diff --git a/canary-checker/docs/reference/1-alert-manager.mdx b/canary-checker/docs/reference/1-alert-manager.mdx index 8809408d..92248a1c 100644 --- a/canary-checker/docs/reference/1-alert-manager.mdx +++ b/canary-checker/docs/reference/1-alert-manager.mdx @@ -47,7 +47,11 @@ spec: description: "A list of alert prefix names to include", scheme: '[]string' }, - + { + field: "relationships", + description: "Link the check results to components and configs using lookup expressions.", + scheme: '[Relationships](#relationships)' + }, { field: "ignore", description: "A list of alert prefix names to exclude", @@ -58,6 +62,104 @@ spec: description: "A map of label to value prefixes to find alerts on", scheme: "map[string]string" } - ]}/> +## Relationships + + + +### Lookup + + + +#### Lookup selector + +Lookup specifies the type of lookup to perform. + + + +## Inserting checks into different namespaces + +You can specify different namespaces for checks using the `namespace` field. This is helpful when checks are dynamically generated via transformation +and need to be assigned their respective namespace. + +```yaml title="alertmanager.yaml" +apiVersion: canaries.flanksource.com/v1 +kind: Canary +metadata: + name: alertmanager +spec: + interval: 30 + alertmanager: + - url: https://alertmanager.demo.aws.flanksource.com + name: alertmanager-check + alerts: + - .* + ignore: + - KubeScheduler.* + exclude_filters: + namespace: elastic-system + transform: + expr: | + results.alerts.map(r, { + 'name': r.name + r.fingerprint, + // highlight-next-line + 'namespace': 'namespace' in r.labels ? r.labels.namespace : '', + 'labels': r.labels, + 'icon': 'alert', + 'message': r.message, + 'description': r.message, + }).toJSON() +``` + +The above alertmanager canary can reside on any namespace and the check it generates are assigned the correct namespace derived from the alerts. + 
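Review bot: The `namespace` assigned by the transform at the end of the hunk is copied verbatim from the alert's `namespace` label, so whoever can get an alert into Alertmanager with a chosen label also chooses which namespace the generated check lands in; the section should say that this value is untrusted input and that the canary's service account needs write access in every namespace it can resolve to. I would add after the example: `The target namespace comes from the alert labels; restrict it to known namespaces (for example by filtering in the transform expression) rather than accepting arbitrary values, and make sure the canary's service account may create checks there.` Whether canary-checker itself restricts cross-namespace check creation is not visible here, so this is a documentation caveat, not a claim of a bypass. Separately, the closing sentence `can reside on any namespace and the check it generates are assigned` should read `can reside in any namespace and the checks it generates are assigned`.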
diff --git a/canary-checker/docs/reference/1-kubernetes.mdx b/canary-checker/docs/reference/1-kubernetes.mdx index a0a18bb4..777d394b 100644 --- a/canary-checker/docs/reference/1-kubernetes.mdx +++ b/canary-checker/docs/reference/1-kubernetes.mdx @@ -7,8 +7,8 @@ sidebar_class_name: popular The Kubernetes check performs requests on Kubernetes resources such as Pods to get the desired information. - ```yaml title="junit.yaml" file=../../../modules/canary-checker/fixtures/k8s/kubernetes-minimal_pass.yaml + ``` -## Ready - -Using `ready: true` is functionally equivalent to: +## Healthy +Using `healthy: true` is functionally equivalent to the test expression above: ```yaml apiVersion: canaries.flanksource.com/v1 @@ -38,6 +37,8 @@ spec: - namespace: kube-system name: kube-system kind: Pod + //highlight-next-line + healthy: true resource: labelSelector: k8s-app=kube-dns namespaceSelector: @@ -48,16 +49,26 @@ spec: map(i, i.Object). filter(i, !k8s.isHealthy(i)). map(i, "%s/%s -> %s".format([i.metadata.namespace, i.metadata.name, k8s.getHealth(i).message])).join('\n') - test: - expr: dyn(results).all(x, k8s.isHealthy(x)) ``` -See the CEL *Kubernetes* docs for more details on the `k8s.isHealthy` and other functions available +See the CEL _Kubernetes_ docs for more details on the `k8s.isHealthy` and other functions available + +## Ready + +Similar to the `healthy` flag, there's also a `ready` flag which is functionally equivalent to having the following test expression + +``` +dyn(results).all(x, k8s.isReady(x)) +``` + +---
```yaml title="junit.yaml" file=../../../modules/canary-checker/fixtures/k8s/certmanager.yaml + ``` +
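Review bot: The `test:` / `expr: dyn(results).all(x, k8s.isHealthy(x))` lines removed in this hunk are the only visible candidate for "the test expression above" that the new Healthy section refers to, so after this change that reference points at nothing on the page unless the included fixture happens to contain it. The Ready section added here already quotes its expression inline; the Healthy section should do the same, i.e. state `dyn(results).all(x, k8s.isHealthy(x))` next to `healthy: true` so the equivalence is verifiable without reading the fixture. The fence added at the end of the hunk carries `title="junit.yaml"` for `fixtures/k8s/certmanager.yaml`, which looks copy-pasted and should be titled after the cert-manager fixture. The YAML example's `spec` block begins before this hunk.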
diff --git a/canary-checker/docs/reference/3-aws-ec2.mdx b/canary-checker/docs/reference/3-aws-ec2.mdx deleted file mode 100644 index 9078dd98..00000000 --- a/canary-checker/docs/reference/3-aws-ec2.mdx +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: AWS EC2 -sidebar_class_name: beta -sidebar_position: 1 -tags: -- enterprise ---- - -# EC2 - - -This check connects to an AWS account with the specified credentials, launch an EC2 instance with an option for `userData`. -This test can be used to check the availability of an ami, account service limits, run backup & restore operations, etc. - -```yaml file=../../../modules/canary-checker/fixtures/aws/ec2_pass.yaml -``` - - - - diff --git a/canary-checker/sidebars.js b/canary-checker/sidebars.js index d880b062..d639fa21 100644 --- a/canary-checker/sidebars.js +++ b/canary-checker/sidebars.js @@ -67,7 +67,6 @@ module.exports = { id: 'concepts/secret-management', label: 'Secret Management' }, - { type: 'category', label: 'Expressions', diff --git a/mission-control/docs/installation/aws-eks.mdx b/mission-control/docs/installation/aws-eks.mdx index c9a86368..785d0969 100644 --- a/mission-control/docs/installation/aws-eks.mdx +++ b/mission-control/docs/installation/aws-eks.mdx 
@@ -125,24 +125,24 @@ helm install mission-control \ (b) Modify the trust policy of the IAM role by changing the OIDC arn, OIDC endpoint and the namespace below. ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::7458xxxxxxxx:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:config-db-sa", - "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:mission-control-sa", - "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:canary-checker-sa", - "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:aud": "sts.amazonaws.com" - } - } - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::7458xxxxxxxx:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:config-db-sa", + "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:mission-control-sa", + "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:canary-checker-sa", + "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:aud": "sts.amazonaws.com" + } + } + } + ] } ``` diff --git a/mission-control/docs/installation/chart-permissions.md b/mission-control/docs/installation/chart-permissions.md new file mode 100644 index 00000000..a484e5b6 --- /dev/null +++ b/mission-control/docs/installation/chart-permissions.md 
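Review bot: The `StringEquals` block on the new side repeats the same condition key `oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub` three times; a JSON object cannot carry duplicate keys, and an IAM policy parser keeps only one of them (in practice the last), so a reader who pastes this trust policy is likely to end up with a role that only `canary-checker-sa` can assume and an unexplained `AccessDenied` for the other two service accounts. This hunk only re-indents, so the defect predates the change, but it is worth fixing while the block is touched: use one `:sub` key with an array value, `"oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": ["system:serviceaccount:namespace:config-db-sa", "system:serviceaccount:namespace:mission-control-sa", "system:serviceaccount:namespace:canary-checker-sa"]`. Since `StringEquals` on `:sub` is the only thing pinning the role to those three identities, getting this right is what keeps any other workload in the cluster from assuming it.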
@@ -0,0 +1,36 @@ +# Fine tuning permission + +## Canary Checker + +Canary Checker, by default, uses a highly permissive service account. +You can configure the permissions on that service account via the helm values. + +```yaml title="values.yaml" +.... +rbac: + # Whether to create cluster-wide or namespaced roles + cluster_role: false + + # for secret management with valueFrom + tokenRequest: true + secrets: true + configmaps: true + + # for use with kubernetes resource lookups + readAll: true + + # for pod and junit canaries + podsCreateAndDelete: true + + # for pod canary + ingressCreateAndDelete: true + + # for kubernetes resource check & namespace check + namespaceCreateAndDelete: true +``` + +The first thing to decide on is whether to grant cluster role access or namespace access +to the service account. + +If certain checks do not need to be performed, the corresponding permissions required for them can be disabled. +Example: the `readAll` permission is essential to run the Kubernetes lookup check. diff --git a/mission-control/modules/canary-checker b/mission-control/modules/canary-checker index 8bed8b91..0f2a3389 160000 --- a/mission-control/modules/canary-checker +++ b/mission-control/modules/canary-checker @@ -1 +1 @@ -Subproject commit 8bed8b9176e19bd3fcdf2f995ef31fc1ccd572f8 +Subproject commit 0f2a33894abdf193b507d5a8078a3e4741b6aaff diff --git a/mission-control/modules/mission-control b/mission-control/modules/mission-control index e1afeb6f..780ba02d 160000 --- a/mission-control/modules/mission-control +++ b/mission-control/modules/mission-control @@ -1 +1 @@ -Subproject commit e1afeb6f1219434685fa57b6ab45a4171126d752 +Subproject commit 780ba02d051367f5733e50772720d837d185f50a diff --git a/mission-control/sidebars.js b/mission-control/sidebars.js index f1dedff3..bb608473 100644 --- a/mission-control/sidebars.js +++ b/mission-control/sidebars.js @@ -41,8 +41,7 @@ const sidebars = { type: 'doc', id: 'canary-checker/cli', label: 'CLI' - }, - + } ] }, { 
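Review bot: The `values.yaml` snippet leaves `secrets`, `readAll`, `podsCreateAndDelete`, `ingressCreateAndDelete` and `namespaceCreateAndDelete` all `true`, and the page never says whether these are the chart defaults or merely an example, so a reader hardening an install cannot tell what switching a flag off actually removes. The dangerous combinations deserve an explicit warning: with `cluster_role: true`, `secrets: true` reads every Secret in the cluster and `podsCreateAndDelete: true` lets the service account run arbitrary pods in any namespace, which is generally enough to escalate further (hostPath mounts, other service accounts' tokens); whether `readAll` also covers Secrets is not stated and should be. I would add after the snippet: `Keep cluster_role: false and leave podsCreateAndDelete, namespaceCreateAndDelete and secrets disabled unless a check needs them; combined with a cluster role each of these is a cluster-wide write or Secret-read capability.` The heading `# Fine tuning permission` should read `# Fine-tuning permissions`, and the lone `Example: the readAll permission is essential ...` line would be more useful as a short list of which check each flag gates.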
@@ -59,7 +58,6 @@ const sidebars = { id: 'canary-checker/concepts/grafana', label: 'Grafana' }, - { type: 'category', label: 'Expressions', @@ -96,13 +94,12 @@ const sidebars = { ] }, - { type: 'category', - label: "Checks", + label: 'Checks', items: [ { - className: "condensed", + className: 'condensed', type: 'autogenerated', dirName: 'canary-checker/reference' } @@ -118,34 +115,25 @@ const sidebars = { label: 'Blackbox Exporter' } ] - }, - + } ], configdbSidebar: [ { type: 'autogenerated', dirName: 'config-db' - - }, + } ], playbooksSidebar: [ - { type: 'autogenerated', dirName: 'playbooks' - - }, - + } ], topologySidebar: [ - - { type: 'autogenerated', dirName: 'topology' - - }, - + } ], notificationsSidebar: [ { @@ -187,7 +175,7 @@ const sidebars = { type: 'doc', id: 'notifications/events/health-checks', label: 'Health Checks' - }, + } // { // type: 'doc', // id: 'notifications/events/incidents', @@ -232,7 +220,7 @@ const sidebars = { reference: [ { type: 'autogenerated', - dirName: "reference" + dirName: 'reference' } ], overview: [ @@ -255,7 +243,6 @@ const sidebars = { label: 'SaaS', id: 'installation/saas' }, - { type: 'category', label: 'Self-Hosted', @@ -280,11 +267,11 @@ const sidebars = { id: 'installation/monitoring-and-tracing', label: 'Monitoring & Tracing' }, - // { - // type: 'doc', - // id: 'installation/artifacts', - // label: 'Artifacts' - // }, + { + type: 'doc', + id: 'installation/chart-permissions', + label: 'Security' + } ] },