Operator to manage deadmanssnitch configs for Openshift Dedicated
The operator runs on hive. It has a single controller. It:
- Requires a master Secret to talk to the Dead Man's Snitch API.
This secret is expected to be named
deadmanssnitch-api-keyand live in thedeadmanssnitch-operatornamespace. - Pays attention to ClusterDeployments that are:
- Installed (
spec.installed=true) - Managed (label
api.openshift.com/managed="true")
- Installed (
- For each such ClusterDeployment:
- Adds a finalizer to the ClusterDeployment to ensure we get a chance to clean up when it is deleted.
- Creates a Snitch
- Creates a Secret in the ClusterDeployment's namespace named
{clusterdeploymentname}-dms-secret. The Secret contains the Snitch URL. - Creates a SyncSet in the ClusterDeployment's namespace named
{clusterdeploymentname}-dms}. The SyncSet creates a SecretMapping that makes the above Secret appear inside the cluster asdms-secretin theopenshift-monitoringnamespace.
metricDeadMansSnitchHeartbeat: Every 5 minutes, makes a request to the Dead Man's Snitch API using the API key and updates the gauge to 1 when the response code is between 200-299.
- DeadMansSnitchAPIUnavailable - Unable to communicate with Dead Man's Snitch API for 15 minutes.
- Create an account on https://deadmanssnitch.com/
- Choose a plan that allows enhanced snitch intervals(Private eye or above)
- Create an API key
- Create the following secret which is required for deadmanssnitch-operator to create snitches
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
data:
tags: <Tag for snitches>
deadmanssnitch-api-key: <deadmanssnitch API key here>- Build a docker image and replace
REPLACE_IMAGEoperator.yaml field with that image- you can do that using
oc create -f https://github.com/openshift/deadmanssnitch-operator/raw/master/deploy/operator.yaml --dry-run=client -oyaml | oc set image --local -f - --dry-run=client -oyaml *=REPLACE_IMAGE
- you can do that using
- Deploy using
oc apply -f deploy/
how to develop this locally
Methods include:
Hive CRDs need to be installed on the cluster.
Clone hive repo and run
git clone https://github.com/openshift/hive.git
oc apply -f hive/config/crds
Install the DeadMansSnitchIntegration CRD, create the operator namespace and other operator dependencies:
oc apply -f deploy/crds/deadmanssnitch.managed.openshift.io_deadmanssnitchintegrations.yaml
oc new-project deadmanssnitch-operator
oc apply -f deploy/role.yaml
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role_binding.yaml
Create a secret which will contain the DeadMansSnitch API Key and Hive Cluster Tag.
You will require an API Key signed up to a DeadMansSnitch plan that allows for enhanced snitch intervals (the "Private Eye" plan). You can alternatively test the deadmanssnitch-operator by signing up to the free tier DeadMansSnitch plan (limited to 1 snitch), but doing so will require you to customize the snitch interval from 15_minute to hourly. This can be performed in deadmanssnitchintegration_controller.go
Adjust the example below and apply the file with oc apply -f <file>. Note that the values for tags and deadmanssnitch-api-key need to be base64 encoded. This can be performed using echo -n <text> | base64.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
data:
tags: <value>
deadmanssnitch-api-key: <value>Create a DeadMansSnitchIntegration CR which will be used to identify clusters to apply DMS to.
The example below will target clusterdeployments that have a api.openshift.com/test label set to "true". Apply it using oc apply -f <file>.
apiVersion: deadmanssnitch.managed.openshift.io/v1alpha1
kind: DeadmansSnitchIntegration
metadata:
finalizers:
- dms.managed.openshift.io/deadmanssnitch-osd
name: test-dmsi
namespace: deadmanssnitch-operator
spec:
clusterDeploymentSelector:
matchExpressions:
- key: api.openshift.com/test
operator: In
values:
- "true"
dmsAPIKeySecretRef:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
snitchNamePostFix: "test"
tags:
- test
targetSecretRef:
name: dms-secret-test
namespace: openshift-monitoringexport OPERATOR_NAME=deadmanssnitch-operator
go run main.go
You can create a dummy ClusterDeployment by copying a real one from an active hive
real-hive$ oc get cd -n <namespace> <cdname> -o yaml > /tmp/fake-clusterdeployment.yaml
...
$ oc create namespace fake-cluster-namespace
$ oc apply -f /tmp/fake-clusterdeployment.yaml
deadmanssnitch-operator doesn't start reconciling clusters until the clusterdeployment's spec.installed is set to true. If present, set spec.installed to true.
oc edit clusterdeployment fake-cluster -n fake-cluster-namespace
Ensure that the ClusterDeployment is labelled with the label from your DMSI's clusterDeploymentSelector clause.
Using the example from earlier:
oc label clusterdeployment -n <namespace> <cdname> api.openshift.com/test=true
To trigger deadmanssnitch-operator to remove the service in DeadMansSnitch, you can either delete the clusterdeployment or remove the clusterDeploymentSelector label:
oc delete clusterdeployment fake-cluster -n fake-cluster-namespace
If deleting the clusterdeployment, you may need to remove dangling finalizers from the clusterdeployment object.
oc edit clusterdeployment fake-cluster -n fake-cluster-namespace