MON-4361,MON-4380: Optional Monitoring Capability #2675
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@rexagod: This pull request references MON-4361 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rexagod The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
rexagod
force-pushed
the
MON-4361
branch
3 times, most recently
from
c4db7d8 to
a322ff8
Compare
There was a problem hiding this comment.
It might be good to wait for #2649 since it's migrating all the dashboards to static assets.
On the jsonnet implementation side, I wonder if it wouldn't easier to read/maintain if we inject the annotation into each component that needs it.
E.g. here for components for which all resources are OptionalMonitoring
cluster-monitoring-operator/jsonnet/main.jsonnet
Lines 520 to 539 in ea9a533
Or at the level of the jsonnet component file in case it's per resource.
CHANGELOG.md
Outdated
| - `KubePdbNotEnoughHealthyPods` | ||
| - `KubeNodePressure` | ||
| - `KubeNodeEviction` | ||
| - []() Allow cluster-admins to opt-into optional monitoring using the `OptionalMonitoring` capability. |
There was a problem hiding this comment.
I realize that adding the annotation to the manifests under the assets/ directory will have no direct effect since there's no logic in CMO to deploy these resources conditionally, right?
There was a problem hiding this comment.
I've raised a PR for that: https://github.com/openshift/cluster-monitoring-operator/pull/2688/files.
rexagod
force-pushed
the
MON-4361
branch
2 times, most recently
from
461f6b9 to
cbdd203
Compare
rexagod
changed the title
|
Reverted the |
| kind: ValidatingWebhookConfiguration | ||
| metadata: | ||
| annotations: | ||
| capability.openshift.io/name: OptionalMonitoring |
There was a problem hiding this comment.
If the service is optional (*), shouldn't we apply the annotation to all admission-webhook resources?
(*) there could be an argument that we still want the admission webhook for PrometheusRule resources because of telemetry?
There was a problem hiding this comment.
Yes that was my understanding as well, so I limited this to AM strictly.
There was a problem hiding this comment.
Ah I didn't realize that this webhook configuration was specifically for AlertmanagerConfig resources. I would still recommend that we document the rationale for not having all admission-webhook resources marked as optional (not sure where it should happen though).
There was a problem hiding this comment.
Added a description annotation on the object.
There was a problem hiding this comment.
Not directly related to this change but if the console is disabled, wouldn't it be logical to avoid deploying the monitoring plugin resources?
There was a problem hiding this comment.
True, I've moved the plugin to be independent of the OptionalMonitoring capability and instead made it dependent on the Console one, which is in-line with its task's behavior, PTAL at commit: 55d6da0.
| annotations: | ||
| api-approved.openshift.io: https://github.com/openshift/api/pull/1406 | ||
| api.openshift.io/merged-by-featuregates: "true" | ||
| capability.openshift.io/name: OptionalMonitoring |
There was a problem hiding this comment.
not sure that CMO will start if the CRDs aren't present.
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| capability.openshift.io/name: OptionalMonitoring |
There was a problem hiding this comment.
same here: IIRC the Prometheus operator will (at the minimum) log errors if the CRDs aren't installed.
Metric rules and metrics exporters have not been opted-in to keep the telemetry rules functioning. Optional components include: * Alertmanager * AlertmanagerUWM * ClusterMonitoringOperatorDeps (partially, for AM) * MonitoringPlugin * PromtheusOperator (partially, for AM) * PromtheusOperatorUWM * ThanosRuler Signed-off-by: Pranshu Srivastava <[email protected]>
Drop `monitoring-plugin` from optional components as its deployment should only rely on the `Console` capability. This is in-line with its corresponding task's behavior as well. Also refactored the `jsonnet` code a bit. Signed-off-by: Pranshu Srivastava <[email protected]>
Enabling the `OptionalMonitoring` capability translates to enabling all optional monitoring components under CMO. Note that since capabilities cannot be disabled once enabled, so cleanup for optional monitoring resources is not necessary. To clarify further, there are two possible paths at install time: * capability is disabled -> enabled (no need to cleanup) * capability is enabled -/> (cannot be disabled) (no need to cleanup) Signed-off-by: Pranshu Srivastava <[email protected]>
|
x-posting from #2688:
I believe that would require us to bake that behavior into several I also think a per-component exclusion at component initialization lets us dodge the need for a cache-based EDIT: I've refactored the patch to not modify the tasks' orchestration, but the tasks themselves as I realised that we don't actually need to think about cleaning these up, quoting the third commit:
|
rexagod
changed the title
|
@rexagod: This pull request references MON-4361 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set. This pull request references MON-4380 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Excluding CRDs from optional monitoring as their absence can cause CMO and PO to crash or throw errors at the very least. Signed-off-by: Pranshu Srivastava <[email protected]>
pkg/client/client.go
Outdated
| } | ||
|
|
||
| func (c *Client) HasOptionalMonitoringCapability(ctx context.Context) (bool, error) { | ||
| return c.HasClusterCapability(ctx, "") |
There was a problem hiding this comment.
