
+          expr: |
+            sum by (namespace,route)(haproxy_server_up) < 1
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description: This alert detects if all servers are down in a route
+        - alert: '[OpenShift-HAProxy-Router] High Latency'
+          expr: |
+            max by (namespace,route)(haproxy_server_http_average_response_latency_milliseconds{route!=""}) > 250
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            description: This alert detects high latency in at least one server of the route
+        - alert: '[OpenShift-HAProxy-Router] Pod Health Check Failure'
+          expr: |
+            sum by (namespace,route,pod)(rate(haproxy_server_check_failures_total[5m])) > 0
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description: This alert triggers when there is a recurrent pod health check failure.
+        - alert: '[OpenShift-HAProxy-Router] Queue not empty in route'
+          expr: |
+            sum by (namespace,route)(haproxy_server_current_queue{route!=""}) > 0
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            description: This alert triggers when a queue is not empty in a route
+        - alert: '[OpenShift-HAProxy-Router] High error rate in route'
+          expr: |
+            sum by (namespace,route) (rate(haproxy_server_http_responses_total{code!="2xx"}[5m])) /sum by (namespace,route) (rate(haproxy_server_http_responses_total[5m]))> 0.15
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description: This alert triggers when there is a high error rate in a route.
+        - alert: '[OpenShift-HAProxy-Router] Connection errors in route'
+          expr: |
+            sum by (namespace,route)(rate(haproxy_server_connection_errors_total{route!=""}[5m])) > 0
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            description: This alert triggers when there are recurring connection errors in a route

resources/openshift-haproxy-router/alerts.yaml

@@ -4,11 +4,11 @@ app: 'OpenShift HAProxy Router'
 version: 1.0.0
 appVersion:
   - "3.11"
-  - "4.3"
+  - "4.7"
 configurations:
 - name: 'HAProxy OC Ingress Overview'
   kind: Sysdig
-  image: 'openshift-haproxy-router/images/HAProxy_OC_Ingress_Overview-sysdig-dashboard.png'
+  image: 'openshift-haproxy-router/images/HAProxy_OC_Ingress_Overview-sysdig-dashboard-v4.7.png'
   description: |
     This dashboard offers information on:
     * Up Time
@@ -29,10 +29,10 @@ configurations:
     * Frontend Connections
     * Frontend Bytes Out
     * Frontend HTTP Requests
-  file: include/HAProxy_OC_Ingress_Overview-sysdig-dashboard.json
+  file: include/HAProxy_OC_Ingress_Overview-sysdig-dashboard-v4.7.json
 - name: 'HAProxy OC Service Golden Signals'
   kind: Sysdig
-  image: 'openshift-haproxy-router/images/HAProxy_OC_Service_Golden_Signals-sysdig-dashboard.png'
+  image: 'openshift-haproxy-router/images/HAProxy_OC_Service_Golden_Signals-sysdig-dashboard-v4.7.png'
   description: |
     This dashboard offers information on:
     * Servers
@@ -46,7 +46,7 @@ configurations:
     * Responses OK
     * Bytes Inbound
     * Bytes Outbound
-  file: include/HAProxy_OC_Service_Golden_Signals-sysdig-dashboard.json
+  file: include/HAProxy_OC_Service_Golden_Signals-sysdig-dashboard-v4.7.json
 - name: 'HAProxy OC Ingress Overview'
   kind: Grafana
   image: 'openshift-haproxy-router/images/HAProxy_OC_Ingress_Overview-grafana-dashboard.png'

resources/openshift-haproxy-router/dashboards.yaml

@@ -4,5 +4,5 @@ app: 'OpenShift HAProxy Router'
 version: 1.0.0
 appVersion:
   - "3.11"
-  - "4.3"
+  - "4.7"
 descriptionFile: README.md