package-server-manager: add a PodMonitor, expose metrics

stevekuznetsov · stevekuznetsov · commit 09c620018720 · 2023-08-24T07:04:55.000-06:00
Signed-off-by: Steve Kuznetsov &lt;skuznets@redhat.com&gt;
diff --git a/cmd/package-server-manager/main.go b/cmd/package-server-manager/main.go
@@ -62,6 +62,10 @@ func run(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	metricsAddr, err := cmd.Flags().GetString("metrics")
+	if err != nil {
+		return err
+	}
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 	setupLog := ctrl.Log.WithName("setup")
@@ -73,7 +77,7 @@ func run(cmd *cobra.Command, args []string) error {
 	mgr, err := ctrl.NewManager(restConfig, manager.Options{
 		Scheme:                  setupScheme(),
 		Namespace:               namespace,
-		MetricsBindAddress:      defaultMetricsPort,
+		MetricsBindAddress:      metricsAddr,
 		LeaderElection:          !disableLeaderElection,
 		LeaderElectionNamespace: namespace,
 		LeaderElectionID:        leaderElectionConfigmapName,
diff --git a/cmd/package-server-manager/start.go b/cmd/package-server-manager/start.go
@@ -16,6 +16,7 @@ func newStartCmd() *cobra.Command {
 	cmd.Flags().String("namespace", defaultNamespace, "configures the metadata.namespace that contains the packageserver csv resource")
 	cmd.Flags().String("health", defaultHealthCheckPort, "configures the health check port that the kubelet is configured to probe")
 	cmd.Flags().String("pprof", defaultPprofPort, "configures the pprof port that the process exposes")
+	cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
 	cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
 
 	return cmd
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -28,6 +28,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+            - --secure-listen-address=0.0.0.0:8443
+            - --upstream=http://127.0.0.1:9090/
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+            - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -41,6 +67,7 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -85,3 +112,7 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+        - name: package-server-manager-serving-cert
+          secret:
+            secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -28,6 +28,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+            - --secure-listen-address=0.0.0.0:8443
+            - --upstream=http://127.0.0.1:9090/
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+            - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -41,6 +67,7 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -86,3 +113,7 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+        - name: package-server-manager-serving-cert
+          secret:
+            secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.service.yaml b/manifests/0000_50_olm_06-psm-operator.service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+    include.release.openshift.io/ibm-cloud-managed: "true"
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+spec:
+  ports:
+    - name: metrics
+      port: 8443
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app: package-server-manager
+  sessionAffinity: None
+  type: ClusterIP
diff --git a/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml b/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      port: metrics
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-operator-lifecycle-manager
+  selector: {}
diff --git a/manifests/image-references b/manifests/image-references
@@ -10,3 +10,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/operator-framework/configmap-operator-registry:latest
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:latest
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -106,6 +106,10 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/operator-framework/configmap-operator-registry:latest
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:latest
 EOF
 
 cat << EOF > manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -138,6 +142,32 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
+        - args:
+          - --secure-listen-address=0.0.0.0:8443
+          - --upstream=http://127.0.0.1:9090/
+          - --tls-cert-file=/etc/tls/private/tls.crt
+          - --tls-private-key-file=/etc/tls/private/tls.key
+          - --logtostderr=true
+          image: quay.io/openshift/origin-kube-rbac-proxy:latest
+          imagePullPolicy: IfNotPresent
+          name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+          - containerPort: 8443
+            name: metrics
+            protocol: TCP
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -151,6 +181,7 @@ spec:
             - \$(PACKAGESERVER_NAME)
             - --namespace
             - \$(PACKAGESERVER_NAMESPACE)
+            - "--metrics=:9090"
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -196,6 +227,54 @@ spec:
           key: node.kubernetes.io/not-ready
           operator: Exists
           tolerationSeconds: 120
+      volumes:
+      - name: package-server-manager-serving-cert
+        secret:
+          secretName: package-server-manager-serving-cert
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+spec:
+  ports:
+  - name: metrics
+    port: 8443
+    protocol: TCP
+    targetPort: metrics
+  selector:
+    app: package-server-manager
+  sessionAffinity: None
+  type: ClusterIP
+EOF
+
+cat << EOF > manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: package-server-manager-metrics
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    port: metrics
+    scheme: https
+    tlsConfig:
+      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  namespaceSelector:
+    matchNames:
+    - openshift-operator-lifecycle-manager
+  selector: {}
 EOF
 
 cat << EOF > manifests/0000_50_olm_00-pprof-config.yaml
