package-server-manager: add a PodMonitor, expose metrics

Signed-off-by: Steve Kuznetsov <[email protected]>
openshift · Aug 24, 2023 · 09c6200 · 09c6200
1 parent 08aa6dd
commit 09c6200
Show file tree

Hide file tree

Showing 8 changed files with 191 additions and 1 deletion.
diff --git a/cmd/package-server-manager/main.go b/cmd/package-server-manager/main.go
@@ -62,6 +62,10 @@ func run(cmd *cobra.Command, args []string) error {
  if err != nil {
  return err
  }
+ metricsAddr, err := cmd.Flags().GetString("metrics")
+ if err != nil {
+ return err
+ }
 
  ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
  setupLog := ctrl.Log.WithName("setup")
@@ -73,7 +77,7 @@ func run(cmd *cobra.Command, args []string) error {
  mgr, err := ctrl.NewManager(restConfig, manager.Options{
  Scheme: setupScheme(),
  Namespace: namespace,
- MetricsBindAddress: defaultMetricsPort,
+ MetricsBindAddress: metricsAddr,
  LeaderElection: !disableLeaderElection,
  LeaderElectionNamespace: namespace,
  LeaderElectionID: leaderElectionConfigmapName,

diff --git a/cmd/package-server-manager/start.go b/cmd/package-server-manager/start.go
@@ -16,6 +16,7 @@ func newStartCmd() *cobra.Command {
  cmd.Flags().String("namespace", defaultNamespace, "configures the metadata.namespace that contains the packageserver csv resource")
  cmd.Flags().String("health", defaultHealthCheckPort, "configures the health check port that the kubelet is configured to probe")
  cmd.Flags().String("pprof", defaultPprofPort, "configures the pprof port that the process exposes")
+ cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
  cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
 
  return cmd

diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -28,6 +28,32 @@ spec:
  serviceAccountName: olm-operator-serviceaccount
  priorityClassName: "system-cluster-critical"
  containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:9090/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --logtostderr=true
+ image: quay.io/openshift/origin-kube-rbac-proxy:latest
+ imagePullPolicy: IfNotPresent
+ name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: package-server-manager-serving-cert
  - name: package-server-manager
  securityContext:
  allowPrivilegeEscalation: false
@@ -41,6 +67,7 @@ spec:
  - $(PACKAGESERVER_NAME)
  - --namespace
  - $(PACKAGESERVER_NAMESPACE)
+ - "--metrics=:9090"
  image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
  imagePullPolicy: IfNotPresent
  env:
@@ -85,3 +112,7 @@ spec:
  key: node.kubernetes.io/not-ready
  operator: Exists
  tolerationSeconds: 120
+ volumes:
+ - name: package-server-manager-serving-cert
+ secret:
+ secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -28,6 +28,32 @@ spec:
  serviceAccountName: olm-operator-serviceaccount
  priorityClassName: "system-cluster-critical"
  containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:9090/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --logtostderr=true
+ image: quay.io/openshift/origin-kube-rbac-proxy:latest
+ imagePullPolicy: IfNotPresent
+ name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: package-server-manager-serving-cert
  - name: package-server-manager
  securityContext:
  allowPrivilegeEscalation: false
@@ -41,6 +67,7 @@ spec:
  - $(PACKAGESERVER_NAME)
  - --namespace
  - $(PACKAGESERVER_NAMESPACE)
+ - "--metrics=:9090"
  image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
  imagePullPolicy: IfNotPresent
  env:
@@ -86,3 +113,7 @@ spec:
  key: node.kubernetes.io/not-ready
  operator: Exists
  tolerationSeconds: 120
+ volumes:
+ - name: package-server-manager-serving-cert
+ secret:
+ secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.service.yaml b/manifests/0000_50_olm_06-psm-operator.service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+spec:
+ ports:
+ - name: metrics
+ port: 8443
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app: package-server-manager
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml b/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: metrics
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+ namespaceSelector:
+ matchNames:
+ - openshift-operator-lifecycle-manager
+ selector: {}
diff --git a/manifests/image-references b/manifests/image-references
@@ -10,3 +10,7 @@ spec:
  from:
  kind: DockerImage
  name: quay.io/operator-framework/configmap-operator-registry:latest
+ - name: kube-rbac-proxy
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-kube-rbac-proxy:latest
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -106,6 +106,10 @@ spec:
  from:
  kind: DockerImage
  name: quay.io/operator-framework/configmap-operator-registry:latest
+ - name: kube-rbac-proxy
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-kube-rbac-proxy:latest
 EOF
 
 cat << EOF > manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -138,6 +142,32 @@ spec:
  serviceAccountName: olm-operator-serviceaccount
  priorityClassName: "system-cluster-critical"
  containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:9090/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --logtostderr=true
+ image: quay.io/openshift/origin-kube-rbac-proxy:latest
+ imagePullPolicy: IfNotPresent
+ name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: package-server-manager-serving-cert
  - name: package-server-manager
  securityContext:
  allowPrivilegeEscalation: false
@@ -151,6 +181,7 @@ spec:
  - \$(PACKAGESERVER_NAME)
  - --namespace
  - \$(PACKAGESERVER_NAMESPACE)
+ - "--metrics=:9090"
  image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
  imagePullPolicy: IfNotPresent
  env:
@@ -196,6 +227,54 @@ spec:
  key: node.kubernetes.io/not-ready
  operator: Exists
  tolerationSeconds: 120
+ volumes:
+ - name: package-server-manager-serving-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+spec:
+ ports:
+ - name: metrics
+ port: 8443
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app: package-server-manager
+ sessionAffinity: None
+ type: ClusterIP
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: metrics
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+ namespaceSelector:
+ matchNames:
+ - openshift-operator-lifecycle-manager
+ selector: {}
 EOF
 
 cat << EOF > manifests/0000_50_olm_00-pprof-config.yaml