package-server-manager: add a PodMonitor, expose metrics

stevekuznetsov · stevekuznetsov · commit 592327a2982c · 2023-09-08T06:54:38.000-06:00
Signed-off-by: Steve Kuznetsov &lt;skuznets@redhat.com&gt;
diff --git a/cmd/package-server-manager/main.go b/cmd/package-server-manager/main.go
@@ -67,6 +67,10 @@ func run(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	metricsAddr, err := cmd.Flags().GetString("metrics")
+	if err != nil {
+		return err
+	}
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 	setupLog := ctrl.Log.WithName("setup")
@@ -78,7 +82,7 @@ func run(cmd *cobra.Command, args []string) error {
 	mgr, err := ctrl.NewManager(restConfig, manager.Options{
 		Scheme:                  setupScheme(),
 		Namespace:               namespace,
-		MetricsBindAddress:      defaultMetricsPort,
+		MetricsBindAddress:      metricsAddr,
 		LeaderElection:          !disableLeaderElection,
 		LeaderElectionNamespace: namespace,
 		LeaderElectionID:        leaderElectionConfigmapName,
diff --git a/cmd/package-server-manager/start.go b/cmd/package-server-manager/start.go
@@ -17,6 +17,7 @@ func newStartCmd() *cobra.Command {
 	cmd.Flags().String("health", defaultHealthCheckPort, "configures the health check port that the kubelet is configured to probe")
 	cmd.Flags().String("pprof", defaultPprofPort, "configures the pprof port that the process exposes")
 	cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource")
+	cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
 	cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
 
 	return cmd
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -28,6 +28,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+            - --secure-listen-address=0.0.0.0:8443
+            - --upstream=http://127.0.0.1:9090/
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+            - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -43,6 +69,7 @@ spec:
             - $(PACKAGESERVER_NAMESPACE)
             - --interval
             - $(PACKAGESERVER_INTERVAL)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -89,3 +116,7 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+        - name: package-server-manager-serving-cert
+          secret:
+            secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -28,6 +28,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+            - --secure-listen-address=0.0.0.0:8443
+            - --upstream=http://127.0.0.1:9090/
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+            - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -43,6 +69,7 @@ spec:
             - $(PACKAGESERVER_NAMESPACE)
             - --interval
             - $(PACKAGESERVER_INTERVAL)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -90,3 +117,7 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+        - name: package-server-manager-serving-cert
+          secret:
+            secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.service.yaml b/manifests/0000_50_olm_06-psm-operator.service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+    include.release.openshift.io/ibm-cloud-managed: "true"
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+spec:
+  ports:
+    - name: metrics
+      port: 8443
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app: package-server-manager
+  sessionAffinity: None
+  type: ClusterIP
diff --git a/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml b/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      port: metrics
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-operator-lifecycle-manager
+  selector: {}
diff --git a/manifests/image-references b/manifests/image-references
@@ -10,3 +10,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/operator-framework/configmap-operator-registry:latest
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:latest
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -106,6 +106,10 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/operator-framework/configmap-operator-registry:latest
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:latest
 EOF
 
 cat << EOF > manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -138,6 +142,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+          - --secure-listen-address=0.0.0.0:8443
+          - --upstream=http://127.0.0.1:9090/
+          - --tls-cert-file=/etc/tls/private/tls.crt
+          - --tls-private-key-file=/etc/tls/private/tls.key
+          - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+          - containerPort: 8443
+            name: metrics
+            protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -153,6 +183,7 @@ spec:
             - \$(PACKAGESERVER_NAMESPACE)
             - --interval
             - \$(PACKAGESERVER_INTERVAL)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -200,6 +231,54 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+      - name: package-server-manager-serving-cert
+        secret:
+          secretName: package-server-manager-serving-cert
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+spec:
+  ports:
+  - name: metrics
+    port: 8443
+    protocol: TCP
+    targetPort: metrics
+  selector:
+    app: package-server-manager
+  sessionAffinity: None
+  type: ClusterIP
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    port: metrics
+    scheme: https
+    tlsConfig:
+      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  namespaceSelector:
+    matchNames:
+    - openshift-operator-lifecycle-manager
+  selector: {}
 EOF
 
 cat << EOF > manifests/0000_50_olm_00-pprof-config.yaml
