MON-3902: add initial Monitoring CRD api #1929
Conversation
marioferh
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Hello @marioferh! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/L
marioferh
force-pushed
the
initial_cmo_api
branch
from
f5c996c
to
7ff5883
Compare
marioferh
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@marioferh: This pull request references MON-3902 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.17.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
marioferh
force-pushed
the
initial_cmo_api
branch
3 times, most recently
from
9603c29
to
9c70852
Compare
marioferh
force-pushed
the
initial_cmo_api
branch
from
9c70852
to
7ad01c2
Compare
marioferh
changed the title
marioferh
force-pushed
the
initial_cmo_api
branch
from
9cef41b
to
dd98b0c
Compare
marioferh
force-pushed
the
initial_cmo_api
branch
from
acd1f91
to
905b2a2
Compare
|
/retest-required |
|
/test e2e-upgrade-minor |
marioferh
force-pushed
the
initial_cmo_api
branch
from
905b2a2
to
d5ac7cc
Compare
|
/retest-required |
marioferh
force-pushed
the
initial_cmo_api
branch
from
6508ce9
to
57616ed
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jan--f, marioferh The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Please review https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc and update the godocs based on the guidance there
|
|
||
| // MonitoringOperatorSpec defines the desired state of Cluster Monitoring Operator | ||
| type ClusterMonitoringSpec struct { | ||
| // `UserWorkload` set the deployment mode for user-defined monitoring. |
There was a problem hiding this comment.
What is this actually doing? What is user defined monitoring?
There was a problem hiding this comment.
Hi, User Workload Monitoring is monitoring for user-defined Projects. This is also mentioned on the OpenShift documentation but IMHO it'd be a bit overkill to link that within the api comments.
There was a problem hiding this comment.
Yeah but we need some sort of description, at the moment someone doing an oc explain on this would have no cluster what this field controls
There was a problem hiding this comment.
oh, I see, then we could use something along the lines of
Extension to the existing cluster monitoring stack to enable observability of user namespaces
| const ( | ||
| // UserDefinedDisabled disables monitoring for user-defined projects. | ||
| UserDefinedDisabled UserDefinedMode = "Disabled" | ||
| // UserDefinedNamespace enables monitoring for user-defined projects with namespace scoped tenancy. |
There was a problem hiding this comment.
"namespace scoped tenancy" is too vague for users. We'd need to go in greater details (not sure if the reference docs are doing a better job).
There was a problem hiding this comment.
In a recent discussion you mentioned isolation in the context of this. I thought that might lead to a better name. Perhaps UserDefinedNamespaceIsolation UserDefinedMode = "NamespaceIsolation"
There was a problem hiding this comment.
Please flesh out and update the godoc here, need to explain what this actually does
|
New changes are detected. LGTM label has been removed. |
marioferh
force-pushed
the
initial_cmo_api
branch
from
d505f13
to
80e3a50
Compare
| // mode defines the different configurations of UserDefinedMontiring | ||
| // +kubebuilder:validation:Enum:="Disabled";"SingleNamespace" | ||
| Mode UserDefinedMode `json:"mode,omitempty"` |
There was a problem hiding this comment.
You need to expand the godoc to explain what the different available options are, and what they achieve
| const ( | ||
| // UserDefinedDisabled disables monitoring for user-defined projects. | ||
| UserDefinedDisabled UserDefinedMode = "Disabled" | ||
| // UserDefinedNamespace enables monitoring for user-defined projects with namespace scoped tenancy. |
There was a problem hiding this comment.
Please flesh out and update the godoc here, need to explain what this actually does
marioferh
force-pushed
the
initial_cmo_api
branch
3 times, most recently
from
f8befdc
to
0f7468a
Compare
|
/retest-required |
|
/test e2e-aws-ovn-hypershift |
| // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929 | ||
| // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 | ||
| // +kubebuilder:object:root=true | ||
| // +kubebuilder:resource:path=clustermonitoring,scope=Cluster |
There was a problem hiding this comment.
If this is going to be used in HyperShift, is this considered to be a part of the guest cluster, and therefore not visible from the management layer? If so, Cluster still makes sense
There was a problem hiding this comment.
It is used in HyperShift
There was a problem hiding this comment.
Do you know on which side it is used? Is it on the management or guest cluster side?
There was a problem hiding this comment.
Not sure about it. @simonpasquier do you have this info?
There was a problem hiding this comment.
Iiuc, this should be used on the management cluster side, as this will eventually contain the settings for cluster admins. The guest clusters would rather use the UserDefinedMonitoring struct.
There was a problem hiding this comment.
I think we need to have a discussion with the HyperShift folks about this API then.
If this is cluster scoped, then it makes sense in the OCP world.
If it is namespace scoped, the it makes sense in HyperShift.
The converse of both of my previous statements are not true.
To be correct with our APIs, it would be preferable to have a Hosted<CRD> that is namespaced, and exists only in the management cluster, and then have no semblance of the feature exist within the guest cluster.