/hold
Needs openshift/api#2468
openshift-ci
bot
added
the
do-not-merge/hold
| kind: ValidatingWebhookConfiguration | ||
| metadata: | ||
| annotations: | ||
| capability.openshift.io/name: OptionalMonitoring |
There was a problem hiding this comment.
Ah I didn't realize that this webhook configuration was specifically for AlertmanagerConfig resources. I would still recommend that we document the rationale for not having all admission-webhook resources marked as optional (not sure where it should happen though).
| }, | ||
| }, | ||
| }, | ||
| local addAnnotationToChildren(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = |
There was a problem hiding this comment.
| local addAnnotationToChildren(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = | |
| local addAnnotationToChildren(parent, key, value) = |
| @@ -0,0 +1,31 @@ | |||
| { | |||
| local addAnnotationToChild(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = | |||
There was a problem hiding this comment.
(nit) o (for object) instead of parent?
| local addAnnotationToChild(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = | |
| local addAnnotationToChild(o, key, value) = |
| local annotationKeyCapability = 'capability.openshift.io/name', | ||
| local annotationValueConsoleCapability = 'Console', | ||
| local annotationValueOptionalMonitoringCapability = 'OptionalMonitoring', | ||
| consoleForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueConsoleCapability), |
There was a problem hiding this comment.
(suggestion) can we add a small comment before each function to describe what it does?
pkg/tasks/alertmanager.go
Outdated
|
|
||
| func (t *AlertmanagerTask) Run(ctx context.Context) error { | ||
| if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { | ||
| optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) |
There was a problem hiding this comment.
Can we have the operator retrieve the information about monitoring capability once before reconciling and provide the information to each task runner?
In the same vein, we create a small helper which would wrap a "Task" and run it only if the monitoring capability is enabled (e.g. useful for "Task"s for which all managed resources are dependent on the capability).
jsonnet/versions.yaml
Outdated
| nodeExporter: 1.9.1 | ||
| promLabelProxy: 0.12.1 | ||
| prometheus: 3.5.0 | ||
| prometheus: 3.6.0 |
There was a problem hiding this comment.
(nit) don't bother about updating the versions.yaml file in this PR.
Signed-off-by: Pranshu Srivastava <[email protected]>
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| capability.openshift.io/name: OptionalMonitoring |
There was a problem hiding this comment.
Nit: OptionalMonitoring seems like a fairly redundant name for an optional capability? Is there no more specific/descriptive name we can use for the portion of the monitoring component that's covered by this capability name? If the naming has already been hashed out in an enhancement or something, just point me at that discussion. I'm not trying to re-open something that's already settled.
There was a problem hiding this comment.
OptionalMonitoring indicates a capability that targets the optional components of the monitoring stack. Internally, we've used the same terminology for all components that are not required for telemetry. In retrospect, this seemed better than, say, NonTelemetryComponents, but open to ideas.
There was a problem hiding this comment.
(I followed these steps to go about implementing this capability, so I didn't create an EP, but PLMK if that's necessary)
Signed-off-by: Pranshu Srivastava <[email protected]>
|
Trying to spin up a cluster for the better part of today, but no luck, so I still need to test out the latest commit(s) just to be sure. |
|
@rexagod: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Missed this part, on it. |
4 participants
Metric rules and metrics exporters have not been opted-in to keep the telemetry rules functioning.