[metrics 2/x] Configure Prometheus Operator #687
Conversation
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
changed the title
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
06e880c
to
75e8305
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
75e8305
to
06c86e1
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
Pull Request Test Coverage Report for Build 9746872108Details
💛 - Coveralls |
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
06c86e1
to
37fbdf4
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
37fbdf4
to
7999f7e
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
7999f7e
to
58b9fb3
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
| @@ -18,6 +18,7 @@ spec: | |||
| name: sriov-network-metrics | |||
| port: {{ .MetricsExporterPort }} | |||
| targetPort: {{ .MetricsExporterPort }} | |||
| {{ if .IsOpenshift }} | |||
There was a problem hiding this comment.
I think here we can also support k8s
lets check if the ServiceMonitor CRD exist in the cluster and deploy it instead of checking only for openshift WDYT?
There was a problem hiding this comment.
good idea, working on that
There was a problem hiding this comment.
Done, I used the unstructured client to check if the ServiceMonitore resource definition is available in the cluster. Does it sound good?
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
58b9fb3
to
9b5e4cf
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
9b5e4cf
to
2bddf42
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
2bddf42
to
cec70bd
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
cec70bd
to
6da499a
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
6da499a
to
e87a82d
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
deploy/role.yaml
Outdated
| @@ -32,6 +32,7 @@ rules: | |||
| verbs: | |||
| - get | |||
| - create | |||
| - list | |||
There was a problem hiding this comment.
I think we need this one also under the config folder so it will be generated for the bundle
controllers/helper.go
Outdated
|
|
||
| func isPrometheusOperatorInstalled(ctx context.Context, client k8sclient.Reader) bool { | ||
| u := &uns.UnstructuredList{} | ||
| u.SetGroupVersionKind(schema.GroupVersionKind{ |
There was a problem hiding this comment.
I was thinking (maybe that is not the right way) to do a kubectl get crd servicemonitor not to search if there is any server monitor object in the cluster :)
There was a problem hiding this comment.
I think we can try getting the CRD (e.g. see this).
The drawback is that we have to add the permission (ClusterRole,ClusterRoleBinding,...) to make the operator read that CustomResourceDefinition resource, but it might end up cleaner.
There was a problem hiding this comment.
I think it should be ok to add get for CRD that should not expose the operator to any security issues :)
There was a problem hiding this comment.
I had to add the permission to the ClusterRole (instead of Role), as the CustomResourceDefinition is not namespaced.
For the same reason, I had to add a non-namespace client to the SriovOperatorConfigReconicler.
please, take a look
| } | ||
|
|
||
| if r.PlatformHelper.IsOpenshiftCluster() { | ||
| err = utils.AddLabelToNamespace(ctx, vars.Namespace, "openshift.io/cluster-monitoring", "true", r.Client) |
There was a problem hiding this comment.
I think we need to put this in the namespace creation template and not let the operator have permission to upgrade namespace that sounds a security risk
There was a problem hiding this comment.
Sounds good. Maybe we can leverage the operatorframework.io/cluster-monitoring annotation in the CSV, in the openshift fork
|
@zeeke can you rebase this one ? |
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
e87a82d
to
17dabd0
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
|
/hold |
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
391a8ca
to
686a48c
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
686a48c
to
63f4fe3
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
Package `github.com/prometheus-operator/prometheus-operator/pkg/client` can be used for testing purpose. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
63f4fe3
to
ed8f86f
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
ed8f86f
to
de99a66
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
de99a66
to
7aacaae
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
7aacaae
to
2faab1d
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
2faab1d
to
19e5be7
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
19e5be7
to
41106a5
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
|
@adrianchiris , @SchSeba please take another look |
| subjects: | ||
| - kind: ServiceAccount | ||
| name: prometheus-k8s | ||
| namespace: openshift-monitoring |
There was a problem hiding this comment.
this is good for openshift on vanilla k8s please add a variable to the helmchart something like
https://github.com/metallb/metallb/blob/21dd75560f3b8614c14b1bb55a79dbcc231e36a7/charts/metallb/templates/servicemonitor.yaml#L192
There was a problem hiding this comment.
Added environment variables and Helm stuff to make the subject configurable.
| @@ -36,6 +36,9 @@ rules: | |||
| - apiGroups: ["config.openshift.io"] | |||
| resources: ["infrastructures"] | |||
| verbs: ["get", "list", "watch"] | |||
| - apiGroups: ["apiextensions.k8s.io"] | |||
| resources: ["customresourcedefinitions"] | |||
There was a problem hiding this comment.
I think we should add this one also to the config folder this way when we generate the csv file for OLM it should be also in place
There was a problem hiding this comment.
Added, though I think we still need some cleanup in that folder.
pkg/utils/cluster.go
Outdated
| @@ -161,3 +161,28 @@ func AnnotateNode(ctx context.Context, nodeName string, key, value string, c cli | |||
|
|
|||
| return AnnotateObject(ctx, node, key, value, c) | |||
| } | |||
|
|
|||
| func AddLabelToNamespace(ctx context.Context, namespaceName, key, value string, c client.Client) error { | |||
| ns := &corev1.Namespace{} | |||
There was a problem hiding this comment.
I was not able to find where we use this one.
in general I think we should document the need to add a label for monitoring on namespace creation and not add a rbac to allow the operator to update namespace object
There was a problem hiding this comment.
I removed the function. I will re-add it in the e2e test PR.
About permissions, the operator already had the RBAC to write on namespaces (see deploy/clusterrole.yaml and openshift CSV). No permission has been added in this PR for namespaces.
I'll take care of documenting the namespace configuration in OpenShift
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
Deploy the needed configuration to make the prometheus operator to find and scrape the sriov-network-metrics-exporter endpoints, including the ServiceMonitor, Role and RoleBinding. Resources are installed only if the Prometheus operator is installed. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
When useing `ServiceMonitors`, Prometheus Operator needs permissions to read Services,Endpoint and Pods in the monitored namespace (i.e. the SRIOV operator ns). Make the ServiceAccount subject configurable via environment variables. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
zeeke
force-pushed
the
metrics-exporter-prometheus
branch
from
a39a440
to
108ef15
Compare
|
Thanks for your PR,
To skip the vendors CIs use one of:
|
|
@adrianchiris , @SchSeba please take another look |
Deploy the needed configuration to make the prometheus
operator to find and scrape the sriov-network-metrics-exporter
endpoints, including the ServiceMonitor, Role and RoleBinding
depends on:
sriov-network-metrics-exporter#655