This pattern is coming up a lot at the moment with new designs for CRDs, will need to come up with a common path forward
CC @enxebre
|
|
||
| // ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator | ||
| type ClusterMonitoringSpec struct { | ||
| // userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. |
There was a problem hiding this comment.
If this is not present, what does it mean?
There was a problem hiding this comment.
at the begging was optional and default disabled, but there were some issues with mandatory fields, at this point I think we can move it to mandatory and select between disabled and NamespaceIsolation.
In ConfigMap default is Disabled.
There was a problem hiding this comment.
Up to you, you could default it if you prefer, though we tend to avoid defaulting configuration APIs. What we typically do if there is a default is allow the value to be omitted and write something like
// Valid values are Disabled, NamespaceIsolation and omitted.
// When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
// The current default is Disabled.
There was a problem hiding this comment.
We declared it as mandatory, so the user has to add the field.
| // UserDefinedDisabled disables monitoring for user-defined projects. This restrics the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. | ||
| UserDefinedDisabled UserDefinedMode = "Disabled" |
There was a problem hiding this comment.
Does this supersede the presence of the user monitoring CRs that you plan to add? Could we validate somehow that disabling this disallows the creation of those CRs? And this cannot be disabled if user monitoring CRs are present?
There was a problem hiding this comment.
If this is disabled the user-defined projects are not enabled. The CR could be there just its not taking the config to create user-defined projects. As in the current ConfigMap we can switch the mode and activate user-defined projects.
There was a problem hiding this comment.
The CR could be there just its not taking the config to create user-defined projects.
Would this be surprising to a user who has configured their monitoring, how do they understand that the monitoring is not currently enabled, is something going to tell them?
There was a problem hiding this comment.
When we add the user defined monitoring CRD, we'll communicate in its status if user defined monitoring is enabled or not.
I think this is better then preventing its creation. The prevention path would raise the question of what to do with existing user defined objects when user defined is disabled. We wouldn't want to delete them (disabling them might be temporary) so preventing addition (and editing) seems like not the best solution.
There was a problem hiding this comment.
What is the use case for being able to disable?
Could you prevent disabling, unless there were no user defined CRDs?
Add UserDefinedMonitoring Add tests Add FeatureGate generate files Signed-off-by: Mario Fernandez <mariofer@redhat.com>
Co-authored-by: Eliska Romanova <eromanov@redhat.com>
marioferh
force-pushed
the
initial_cmo_api
branch
from
e35b5d4
to
2755086
Compare
Signed-off-by: Mario Fernandez <mariofer@redhat.com>
marioferh
force-pushed
the
initial_cmo_api
branch
from
2755086
to
c2f1c43
Compare
Signed-off-by: Jan Fajerski <jfajersk@redhat.com>
|
@JoelSpeed Just fyi I'll take this over in @marioferh's absence. |
|
/retest |
|
@JoelSpeed PTAL? |
| // UserDefinedMonitoring config for user-defined projects. | ||
| type UserDefinedMonitoring struct { | ||
| // mode defines the different configurations of UserDefinedMonitoring | ||
| // Valid values are UserDefinedDisabled and UserDefinedNamespaceIsolation |
There was a problem hiding this comment.
The valid values should be the yaml, not Go versions
| // Valid values are UserDefinedDisabled and UserDefinedNamespaceIsolation | |
| // Valid values are Disabled and NamespaceIsolation. |
| // UserDefinedDisabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. | ||
| UserDefinedDisabled UserDefinedMode = "Disabled" | ||
| // UserDefinedNamespaceIsolation enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. | ||
| UserDefinedNamespaceIsolation UserDefinedMode = "NamespaceIsolation" |
There was a problem hiding this comment.
Should this really be NamespaceIsolated?
There was a problem hiding this comment.
I don't feel strongly about this but I'd argue the current NamespaceIsolation is better. Its not the namespace that is isloated but the metrics access that is isolated by namespace values.
There was a problem hiding this comment.
Its not the namespace that is isloated but the metrics access that is isolated by namespace values.
You've used the word isolated to describe how the metrics are accessed here, and I think to you're point, if it were IsolatedNamespace, I'd agree that this would imply the namespace is isolated, but my suggestions was NamespaceIsolated
I'm fine with either, but my thought was that NamespaceIsolated felt more declarative, and inline with Disabled. Isolation is a process, Isolated is a state, and it's the state that declarative APIs are supposed to represent
Signed-off-by: Jan Fajerski <jfajersk@redhat.com>
|
@marioferh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Initial Implementation of Configuration CRD for the Cluster Monitoring Operator
Related: [link]
As we have a FeatureGate, the idea is to implement component by component to verify the correct behavior and facilitate the reviews.
The API comes from https://github.com/openshift/cluster-monitoring-operator/blob/7015893ece5ed0a6f888fffe09b6d10a807d6901/pkg/manifests/config.go#L51