[metrics 2/x] Configure Prometheus Operator #687
Thanks for your PR,
To skip the vendors CIs use one of:
Pull Request Test Coverage Report for Build 9746872108 (Coveralls)
@@ -18,6 +18,7 @@ spec: | |||
name: sriov-network-metrics | |||
port: {{ .MetricsExporterPort }} | |||
targetPort: {{ .MetricsExporterPort }} | |||
{{ if .IsOpenshift }} |
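Review bot: The `{{ if .IsOpenshift }}` guard added after `targetPort` has no matching `{{ end }}` in the visible lines, and without trim markers the action's own line renders as an empty line in the generated Service. Confirm the block is closed further down, and consider `{{- if .IsOpenshift }}` so the rendered manifest carries no stray whitespace inside the port entry.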
I think here we can also support k8s.
Let's check if the ServiceMonitor CRD exists in the cluster and deploy it instead of checking only for openshift. WDYT?
good idea, working on that
Done, I used the unstructured client to check if the ServiceMonitor resource definition is available in the cluster. Does it sound good?
deploy/role.yaml
Outdated
@@ -32,6 +32,7 @@ rules: | |||
verbs: | |||
- get | |||
- create | |||
- list |
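Review bot: The added `- list` verb widens a rule whose `apiGroups` and `resources` sit above the visible context, so the diff alone does not show what becomes listable. `list` returns the full objects of every instance of the kind in the namespace, which matters if the rule covers anything sensitive. Put the resource that needs `list` in its own rule and add a comment saying which controller call requires it.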
I think we need this one also under the config folder so it will be generated for the bundle
controllers/helper.go
Outdated
|
||
func isPrometheusOperatorInstalled(ctx context.Context, client k8sclient.Reader) bool { | ||
u := &uns.UnstructuredList{} | ||
u.SetGroupVersionKind(schema.GroupVersionKind{ |
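Review bot: `isPrometheusOperatorInstalled` returns only `bool`, so a failed lookup through `client` (forbidden, timeout, API server unavailable) cannot be told apart from "not installed" by the caller. Return `(bool, error)` or at least log the error before returning false, and add a doc comment stating what the function treats as "installed".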
I was thinking (maybe that is not the right way) to do a kubectl get crd servicemonitor not to search if there is any server monitor object in the cluster :)
I think we can try getting the CRD (e.g. see this).
The drawback is that we have to add the permission (ClusterRole,ClusterRoleBinding,...) to make the operator read that CustomResourceDefinition resource, but it might end up cleaner.
I think it should be ok to add `get` for CRD that should not expose the operator to any security issues :)
I had to add the permission to the ClusterRole (instead of Role), as the CustomResourceDefinition is not namespaced.
For the same reason, I had to add a non-namespaced client to the SriovOperatorConfigReconciler.
Please take a look.
} | ||
|
||
if r.PlatformHelper.IsOpenshiftCluster() { | ||
err = utils.AddLabelToNamespace(ctx, vars.Namespace, "openshift.io/cluster-monitoring", "true", r.Client) |
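Review bot: The label key and value in the `AddLabelToNamespace` call are inline string literals, and the `err` assigned on that line is handled, if at all, outside the visible lines. Move `openshift.io/cluster-monitoring` to a named constant, check `err` immediately after the call, and note in a comment that this path needs write access to the operator's own Namespace object so the RBAC requirement is visible at the call site.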
I think we need to put this in the namespace creation template and not let the operator have permission to upgrade namespace; that sounds like a security risk
Sounds good. Maybe we can leverage the `operatorframework.io/cluster-monitoring` annotation in the CSV, in the openshift fork
@zeeke can you rebase this one ?
/hold
Package `github.com/prometheus-operator/prometheus-operator/pkg/client` can be used for testing purpose. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@adrianchiris , @SchSeba please take another look
just some small comments :)
subjects: | ||
- kind: ServiceAccount | ||
name: prometheus-k8s | ||
namespace: openshift-monitoring |
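Review bot: The subject under `subjects:` is fixed to ServiceAccount `prometheus-k8s` in `openshift-monitoring`, which only exists on OpenShift. On any other cluster the binding points at a subject that is not there, and the role would apply to whatever account is later created under that name and namespace. Template the `name` and `namespace` fields and skip rendering the binding when they are unset.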
This is good for openshift; on vanilla k8s please add a variable to the helm chart, something like
https://github.com/metallb/metallb/blob/21dd75560f3b8614c14b1bb55a79dbcc231e36a7/charts/metallb/templates/servicemonitor.yaml#L192
Added environment variables and Helm stuff to make the subject configurable.
@@ -36,6 +36,9 @@ rules: | |||
- apiGroups: ["config.openshift.io"] | |||
resources: ["infrastructures"] | |||
verbs: ["get", "list", "watch"] | |||
- apiGroups: ["apiextensions.k8s.io"] | |||
resources: ["customresourcedefinitions"] |
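Review bot: The new rule on `customresourcedefinitions` in `apiextensions.k8s.io` shows no `resourceNames`, and its `verbs` line falls outside the visible lines. Since the operator only needs to know whether one CRD exists, limit the rule to the `get` verb and add `resourceNames` with the ServiceMonitor CRD (`servicemonitors.monitoring.coreos.com`) so the ClusterRole does not grant read access to every CRD in the cluster.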
I think we should add this one also to the config folder this way when we generate the csv file for OLM it should be also in place
Added, though I think we still need some cleanup in that folder.
pkg/utils/cluster.go
Outdated
@@ -161,3 +161,28 @@ func AnnotateNode(ctx context.Context, nodeName string, key, value string, c cli | |||
|
|||
return AnnotateObject(ctx, node, key, value, c) | |||
} | |||
|
|||
func AddLabelToNamespace(ctx context.Context, namespaceName, key, value string, c client.Client) error { | |||
ns := &corev1.Namespace{} |
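Review bot: The exported `AddLabelToNamespace` is added without a doc comment. Add one that says the function modifies a cluster-scoped Namespace object and therefore requires write permission on namespaces for the client `c`, so the RBAC cost of calling it is clear to future callers; if no caller in this change needs it, leave the function out until one does.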
I was not able to find where we use this one.
in general I think we should document the need to add a label for monitoring on namespace creation and not add a rbac to allow the operator to update namespace object
I removed the function. I will re-add it in the e2e test PR.
About permissions, the operator already had the RBAC to write on namespaces (see deploy/clusterrole.yaml and openshift CSV). No permission has been added in this PR for namespaces.
I'll take care of documenting the namespace configuration in OpenShift
Deploy the needed configuration to make the prometheus operator to find and scrape the sriov-network-metrics-exporter endpoints, including the ServiceMonitor, Role and RoleBinding. Resources are installed only if the Prometheus operator is installed. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
When using `ServiceMonitors`, Prometheus Operator needs permissions to read Services, Endpoint and Pods in the monitored namespace (i.e. the SRIOV operator ns). Make the ServiceAccount subject configurable via environment variables. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@adrianchiris , @SchSeba please take another look
Deploy the needed configuration to make the prometheus
operator to find and scrape the sriov-network-metrics-exporter
endpoints, including the ServiceMonitor, Role and RoleBinding
depends on:
sriov-network-metrics-exporter
#655