From 929daf86046568ce45ece418736e2192f153937c Mon Sep 17 00:00:00 2001 From: Pranshu Srivastava Date: Tue, 30 Sep 2025 21:23:34 +0530 Subject: [PATCH 1/6] MON-4361: Annotate optional monitoring resources Metric rules and metrics exporters have not been opted-in to keep the telemetry rules functioning. Optional components include: * Alertmanager * AlertmanagerUWM * ClusterMonitoringOperatorDeps (partially, for AM) * MonitoringPlugin * PrometheusOperator (partially, for AM) * PrometheusOperatorUWM * ThanosRuler
Signed-off-by: Pranshu Srivastava --- ...lertmanager-config-validating-webhook.yaml | 1 + .../alertmanager.yaml | 1 + .../cluster-role-binding.yaml | 2 ++ .../cluster-role.yaml | 2 ++ .../kube-rbac-proxy-metric-secret.yaml | 2 ++ .../kube-rbac-proxy-secret.yaml | 2 ++ .../kube-rbac-proxy-tenancy-secret.yaml | 2 ++ .../pod-disruption-budget.yaml | 2 ++ assets/alertmanager-user-workload/secret.yaml | 2 ++ .../service-account.yaml | 2 ++ .../service-monitor.yaml | 2 ++ .../alertmanager-user-workload/service.yaml | 1 + .../trusted-ca-bundle.yaml | 1 + assets/alertmanager/alertmanager.yaml | 1 + assets/alertmanager/cluster-role-binding.yaml | 2 ++ assets/alertmanager/cluster-role.yaml | 2 ++ .../kube-rbac-proxy-metric-secret.yaml | 2 ++ .../alertmanager/kube-rbac-proxy-secret.yaml | 2 ++ .../kube-rbac-proxy-web-secret.yaml | 2 ++ .../alertmanager/pod-disruption-budget.yaml | 2 ++ assets/alertmanager/prometheus-rule.yaml | 2 ++ assets/alertmanager/route.yaml | 1 + assets/alertmanager/secret.yaml | 2 ++ assets/alertmanager/service-account.yaml | 2 ++ assets/alertmanager/service-monitor.yaml | 2 ++ assets/alertmanager/service.yaml | 1 + assets/alertmanager/trusted-ca-bundle.yaml | 1 + .../alerting-edit-cluster-role.yaml | 2 ++ .../monitoring-alertmanager-edit-role.yaml | 2 ++ .../monitoring-alertmanager-view-role.yaml | 2 ++ ...user-workload-alertmanager-api-reader.yaml | 2 ++ ...user-workload-alertmanager-api-writer.yaml | 2 ++ .../user-workload-config-edit-role.yaml | 2 ++ assets/monitoring-plugin/console-plugin.yaml | 2 ++ assets/monitoring-plugin/deployment.yaml | 2 ++ .../pod-disruption-budget.yaml | 2 ++ assets/monitoring-plugin/service-account.yaml | 2 ++ assets/monitoring-plugin/service.yaml | 1 + .../cluster-role-binding.yaml | 2 ++ .../cluster-role.yaml | 2 ++ .../deployment.yaml | 2 ++ .../kube-rbac-proxy-secret.yaml | 2 ++ .../service-account.yaml | 2 ++ .../service-monitor.yaml | 2 ++ .../service.yaml | 1 + .../alertmanager-role-binding.yaml | 2 ++ 
...ertmanager-user-workload-role-binding.yaml | 2 ++ .../cluster-role-binding.yaml | 2 ++ .../cluster-role.yaml | 2 ++ .../prometheus-user-workload/config-map.yaml | 2 ++ .../federate-route.yaml | 1 + .../grpc-tls-secret.yaml | 2 ++ .../kube-rbac-proxy-federate-secret.yaml | 2 ++ .../kube-rbac-proxy-metrics-secret.yaml | 2 ++ .../pod-disruption-budget.yaml | 2 ++ .../prometheus-user-workload/prometheus.yaml | 1 + .../role-binding-config.yaml | 2 ++ .../role-binding-specific-namespaces.yaml | 2 ++ .../prometheus-user-workload/role-config.yaml | 2 ++ .../role-specific-namespaces.yaml | 2 ++ .../service-account.yaml | 2 ++ .../service-monitor-thanos-sidecar.yaml | 2 ++ .../service-monitor.yaml | 2 ++ .../service-thanos-sidecar.yaml | 1 + assets/prometheus-user-workload/service.yaml | 1 + .../serving-certs-ca-bundle.yaml | 1 + .../trusted-ca-bundle.yaml | 1 + .../alertmanager-role-binding.yaml | 2 ++ ...ertmanager-user-workload-role-binding.yaml | 2 ++ .../alertmanagers-config-secret.yaml | 2 ++ .../cluster-role-binding-monitoring.yaml | 2 ++ assets/thanos-ruler/cluster-role-binding.yaml | 2 ++ assets/thanos-ruler/cluster-role.yaml | 2 ++ assets/thanos-ruler/grpc-tls-secret.yaml | 2 ++ .../kube-rbac-proxy-metrics-secret.yaml | 2 ++ .../kube-rbac-proxy-web-secret.yaml | 2 ++ .../thanos-ruler/pod-disruption-budget.yaml | 2 ++ assets/thanos-ruler/query-config-secret.yaml | 2 ++ assets/thanos-ruler/route.yaml | 1 + assets/thanos-ruler/service-account.yaml | 1 + assets/thanos-ruler/service-monitor.yaml | 2 ++ assets/thanos-ruler/service.yaml | 1 + .../thanos-ruler-prometheus-rule.yaml | 2 ++ assets/thanos-ruler/thanos-ruler.yaml | 1 + .../components/admission-webhook.libsonnet | 5 ++-- .../alertmanager-user-workload.libsonnet | 7 +++-- jsonnet/components/alertmanager.libsonnet | 7 +++-- .../cluster-monitoring-operator.libsonnet | 29 ++++++++++--------- .../components/monitoring-plugin.libsonnet | 6 ++-- ...rometheus-operator-user-workload.libsonnet | 7 +++-- 
.../components/prometheus-operator.libsonnet | 24 ++++++++++++++- .../prometheus-user-workload.libsonnet | 7 +++-- jsonnet/components/thanos-ruler.libsonnet | 7 +++-- ...rtingrules-custom-resource-definition.json | 2 +- ...belconfigs-custom-resource-definition.json | 2 +- .../opt-into-optional-monitoring.libsonnet | 27 +++++++++++++++++ ...rtingrules-custom-resource-definition.yaml | 1 + ...ger-config-custom-resource-definition.yaml | 1 + ...ertmanager-custom-resource-definition.yaml | 1 + ...belconfigs-custom-resource-definition.yaml | 1 + ..._00_0probe-custom-resource-definition.yaml | 1 + ...hanosruler-custom-resource-definition.yaml | 1 + ...-operator_02-alert-customization-role.yaml | 1 + 103 files changed, 254 insertions(+), 31 deletions(-) create mode 100644 jsonnet/utils/opt-into-optional-monitoring.libsonnet
diff --git a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml
index 344fdb41cd..f958301294 100644
--- a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml
+++ b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml
@@ -2,6 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 service.beta.openshift.io/inject-cabundle: "true"
 labels:
 app.kubernetes.io/component: controller
diff --git a/assets/alertmanager-user-workload/alertmanager.yaml b/assets/alertmanager-user-workload/alertmanager.yaml
index 5a401bc9eb..f97492d8f5 100644
--- a/assets/alertmanager-user-workload/alertmanager.yaml
+++ b/assets/alertmanager-user-workload/alertmanager.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: Alertmanager
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator
 labels:
 app.kubernetes.io/component: alert-router
diff --git a/assets/alertmanager-user-workload/cluster-role-binding.yaml b/assets/alertmanager-user-workload/cluster-role-binding.yaml
index 67131fd71a..064194d24e 100644
--- a/assets/alertmanager-user-workload/cluster-role-binding.yaml
+++ b/assets/alertmanager-user-workload/cluster-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/alertmanager-user-workload/cluster-role.yaml b/assets/alertmanager-user-workload/cluster-role.yaml
index 43ced39083..636e119875 100644
--- a/assets/alertmanager-user-workload/cluster-role.yaml
+++ b/assets/alertmanager-user-workload/cluster-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
index fb936dff42..af19010987 100644
--- a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
+++ b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: alertmanager-user-workload
diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml
index ab374ffbe6..4b854a7183 100644
--- a/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml
+++ b/assets/alertmanager-user-workload/kube-rbac-proxy-secret.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: alertmanager-user-workload
diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml
index 9dbb3880cd..3407e7a58e 100644
--- a/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml
+++ b/assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: alertmanager-user-workload
diff --git a/assets/alertmanager-user-workload/pod-disruption-budget.yaml b/assets/alertmanager-user-workload/pod-disruption-budget.yaml
index 3b9139d2fb..cd62534810 100644
--- a/assets/alertmanager-user-workload/pod-disruption-budget.yaml
+++ b/assets/alertmanager-user-workload/pod-disruption-budget.yaml
@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: user-workload
diff --git a/assets/alertmanager-user-workload/secret.yaml b/assets/alertmanager-user-workload/secret.yaml
index 3d3780669f..66679f7eaa 100644
--- a/assets/alertmanager-user-workload/secret.yaml
+++ b/assets/alertmanager-user-workload/secret.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: user-workload
diff --git a/assets/alertmanager-user-workload/service-account.yaml b/assets/alertmanager-user-workload/service-account.yaml
index 9a0593efbd..d403846f2e 100644
--- a/assets/alertmanager-user-workload/service-account.yaml
+++ b/assets/alertmanager-user-workload/service-account.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: user-workload
diff --git a/assets/alertmanager-user-workload/service-monitor.yaml b/assets/alertmanager-user-workload/service-monitor.yaml
index 84d5a21c3d..8614e42ea3 100644
--- a/assets/alertmanager-user-workload/service-monitor.yaml
+++ b/assets/alertmanager-user-workload/service-monitor.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: user-workload
diff --git a/assets/alertmanager-user-workload/service.yaml b/assets/alertmanager-user-workload/service.yaml
index 5cadee3e4a..a677eda3d3 100644
--- a/assets/alertmanager-user-workload/service.yaml
+++ b/assets/alertmanager-user-workload/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: |-
 Expose the user-defined Alertmanager web server within the cluster on the following ports:
 * Port 9095 provides access to the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-api-reader` role (for read-only operations) or `monitoring-alertmanager-api-writer` role in the `openshift-user-workload-monitoring` project.
diff --git a/assets/alertmanager-user-workload/trusted-ca-bundle.yaml b/assets/alertmanager-user-workload/trusted-ca-bundle.yaml
index 9ce49bd9f3..1806c83380 100644
--- a/assets/alertmanager-user-workload/trusted-ca-bundle.yaml
+++ b/assets/alertmanager-user-workload/trusted-ca-bundle.yaml
@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/owning-component: Monitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/alertmanager/alertmanager.yaml b/assets/alertmanager/alertmanager.yaml
index f074056bcc..fcc3933a0b 100644
--- a/assets/alertmanager/alertmanager.yaml
+++ b/assets/alertmanager/alertmanager.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: Alertmanager
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 operator.prometheus.io/controller-id: openshift-monitoring/prometheus-operator
 labels:
 app.kubernetes.io/component: alert-router
diff --git a/assets/alertmanager/cluster-role-binding.yaml b/assets/alertmanager/cluster-role-binding.yaml
index 88b58b0d57..7202346c29 100644
--- a/assets/alertmanager/cluster-role-binding.yaml
+++ b/assets/alertmanager/cluster-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/alertmanager/cluster-role.yaml b/assets/alertmanager/cluster-role.yaml
index bd6eff9f11..30e525f062 100644
--- a/assets/alertmanager/cluster-role.yaml
+++ b/assets/alertmanager/cluster-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
index a028c4b31a..f480fa2616 100644
--- a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
+++ b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: alertmanager-main
diff --git a/assets/alertmanager/kube-rbac-proxy-secret.yaml b/assets/alertmanager/kube-rbac-proxy-secret.yaml
index 767f1c0dbe..cf17da6356 100644
--- a/assets/alertmanager/kube-rbac-proxy-secret.yaml
+++ b/assets/alertmanager/kube-rbac-proxy-secret.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/name: alertmanager-main
diff --git a/assets/alertmanager/kube-rbac-proxy-web-secret.yaml b/assets/alertmanager/kube-rbac-proxy-web-secret.yaml
index bd8c0731c2..4c85826b00 100644
--- a/assets/alertmanager/kube-rbac-proxy-web-secret.yaml
+++ b/assets/alertmanager/kube-rbac-proxy-web-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/alertmanager/pod-disruption-budget.yaml b/assets/alertmanager/pod-disruption-budget.yaml
index a6e600259c..b139586d02 100644
--- a/assets/alertmanager/pod-disruption-budget.yaml
+++ b/assets/alertmanager/pod-disruption-budget.yaml
@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: main
diff --git a/assets/alertmanager/prometheus-rule.yaml b/assets/alertmanager/prometheus-rule.yaml
index b9b60b8842..8a19e8ff0c 100644
--- a/assets/alertmanager/prometheus-rule.yaml
+++ b/assets/alertmanager/prometheus-rule.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: main
diff --git a/assets/alertmanager/route.yaml b/assets/alertmanager/route.yaml
index ada479a4a5..a2173b70b9 100644
--- a/assets/alertmanager/route.yaml
+++ b/assets/alertmanager/route.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Route
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: Expose the `/api` endpoints of the `alertmanager-main` service via a router.
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/alertmanager/secret.yaml b/assets/alertmanager/secret.yaml
index ba664f097b..cfe72864bd 100644
--- a/assets/alertmanager/secret.yaml
+++ b/assets/alertmanager/secret.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: main
diff --git a/assets/alertmanager/service-account.yaml b/assets/alertmanager/service-account.yaml
index f55810dac3..495ffedcbd 100644
--- a/assets/alertmanager/service-account.yaml
+++ b/assets/alertmanager/service-account.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: main
diff --git a/assets/alertmanager/service-monitor.yaml b/assets/alertmanager/service-monitor.yaml
index 0f133fbc8c..b06552bc38 100644
--- a/assets/alertmanager/service-monitor.yaml
+++ b/assets/alertmanager/service-monitor.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: alert-router
 app.kubernetes.io/instance: main
diff --git a/assets/alertmanager/service.yaml b/assets/alertmanager/service.yaml
index 557dbb1dab..8777622e29 100644
--- a/assets/alertmanager/service.yaml
+++ b/assets/alertmanager/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: |-
 Expose the Alertmanager web server within the cluster on the following ports:
 * Port 9094 provides access to all the Alertmanager endpoints. Granting access requires binding a user to the `monitoring-alertmanager-view` role (for read-only operations) or `monitoring-alertmanager-edit` role in the `openshift-monitoring` project.
diff --git a/assets/alertmanager/trusted-ca-bundle.yaml b/assets/alertmanager/trusted-ca-bundle.yaml
index 62f486b4b8..75b732479a 100644
--- a/assets/alertmanager/trusted-ca-bundle.yaml
+++ b/assets/alertmanager/trusted-ca-bundle.yaml
@@ -3,6 +3,7 @@ data: {}
 kind: ConfigMap
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/owning-component: Monitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml b/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml
index 06dd397f4d..0fb8bccd9f 100644
--- a/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml
+++ b/assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml b/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml
index e6f6a06133..36272e5838 100644
--- a/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml
+++ b/assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml b/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml
index 26ab78673f..53dcee738b 100644
--- a/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml
+++ b/assets/cluster-monitoring-operator/monitoring-alertmanager-view-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml
index 08709cfb5b..2be0aa17f1 100644
--- a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml
+++ b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-reader.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml
index 5c16b9a2c2..9ad6b09284 100644
--- a/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml
+++ b/assets/cluster-monitoring-operator/user-workload-alertmanager-api-writer.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml b/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml
index f0002e4ce5..a1fea86663 100644
--- a/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml
+++ b/assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/monitoring-plugin/console-plugin.yaml b/assets/monitoring-plugin/console-plugin.yaml
index 03937afdf2..554797f528 100644
--- a/assets/monitoring-plugin/console-plugin.yaml
+++ b/assets/monitoring-plugin/console-plugin.yaml
@@ -1,6 +1,8 @@
 apiVersion: console.openshift.io/v1
 kind: ConsolePlugin
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: monitoring-plugin
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml
index b61d4b0063..060f69c7e0 100644
--- a/assets/monitoring-plugin/deployment.yaml
+++ b/assets/monitoring-plugin/deployment.yaml
@@ -1,6 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: monitoring-plugin
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/pod-disruption-budget.yaml b/assets/monitoring-plugin/pod-disruption-budget.yaml
index 5af34f82eb..216fb80219 100644
--- a/assets/monitoring-plugin/pod-disruption-budget.yaml
+++ b/assets/monitoring-plugin/pod-disruption-budget.yaml
@@ -1,6 +1,8 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: monitoring-plugin
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/service-account.yaml b/assets/monitoring-plugin/service-account.yaml
index 45c000f9a1..641e1d65ef 100644
--- a/assets/monitoring-plugin/service-account.yaml
+++ b/assets/monitoring-plugin/service-account.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: monitoring-plugin
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/service.yaml b/assets/monitoring-plugin/service.yaml
index 4e4bfc2750..70d99918e1 100644
--- a/assets/monitoring-plugin/service.yaml
+++ b/assets/monitoring-plugin/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: Expose the monitoring plugin service on port 9443. This port is for internal use, and no other usage is guaranteed.
 service.beta.openshift.io/serving-cert-secret-name: monitoring-plugin-cert
 labels:
diff --git a/assets/prometheus-operator-user-workload/cluster-role-binding.yaml b/assets/prometheus-operator-user-workload/cluster-role-binding.yaml
index f76857b012..dc38a02ac2 100644
--- a/assets/prometheus-operator-user-workload/cluster-role-binding.yaml
+++ b/assets/prometheus-operator-user-workload/cluster-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: controller
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-operator-user-workload/cluster-role.yaml b/assets/prometheus-operator-user-workload/cluster-role.yaml
index 6ceb43bde6..b8397f8fa3 100644
--- a/assets/prometheus-operator-user-workload/cluster-role.yaml
+++ b/assets/prometheus-operator-user-workload/cluster-role.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: controller
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-operator-user-workload/deployment.yaml b/assets/prometheus-operator-user-workload/deployment.yaml
index c2a2e77d8a..761aefd85c 100644
--- a/assets/prometheus-operator-user-workload/deployment.yaml
+++ b/assets/prometheus-operator-user-workload/deployment.yaml
@@ -1,6 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: controller
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
index b7c4d8d441..1ded3c3636 100644
--- a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
+++ b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/prometheus-operator-user-workload/service-account.yaml b/assets/prometheus-operator-user-workload/service-account.yaml
index 369dad61e6..5ee6d1266a 100644
--- a/assets/prometheus-operator-user-workload/service-account.yaml
+++ b/assets/prometheus-operator-user-workload/service-account.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: controller
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-operator-user-workload/service-monitor.yaml b/assets/prometheus-operator-user-workload/service-monitor.yaml
index 42d7ba0379..4559b70a58 100644
--- a/assets/prometheus-operator-user-workload/service-monitor.yaml
+++ b/assets/prometheus-operator-user-workload/service-monitor.yaml
@@ -1,6 +1,8 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/component: controller
 app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/prometheus-operator-user-workload/service.yaml b/assets/prometheus-operator-user-workload/service.yaml
index d3e10d32b3..82773020b7 100644
--- a/assets/prometheus-operator-user-workload/service.yaml
+++ b/assets/prometheus-operator-user-workload/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ capability.openshift.io/name: OptionalMonitoring
 openshift.io/description: Expose the `/metrics` endpoint on port 8443. This port is for internal use, and no other usage is guaranteed.
 service.beta.openshift.io/serving-cert-secret-name: prometheus-operator-user-workload-tls
 labels:
diff --git a/assets/prometheus-user-workload/alertmanager-role-binding.yaml b/assets/prometheus-user-workload/alertmanager-role-binding.yaml
index 30a7b67b88..04304c4465 100644
--- a/assets/prometheus-user-workload/alertmanager-role-binding.yaml
+++ b/assets/prometheus-user-workload/alertmanager-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml b/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml
index d10bf73219..fc2e3664b5 100644
--- a/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml
+++ b/assets/prometheus-user-workload/alertmanager-user-workload-role-binding.yaml
@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ capability.openshift.io/name: OptionalMonitoring
 labels:
 app.kubernetes.io/managed-by: cluster-monitoring-operator
 app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/prometheus-user-workload/cluster-role-binding.yaml b/assets/prometheus-user-workload/cluster-role-binding.yaml
index 3fc36b9bb4..d743d57e51 100644
--- a/assets/prometheus-user-workload/cluster-role-binding.yaml
+++ b/assets/prometheus-user-workload/cluster-role-binding.yaml
@@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/cluster-role.yaml b/assets/prometheus-user-workload/cluster-role.yaml index f538c1ba20..76ea95dace 100644 --- a/assets/prometheus-user-workload/cluster-role.yaml +++ b/assets/prometheus-user-workload/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/config-map.yaml b/assets/prometheus-user-workload/config-map.yaml index d283393d49..c1a62c565e 100644 --- a/assets/prometheus-user-workload/config-map.yaml +++ b/assets/prometheus-user-workload/config-map.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: ConfigMap metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/federate-route.yaml b/assets/prometheus-user-workload/federate-route.yaml index b2d97816f4..3947de0ddf 100644 --- a/assets/prometheus-user-workload/federate-route.yaml +++ b/assets/prometheus-user-workload/federate-route.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Route metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: Expose the `/federate` endpoint of the `prometheus-user-workload` service via a router. labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-user-workload/grpc-tls-secret.yaml b/assets/prometheus-user-workload/grpc-tls-secret.yaml index 67bad550a3..e4e336a493 100644 
--- a/assets/prometheus-user-workload/grpc-tls-secret.yaml +++ b/assets/prometheus-user-workload/grpc-tls-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: prometheus-k8s diff --git a/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml b/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml index fdd9a420dd..d4eca82bec 100644 --- a/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml +++ b/assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml index a7db24da31..b958ae9677 100644 --- a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml +++ b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/prometheus-user-workload/pod-disruption-budget.yaml b/assets/prometheus-user-workload/pod-disruption-budget.yaml index daae86eef3..26625029e8 100644 --- a/assets/prometheus-user-workload/pod-disruption-budget.yaml +++ b/assets/prometheus-user-workload/pod-disruption-budget.yaml 
@@ -1,6 +1,8 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/prometheus.yaml b/assets/prometheus-user-workload/prometheus.yaml index c608da0ac0..c1f976863f 100644 --- a/assets/prometheus-user-workload/prometheus.yaml +++ b/assets/prometheus-user-workload/prometheus.yaml @@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: Prometheus metadata: annotations: + capability.openshift.io/name: OptionalMonitoring operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator labels: app.kubernetes.io/component: prometheus diff --git a/assets/prometheus-user-workload/role-binding-config.yaml b/assets/prometheus-user-workload/role-binding-config.yaml index f16968db54..b8ca31e909 100644 --- a/assets/prometheus-user-workload/role-binding-config.yaml +++ b/assets/prometheus-user-workload/role-binding-config.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml b/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml index 87f17e7447..1d5526c246 100644 --- a/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml +++ b/assets/prometheus-user-workload/role-binding-specific-namespaces.yaml @@ -3,6 +3,8 @@ items: - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload 
diff --git a/assets/prometheus-user-workload/role-config.yaml b/assets/prometheus-user-workload/role-config.yaml index 7e67819024..11c3cb7816 100644 --- a/assets/prometheus-user-workload/role-config.yaml +++ b/assets/prometheus-user-workload/role-config.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/role-specific-namespaces.yaml b/assets/prometheus-user-workload/role-specific-namespaces.yaml index 20a03bcb08..6855f06fe9 100644 --- a/assets/prometheus-user-workload/role-specific-namespaces.yaml +++ b/assets/prometheus-user-workload/role-specific-namespaces.yaml @@ -3,6 +3,8 @@ items: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/service-account.yaml b/assets/prometheus-user-workload/service-account.yaml index 64ad0b2530..cf803a0dfa 100644 --- a/assets/prometheus-user-workload/service-account.yaml +++ b/assets/prometheus-user-workload/service-account.yaml @@ -2,6 +2,8 @@ apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml b/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml index 97aba2a46d..c9bdd63f8e 100644 --- a/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml +++ b/assets/prometheus-user-workload/service-monitor-thanos-sidecar.yaml 
@@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: thanos-sidecar app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/service-monitor.yaml b/assets/prometheus-user-workload/service-monitor.yaml index 76ba2d168d..97c34044fd 100644 --- a/assets/prometheus-user-workload/service-monitor.yaml +++ b/assets/prometheus-user-workload/service-monitor.yaml @@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: prometheus app.kubernetes.io/instance: user-workload diff --git a/assets/prometheus-user-workload/service-thanos-sidecar.yaml b/assets/prometheus-user-workload/service-thanos-sidecar.yaml index fd38d75f4b..39d3977db7 100644 --- a/assets/prometheus-user-workload/service-thanos-sidecar.yaml +++ b/assets/prometheus-user-workload/service-thanos-sidecar.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring service.beta.openshift.io/serving-cert-secret-name: prometheus-user-workload-thanos-sidecar-tls labels: app.kubernetes.io/component: thanos-sidecar diff --git a/assets/prometheus-user-workload/service.yaml b/assets/prometheus-user-workload/service.yaml index d831e75dfd..4993f74820 100644 --- a/assets/prometheus-user-workload/service.yaml +++ b/assets/prometheus-user-workload/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: |- Expose the Prometheus web server within the cluster on the following ports: * Port 9091 provides access to the `/metrics` endpoint only. This port is for internal use, and no other usage is guaranteed. 
diff --git a/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml b/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml index 489150e295..e4f8c6c609 100644 --- a/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml +++ b/assets/prometheus-user-workload/serving-certs-ca-bundle.yaml @@ -3,6 +3,7 @@ data: {} kind: ConfigMap metadata: annotations: + capability.openshift.io/name: OptionalMonitoring service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/prometheus-user-workload/trusted-ca-bundle.yaml b/assets/prometheus-user-workload/trusted-ca-bundle.yaml index a78bc20399..d81191f54f 100644 --- a/assets/prometheus-user-workload/trusted-ca-bundle.yaml +++ b/assets/prometheus-user-workload/trusted-ca-bundle.yaml @@ -3,6 +3,7 @@ data: {} kind: ConfigMap metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/owning-component: Monitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/thanos-ruler/alertmanager-role-binding.yaml b/assets/thanos-ruler/alertmanager-role-binding.yaml index f05a468612..d876491324 100644 --- a/assets/thanos-ruler/alertmanager-role-binding.yaml +++ b/assets/thanos-ruler/alertmanager-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml b/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml index 8f38fad22f..3354542c46 100644 --- a/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml +++ b/assets/thanos-ruler/alertmanager-user-workload-role-binding.yaml 
@@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/alertmanagers-config-secret.yaml b/assets/thanos-ruler/alertmanagers-config-secret.yaml index 2b7e0a2126..b06dda27f1 100644 --- a/assets/thanos-ruler/alertmanagers-config-secret.yaml +++ b/assets/thanos-ruler/alertmanagers-config-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: thanos-ruler diff --git a/assets/thanos-ruler/cluster-role-binding-monitoring.yaml b/assets/thanos-ruler/cluster-role-binding-monitoring.yaml index 92f7a269f6..8fafc30c5b 100644 --- a/assets/thanos-ruler/cluster-role-binding-monitoring.yaml +++ b/assets/thanos-ruler/cluster-role-binding-monitoring.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/cluster-role-binding.yaml b/assets/thanos-ruler/cluster-role-binding.yaml index 5f1cca1f00..d25d6233cd 100644 --- a/assets/thanos-ruler/cluster-role-binding.yaml +++ b/assets/thanos-ruler/cluster-role-binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/cluster-role.yaml b/assets/thanos-ruler/cluster-role.yaml index ed0f77d538..23105d0c77 100644 
--- a/assets/thanos-ruler/cluster-role.yaml +++ b/assets/thanos-ruler/cluster-role.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/grpc-tls-secret.yaml b/assets/thanos-ruler/grpc-tls-secret.yaml index 7e569f2035..92ac0fa6bb 100644 --- a/assets/thanos-ruler/grpc-tls-secret.yaml +++ b/assets/thanos-ruler/grpc-tls-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: thanos-ruler diff --git a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml index 39cad389a0..113b2424fb 100644 --- a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml +++ b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml b/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml index 43d233b5c4..eb28e8a1ce 100644 --- a/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml +++ b/assets/thanos-ruler/kube-rbac-proxy-web-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring 
diff --git a/assets/thanos-ruler/pod-disruption-budget.yaml b/assets/thanos-ruler/pod-disruption-budget.yaml index 5d5b983c69..fd8219f5e9 100644 --- a/assets/thanos-ruler/pod-disruption-budget.yaml +++ b/assets/thanos-ruler/pod-disruption-budget.yaml @@ -1,6 +1,8 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/query-config-secret.yaml b/assets/thanos-ruler/query-config-secret.yaml index 5550318438..e1edbf511f 100644 --- a/assets/thanos-ruler/query-config-secret.yaml +++ b/assets/thanos-ruler/query-config-secret.yaml @@ -2,6 +2,8 @@ apiVersion: v1 data: {} kind: Secret metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: thanos-ruler diff --git a/assets/thanos-ruler/route.yaml b/assets/thanos-ruler/route.yaml index b075687973..cf7310aef2 100644 --- a/assets/thanos-ruler/route.yaml +++ b/assets/thanos-ruler/route.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Route metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: Expose the `/api` endpoints of the `thanos-ruler` service via a router. labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/thanos-ruler/service-account.yaml b/assets/thanos-ruler/service-account.yaml index be216f7210..7c2a9b61cb 100644 --- a/assets/thanos-ruler/service-account.yaml +++ b/assets/thanos-ruler/service-account.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: + capability.openshift.io/name: OptionalMonitoring serviceaccounts.openshift.io/oauth-redirectreference.thanos-ruler-: "" labels: app.kubernetes.io/component: rule-evaluation-engine 
diff --git a/assets/thanos-ruler/service-monitor.yaml b/assets/thanos-ruler/service-monitor.yaml index de5cf2e516..e143b548a0 100644 --- a/assets/thanos-ruler/service-monitor.yaml +++ b/assets/thanos-ruler/service-monitor.yaml @@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/component: rule-evaluation-engine app.kubernetes.io/instance: thanos-ruler diff --git a/assets/thanos-ruler/service.yaml b/assets/thanos-ruler/service.yaml index 2e77562ea8..d37c375a5d 100644 --- a/assets/thanos-ruler/service.yaml +++ b/assets/thanos-ruler/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: + capability.openshift.io/name: OptionalMonitoring openshift.io/description: |- Expose the Thanos Ruler web server within the cluster on the following ports: * Port 9091 provides access to all Thanos Ruler endpoints. Granting access requires binding a user to the `cluster-monitoring-view` cluster role. diff --git a/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml b/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml index 761394633f..e5295907d6 100644 --- a/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml +++ b/assets/thanos-ruler/thanos-ruler-prometheus-rule.yaml @@ -1,6 +1,8 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: + annotations: + capability.openshift.io/name: OptionalMonitoring labels: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/thanos-ruler/thanos-ruler.yaml b/assets/thanos-ruler/thanos-ruler.yaml index 27f997c185..c5918a768a 100644 --- a/assets/thanos-ruler/thanos-ruler.yaml +++ b/assets/thanos-ruler/thanos-ruler.yaml 
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ThanosRuler metadata: annotations: + capability.openshift.io/name: OptionalMonitoring operator.prometheus.io/controller-id: openshift-user-workload-monitoring/prometheus-operator labels: app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet index 75f1cde135..4fc9af2077 100644 --- a/jsonnet/components/admission-webhook.libsonnet +++ b/jsonnet/components/admission-webhook.libsonnet @@ -2,6 +2,7 @@ local tlsVolumeName = 'prometheus-operator-admission-webhook-tls'; local admissionWebhook = import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/admission-webhook.libsonnet'; local antiAffinity = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/addons/anti-affinity.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); function(params) local aw = admissionWebhook(params); @@ -128,7 +129,7 @@ function(params) ], }, - alertmanagerConfigValidatingWebhook: { + alertmanagerConfigValidatingWebhook: optIntoOptionalMonitoring.forObject({ apiVersion: 'admissionregistration.k8s.io/v1', kind: 'ValidatingWebhookConfiguration', metadata: { @@ -167,5 +168,5 @@ function(params) failurePolicy: 'Ignore', }, ], - }, + }), } diff --git a/jsonnet/components/alertmanager-user-workload.libsonnet b/jsonnet/components/alertmanager-user-workload.libsonnet index 5e0df6caab..ec6a33e216 100644 --- a/jsonnet/components/alertmanager-user-workload.libsonnet +++ b/jsonnet/components/alertmanager-user-workload.libsonnet 
@@ -6,13 +6,14 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); function(params) local cfg = params { replicas: 2, }; - alertmanager(cfg) { + local o = alertmanager(cfg) { // Hide resources which are not needed because already deployed in the openshift-monitoring namespace. prometheusRule:: {}, @@ -414,4 +415,6 @@ function(params) ], }, }, - } + }; + + optIntoOptionalMonitoring.forObjectWithWalk(o) diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet index 896623b9fa..1c3ad7d498 100644 --- a/jsonnet/components/alertmanager.libsonnet +++ b/jsonnet/components/alertmanager.libsonnet @@ -7,13 +7,14 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescri local testFilePlaceholder = (import '../utils/add-annotations.libsonnet').testFilePlaceholder; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); function(params) local cfg = params { replicas: 2, }; - alertmanager(cfg) { + local o = alertmanager(cfg) { trustedCaBundle: generateCertInjection.trustedCNOCaBundleCM(cfg.namespace, 'alertmanager-trusted-ca-bundle'), // OpenShift route to access the Alertmanager UI. @@ -440,4 +441,6 @@ function(params) ], }, }, - } + }; + + optIntoOptionalMonitoring.forObjectWithWalk(o) 
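Review bot: The new tail `optIntoOptionalMonitoring.forObjectWithWalk(o)` in alertmanager-user-workload.libsonnet returns whatever the helper builds instead of the late-bound object, and the helper is not visible here, so it is worth confirming that it keeps hidden fields such as `prometheusRule:: {}` intact. If the walk rebuilds the object with a comprehension over its visible fields, `::` fields are dropped and any caller that reads them changes behaviour without an error. The same pattern is added in alertmanager.libsonnet, monitoring-plugin.libsonnet (`_config+::`), prometheus-operator-user-workload.libsonnet (`mixin:: null`), prometheus-user-workload.libsonnet and thanos-ruler.libsonnet (`mixin::`). Once verified, a comment above the call would record it, for example `// Annotates every manifest in o with the OptionalMonitoring capability; hidden fields are left as they are.` The enclosing `function(params)` body lies mostly outside the hunk.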
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet index c9d2b9b8f5..0fdf9fb5ce 100644 --- a/jsonnet/components/cluster-monitoring-operator.libsonnet +++ b/jsonnet/components/cluster-monitoring-operator.libsonnet @@ -1,6 +1,7 @@ local metrics = import 'github.com/openshift/telemeter/jsonnet/telemeter/metrics.jsonnet'; local cmoRules = import './../rules.libsonnet'; +local optIntoOptionalMonitoring = import './../utils/opt-into-optional-monitoring.libsonnet'; local kubePrometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/mixin/custom.libsonnet'; local defaults = { @@ -329,7 +330,7 @@ function(params) { // - get/list/watch permissions on alertingrules and alertrelabelconfigs to detect changes requiring reconciliation. // - all permissions on alertingrules/finalizers to set the `ownerReferences` field on generated prometheusrules. // - all permissions on alertingrules/status to set the status of alertingrules. - alertCustomizationRole: { + alertCustomizationRole: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -354,7 +355,7 @@ function(params) { verbs: ['*'], }, ], - }, + }), // This cluster role enables access to the Observe page in the admin console // and the different API services. @@ -422,7 +423,7 @@ function(params) { // This role enables read/write access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerEditRole: { + monitoringAlertmanagerEditRole: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { 
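Review bot: `alertCustomizationRole` is wrapped in `optIntoOptionalMonitoring.forObject(...)`, but the comment above it describes permissions on alertingrules and alertrelabelconfigs, which does not read as Alertmanager-specific, while the commit description says this component is opted in only partially, for AM. The same question applies to `userWorkloadConfigEditRole` in the later `@@ -538,7 +539,7 @@` hunk, whose comment says it covers the user-workload monitoring configuration. If both are intentional, a line in each comment such as `// Part of the OptionalMonitoring capability because <reason>.` would record why. Any RoleBinding that refers to a gated Role should be gated with it, so that no binding is left pointing at a Role that is never created. The object literal continues outside the hunk.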
@@ -437,11 +438,11 @@ function(params) { verbs: ['*'], }, ], - }, + }), // This role enables read access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerViewRole: { + monitoringAlertmanagerViewRole: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -456,7 +457,7 @@ function(params) { verbs: ['get', 'list'], }, ], - }, + }), // This role provides read access to the user-workload Alertmanager API. // We use a fake subresource 'api' to map to the /api/* endpoints of the @@ -464,7 +465,7 @@ function(params) { // Using "nonResourceURLs" doesn't work because authenticated users and // service accounts are allowed to get /api/* by default. // See https://issues.redhat.com/browse/OCPBUGS-17850. - userWorkloadAlertmanagerApiReader: { + userWorkloadAlertmanagerApiReader: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -477,11 +478,11 @@ function(params) { resourceNames: ['user-workload'], verbs: ['get', 'list'], }], - }, + }), // This role provides read/write access to the user-workload Alertmanager API. // See the 'monitoring-alertmanager-api-reader' role for details. - userWorkloadAlertmanagerApiWriter: { + userWorkloadAlertmanagerApiWriter: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -494,7 +495,7 @@ function(params) { resourceNames: ['user-workload'], verbs: ['*'], }], - }, + }), monitoringEditClusterRole: { apiVersion: 'rbac.authorization.k8s.io/v1', @@ -538,7 +539,7 @@ function(params) { }, // This role provides read/write access to the user-workload monitoring configuration. - userWorkloadConfigEditRole: { + userWorkloadConfigEditRole: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { 
@@ -551,10 +552,10 @@ function(params) { resources: ['configmaps'], verbs: ['get', 'list', 'watch', 'patch', 'update'], }], - }, + }), // This cluster role can be referenced in a RoleBinding object to provide read/write access to AlertmanagerConfiguration objects for a project. - alertingEditClusterRole: { + alertingEditClusterRole: optIntoOptionalMonitoring.forObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'ClusterRole', metadata: { @@ -565,5 +566,5 @@ function(params) { resources: ['alertmanagerconfigs'], verbs: ['*'], }], - }, + }), } diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet index 15de856eff..2370f57ed3 100644 --- a/jsonnet/components/monitoring-plugin.libsonnet +++ b/jsonnet/components/monitoring-plugin.libsonnet @@ -1,4 +1,5 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); function(params) local cfg = params; @@ -20,7 +21,7 @@ function(params) local tlsCertPath = tlsMountPath + '/tls.crt'; local tlsKeyPath = tlsMountPath + '/tls.key'; - { + local o = { _config+:: { name: pluginName, namespace: 'openshift-monitoring', @@ -223,4 +224,5 @@ function(params) }, // template }, // spec }, // deployment - } + }; + optIntoOptionalMonitoring.forObjectWithWalk(o) diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet index 049b057c2e..efb9975deb 100644 --- a/jsonnet/components/prometheus-operator-user-workload.libsonnet +++ b/jsonnet/components/prometheus-operator-user-workload.libsonnet 
@@ -4,11 +4,12 @@ local operator = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/ local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); function(params) local po = operator(params); - po { + local opo = po { mixin:: null, prometheusRule:: null, @@ -196,4 +197,6 @@ function(params) ], }, }, - } + }; + + optIntoOptionalMonitoring.forObjectWithWalk(opo) diff --git a/jsonnet/components/prometheus-operator.libsonnet b/jsonnet/components/prometheus-operator.libsonnet index f6a5d2ae87..76f67a8634 100644 --- a/jsonnet/components/prometheus-operator.libsonnet +++ b/jsonnet/components/prometheus-operator.libsonnet 
@@ -6,14 +6,36 @@ local conversionWebhook = import 'github.com/prometheus-operator/prometheus-oper local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; +local optIntoOptionalMonitoring = import '../utils/opt-into-optional-monitoring.libsonnet'; function(params) local po = operator(params); po { + '0thanosrulerCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, + '0probeCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, + '0alertmanagerCustomResourceDefinition'+: { + metadata+: { + annotations+: { + 'capability.openshift.io/name': 'OptionalMonitoring', + }, + }, + }, '0alertmanagerConfigCustomResourceDefinition'+: // Add v1beta1 AlertmanagerConfig version. - (import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + + optIntoOptionalMonitoring.forObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + // Enable conversion webhook. conversionWebhook(params.conversionWebhook), diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet index 1b7c425732..37f5da9f05 100644 --- a/jsonnet/components/prometheus-user-workload.libsonnet +++ b/jsonnet/components/prometheus-user-workload.libsonnet 
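Review bot: The three CRD overrides (`0thanosrulerCustomResourceDefinition`, `0probeCustomResourceDefinition`, `0alertmanagerCustomResourceDefinition`) spell the annotation out as the literal `'capability.openshift.io/name': 'OptionalMonitoring'`, while the fourth override in the same hunk goes through `optIntoOptionalMonitoring.forObject(...)`. Keeping the key and value in one place means a typo in one copy cannot leave a CRD outside the capability unnoticed; a shared patch such as `local optionalCRD = { metadata+: { annotations+: { 'capability.openshift.io/name': 'OptionalMonitoring' } } };` used as `'0probeCustomResourceDefinition'+: optionalCRD,` would do, or the helper itself if it accepts this shape. Separately, the Probe CRD does not look Alertmanager-related although the description says the operator is opted in only "partially, for AM", so a comment stating why Probe is included would help. The `po { ... }` object continues outside the hunk.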
@@ -2,12 +2,13 @@ local generateCertInjection = import '../utils/generate-certificate-injection.li local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); local prometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/prometheus.libsonnet'; function(params) local cfg = params; - prometheus(cfg) + { + local o = prometheus(cfg) + { // Hide not needed resources prometheusRule:: {}, @@ -611,4 +612,6 @@ function(params) automountServiceAccountToken: false, }, - } + }; + + optIntoOptionalMonitoring.forObjectWithWalk(o) diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet index 25457df563..9aff94b833 100644 --- a/jsonnet/components/thanos-ruler.libsonnet +++ b/jsonnet/components/thanos-ruler.libsonnet @@ -3,6 +3,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local ruler = import 'github.com/thanos-io/kube-thanos/jsonnet/kube-thanos/kube-thanos-rule.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; +local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); local defaults = { volumeClaimTemplate: {}, @@ -13,7 +14,7 @@ function(params) local cfg = defaults + params; local tr = ruler(cfg); - tr { + local o = tr { mixin:: (import 'github.com/thanos-io/thanos/mixin/alerts/rule.libsonnet') { targetGroups: { namespace: tr.config.namespace, @@ -569,4 +570,6 @@ function(params) statefulSet:: {}, - } + }; + + optIntoOptionalMonitoring.forObjectWithWalk(o) 
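Review bot: Wrapping the whole of `prometheus(cfg) + { … }` in `forObjectWithWalk(o)` opts the user-workload Prometheus in as a unit, yet the commit message's list of optional components does not name it and says that metric rules and exporters are deliberately left out. If gating it in full is intended, say so next to the call, e.g. `// Intentionally optional as a whole, see MON-4361.`, and add it to the list in the description. The local is `o` here and in thanos-ruler but `opo` in the hunk at the top of this excerpt; one name across the components would make the pattern easier to grep. The bodies between the hunks are not shown.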
diff --git a/jsonnet/crds/alertingrules-custom-resource-definition.json b/jsonnet/crds/alertingrules-custom-resource-definition.json index 16a24f3d19..8288e32c73 100644 --- a/jsonnet/crds/alertingrules-custom-resource-definition.json +++ b/jsonnet/crds/alertingrules-custom-resource-definition.json 
@@ -1 +1 @@ -{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alerting rules","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertingrules.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertingRule","listKind":"AlertingRuleList","plural":"alertingrules","singular":"alertingrule"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertingRule represents a set of user-defined Prometheus rule groups containing\nalerting rules. This resource is the supported method for cluster admins to\ncreate alerts based on metrics recorded by the platform monitoring stack in\nOpenShift, i.e. the Prometheus instance deployed to the openshift-monitoring\nnamespace. You might use this to create custom alerting rules not shipped with\nOpenShift based on metrics from components such as the node_exporter, which\nprovides machine-level metrics such as CPU usage, or kube-state-metrics, which\nprovides metrics on Kubernetes usage.\n\nThe API is mostly compatible with the upstream PrometheusRule type from the\nprometheus-operator. The primary difference being that recording rules are not\nallowed here -- only alerting rules. For each AlertingRule resource created, a\ncorresponding PrometheusRule will be created in the openshift-monitoring\nnamespace. 
OpenShift requires admins to use the AlertingRule resource rather\nthan the upstream type in order to allow better OpenShift specific defaulting\nand validation, while not modifying the upstream APIs directly.\n\nYou can find upstream API documentation for PrometheusRule resources here:\n\nhttps://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertingRule object.","properties":{"groups":{"description":"groups is a list of grouped alerting rules. Rule groups are the unit at\nwhich Prometheus parallelizes rule processing. All rules in a single group\nshare a configured evaluation interval. All rules in the group will be\nprocessed together on this interval, sequentially, and all rules will be\nprocessed.\n\nIt's common to group related alerting rules into a single AlertingRule\nresources, and within that resource, closely related alerts, or simply\nalerts with the same interval, into individual groups. 
You are also free\nto create AlertingRule resources with only a single rule group, but be\naware that this can have a performance impact on Prometheus if the group is\nextremely large or has very complex query expressions to evaluate.\nSpreading very complex rules across multiple groups to allow them to be\nprocessed in parallel is also a common use-case.","items":{"description":"RuleGroup is a list of sequentially evaluated alerting rules.","properties":{"interval":{"description":"interval is how often rules in the group are evaluated. If not specified,\nit defaults to the global.evaluation_interval configured in Prometheus,\nwhich itself defaults to 30 seconds. You can check if this value has been\nmodified from the default on your cluster by inspecting the platform\nPrometheus configuration:\nThe relevant field in that resource is: spec.evaluationInterval","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"name":{"description":"name is the name of the group.","maxLength":2048,"minLength":1,"type":"string"},"rules":{"description":"rules is a list of sequentially evaluated alerting rules. Prometheus may\nprocess rule groups in parallel, but rules within a single group are always\nprocessed sequentially, and all rules are processed.","items":{"description":"Rule describes an alerting rule.\nSee Prometheus documentation:\n- https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules","properties":{"alert":{"description":"alert is the name of the alert. Must be a valid label value, i.e. may\ncontain any Unicode character.","maxLength":2048,"minLength":1,"type":"string"},"annotations":{"additionalProperties":{"type":"string"},"description":"annotations to add to each alert. 
These are values that can be used to\nstore longer additional information that you won't query on, such as alert\ndescriptions or runbook links.","type":"object"},"expr":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"expr is the PromQL expression to evaluate. Every evaluation cycle this is\nevaluated at the current time, and all resultant time series become pending\nor firing alerts. This is most often a string representing a PromQL\nexpression, e.g.: mapi_current_pending_csr \u003e mapi_max_pending_csr\nIn rare cases this could be a simple integer, e.g. a simple \"1\" if the\nintent is to create an alert that is always firing. This is sometimes used\nto create an always-firing \"Watchdog\" alert in order to ensure the alerting\npipeline is functional.","x-kubernetes-int-or-string":true},"for":{"description":"for is the time period after which alerts are considered firing after first\nreturning results. Alerts which have not yet fired for long enough are\nconsidered pending.","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"labels":{"additionalProperties":{"type":"string"},"description":"labels to add or overwrite for each alert. The results of the PromQL\nexpression for the alert will result in an existing set of labels for the\nalert, after evaluating the expression, for any label specified here with\nthe same name as a label in that set, the label here wins and overwrites\nthe previous value. These should typically be short identifying values\nthat may be useful to query against. 
A common example is the alert\nseverity, where one sets `severity: warning` under the `labels` key:","type":"object"}},"required":["alert","expr"],"type":"object"},"minItems":1,"type":"array"}},"required":["name","rules"],"type":"object"},"minItems":1,"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}},"required":["groups"],"type":"object"},"status":{"description":"status describes the current state of this AlertOverrides object.","properties":{"observedGeneration":{"description":"observedGeneration is the last generation change you've dealt with.","format":"int64","type":"integer"},"prometheusRule":{"description":"prometheusRule is the generated PrometheusRule for this AlertingRule. Each\nAlertingRule instance results in a generated PrometheusRule object in the\nsame namespace, which is always the openshift-monitoring namespace.","properties":{"name":{"description":"name of the referenced PrometheusRule.","maxLength":2048,"minLength":1,"type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} \ No newline at end of file +{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"capability.openshift.io/name":"OptionalMonitoring", "api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alerting rules","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertingrules.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertingRule","listKind":"AlertingRuleList","plural":"alertingrules","singular":"alertingrule"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertingRule represents a set of user-defined Prometheus rule 
groups containing\nalerting rules. This resource is the supported method for cluster admins to\ncreate alerts based on metrics recorded by the platform monitoring stack in\nOpenShift, i.e. the Prometheus instance deployed to the openshift-monitoring\nnamespace. You might use this to create custom alerting rules not shipped with\nOpenShift based on metrics from components such as the node_exporter, which\nprovides machine-level metrics such as CPU usage, or kube-state-metrics, which\nprovides metrics on Kubernetes usage.\n\nThe API is mostly compatible with the upstream PrometheusRule type from the\nprometheus-operator. The primary difference being that recording rules are not\nallowed here -- only alerting rules. For each AlertingRule resource created, a\ncorresponding PrometheusRule will be created in the openshift-monitoring\nnamespace. OpenShift requires admins to use the AlertingRule resource rather\nthan the upstream type in order to allow better OpenShift specific defaulting\nand validation, while not modifying the upstream APIs directly.\n\nYou can find upstream API documentation for PrometheusRule resources here:\n\nhttps://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: 
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertingRule object.","properties":{"groups":{"description":"groups is a list of grouped alerting rules. Rule groups are the unit at\nwhich Prometheus parallelizes rule processing. All rules in a single group\nshare a configured evaluation interval. All rules in the group will be\nprocessed together on this interval, sequentially, and all rules will be\nprocessed.\n\nIt's common to group related alerting rules into a single AlertingRule\nresources, and within that resource, closely related alerts, or simply\nalerts with the same interval, into individual groups. You are also free\nto create AlertingRule resources with only a single rule group, but be\naware that this can have a performance impact on Prometheus if the group is\nextremely large or has very complex query expressions to evaluate.\nSpreading very complex rules across multiple groups to allow them to be\nprocessed in parallel is also a common use-case.","items":{"description":"RuleGroup is a list of sequentially evaluated alerting rules.","properties":{"interval":{"description":"interval is how often rules in the group are evaluated. If not specified,\nit defaults to the global.evaluation_interval configured in Prometheus,\nwhich itself defaults to 30 seconds. You can check if this value has been\nmodified from the default on your cluster by inspecting the platform\nPrometheus configuration:\nThe relevant field in that resource is: spec.evaluationInterval","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"name":{"description":"name is the name of the group.","maxLength":2048,"minLength":1,"type":"string"},"rules":{"description":"rules is a list of sequentially evaluated alerting rules. 
Prometheus may\nprocess rule groups in parallel, but rules within a single group are always\nprocessed sequentially, and all rules are processed.","items":{"description":"Rule describes an alerting rule.\nSee Prometheus documentation:\n- https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules","properties":{"alert":{"description":"alert is the name of the alert. Must be a valid label value, i.e. may\ncontain any Unicode character.","maxLength":2048,"minLength":1,"type":"string"},"annotations":{"additionalProperties":{"type":"string"},"description":"annotations to add to each alert. These are values that can be used to\nstore longer additional information that you won't query on, such as alert\ndescriptions or runbook links.","type":"object"},"expr":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"expr is the PromQL expression to evaluate. Every evaluation cycle this is\nevaluated at the current time, and all resultant time series become pending\nor firing alerts. This is most often a string representing a PromQL\nexpression, e.g.: mapi_current_pending_csr \u003e mapi_max_pending_csr\nIn rare cases this could be a simple integer, e.g. a simple \"1\" if the\nintent is to create an alert that is always firing. This is sometimes used\nto create an always-firing \"Watchdog\" alert in order to ensure the alerting\npipeline is functional.","x-kubernetes-int-or-string":true},"for":{"description":"for is the time period after which alerts are considered firing after first\nreturning results. Alerts which have not yet fired for long enough are\nconsidered pending.","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"labels":{"additionalProperties":{"type":"string"},"description":"labels to add or overwrite for each alert. 
The results of the PromQL\nexpression for the alert will result in an existing set of labels for the\nalert, after evaluating the expression, for any label specified here with\nthe same name as a label in that set, the label here wins and overwrites\nthe previous value. These should typically be short identifying values\nthat may be useful to query against. A common example is the alert\nseverity, where one sets `severity: warning` under the `labels` key:","type":"object"}},"required":["alert","expr"],"type":"object"},"minItems":1,"type":"array"}},"required":["name","rules"],"type":"object"},"minItems":1,"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}},"required":["groups"],"type":"object"},"status":{"description":"status describes the current state of this AlertOverrides object.","properties":{"observedGeneration":{"description":"observedGeneration is the last generation change you've dealt with.","format":"int64","type":"integer"},"prometheusRule":{"description":"prometheusRule is the generated PrometheusRule for this AlertingRule. Each\nAlertingRule instance results in a generated PrometheusRule object in the\nsame namespace, which is always the openshift-monitoring namespace.","properties":{"name":{"description":"name of the referenced PrometheusRule.","maxLength":2048,"minLength":1,"type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} diff --git a/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json b/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json index 804ff9d413..a18f5d4f70 100644 --- a/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json +++ b/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json 
@@ -1 +1 @@ -{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alert relabel configurations","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertrelabelconfigs.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertRelabelConfig","listKind":"AlertRelabelConfigList","plural":"alertrelabelconfigs","singular":"alertrelabelconfig"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertRelabelConfig object.","properties":{"configs":{"description":"configs is a list of sequentially evaluated alert relabel configs.","items":{"description":"RelabelConfig allows dynamic rewriting of label sets for alerts.\nSee Prometheus documentation:\n- 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","properties":{"action":{"default":"Replace","description":"action to perform based on regex matching. Must be one of: 'Replace', 'Keep',\n'Drop', 'HashMod', 'LabelMap', 'LabelDrop', or 'LabelKeep'. Default is: 'Replace'","enum":["Replace","Keep","Drop","HashMod","LabelMap","LabelDrop","LabelKeep"],"type":"string"},"modulus":{"description":"modulus to take of the hash of the source label values. This can be\ncombined with the 'HashMod' action to set 'target_label' to the 'modulus'\nof a hash of the concatenated 'source_labels'. This is only valid if\nsourceLabels is not empty and action is not 'LabelKeep' or 'LabelDrop'.","format":"int64","type":"integer"},"regex":{"default":"(.*)","description":"regex against which the extracted value is matched. Default is: '(.*)'\nregex is required for all actions except 'HashMod'","maxLength":2048,"type":"string"},"replacement":{"description":"replacement value against which a regex replace is performed if the regular\nexpression matches. This is required if the action is 'Replace' or\n'LabelMap' and forbidden for actions 'LabelKeep' and 'LabelDrop'.\nRegex capture groups are available. Default is: '$1'","maxLength":2048,"type":"string"},"separator":{"description":"separator placed between concatenated source label values. When omitted,\nPrometheus will use its default value of ';'.","maxLength":2048,"type":"string"},"sourceLabels":{"description":"sourceLabels select values from existing labels. 
Their content is\nconcatenated using the configured separator and matched against the\nconfigured regular expression for the 'Replace', 'Keep', and 'Drop' actions.\nNot allowed for actions 'LabelKeep' and 'LabelDrop'.","items":{"description":"LabelName is a valid Prometheus label name which may only contain ASCII\nletters, numbers, and underscores.","maxLength":2048,"pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$","type":"string"},"type":"array"},"targetLabel":{"description":"targetLabel to which the resulting value is written in a 'Replace' action.\nIt is required for 'Replace' and 'HashMod' actions and forbidden for\nactions 'LabelKeep' and 'LabelDrop'. Regex capture groups\nare available.","maxLength":2048,"type":"string"}},"type":"object","x-kubernetes-validations":[{"message":"relabel action hashmod requires non-zero modulus","rule":"self.action != 'HashMod' || self.modulus != 0"},{"message":"targetLabel is required when action is Replace or HashMod","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'HashMod') || has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found sourceLabels)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.sourceLabels)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found targetLabel)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found modulus)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.modulus)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found separator)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.separator)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found 
replacement)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.replacement)"},{"message":"modulus requires sourceLabels to be present","rule":"!has(self.modulus) || (has(self.modulus) \u0026\u0026 size(self.sourceLabels) \u003e 0)"},{"message":"sourceLabels is required for actions Replace, Keep, Drop, HashMod and LabelMap","rule":"(self.action == 'LabelDrop' || self.action == 'LabelKeep') || has(self.sourceLabels)"},{"message":"replacement is required for actions Replace and LabelMap","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'LabelMap') || has(self.replacement)"}]},"minItems":1,"type":"array"}},"required":["configs"],"type":"object"},"status":{"description":"status describes the current state of this AlertRelabelConfig object.","properties":{"conditions":{"description":"conditions contains details on the state of the AlertRelabelConfig, may be\nempty.","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} \ No newline at end of file +{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"capability.openshift.io/name":"OptionalMonitoring", 
"api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alert relabel configurations","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertrelabelconfigs.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertRelabelConfig","listKind":"AlertRelabelConfigList","plural":"alertrelabelconfigs","singular":"alertrelabelconfig"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertRelabelConfig object.","properties":{"configs":{"description":"configs is a list of sequentially evaluated alert relabel configs.","items":{"description":"RelabelConfig allows dynamic rewriting of label sets for alerts.\nSee Prometheus documentation:\n- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n- 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","properties":{"action":{"default":"Replace","description":"action to perform based on regex matching. Must be one of: 'Replace', 'Keep',\n'Drop', 'HashMod', 'LabelMap', 'LabelDrop', or 'LabelKeep'. Default is: 'Replace'","enum":["Replace","Keep","Drop","HashMod","LabelMap","LabelDrop","LabelKeep"],"type":"string"},"modulus":{"description":"modulus to take of the hash of the source label values. This can be\ncombined with the 'HashMod' action to set 'target_label' to the 'modulus'\nof a hash of the concatenated 'source_labels'. This is only valid if\nsourceLabels is not empty and action is not 'LabelKeep' or 'LabelDrop'.","format":"int64","type":"integer"},"regex":{"default":"(.*)","description":"regex against which the extracted value is matched. Default is: '(.*)'\nregex is required for all actions except 'HashMod'","maxLength":2048,"type":"string"},"replacement":{"description":"replacement value against which a regex replace is performed if the regular\nexpression matches. This is required if the action is 'Replace' or\n'LabelMap' and forbidden for actions 'LabelKeep' and 'LabelDrop'.\nRegex capture groups are available. Default is: '$1'","maxLength":2048,"type":"string"},"separator":{"description":"separator placed between concatenated source label values. When omitted,\nPrometheus will use its default value of ';'.","maxLength":2048,"type":"string"},"sourceLabels":{"description":"sourceLabels select values from existing labels. 
Their content is\nconcatenated using the configured separator and matched against the\nconfigured regular expression for the 'Replace', 'Keep', and 'Drop' actions.\nNot allowed for actions 'LabelKeep' and 'LabelDrop'.","items":{"description":"LabelName is a valid Prometheus label name which may only contain ASCII\nletters, numbers, and underscores.","maxLength":2048,"pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$","type":"string"},"type":"array"},"targetLabel":{"description":"targetLabel to which the resulting value is written in a 'Replace' action.\nIt is required for 'Replace' and 'HashMod' actions and forbidden for\nactions 'LabelKeep' and 'LabelDrop'. Regex capture groups\nare available.","maxLength":2048,"type":"string"}},"type":"object","x-kubernetes-validations":[{"message":"relabel action hashmod requires non-zero modulus","rule":"self.action != 'HashMod' || self.modulus != 0"},{"message":"targetLabel is required when action is Replace or HashMod","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'HashMod') || has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found sourceLabels)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.sourceLabels)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found targetLabel)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found modulus)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.modulus)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found separator)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.separator)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found 
replacement)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.replacement)"},{"message":"modulus requires sourceLabels to be present","rule":"!has(self.modulus) || (has(self.modulus) \u0026\u0026 size(self.sourceLabels) \u003e 0)"},{"message":"sourceLabels is required for actions Replace, Keep, Drop, HashMod and LabelMap","rule":"(self.action == 'LabelDrop' || self.action == 'LabelKeep') || has(self.sourceLabels)"},{"message":"replacement is required for actions Replace and LabelMap","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'LabelMap') || has(self.replacement)"}]},"minItems":1,"type":"array"}},"required":["configs"],"type":"object"},"status":{"description":"status describes the current state of this AlertRelabelConfig object.","properties":{"conditions":{"description":"conditions contains details on the state of the AlertRelabelConfig, may be\nempty.","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} diff --git a/jsonnet/utils/opt-into-optional-monitoring.libsonnet b/jsonnet/utils/opt-into-optional-monitoring.libsonnet new file mode 100644 index 0000000000..6cc6a9625c --- /dev/null 
+++ b/jsonnet/utils/opt-into-optional-monitoring.libsonnet @@ -0,0 +1,27 @@ +{ + local addAnnotationToChild(parent, annotationKey, annotationValue) = + parent { + metadata+: { + annotations+: { + [annotationKey]: annotationValue, + }, + }, + }, + local addAnnotationToChildren(parent, annotationKey, annotationValue) = + local listKinds = std.set(['RoleList', 'RoleBindingList']); + parent { + [k]: + if std.objectHas(parent[k], 'kind') && std.setMember(parent[k].kind, listKinds) && std.objectHas(parent[k], 'items') + then + parent[k] { + items: [addAnnotationToChild(item, annotationKey, annotationValue) for item in parent[k].items], + } + else + addAnnotationToChild(parent[k], annotationKey, annotationValue) + for k in std.objectFields(parent) + }, + local annotationKey = 'capability.openshift.io/name', + local annotationValue = 'OptionalMonitoring', + forObject(o): addAnnotationToChild(o, annotationKey, annotationValue), + forObjectWithWalk(o): addAnnotationToChildren(o, annotationKey, annotationValue), +} diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml index 4eebca4cb8..c2402a8cbb 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml @@ -4,6 +4,7 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/1406 api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: OptionalMonitoring description: OpenShift Monitoring alerting rules include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" 
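Review bot: `addAnnotationToChildren` unwraps only children whose kind is `RoleList` or `RoleBindingList`. Any other list-shaped child would get the annotation on the list wrapper's `metadata`, not on its items, so those items would render without `capability.openshift.io/name` and would presumably be applied whether or not the capability is enabled. For RBAC objects that means a grant that ships ungated. Keying on the shape instead of the kind avoids the allow-list, e.g. `if std.objectHas(parent[k], 'items') && std.isArray(parent[k].items)`. The same function body is carried over unchanged into `jsonnet/utils/opt-into-capability.libsonnet` in patch 2/6.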
diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml index f324cc1bd5..d5ace4020f 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-config-custom-resource-definition.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml index c356dcc8d5..8387e0eea0 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertmanager-custom-resource-definition.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml index ef0b4577bf..2f05eb7945 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml 
@@ -4,6 +4,7 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/1406 api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: OptionalMonitoring description: OpenShift Monitoring alert relabel configurations include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml index 7b92fde141..58ee9aefae 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0probe-custom-resource-definition.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml index 9f13bef1e6..3d1e5010bd 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0thanosruler-custom-resource-definition.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: OptionalMonitoring controller-gen.kubebuilder.io/version: v0.19.0 include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" 
diff --git a/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml b/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml index d724c6a5b8..98464709bd 100644 --- a/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_02-alert-customization-role.yaml @@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: + capability.openshift.io/name: OptionalMonitoring include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" From 55d6da0e17313626b46823ebe1da6592a0d59432 Mon Sep 17 00:00:00 2001 From: Pranshu Srivastava Date: Tue, 7 Oct 2025 18:08:55 +0530 Subject: [PATCH 2/6] MON-4361,MON-4380: Opt `monitoring-plugin` into Console capability Drop `monitoring-plugin` from optional components as its deployment should only rely on the `Console` capability. This is in-line with its corresponding task's behavior as well. Also refactored the `jsonnet` code a bit. 
Signed-off-by: Pranshu Srivastava --- assets/monitoring-plugin/console-plugin.yaml | 2 +- assets/monitoring-plugin/deployment.yaml | 2 +- .../pod-disruption-budget.yaml | 2 +- assets/monitoring-plugin/service-account.yaml | 2 +- assets/monitoring-plugin/service.yaml | 2 +- .../components/admission-webhook.libsonnet | 4 +-- .../alertmanager-user-workload.libsonnet | 4 +-- jsonnet/components/alertmanager.libsonnet | 4 +-- .../cluster-monitoring-operator.libsonnet | 16 +++++----- .../components/monitoring-plugin.libsonnet | 5 +-- ...rometheus-operator-user-workload.libsonnet | 4 +-- .../components/prometheus-operator.libsonnet | 4 +-- .../prometheus-user-workload.libsonnet | 4 +-- jsonnet/components/thanos-ruler.libsonnet | 4 +-- jsonnet/utils/opt-into-capability.libsonnet | 31 +++++++++++++++++++ .../opt-into-optional-monitoring.libsonnet | 27 ---------------- 16 files changed, 61 insertions(+), 56 deletions(-) create mode 100644 jsonnet/utils/opt-into-capability.libsonnet delete mode 100644 jsonnet/utils/opt-into-optional-monitoring.libsonnet diff --git a/assets/monitoring-plugin/console-plugin.yaml b/assets/monitoring-plugin/console-plugin.yaml index 554797f528..65bf2950f1 100644 --- a/assets/monitoring-plugin/console-plugin.yaml +++ b/assets/monitoring-plugin/console-plugin.yaml @@ -2,7 +2,7 @@ apiVersion: console.openshift.io/v1 kind: ConsolePlugin metadata: annotations: - capability.openshift.io/name: OptionalMonitoring + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml index 060f69c7e0..21977d8534 100644 --- a/assets/monitoring-plugin/deployment.yaml +++ b/assets/monitoring-plugin/deployment.yaml 
@@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - capability.openshift.io/name: OptionalMonitoring + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/pod-disruption-budget.yaml b/assets/monitoring-plugin/pod-disruption-budget.yaml index 216fb80219..7badc26d9a 100644 --- a/assets/monitoring-plugin/pod-disruption-budget.yaml +++ b/assets/monitoring-plugin/pod-disruption-budget.yaml @@ -2,7 +2,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: annotations: - capability.openshift.io/name: OptionalMonitoring + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/service-account.yaml b/assets/monitoring-plugin/service-account.yaml index 641e1d65ef..0f7640edf2 100644 --- a/assets/monitoring-plugin/service-account.yaml +++ b/assets/monitoring-plugin/service-account.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - capability.openshift.io/name: OptionalMonitoring + capability.openshift.io/name: Console labels: app.kubernetes.io/component: monitoring-plugin app.kubernetes.io/managed-by: cluster-monitoring-operator diff --git a/assets/monitoring-plugin/service.yaml b/assets/monitoring-plugin/service.yaml index 70d99918e1..bc19eed4b4 100644 --- a/assets/monitoring-plugin/service.yaml +++ b/assets/monitoring-plugin/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - capability.openshift.io/name: OptionalMonitoring + capability.openshift.io/name: Console openshift.io/description: Expose the monitoring plugin service on port 9443. This port is for internal use, and no other usage is guaranteed. service.beta.openshift.io/serving-cert-secret-name: monitoring-plugin-cert labels: 
diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet index 4fc9af2077..3f20d14654 100644 --- a/jsonnet/components/admission-webhook.libsonnet +++ b/jsonnet/components/admission-webhook.libsonnet @@ -2,7 +2,7 @@ local tlsVolumeName = 'prometheus-operator-admission-webhook-tls'; local admissionWebhook = import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/admission-webhook.libsonnet'; local antiAffinity = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/addons/anti-affinity.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local aw = admissionWebhook(params); @@ -129,7 +129,7 @@ function(params) ], }, - alertmanagerConfigValidatingWebhook: optIntoOptionalMonitoring.forObject({ + alertmanagerConfigValidatingWebhook: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'admissionregistration.k8s.io/v1', kind: 'ValidatingWebhookConfiguration', metadata: { diff --git a/jsonnet/components/alertmanager-user-workload.libsonnet b/jsonnet/components/alertmanager-user-workload.libsonnet index ec6a33e216..6110babfa3 100644 --- a/jsonnet/components/alertmanager-user-workload.libsonnet +++ b/jsonnet/components/alertmanager-user-workload.libsonnet 
@@ -6,7 +6,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params { @@ -417,4 +417,4 @@ function(params) }, }; - optIntoOptionalMonitoring.forObjectWithWalk(o) + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet index 1c3ad7d498..de836b1452 100644 --- a/jsonnet/components/alertmanager.libsonnet +++ b/jsonnet/components/alertmanager.libsonnet @@ -7,7 +7,7 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescri local testFilePlaceholder = (import '../utils/add-annotations.libsonnet').testFilePlaceholder; local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params { @@ -443,4 +443,4 @@ function(params) }, }; - optIntoOptionalMonitoring.forObjectWithWalk(o) + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet index 0fdf9fb5ce..58f1b3f89a 100644 --- a/jsonnet/components/cluster-monitoring-operator.libsonnet +++ b/jsonnet/components/cluster-monitoring-operator.libsonnet 
@@ -1,7 +1,7 @@ local metrics = import 'github.com/openshift/telemeter/jsonnet/telemeter/metrics.jsonnet'; local cmoRules = import './../rules.libsonnet'; -local optIntoOptionalMonitoring = import './../utils/opt-into-optional-monitoring.libsonnet'; +local optIntoCapability = import './../utils/opt-into-capability.libsonnet'; local kubePrometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/mixin/custom.libsonnet'; local defaults = { @@ -330,7 +330,7 @@ function(params) { // - get/list/watch permissions on alertingrules and alertrelabelconfigs to detect changes requiring reconciliation. // - all permissions on alertingrules/finalizers to set the `ownerReferences` field on generated prometheusrules. // - all permissions on alertingrules/status to set the status of alertingrules. - alertCustomizationRole: optIntoOptionalMonitoring.forObject({ + alertCustomizationRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -423,7 +423,7 @@ function(params) { // This role enables read/write access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerEditRole: optIntoOptionalMonitoring.forObject({ + monitoringAlertmanagerEditRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -442,7 +442,7 @@ function(params) { // This role enables read access to the platform Alertmanager API // through kube-rbac-proxy. - monitoringAlertmanagerViewRole: optIntoOptionalMonitoring.forObject({ + monitoringAlertmanagerViewRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { 
@@ -465,7 +465,7 @@ function(params) { // Using "nonResourceURLs" doesn't work because authenticated users and // service accounts are allowed to get /api/* by default. // See https://issues.redhat.com/browse/OCPBUGS-17850. - userWorkloadAlertmanagerApiReader: optIntoOptionalMonitoring.forObject({ + userWorkloadAlertmanagerApiReader: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -482,7 +482,7 @@ function(params) { // This role provides read/write access to the user-workload Alertmanager API. // See the 'monitoring-alertmanager-api-reader' role for details. - userWorkloadAlertmanagerApiWriter: optIntoOptionalMonitoring.forObject({ + userWorkloadAlertmanagerApiWriter: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -539,7 +539,7 @@ function(params) { }, // This role provides read/write access to the user-workload monitoring configuration. - userWorkloadConfigEditRole: optIntoOptionalMonitoring.forObject({ + userWorkloadConfigEditRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role', metadata: { @@ -555,7 +555,7 @@ function(params) { }), // This cluster role can be referenced in a RoleBinding object to provide read/write access to AlertmanagerConfiguration objects for a project. - alertingEditClusterRole: optIntoOptionalMonitoring.forObject({ + alertingEditClusterRole: optIntoCapability.optionalMonitoringForObject({ apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'ClusterRole', metadata: { diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet index 2370f57ed3..d07c169aeb 100644 --- a/jsonnet/components/monitoring-plugin.libsonnet +++ b/jsonnet/components/monitoring-plugin.libsonnet 
@@ -1,5 +1,5 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local cfg = params; @@ -225,4 +225,5 @@ function(params) }, // spec }, // deployment }; - optIntoOptionalMonitoring.forObjectWithWalk(o) + + optIntoCapability.consoleForObjectWithWalk(o) diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet index efb9975deb..ee6f5157f9 100644 --- a/jsonnet/components/prometheus-operator-user-workload.libsonnet +++ b/jsonnet/components/prometheus-operator-user-workload.libsonnet @@ -4,7 +4,7 @@ local operator = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/ local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); function(params) local po = operator(params); @@ -199,4 +199,4 @@ function(params) }, }; - optIntoOptionalMonitoring.forObjectWithWalk(opo) + optIntoCapability.optionalMonitoringForObjectWithWalk(opo) diff --git a/jsonnet/components/prometheus-operator.libsonnet b/jsonnet/components/prometheus-operator.libsonnet index 76f67a8634..84e8b75fc1 100644 --- a/jsonnet/components/prometheus-operator.libsonnet +++ b/jsonnet/components/prometheus-operator.libsonnet 
@@ -6,7 +6,7 @@ local conversionWebhook = import 'github.com/prometheus-operator/prometheus-oper local generateSecret = import '../utils/generate-secret.libsonnet'; local rbac = import '../utils/rbac.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; -local optIntoOptionalMonitoring = import '../utils/opt-into-optional-monitoring.libsonnet'; +local optIntoCapability = import '../utils/opt-into-capability.libsonnet'; function(params) local po = operator(params); @@ -35,7 +35,7 @@ function(params) }, '0alertmanagerConfigCustomResourceDefinition'+: // Add v1beta1 AlertmanagerConfig version. - optIntoOptionalMonitoring.forObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + + optIntoCapability.optionalMonitoringForObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') + // Enable conversion webhook. conversionWebhook(params.conversionWebhook), diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet index 37f5da9f05..e948ecddc3 100644 --- a/jsonnet/components/prometheus-user-workload.libsonnet +++ b/jsonnet/components/prometheus-user-workload.libsonnet 
@@ -2,7 +2,7 @@ local generateCertInjection = import '../utils/generate-certificate-injection.li local generateSecret = import '../utils/generate-secret.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); local prometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/prometheus.libsonnet'; @@ -614,4 +614,4 @@ function(params) }; - optIntoOptionalMonitoring.forObjectWithWalk(o) + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet index 9aff94b833..6549920916 100644 --- a/jsonnet/components/thanos-ruler.libsonnet +++ b/jsonnet/components/thanos-ruler.libsonnet @@ -3,7 +3,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet'; local ruler = import 'github.com/thanos-io/kube-thanos/jsonnet/kube-thanos/kube-thanos-rule.libsonnet'; local withDescription = (import '../utils/add-annotations.libsonnet').withDescription; local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles; -local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet'); +local optIntoCapability = (import '../utils/opt-into-capability.libsonnet'); local defaults = { volumeClaimTemplate: {}, @@ -572,4 +572,4 @@ function(params) }; - optIntoOptionalMonitoring.forObjectWithWalk(o) + optIntoCapability.optionalMonitoringForObjectWithWalk(o) diff --git a/jsonnet/utils/opt-into-capability.libsonnet b/jsonnet/utils/opt-into-capability.libsonnet new file mode 100644 index 0000000000..4aab8625f6 --- /dev/null +++ b/jsonnet/utils/opt-into-capability.libsonnet 
@@ -0,0 +1,31 @@ +{ + local addAnnotationToChild(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = + parent { + metadata+: { + annotations+: { + [annotationKeyCapability]: annotationValueOptionalMonitoringCapability, + }, + }, + }, + local addAnnotationToChildren(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = + local listKinds = std.set(['RoleList', 'RoleBindingList']); + parent { + [k]: + if std.objectHas(parent[k], 'kind') && std.setMember(parent[k].kind, listKinds) && std.objectHas(parent[k], 'items') + then + parent[k] { + items: [addAnnotationToChild(item, annotationKeyCapability, annotationValueOptionalMonitoringCapability) for item in parent[k].items], + } + else + addAnnotationToChild(parent[k], annotationKeyCapability, annotationValueOptionalMonitoringCapability) + for k in std.objectFields(parent) + }, + + local annotationKeyCapability = 'capability.openshift.io/name', + local annotationValueConsoleCapability = 'Console', + local annotationValueOptionalMonitoringCapability = 'OptionalMonitoring', + consoleForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueConsoleCapability), + consoleForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueConsoleCapability), + optionalMonitoringForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability), + optionalMonitoringForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability), +} diff --git a/jsonnet/utils/opt-into-optional-monitoring.libsonnet b/jsonnet/utils/opt-into-optional-monitoring.libsonnet deleted file mode 100644 index 6cc6a9625c..0000000000 --- a/jsonnet/utils/opt-into-optional-monitoring.libsonnet +++ /dev/null 
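Review bot: The third parameter of `addAnnotationToChild` and `addAnnotationToChildren` is named `annotationValueOptionalMonitoringCapability`, which shadows the outer local of the same name and misleads once `consoleForObject` and `consoleForObjectWithWalk` pass the `Console` value through it. Neutral parameter names make it clear that the helpers are capability-agnostic, e.g. `local addAnnotationToChild(parent, key, value) =` with `[key]: value,` in the body, and the same for `addAnnotationToChildren`. Behaviour is unchanged.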
@@ -1,27 +0,0 @@ -{ - local addAnnotationToChild(parent, annotationKey, annotationValue) = - parent { - metadata+: { - annotations+: { - [annotationKey]: annotationValue, - }, - }, - }, - local addAnnotationToChildren(parent, annotationKey, annotationValue) = - local listKinds = std.set(['RoleList', 'RoleBindingList']); - parent { - [k]: - if std.objectHas(parent[k], 'kind') && std.setMember(parent[k].kind, listKinds) && std.objectHas(parent[k], 'items') - then - parent[k] { - items: [addAnnotationToChild(item, annotationKey, annotationValue) for item in parent[k].items], - } - else - addAnnotationToChild(parent[k], annotationKey, annotationValue) - for k in std.objectFields(parent) - }, - local annotationKey = 'capability.openshift.io/name', - local annotationValue = 'OptionalMonitoring', - forObject(o): addAnnotationToChild(o, annotationKey, annotationValue), - forObjectWithWalk(o): addAnnotationToChildren(o, annotationKey, annotationValue), -} From 07101a12f117e039dee185d3795c085727df35fc Mon Sep 17 00:00:00 2001 From: Pranshu Srivastava Date: Sat, 11 Oct 2025 22:14:38 +0530 Subject: [PATCH 3/6] MON-4361,MON-4380: Add optional monitoring logic Enabling the `OptionalMonitoring` capability translates to enabling all optional monitoring components under CMO. Note that since capabilities cannot be disabled once enabled, so cleanup for optional monitoring resources is not necessary. To clarify further, there are two possible paths at install time: * capability is disabled -> enabled (no need to cleanup) * capability is enabled -/> (cannot be disabled) (no need to cleanup) 
Signed-off-by: Pranshu Srivastava --- pkg/client/client.go | 4 ++ pkg/tasks/alertmanager.go | 6 +- pkg/tasks/alertmanager_user_workload.go | 6 +- pkg/tasks/clustermonitoringoperator.go | 66 +++++++++++-------- pkg/tasks/configsharing.go | 6 +- pkg/tasks/prometheus.go | 6 +- pkg/tasks/prometheus_user_workload.go | 6 +- pkg/tasks/prometheusoperator.go | 16 +++-- pkg/tasks/prometheusoperator_user_workload.go | 6 +- pkg/tasks/thanos_ruler_user_workload.go | 6 +- 10 files changed, 87 insertions(+), 41 deletions(-) diff --git a/pkg/client/client.go b/pkg/client/client.go index e9058276f3..f8c8c7c010 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go @@ -1748,6 +1748,10 @@ func (c *Client) HasConsoleCapability(ctx context.Context) (bool, error) { return c.HasClusterCapability(ctx, configv1.ClusterVersionCapabilityConsole) } +func (c *Client) HasOptionalMonitoringCapability(ctx context.Context) (bool, error) { + return c.HasClusterCapability(ctx, "") +} + // CreateOrUpdateConsolePlugin function uses retries because API requests related to the ConsolePlugin resource // may depend on the availability of a conversion container. This container is part of the console-operator Pod, which is not duplicated. // If this pod is down (due to restarts for upgrades or other reasons), transient failures will be reported. diff --git a/pkg/tasks/alertmanager.go b/pkg/tasks/alertmanager.go index 39eedb2e7d..b4f530f938 100644 --- a/pkg/tasks/alertmanager.go +++ b/pkg/tasks/alertmanager.go 
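Review bot: `HasOptionalMonitoringCapability` calls `HasClusterCapability(ctx, "")`, so it names no capability at all. `HasClusterCapability` is not visible here, but an empty name will presumably never match, and every task in this patch that gates on the result (Alertmanager, the user-workload roles, `alert-routing-edit`) would then treat the capability as absent on all clusters. Pass the same value the manifests carry in `capability.openshift.io/name`, e.g. `return c.HasClusterCapability(ctx, configv1.ClusterVersionCapability("OptionalMonitoring"))`, or a named constant once the API package provides one. The method also lacks a doc comment; add `// HasOptionalMonitoringCapability reports whether the OptionalMonitoring cluster capability is enabled.`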
@@ -44,7 +44,11 @@ func NewAlertmanagerTask( } func (t *AlertmanagerTask) Run(ctx context.Context) error { - if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) + if err != nil { + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) + } + if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled { return t.create(ctx) } diff --git a/pkg/tasks/alertmanager_user_workload.go b/pkg/tasks/alertmanager_user_workload.go index c5cb88a86b..33931e9a8e 100644 --- a/pkg/tasks/alertmanager_user_workload.go +++ b/pkg/tasks/alertmanager_user_workload.go @@ -44,7 +44,11 @@ func NewAlertmanagerUserWorkloadTask( } func (t *AlertmanagerUserWorkloadTask) Run(ctx context.Context) error { - if t.config.UserWorkloadConfiguration.Alertmanager.Enabled { + optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) + if err != nil { + return fmt.Errorf("checking for optional monitoring capability failed: %w", err) + } + if t.config.UserWorkloadConfiguration.Alertmanager.Enabled && optionalMonitoringEnabled { return t.create(ctx) } diff --git a/pkg/tasks/clustermonitoringoperator.go b/pkg/tasks/clustermonitoringoperator.go index 843f15ad59..0f601e9f1d 100644 --- a/pkg/tasks/clustermonitoringoperator.go +++ b/pkg/tasks/clustermonitoringoperator.go 
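Review bot: In `AlertmanagerTask.Run`, a cluster without the capability skips `t.create(ctx)` and falls through to the rest of `Run`, which lies outside this hunk and is presumably the teardown path. Patch 1/6 annotates the Alertmanager CRD itself as `OptionalMonitoring`, so on such a cluster that path may be working against a resource type that is not installed; confirm it tolerates that. Alternatively, return early, which also matches the commit message's statement that no cleanup is needed: `if !optionalMonitoringEnabled { return nil }` placed before the config check. The next hunk has the same shape in `AlertmanagerUserWorkloadTask.Run`.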
@@ -45,15 +45,23 @@ func NewClusterMonitoringOperatorTask(
 }
 
 func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error {
- for name, crf := range map[string]func() (*rbacv1.ClusterRole, error){
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+
+ crfs := map[string]func() (*rbacv1.ClusterRole, error){
 "cluster-monitoring-view": t.factory.ClusterMonitoringClusterRoleView,
 "system:aggregated-metrics-reader": t.factory.ClusterMonitoringClusterRoleAggregatedMetricsReader,
 "pod-metrics-reader": t.factory.ClusterMonitoringClusterRolePodMetricsReader,
 "monitoring-rules-edit": t.factory.ClusterMonitoringRulesEditClusterRole,
 "monitoring-rules-view": t.factory.ClusterMonitoringRulesViewClusterRole,
 "monitoring-edit": t.factory.ClusterMonitoringEditClusterRole,
- "alert-routing-edit": t.factory.ClusterMonitoringAlertingEditClusterRole,
- } {
+ }
+ if optionalMonitoringEnabled {
+ crfs["alert-routing-edit"] = t.factory.ClusterMonitoringAlertingEditClusterRole
+ }
+ for name, crf := range crfs {
 cr, err := crf()
 if err != nil {
 return fmt.Errorf("initializing %s ClusterRole failed: %w", name, err)
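Review bot: `alert-routing-edit` is now added to `crfs` only when the capability is enabled, but the hunk has no branch that removes the ClusterRole when it is not. If this code can run on a cluster where an earlier operator version already created the role while the capability is off, the role would stay in place and keep granting its permissions; the same question applies to the three user-workload Roles gated in the next hunk of this file. If that state cannot occur, a short comment above `if optionalMonitoringEnabled {` saying so would settle it, for example `// Never created without the capability, so there is nothing to delete.`; otherwise a delete branch is needed. `Run` continues beyond the hunk.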
@@ -65,34 +73,35 @@ func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error {
 }
 }
 
- uwcr, err := t.factory.ClusterMonitoringEditUserWorkloadConfigRole()
- if err != nil {
- return fmt.Errorf("initializing UserWorkloadConfigEdit Role failed: %w", err)
- }
-
- err = t.client.CreateOrUpdateRole(ctx, uwcr)
- if err != nil {
- return fmt.Errorf("reconciling UserWorkloadConfigEdit Role failed: %w", err)
- }
+ if optionalMonitoringEnabled {
+ uwcr, err := t.factory.ClusterMonitoringEditUserWorkloadConfigRole()
+ if err != nil {
+ return fmt.Errorf("initializing UserWorkloadConfigEdit Role failed: %w", err)
+ }
 
- uwar, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiReader()
- if err != nil {
- return fmt.Errorf("initializing UserWorkloadAlertmanagerApiReader Role failed: %w", err)
- }
+ err = t.client.CreateOrUpdateRole(ctx, uwcr)
+ if err != nil {
+ return fmt.Errorf("reconciling UserWorkloadConfigEdit Role failed: %w", err)
+ }
+ uwar, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiReader()
+ if err != nil {
+ return fmt.Errorf("initializing UserWorkloadAlertmanagerApiReader Role failed: %w", err)
+ }
 
- err = t.client.CreateOrUpdateRole(ctx, uwar)
- if err != nil {
- return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiReader Role failed: %w", err)
- }
+ err = t.client.CreateOrUpdateRole(ctx, uwar)
+ if err != nil {
+ return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiReader Role failed: %w", err)
+ }
 
- uwaw, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiWriter()
- if err != nil {
- return fmt.Errorf("initializing UserWorkloadAlertmanagerApiWriter Role failed: %w", err)
- }
+ uwaw, err := t.factory.ClusterMonitoringEditUserWorkloadAlertmanagerApiWriter()
+ if err != nil {
+ return fmt.Errorf("initializing UserWorkloadAlertmanagerApiWriter Role failed: %w", err)
+ }
 
- err = t.client.CreateOrUpdateRole(ctx, uwaw)
- if err != nil {
- return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiWriter Role failed: %w", err)
+ err = t.client.CreateOrUpdateRole(ctx, uwaw)
+ if err != nil {
+ return fmt.Errorf("reconciling UserWorkloadAlertmanagerApiWriter Role failed: %w", err)
+ }
 }
 
 amrr, err := t.factory.ClusterMonitoringAlertManagerViewRole()
@@ -104,8 +113,7 @@ func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error {
 if err != nil {
 return fmt.Errorf("initializing AlertmanagerWrite Role failed: %w", err)
 }
-
- if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() {
+ if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled {
 if err = t.client.CreateOrUpdateRole(ctx, amwr); err != nil {
 return fmt.Errorf("reconciling AlertmanagerWrite Role failed: %w", err)
 }
diff --git a/pkg/tasks/configsharing.go b/pkg/tasks/configsharing.go
index d91e5ca780..aef2205747 100644
--- a/pkg/tasks/configsharing.go
+++ b/pkg/tasks/configsharing.go
@@ -57,7 +57,11 @@ func (t *ConfigSharingTask) Run(ctx context.Context) error {
 return fmt.Errorf("failed to retrieve Prometheus host: %w", err)
 }
 
- if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() {
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+ if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled {
 amRoute, err := t.factory.AlertmanagerRoute()
 if err != nil {
 return fmt.Errorf("initializing Alertmanager Route failed: %w", err)
diff --git a/pkg/tasks/prometheus.go b/pkg/tasks/prometheus.go
index ba67e70641..449b71d87f 100644
--- a/pkg/tasks/prometheus.go
+++ b/pkg/tasks/prometheus.go
@@ -173,7 +173,11 @@ func (t *PrometheusTask) create(ctx context.Context) error {
 return fmt.Errorf("initializing Prometheus Alertmanager RoleBinding failed: %w", err)
 }
 
- if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() {
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+ if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled {
 if err = t.client.CreateOrUpdateRoleBinding(ctx, amrb); err != nil {
 return fmt.Errorf("reconciling Prometheus Alertmanager RoleBinding failed: %w", err)
 }
diff --git a/pkg/tasks/prometheus_user_workload.go b/pkg/tasks/prometheus_user_workload.go
index ddda8061d8..9fa55eeb6b 100644
--- a/pkg/tasks/prometheus_user_workload.go
+++ b/pkg/tasks/prometheus_user_workload.go
@@ -40,7 +40,11 @@ func NewPrometheusUserWorkloadTask(client *client.Client, factory *manifests.Fac
 }
 
 func (t *PrometheusUserWorkloadTask) Run(ctx context.Context) error {
- if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled {
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+ if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled {
 return t.create(ctx)
 }
 
diff --git a/pkg/tasks/prometheusoperator.go b/pkg/tasks/prometheusoperator.go
index 4ecb05e078..c53986df19 100644
--- a/pkg/tasks/prometheusoperator.go
+++ b/pkg/tasks/prometheusoperator.go
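Review bot: `PrometheusUserWorkloadTask.Run` now requires `optionalMonitoringEnabled` before `t.create(ctx)`, which puts the user-workload Prometheus itself behind the optional capability without saying so anywhere. The component list in the first commit message of this series names Alertmanager, AlertmanagerUWM, MonitoringPlugin, the operators and ThanosRuler, but not user-workload Prometheus, and states that metrics collection was deliberately left out of the opt-in set. Because PrometheusOperatorUWM is on that list the gate is probably intended, so a comment such as `// UWM Prometheus depends on the optional UWM operator and is skipped together with it.` and a matching entry in the description would record the decision. `Run` continues outside the hunk.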
@@ -180,14 +180,20 @@ func (t *PrometheusOperatorTask) runAdmissionWebhook(ctx context.Context) error
 return fmt.Errorf("reconciling Prometheus Rule Validating Webhook failed: %w", err)
 }
 
- aw, err := t.factory.AlertManagerConfigValidatingWebhook()
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
 if err != nil {
- return fmt.Errorf("initializing AlertManagerConfig Validating Webhook failed: %w", err)
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
 }
+ if optionalMonitoringEnabled {
+ aw, err := t.factory.AlertManagerConfigValidatingWebhook()
+ if err != nil {
+ return fmt.Errorf("initializing AlertManagerConfig Validating Webhook failed: %w", err)
+ }
 
- err = t.client.CreateOrUpdateValidatingWebhookConfiguration(ctx, aw)
- if err != nil {
- return fmt.Errorf("reconciling AlertManagerConfig Validating Webhook failed: %w", err)
+ err = t.client.CreateOrUpdateValidatingWebhookConfiguration(ctx, aw)
+ if err != nil {
+ return fmt.Errorf("reconciling AlertManagerConfig Validating Webhook failed: %w", err)
+ }
 }
 
 return nil
diff --git a/pkg/tasks/prometheusoperator_user_workload.go b/pkg/tasks/prometheusoperator_user_workload.go
index 6bfc970ac7..06cd91e61c 100644
--- a/pkg/tasks/prometheusoperator_user_workload.go
+++ b/pkg/tasks/prometheusoperator_user_workload.go
@@ -39,7 +39,11 @@ func NewPrometheusOperatorUserWorkloadTask(client *client.Client, factory *manif
 }
 
 func (t *PrometheusOperatorUserWorkloadTask) Run(ctx context.Context) error {
- if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled {
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+ if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled {
 return t.create(ctx)
 }
 
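Review bot: With the capability off, `runAdmissionWebhook` skips the AlertManagerConfig validating webhook entirely, so whether this is safe depends on whether AlertmanagerConfig objects can still be created in that state. A later commit in this series keeps CRDs installed regardless of the capability because their absence can crash CMO and PO; only two CRDs are visible there, but if the AlertmanagerConfig CRD is treated the same way, its objects would be admitted without this validation. A comment above `if optionalMonitoringEnabled {` should state the intended case, for example `// Without the capability no Alertmanager consumes AlertmanagerConfig, so its webhook is not installed.` The function starts before the hunk.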
diff --git a/pkg/tasks/thanos_ruler_user_workload.go b/pkg/tasks/thanos_ruler_user_workload.go
index 8956509b06..26c980f3cb 100644
--- a/pkg/tasks/thanos_ruler_user_workload.go
+++ b/pkg/tasks/thanos_ruler_user_workload.go
@@ -39,7 +39,11 @@ func NewThanosRulerUserWorkloadTask(client *client.Client, factory *manifests.Fa
 }
 
 func (t *ThanosRulerUserWorkloadTask) Run(ctx context.Context) error {
- if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled {
+ optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx)
+ if err != nil {
+ return fmt.Errorf("checking for optional monitoring capability failed: %w", err)
+ }
+ if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled {
 return t.create(ctx)
 }
 
From b3df6bf918c0fad87181c1116367a3e0e2bc4139 Mon Sep 17 00:00:00 2001
From: Pranshu Srivastava
Date: Mon, 13 Oct 2025 00:30:13 +0530
Subject: [PATCH 4/6] MON-4361,MON-4380: Make CRDs non-optional
Excluding CRDs from optional monitoring as their absence can cause CMO and PO to crash or throw errors at the very least.
Signed-off-by: Pranshu Srivastava
---
 jsonnet/crds/alertingrules-custom-resource-definition.json | 2 +-
 .../crds/alertrelabelconfigs-custom-resource-definition.json | 2 +-
 ...g-operator_00_0alertingrules-custom-resource-definition.yaml | 1 -
 ...ator_00_0alertrelabelconfigs-custom-resource-definition.yaml | 1 -
 4 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/jsonnet/crds/alertingrules-custom-resource-definition.json b/jsonnet/crds/alertingrules-custom-resource-definition.json
index 8288e32c73..16a24f3d19 100644
--- a/jsonnet/crds/alertingrules-custom-resource-definition.json
+++ b/jsonnet/crds/alertingrules-custom-resource-definition.json
@@ -1 +1 @@ -{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"capability.openshift.io/name":"OptionalMonitoring", "api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alerting rules","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertingrules.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertingRule","listKind":"AlertingRuleList","plural":"alertingrules","singular":"alertingrule"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertingRule represents a set of user-defined Prometheus rule groups containing\nalerting rules. This resource is the supported method for cluster admins to\ncreate alerts based on metrics recorded by the platform monitoring stack in\nOpenShift, i.e. the Prometheus instance deployed to the openshift-monitoring\nnamespace. You might use this to create custom alerting rules not shipped with\nOpenShift based on metrics from components such as the node_exporter, which\nprovides machine-level metrics such as CPU usage, or kube-state-metrics, which\nprovides metrics on Kubernetes usage.\n\nThe API is mostly compatible with the upstream PrometheusRule type from the\nprometheus-operator. The primary difference being that recording rules are not\nallowed here -- only alerting rules. For each AlertingRule resource created, a\ncorresponding PrometheusRule will be created in the openshift-monitoring\nnamespace. 
OpenShift requires admins to use the AlertingRule resource rather\nthan the upstream type in order to allow better OpenShift specific defaulting\nand validation, while not modifying the upstream APIs directly.\n\nYou can find upstream API documentation for PrometheusRule resources here:\n\nhttps://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertingRule object.","properties":{"groups":{"description":"groups is a list of grouped alerting rules. Rule groups are the unit at\nwhich Prometheus parallelizes rule processing. All rules in a single group\nshare a configured evaluation interval. All rules in the group will be\nprocessed together on this interval, sequentially, and all rules will be\nprocessed.\n\nIt's common to group related alerting rules into a single AlertingRule\nresources, and within that resource, closely related alerts, or simply\nalerts with the same interval, into individual groups. 
You are also free\nto create AlertingRule resources with only a single rule group, but be\naware that this can have a performance impact on Prometheus if the group is\nextremely large or has very complex query expressions to evaluate.\nSpreading very complex rules across multiple groups to allow them to be\nprocessed in parallel is also a common use-case.","items":{"description":"RuleGroup is a list of sequentially evaluated alerting rules.","properties":{"interval":{"description":"interval is how often rules in the group are evaluated. If not specified,\nit defaults to the global.evaluation_interval configured in Prometheus,\nwhich itself defaults to 30 seconds. You can check if this value has been\nmodified from the default on your cluster by inspecting the platform\nPrometheus configuration:\nThe relevant field in that resource is: spec.evaluationInterval","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"name":{"description":"name is the name of the group.","maxLength":2048,"minLength":1,"type":"string"},"rules":{"description":"rules is a list of sequentially evaluated alerting rules. Prometheus may\nprocess rule groups in parallel, but rules within a single group are always\nprocessed sequentially, and all rules are processed.","items":{"description":"Rule describes an alerting rule.\nSee Prometheus documentation:\n- https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules","properties":{"alert":{"description":"alert is the name of the alert. Must be a valid label value, i.e. may\ncontain any Unicode character.","maxLength":2048,"minLength":1,"type":"string"},"annotations":{"additionalProperties":{"type":"string"},"description":"annotations to add to each alert. 
These are values that can be used to\nstore longer additional information that you won't query on, such as alert\ndescriptions or runbook links.","type":"object"},"expr":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"expr is the PromQL expression to evaluate. Every evaluation cycle this is\nevaluated at the current time, and all resultant time series become pending\nor firing alerts. This is most often a string representing a PromQL\nexpression, e.g.: mapi_current_pending_csr \u003e mapi_max_pending_csr\nIn rare cases this could be a simple integer, e.g. a simple \"1\" if the\nintent is to create an alert that is always firing. This is sometimes used\nto create an always-firing \"Watchdog\" alert in order to ensure the alerting\npipeline is functional.","x-kubernetes-int-or-string":true},"for":{"description":"for is the time period after which alerts are considered firing after first\nreturning results. Alerts which have not yet fired for long enough are\nconsidered pending.","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"labels":{"additionalProperties":{"type":"string"},"description":"labels to add or overwrite for each alert. The results of the PromQL\nexpression for the alert will result in an existing set of labels for the\nalert, after evaluating the expression, for any label specified here with\nthe same name as a label in that set, the label here wins and overwrites\nthe previous value. These should typically be short identifying values\nthat may be useful to query against. 
A common example is the alert\nseverity, where one sets `severity: warning` under the `labels` key:","type":"object"}},"required":["alert","expr"],"type":"object"},"minItems":1,"type":"array"}},"required":["name","rules"],"type":"object"},"minItems":1,"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}},"required":["groups"],"type":"object"},"status":{"description":"status describes the current state of this AlertOverrides object.","properties":{"observedGeneration":{"description":"observedGeneration is the last generation change you've dealt with.","format":"int64","type":"integer"},"prometheusRule":{"description":"prometheusRule is the generated PrometheusRule for this AlertingRule. Each\nAlertingRule instance results in a generated PrometheusRule object in the\nsame namespace, which is always the openshift-monitoring namespace.","properties":{"name":{"description":"name of the referenced PrometheusRule.","maxLength":2048,"minLength":1,"type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} +{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alerting rules","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertingrules.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertingRule","listKind":"AlertingRuleList","plural":"alertingrules","singular":"alertingrule"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertingRule represents a set of user-defined Prometheus rule groups containing\nalerting rules. 
This resource is the supported method for cluster admins to\ncreate alerts based on metrics recorded by the platform monitoring stack in\nOpenShift, i.e. the Prometheus instance deployed to the openshift-monitoring\nnamespace. You might use this to create custom alerting rules not shipped with\nOpenShift based on metrics from components such as the node_exporter, which\nprovides machine-level metrics such as CPU usage, or kube-state-metrics, which\nprovides metrics on Kubernetes usage.\n\nThe API is mostly compatible with the upstream PrometheusRule type from the\nprometheus-operator. The primary difference being that recording rules are not\nallowed here -- only alerting rules. For each AlertingRule resource created, a\ncorresponding PrometheusRule will be created in the openshift-monitoring\nnamespace. OpenShift requires admins to use the AlertingRule resource rather\nthan the upstream type in order to allow better OpenShift specific defaulting\nand validation, while not modifying the upstream APIs directly.\n\nYou can find upstream API documentation for PrometheusRule resources here:\n\nhttps://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: 
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertingRule object.","properties":{"groups":{"description":"groups is a list of grouped alerting rules. Rule groups are the unit at\nwhich Prometheus parallelizes rule processing. All rules in a single group\nshare a configured evaluation interval. All rules in the group will be\nprocessed together on this interval, sequentially, and all rules will be\nprocessed.\n\nIt's common to group related alerting rules into a single AlertingRule\nresources, and within that resource, closely related alerts, or simply\nalerts with the same interval, into individual groups. You are also free\nto create AlertingRule resources with only a single rule group, but be\naware that this can have a performance impact on Prometheus if the group is\nextremely large or has very complex query expressions to evaluate.\nSpreading very complex rules across multiple groups to allow them to be\nprocessed in parallel is also a common use-case.","items":{"description":"RuleGroup is a list of sequentially evaluated alerting rules.","properties":{"interval":{"description":"interval is how often rules in the group are evaluated. If not specified,\nit defaults to the global.evaluation_interval configured in Prometheus,\nwhich itself defaults to 30 seconds. You can check if this value has been\nmodified from the default on your cluster by inspecting the platform\nPrometheus configuration:\nThe relevant field in that resource is: spec.evaluationInterval","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"name":{"description":"name is the name of the group.","maxLength":2048,"minLength":1,"type":"string"},"rules":{"description":"rules is a list of sequentially evaluated alerting rules. 
Prometheus may\nprocess rule groups in parallel, but rules within a single group are always\nprocessed sequentially, and all rules are processed.","items":{"description":"Rule describes an alerting rule.\nSee Prometheus documentation:\n- https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules","properties":{"alert":{"description":"alert is the name of the alert. Must be a valid label value, i.e. may\ncontain any Unicode character.","maxLength":2048,"minLength":1,"type":"string"},"annotations":{"additionalProperties":{"type":"string"},"description":"annotations to add to each alert. These are values that can be used to\nstore longer additional information that you won't query on, such as alert\ndescriptions or runbook links.","type":"object"},"expr":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"expr is the PromQL expression to evaluate. Every evaluation cycle this is\nevaluated at the current time, and all resultant time series become pending\nor firing alerts. This is most often a string representing a PromQL\nexpression, e.g.: mapi_current_pending_csr \u003e mapi_max_pending_csr\nIn rare cases this could be a simple integer, e.g. a simple \"1\" if the\nintent is to create an alert that is always firing. This is sometimes used\nto create an always-firing \"Watchdog\" alert in order to ensure the alerting\npipeline is functional.","x-kubernetes-int-or-string":true},"for":{"description":"for is the time period after which alerts are considered firing after first\nreturning results. Alerts which have not yet fired for long enough are\nconsidered pending.","maxLength":2048,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$","type":"string"},"labels":{"additionalProperties":{"type":"string"},"description":"labels to add or overwrite for each alert. 
The results of the PromQL\nexpression for the alert will result in an existing set of labels for the\nalert, after evaluating the expression, for any label specified here with\nthe same name as a label in that set, the label here wins and overwrites\nthe previous value. These should typically be short identifying values\nthat may be useful to query against. A common example is the alert\nseverity, where one sets `severity: warning` under the `labels` key:","type":"object"}},"required":["alert","expr"],"type":"object"},"minItems":1,"type":"array"}},"required":["name","rules"],"type":"object"},"minItems":1,"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}},"required":["groups"],"type":"object"},"status":{"description":"status describes the current state of this AlertOverrides object.","properties":{"observedGeneration":{"description":"observedGeneration is the last generation change you've dealt with.","format":"int64","type":"integer"},"prometheusRule":{"description":"prometheusRule is the generated PrometheusRule for this AlertingRule. Each\nAlertingRule instance results in a generated PrometheusRule object in the\nsame namespace, which is always the openshift-monitoring namespace.","properties":{"name":{"description":"name of the referenced PrometheusRule.","maxLength":2048,"minLength":1,"type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} \ No newline at end of file diff --git a/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json b/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json index a18f5d4f70..804ff9d413 100644 --- a/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json +++ b/jsonnet/crds/alertrelabelconfigs-custom-resource-definition.json 
@@ -1 +1 @@ -{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"capability.openshift.io/name":"OptionalMonitoring", "api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alert relabel configurations","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertrelabelconfigs.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertRelabelConfig","listKind":"AlertRelabelConfigList","plural":"alertrelabelconfigs","singular":"alertrelabelconfig"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertRelabelConfig object.","properties":{"configs":{"description":"configs is a list of sequentially evaluated alert relabel configs.","items":{"description":"RelabelConfig allows dynamic rewriting of label sets for 
alerts.\nSee Prometheus documentation:\n- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","properties":{"action":{"default":"Replace","description":"action to perform based on regex matching. Must be one of: 'Replace', 'Keep',\n'Drop', 'HashMod', 'LabelMap', 'LabelDrop', or 'LabelKeep'. Default is: 'Replace'","enum":["Replace","Keep","Drop","HashMod","LabelMap","LabelDrop","LabelKeep"],"type":"string"},"modulus":{"description":"modulus to take of the hash of the source label values. This can be\ncombined with the 'HashMod' action to set 'target_label' to the 'modulus'\nof a hash of the concatenated 'source_labels'. This is only valid if\nsourceLabels is not empty and action is not 'LabelKeep' or 'LabelDrop'.","format":"int64","type":"integer"},"regex":{"default":"(.*)","description":"regex against which the extracted value is matched. Default is: '(.*)'\nregex is required for all actions except 'HashMod'","maxLength":2048,"type":"string"},"replacement":{"description":"replacement value against which a regex replace is performed if the regular\nexpression matches. This is required if the action is 'Replace' or\n'LabelMap' and forbidden for actions 'LabelKeep' and 'LabelDrop'.\nRegex capture groups are available. Default is: '$1'","maxLength":2048,"type":"string"},"separator":{"description":"separator placed between concatenated source label values. When omitted,\nPrometheus will use its default value of ';'.","maxLength":2048,"type":"string"},"sourceLabels":{"description":"sourceLabels select values from existing labels. 
Their content is\nconcatenated using the configured separator and matched against the\nconfigured regular expression for the 'Replace', 'Keep', and 'Drop' actions.\nNot allowed for actions 'LabelKeep' and 'LabelDrop'.","items":{"description":"LabelName is a valid Prometheus label name which may only contain ASCII\nletters, numbers, and underscores.","maxLength":2048,"pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$","type":"string"},"type":"array"},"targetLabel":{"description":"targetLabel to which the resulting value is written in a 'Replace' action.\nIt is required for 'Replace' and 'HashMod' actions and forbidden for\nactions 'LabelKeep' and 'LabelDrop'. Regex capture groups\nare available.","maxLength":2048,"type":"string"}},"type":"object","x-kubernetes-validations":[{"message":"relabel action hashmod requires non-zero modulus","rule":"self.action != 'HashMod' || self.modulus != 0"},{"message":"targetLabel is required when action is Replace or HashMod","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'HashMod') || has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found sourceLabels)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.sourceLabels)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found targetLabel)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found modulus)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.modulus)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found separator)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.separator)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found 
replacement)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.replacement)"},{"message":"modulus requires sourceLabels to be present","rule":"!has(self.modulus) || (has(self.modulus) \u0026\u0026 size(self.sourceLabels) \u003e 0)"},{"message":"sourceLabels is required for actions Replace, Keep, Drop, HashMod and LabelMap","rule":"(self.action == 'LabelDrop' || self.action == 'LabelKeep') || has(self.sourceLabels)"},{"message":"replacement is required for actions Replace and LabelMap","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'LabelMap') || has(self.replacement)"}]},"minItems":1,"type":"array"}},"required":["configs"],"type":"object"},"status":{"description":"status describes the current state of this AlertRelabelConfig object.","properties":{"conditions":{"description":"conditions contains details on the state of the AlertRelabelConfig, may be\nempty.","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} 
+{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"api-approved.openshift.io":"https://github.com/openshift/api/pull/1406","api.openshift.io/merged-by-featuregates":"true","description":"OpenShift Monitoring alert relabel configurations","include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true"},"name":"alertrelabelconfigs.monitoring.openshift.io"},"spec":{"group":"monitoring.openshift.io","names":{"kind":"AlertRelabelConfig","listKind":"AlertRelabelConfigList","plural":"alertrelabelconfigs","singular":"alertrelabelconfig"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"description":"AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"spec describes the desired state of this AlertRelabelConfig object.","properties":{"configs":{"description":"configs is a list of sequentially evaluated alert relabel configs.","items":{"description":"RelabelConfig allows dynamic rewriting of label sets for alerts.\nSee Prometheus documentation:\n- 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","properties":{"action":{"default":"Replace","description":"action to perform based on regex matching. Must be one of: 'Replace', 'Keep',\n'Drop', 'HashMod', 'LabelMap', 'LabelDrop', or 'LabelKeep'. Default is: 'Replace'","enum":["Replace","Keep","Drop","HashMod","LabelMap","LabelDrop","LabelKeep"],"type":"string"},"modulus":{"description":"modulus to take of the hash of the source label values. This can be\ncombined with the 'HashMod' action to set 'target_label' to the 'modulus'\nof a hash of the concatenated 'source_labels'. This is only valid if\nsourceLabels is not empty and action is not 'LabelKeep' or 'LabelDrop'.","format":"int64","type":"integer"},"regex":{"default":"(.*)","description":"regex against which the extracted value is matched. Default is: '(.*)'\nregex is required for all actions except 'HashMod'","maxLength":2048,"type":"string"},"replacement":{"description":"replacement value against which a regex replace is performed if the regular\nexpression matches. This is required if the action is 'Replace' or\n'LabelMap' and forbidden for actions 'LabelKeep' and 'LabelDrop'.\nRegex capture groups are available. Default is: '$1'","maxLength":2048,"type":"string"},"separator":{"description":"separator placed between concatenated source label values. When omitted,\nPrometheus will use its default value of ';'.","maxLength":2048,"type":"string"},"sourceLabels":{"description":"sourceLabels select values from existing labels. 
Their content is\nconcatenated using the configured separator and matched against the\nconfigured regular expression for the 'Replace', 'Keep', and 'Drop' actions.\nNot allowed for actions 'LabelKeep' and 'LabelDrop'.","items":{"description":"LabelName is a valid Prometheus label name which may only contain ASCII\nletters, numbers, and underscores.","maxLength":2048,"pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$","type":"string"},"type":"array"},"targetLabel":{"description":"targetLabel to which the resulting value is written in a 'Replace' action.\nIt is required for 'Replace' and 'HashMod' actions and forbidden for\nactions 'LabelKeep' and 'LabelDrop'. Regex capture groups\nare available.","maxLength":2048,"type":"string"}},"type":"object","x-kubernetes-validations":[{"message":"relabel action hashmod requires non-zero modulus","rule":"self.action != 'HashMod' || self.modulus != 0"},{"message":"targetLabel is required when action is Replace or HashMod","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'HashMod') || has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found sourceLabels)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.sourceLabels)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found targetLabel)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.targetLabel)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found modulus)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.modulus)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found separator)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.separator)"},{"message":"LabelKeep and LabelDrop actions require only 'regex', and no other fields (found 
replacement)","rule":"(self.action != 'LabelDrop' \u0026\u0026 self.action != 'LabelKeep') || !has(self.replacement)"},{"message":"modulus requires sourceLabels to be present","rule":"!has(self.modulus) || (has(self.modulus) \u0026\u0026 size(self.sourceLabels) \u003e 0)"},{"message":"sourceLabels is required for actions Replace, Keep, Drop, HashMod and LabelMap","rule":"(self.action == 'LabelDrop' || self.action == 'LabelKeep') || has(self.sourceLabels)"},{"message":"replacement is required for actions Replace and LabelMap","rule":"(self.action != 'Replace' \u0026\u0026 self.action != 'LabelMap') || has(self.replacement)"}]},"minItems":1,"type":"array"}},"required":["configs"],"type":"object"},"status":{"description":"status describes the current state of this AlertRelabelConfig object.","properties":{"conditions":{"description":"conditions contains details on the state of the AlertRelabelConfig, may be\nempty.","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}},"type":"object"}},"required":["spec"],"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} \ No newline at end of file 
diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml index c2402a8cbb..4eebca4cb8 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertingrules-custom-resource-definition.yaml @@ -4,7 +4,6 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/1406 api.openshift.io/merged-by-featuregates: "true" - capability.openshift.io/name: OptionalMonitoring description: OpenShift Monitoring alerting rules include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" diff --git a/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml b/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml index 2f05eb7945..ef0b4577bf 100644 --- a/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml +++ b/manifests/0000_50_cluster-monitoring-operator_00_0alertrelabelconfigs-custom-resource-definition.yaml @@ -4,7 +4,6 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/1406 api.openshift.io/merged-by-featuregates: "true" - capability.openshift.io/name: OptionalMonitoring description: OpenShift Monitoring alert relabel configurations include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" From 0909bd76458e516efb57e1994be23a71c674c02c Mon Sep 17 00:00:00 2001 From: Pranshu Srivastava Date: Mon, 13 Oct 2025 17:22:28 +0530 Subject: [PATCH 5/6] MON-4361,MON-4380: Add webhook description and refactor jsonnet/ 
Signed-off-by: Pranshu Srivastava --- Documentation/resources.adoc | 11 ++++++++ Documentation/resources.md | 10 +++++++ ...lertmanager-config-validating-webhook.yaml | 1 + .../prometheus-rule-validating-webhook.yaml | 1 + .../components/admission-webhook.libsonnet | 4 +-- jsonnet/utils/opt-into-capability.libsonnet | 28 ++++++++++++------- 6 files changed, 43 insertions(+), 12 deletions(-) diff --git a/Documentation/resources.adoc b/Documentation/resources.adoc index ca237453a9..038fc6e9d7 100644 --- a/Documentation/resources.adoc +++ b/Documentation/resources.adoc @@ -149,3 +149,14 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed. +[id="cmo-validatingwebhookconfigurations-resources"] +== CMO validatingwebhookconfigurations resources + +=== /alertmanagerconfigs.openshift.io + +Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. + +=== /prometheusrules.openshift.io + +Validating webhook for `PrometheusRule` custom resources. + diff --git a/Documentation/resources.md b/Documentation/resources.md index 68c25fd1dc..3cd767538f 100644 --- a/Documentation/resources.md +++ b/Documentation/resources.md 
@@ -165,3 +165,13 @@ This also exposes the gRPC endpoints on port 10901. This port is for internal us Expose the `/metrics` and `/validate-webhook` endpoints on port 8443. This port is for internal use, and no other usage is guaranteed. +## ValidatingWebhookConfigurations + +### /alertmanagerconfigs.openshift.io + +Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. + +### /prometheusrules.openshift.io + +Validating webhook for `PrometheusRule` custom resources. + diff --git a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml index f958301294..67ba7bc37d 100644 --- a/assets/admission-webhook/alertmanager-config-validating-webhook.yaml +++ b/assets/admission-webhook/alertmanager-config-validating-webhook.yaml @@ -3,6 +3,7 @@ kind: ValidatingWebhookConfiguration metadata: annotations: capability.openshift.io/name: OptionalMonitoring + openshift.io/description: Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled. service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: controller diff --git a/assets/admission-webhook/prometheus-rule-validating-webhook.yaml b/assets/admission-webhook/prometheus-rule-validating-webhook.yaml index 364e8b4aad..89e6675619 100644 --- a/assets/admission-webhook/prometheus-rule-validating-webhook.yaml +++ b/assets/admission-webhook/prometheus-rule-validating-webhook.yaml 
@@ -2,6 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: + openshift.io/description: Validating webhook for `PrometheusRule` custom resources. service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: controller diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet index 3f20d14654..ff1f83a506 100644 --- a/jsonnet/components/admission-webhook.libsonnet +++ b/jsonnet/components/admission-webhook.libsonnet @@ -99,7 +99,7 @@ function(params) }, annotations: { 'service.beta.openshift.io/inject-cabundle': 'true', - }, + } + withDescription('Validating webhook for `PrometheusRule` custom resources.'), }, webhooks: [ { @@ -140,7 +140,7 @@ function(params) }, annotations: { 'service.beta.openshift.io/inject-cabundle': 'true', - }, + } + withDescription('Validating webhook for `AlertmanagerConfig` custom resources. Note that this webhook is a part of optional monitoring, and will only be deployed if the `OptionalMonitoring` capability is enabled.'), }, webhooks: [ { diff --git a/jsonnet/utils/opt-into-capability.libsonnet b/jsonnet/utils/opt-into-capability.libsonnet index 4aab8625f6..30ff66a9c7 100644 --- a/jsonnet/utils/opt-into-capability.libsonnet +++ b/jsonnet/utils/opt-into-capability.libsonnet 
@@ -1,31 +1,39 @@ { - local addAnnotationToChild(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = - parent { + local addAnnotationToChild(o, key, value) = + o { metadata+: { annotations+: { - [annotationKeyCapability]: annotationValueOptionalMonitoringCapability, + [key]: value, }, }, }, - local addAnnotationToChildren(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) = + local addAnnotationToChildren(o, key, value) = local listKinds = std.set(['RoleList', 'RoleBindingList']); - parent { + o { [k]: - if std.objectHas(parent[k], 'kind') && std.setMember(parent[k].kind, listKinds) && std.objectHas(parent[k], 'items') + if std.objectHas(o[k], 'kind') && std.setMember(o[k].kind, listKinds) && std.objectHas(o[k], 'items') then - parent[k] { - items: [addAnnotationToChild(item, annotationKeyCapability, annotationValueOptionalMonitoringCapability) for item in parent[k].items], + o[k] { + items: [addAnnotationToChild(item, key, value) for item in o[k].items], } else - addAnnotationToChild(parent[k], annotationKeyCapability, annotationValueOptionalMonitoringCapability) - for k in std.objectFields(parent) + addAnnotationToChild(o[k], key, value) + for k in std.objectFields(o) }, local annotationKeyCapability = 'capability.openshift.io/name', local annotationValueConsoleCapability = 'Console', local annotationValueOptionalMonitoringCapability = 'OptionalMonitoring', + + // consoleForObject adds the Console capability annotation to a single object. consoleForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueConsoleCapability), + + // consoleForObjectWithWalk adds the Console capability annotation to all objects in the given parent object, iteratively. consoleForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueConsoleCapability), + + // optionalMonitoringForObject adds the OptionalMonitoring capability annotation to a single object. 
optionalMonitoringForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability), + + // optionalMonitoringForObjectWithWalk adds the OptionalMonitoring capability annotation to all objects in the given parent object, iteratively. optionalMonitoringForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability), } From 2dff19587c381adfdd21ccb7924d1821853cd36e Mon Sep 17 00:00:00 2001 From: Pranshu Srivastava Date: Mon, 13 Oct 2025 23:18:45 +0530 Subject: [PATCH 6/6] MON-4361,MON-4380: Refactor optional monitoring logic Signed-off-by: Pranshu Srivastava --- pkg/client/client.go | 2 +- pkg/operator/operator.go | 41 +++++++------ pkg/tasks/alertmanager.go | 6 +- pkg/tasks/alertmanager_user_workload.go | 6 +- pkg/tasks/prometheus_user_workload.go | 6 +- pkg/tasks/prometheusoperator_user_workload.go | 6 +- pkg/tasks/tasks.go | 60 +++++++++++++++++++ pkg/tasks/thanos_ruler_user_workload.go | 6 +- 8 files changed, 89 insertions(+), 44 deletions(-) diff --git a/pkg/client/client.go b/pkg/client/client.go index f8c8c7c010..e6b79aef0c 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go @@ -1749,7 +1749,7 @@ func (c *Client) HasConsoleCapability(ctx context.Context) (bool, error) { } func (c *Client) HasOptionalMonitoringCapability(ctx context.Context) (bool, error) { - return c.HasClusterCapability(ctx, "") + return true, nil // TODO: implement when the capability is added in /api } // CreateOrUpdateConsolePlugin function uses retries because API requests related to the ConsolePlugin resource diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 91f8e6ecc7..1e163349bb 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go 
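Review bot: The new comments on `consoleForObjectWithWalk` and `optionalMonitoringForObjectWithWalk` say the annotation is added to all objects "iteratively", but `addAnnotationToChildren` only descends into `items` when a field's kind is `RoleList` or `RoleBindingList`. A field holding any other list kind takes the `else` branch, so the wrapper's metadata is annotated and its items stay unannotated; those items would presumably not be gated by the capability. I would state that limit in the comment, e.g. `// optionalMonitoringForObjectWithWalk annotates every top-level field of o; list items are annotated only for RoleList and RoleBindingList.`, and word the Console variant the same way.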
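Review bot: `HasOptionalMonitoringCapability` now returns `true, nil` unconditionally and no longer uses `c` or `ctx`, so the skip branch that `MaybeSkipOptionalTasks` adds later in this series cannot be reached at runtime. Manifests in this series already carry `capability.openshift.io/name: OptionalMonitoring`, so the operator's view and the manifest annotations could disagree on a cluster where the capability is off; how those annotations are consumed is not visible here. The exported method has no doc comment saying it is a stub; I would add `// HasOptionalMonitoringCapability always reports true until the OptionalMonitoring capability exists in the API; the result is not yet a real capability check.` A unit test for the disabled path of the task filter would also help, since production code will not exercise it.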
@@ -798,35 +798,40 @@ func (o *Operator) sync(ctx context.Context, key string) error { // should also be created first because it is referenced by Prometheus. tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("MetricsScrapingClientCA", tasks.NewMetricsClientCATask(o.client, factory, config)), - newTaskSpec("PrometheusOperator", tasks.NewPrometheusOperatorTask(o.client, factory)), + newTaskSpec(tasks.MetricsClientCATaskName, tasks.NewMetricsClientCATask(o.client, factory, config)), + newTaskSpec(tasks.PrometheusOperatorTaskName, tasks.NewPrometheusOperatorTask(o.client, factory)), }), tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("ClusterMonitoringOperatorDeps", tasks.NewClusterMonitoringOperatorTask(o.client, factory, config)), - newTaskSpec("Prometheus", tasks.NewPrometheusTask(o.client, factory, config)), - newTaskSpec("Alertmanager", tasks.NewAlertmanagerTask(o.client, factory, config)), - newTaskSpec("NodeExporter", tasks.NewNodeExporterTask(o.client, factory)), - newTaskSpec("KubeStateMetrics", tasks.NewKubeStateMetricsTask(o.client, factory)), - newTaskSpec("OpenshiftStateMetrics", tasks.NewOpenShiftStateMetricsTask(o.client, factory)), - newTaskSpec("MetricsServer", tasks.NewMetricsServerTask(ctx, o.namespace, o.client, factory, config)), - newTaskSpec("TelemeterClient", tasks.NewTelemeterClientTask(o.client, factory, config)), - newTaskSpec("ThanosQuerier", tasks.NewThanosQuerierTask(o.client, factory, config)), - newTaskSpec("ControlPlaneComponents", tasks.NewControlPlaneTask(o.client, factory, config)), - newTaskSpec("ConsolePluginComponents", tasks.NewMonitoringPluginTask(o.client, factory, config)), + newTaskSpec(tasks.ClusterMonitoringOperatorTaskName, tasks.NewClusterMonitoringOperatorTask(o.client, factory, config)), + newTaskSpec(tasks.PrometheusTaskName, tasks.NewPrometheusTask(o.client, factory, config)), + newTaskSpec(tasks.AlertmanagerTaskName, tasks.NewAlertmanagerTask(o.client, factory, config)), + 
newTaskSpec(tasks.NodeExporterTaskName, tasks.NewNodeExporterTask(o.client, factory)), + newTaskSpec(tasks.KubeStateMetricsTaskName, tasks.NewKubeStateMetricsTask(o.client, factory)), + newTaskSpec(tasks.OpenshiftStateMetricsTaskName, tasks.NewOpenShiftStateMetricsTask(o.client, factory)), + newTaskSpec(tasks.MetricsServerTaskName, tasks.NewMetricsServerTask(ctx, o.namespace, o.client, factory, config)), + newTaskSpec(tasks.TelemeterClientTaskName, tasks.NewTelemeterClientTask(o.client, factory, config)), + newTaskSpec(tasks.ThanosQuerierTaskName, tasks.NewThanosQuerierTask(o.client, factory, config)), + newTaskSpec(tasks.ControlPlaneTaskName, tasks.NewControlPlaneTask(o.client, factory, config)), + newTaskSpec(tasks.MonitoringPluginTaskName, tasks.NewMonitoringPluginTask(o.client, factory, config)), // Tried to run the UWM prom-operator in the first group, but some e2e tests started failing. - newUWMTaskSpec("PrometheusOperator", tasks.NewPrometheusOperatorUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("Prometheus", tasks.NewPrometheusUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("Alertmanager", tasks.NewAlertmanagerUserWorkloadTask(o.client, factory, config)), - newUWMTaskSpec("ThanosRuler", tasks.NewThanosRulerUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.PrometheusOperatorUWMTaskName, tasks.NewPrometheusOperatorUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.PrometheusUWMTaskName, tasks.NewPrometheusUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.AlertmanagerUWMTaskName, tasks.NewAlertmanagerUserWorkloadTask(o.client, factory, config)), + newUWMTaskSpec(tasks.ThanosRulerUWMTaskName, tasks.NewThanosRulerUserWorkloadTask(o.client, factory, config)), }), // The shared configmap depends on resources being created by the previous tasks hence run it last. 
tasks.NewTaskGroup( []*tasks.TaskSpec{ - newTaskSpec("ConfigurationSharing", tasks.NewConfigSharingTask(o.client, factory, config)), + newTaskSpec(tasks.ConfigSharingTaskName, tasks.NewConfigSharingTask(o.client, factory, config)), }, ), ) + // Skip optional tasks if OptionalMonitoring capability is disabled. + err = tl.MaybeSkipOptionalTasks() + if err != nil { + return fmt.Errorf("failed to assess optional tasks: %w", err) + } klog.Info("Updating ClusterOperator status to InProgress.") err = o.client.StatusReporter().SetRollOutInProgress(ctx) if err != nil { diff --git a/pkg/tasks/alertmanager.go b/pkg/tasks/alertmanager.go index b4f530f938..39eedb2e7d 100644 --- a/pkg/tasks/alertmanager.go +++ b/pkg/tasks/alertmanager.go @@ -44,11 +44,7 @@ func NewAlertmanagerTask( } func (t *AlertmanagerTask) Run(ctx context.Context) error { - optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) - if err != nil { - return fmt.Errorf("checking for optional monitoring capability failed: %w", err) - } - if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() && optionalMonitoringEnabled { + if t.config.ClusterMonitoringConfiguration.AlertmanagerMainConfig.IsEnabled() { return t.create(ctx) } diff --git a/pkg/tasks/alertmanager_user_workload.go b/pkg/tasks/alertmanager_user_workload.go index 33931e9a8e..c5cb88a86b 100644 --- a/pkg/tasks/alertmanager_user_workload.go +++ b/pkg/tasks/alertmanager_user_workload.go @@ -44,11 +44,7 @@ func NewAlertmanagerUserWorkloadTask( } func (t *AlertmanagerUserWorkloadTask) Run(ctx context.Context) error { - optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) - if err != nil { - return fmt.Errorf("checking for optional monitoring capability failed: %w", err) - } - if t.config.UserWorkloadConfiguration.Alertmanager.Enabled && optionalMonitoringEnabled { + if t.config.UserWorkloadConfiguration.Alertmanager.Enabled { return t.create(ctx) } 
diff --git a/pkg/tasks/prometheus_user_workload.go b/pkg/tasks/prometheus_user_workload.go index 9fa55eeb6b..ddda8061d8 100644 --- a/pkg/tasks/prometheus_user_workload.go +++ b/pkg/tasks/prometheus_user_workload.go @@ -40,11 +40,7 @@ func NewPrometheusUserWorkloadTask(client *client.Client, factory *manifests.Fac } func (t *PrometheusUserWorkloadTask) Run(ctx context.Context) error { - optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) - if err != nil { - return fmt.Errorf("checking for optional monitoring capability failed: %w", err) - } - if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled { + if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled { return t.create(ctx) } diff --git a/pkg/tasks/prometheusoperator_user_workload.go b/pkg/tasks/prometheusoperator_user_workload.go index 06cd91e61c..6bfc970ac7 100644 --- a/pkg/tasks/prometheusoperator_user_workload.go +++ b/pkg/tasks/prometheusoperator_user_workload.go @@ -39,11 +39,7 @@ func NewPrometheusOperatorUserWorkloadTask(client *client.Client, factory *manif } func (t *PrometheusOperatorUserWorkloadTask) Run(ctx context.Context) error { - optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) - if err != nil { - return fmt.Errorf("checking for optional monitoring capability failed: %w", err) - } - if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled { + if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled { return t.create(ctx) } diff --git a/pkg/tasks/tasks.go b/pkg/tasks/tasks.go index abc2c8ea02..c4f365dc38 100644 --- a/pkg/tasks/tasks.go +++ b/pkg/tasks/tasks.go 
@@ -20,11 +20,33 @@ import ( "strings" "golang.org/x/sync/errgroup" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" "github.com/openshift/cluster-monitoring-operator/pkg/client" ) +const ( + MetricsClientCATaskName = "MetricsScrapingClientCA" + PrometheusOperatorTaskName = "PrometheusOperator" + ClusterMonitoringOperatorTaskName = "ClusterMonitoringOperatorDeps" + PrometheusTaskName = "Prometheus" + AlertmanagerTaskName = "Alertmanager" + NodeExporterTaskName = "NodeExporter" + KubeStateMetricsTaskName = "KubeStateMetrics" + OpenshiftStateMetricsTaskName = "OpenshiftStateMetrics" + MetricsServerTaskName = "MetricsServer" + TelemeterClientTaskName = "TelemeterClient" + ThanosQuerierTaskName = "ThanosQuerier" + ControlPlaneTaskName = "ControlPlaneComponents" + MonitoringPluginTaskName = "ConsolePluginComponents" + PrometheusOperatorUWMTaskName = "PrometheusOperator" + PrometheusUWMTaskName = "Prometheus" + AlertmanagerUWMTaskName = "Alertmanager" + ThanosRulerUWMTaskName = "ThanosRuler" + ConfigSharingTaskName = "ConfigurationSharing" +) + // TaskRunner manages lists of task groups. Through the RunAll method task groups are // executed, the groups sequentially, each group of tasks concurrently. type TaskRunner struct { 
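Review bot: Three of the new UWM constants carry the same string as their platform counterparts: `PrometheusOperatorUWMTaskName` and `PrometheusOperatorTaskName` are both `"PrometheusOperator"`, `PrometheusUWMTaskName` and `PrometheusTaskName` are both `"Prometheus"`, and `AlertmanagerUWMTaskName` and `AlertmanagerTaskName` are both `"Alertmanager"`. `MaybeSkipOptionalTasks` in the next hunk puts the UWM names into a `sets.New[string]` and compares them with `t.Name`, so the set cannot tell a platform task from a user-workload one. If `t.Name` is the bare string handed to `newTaskSpec`, disabling the capability would also drop the platform Prometheus and PrometheusOperator tasks; if the spec constructors add a prefix (they are not visible here), no name would match and every optional task would still run. Distinct values such as `PrometheusUWMTaskName = "UserWorkloadPrometheus"` (value illustrative, to be aligned with how the specs are named) would remove the ambiguity. A test asserting which `TaskSpec` names survive the filter would confirm the behaviour.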
@@ -41,6 +63,44 @@ func NewTaskRunner(client *client.Client, taskGroups ...*TaskGroup) *TaskRunner } } +func (tl *TaskRunner) MaybeSkipOptionalTasks() error { + // Optional tasks reflect components that fall under optional monitoring, which will be skipped (not deployed) + // if the `OptionalMonitoring` capability is disabled. + optionalTasks := sets.New[string]( + AlertmanagerTaskName, + PrometheusOperatorUWMTaskName, + PrometheusUWMTaskName, + AlertmanagerUWMTaskName, + ThanosRulerUWMTaskName, + ) + optionalMonitoringEnabled, err := tl.client.HasOptionalMonitoringCapability(context.Background()) + if err != nil { + return fmt.Errorf("could not determine optional monitoring capability status: %w", err) + } + if optionalMonitoringEnabled { + klog.V(2).Infof("OptionalMonitoring capability is enabled, all monitoring components will be deployed") + return nil + } + + var filteredTaskGroups []*TaskGroup + for _, tg := range tl.taskGroups { + var filteredTasks []*TaskSpec + for _, t := range tg.tasks { + if optionalTasks.Has(t.Name) { + klog.V(2).Infof("skipping optional monitoring component %q as OptionalMonitoring capability is disabled", t.Name) + continue + } + filteredTasks = append(filteredTasks, t) + } + if len(filteredTasks) > 0 { + filteredTaskGroups = append(filteredTaskGroups, &TaskGroup{tasks: filteredTasks}) + } + } + tl.taskGroups = append([]*TaskGroup{}, filteredTaskGroups...) + + return nil +} + // RunAll executes all registered task groups sequentially. For each group the // taskGroup.RunConcurrently function is called. diff --git a/pkg/tasks/thanos_ruler_user_workload.go b/pkg/tasks/thanos_ruler_user_workload.go index 26c980f3cb..8956509b06 100644 --- a/pkg/tasks/thanos_ruler_user_workload.go +++ b/pkg/tasks/thanos_ruler_user_workload.go 
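Review bot: `MaybeSkipOptionalTasks` queries the capability with `context.Background()`, so the lookup ignores cancellation and deadlines of the sync that calls it. The call site earlier in this patch has `ctx` in scope and passes it to `SetRollOutInProgress` right after. I would take the context as a parameter: `func (tl *TaskRunner) MaybeSkipOptionalTasks(ctx context.Context) error`, `tl.client.HasOptionalMonitoringCapability(ctx)`, and `tl.MaybeSkipOptionalTasks(ctx)` at the caller. The `optionalTasks` set also leaves out `MonitoringPluginTaskName`, while the commit description lists MonitoringPlugin as optional; if that is deliberate, a short comment on the set should say why. The exported method has no doc comment; `// MaybeSkipOptionalTasks removes the optional tasks from the runner when the OptionalMonitoring capability is disabled.` would do.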
@@ -39,11 +39,7 @@ func NewThanosRulerUserWorkloadTask(client *client.Client, factory *manifests.Fa } func (t *ThanosRulerUserWorkloadTask) Run(ctx context.Context) error { - optionalMonitoringEnabled, err := t.client.HasOptionalMonitoringCapability(ctx) - if err != nil { - return fmt.Errorf("checking for optional monitoring capability failed: %w", err) - } - if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled && optionalMonitoringEnabled { + if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled { return t.create(ctx) }