Add prometheus Helm chart

This is currently separate due to the ordering of application.
If we change the order, this could be included in the main Helm Chart.

Signed-off-by: Todd Short <[email protected]>
Assisted-by: Gemini (research)
Assisted-by: Claude Code (analysis)

Author: tmshort

Makefile

@@ -294,7 +294,7 @@ test-experimental-e2e: run-internal image-registry prometheus experimental-e2e e
 prometheus: PROMETHEUS_NAMESPACE := olmv1-system
 prometheus: PROMETHEUS_VERSION := v0.83.0
 prometheus: $(KUSTOMIZE) #EXHELP Deploy Prometheus into specified namespace
-	./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION)
+	./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(VERSION)
 
 .PHONY: test-extension-developer-e2e
 test-extension-developer-e2e: SOURCE_MANIFEST := $(STANDARD_E2E_MANIFEST)

hack/test/install-prometheus.sh

@@ -1,22 +1,23 @@
 #!/bin/bash
 
+source ".bingo/variables.env"
+
 set -euo pipefail
 
 help="install-prometheus.sh is used to set up prometheus monitoring for e2e testing.
 Usage:
-  install-prometheus.sh [PROMETHEUS_NAMESPACE] [PROMETHEUS_VERSION] [KUSTOMIZE] [GIT_VERSION]
+  install-prometheus.sh [PROMETHEUS_NAMESPACE] [PROMETHEUS_VERSION] [GIT_VERSION]
 "
 
-if [[ "$#" -ne 4 ]]; then
+if [[ "$#" -ne 3 ]]; then
   echo "Illegal number of arguments passed"
   echo "${help}"
   exit 1
 fi
 
 PROMETHEUS_NAMESPACE="$1"
 PROMETHEUS_VERSION="$2"
-KUSTOMIZE="$3"
-GIT_VERSION="$4"
+GIT_VERSION="$3"
 
 TMPDIR="$(mktemp -d)"
 trap 'echo "Cleaning up $TMPDIR"; rm -rf "$TMPDIR"' EXIT
@@ -26,16 +27,16 @@ curl -s "https://raw.githubusercontent.com/prometheus-operator/prometheus-operat
 curl -s "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/refs/tags/${PROMETHEUS_VERSION}/bundle.yaml" > "${TMPDIR}/bundle.yaml"
 
 echo "Patching namespace to ${PROMETHEUS_NAMESPACE}..."
-(cd "$TMPDIR" && $KUSTOMIZE edit set namespace "$PROMETHEUS_NAMESPACE")
+(cd "$TMPDIR" && ${KUSTOMIZE} edit set namespace "$PROMETHEUS_NAMESPACE")
 
 echo "Applying Prometheus base..."
 kubectl apply -k "$TMPDIR" --server-side
 
 echo "Waiting for Prometheus Operator pod to become ready..."
 kubectl wait --for=condition=Ready pod -n "$PROMETHEUS_NAMESPACE" -l app.kubernetes.io/name=prometheus-operator
 
-echo "Applying overlay config..."
-$KUSTOMIZE build config/overlays/prometheus | sed "s/cert-git-version/cert-${VERSION}/g" | kubectl apply -f -
+echo "Applying prometheus Helm chart..."
+${HELM} template prometheus helm/prometheus | sed "s/cert-git-version/cert-${VERSION}/g" | kubectl apply -f -
 
 echo "Waiting for metrics scraper to become ready..."
 kubectl wait --for=create pods -n "$PROMETHEUS_NAMESPACE" prometheus-prometheus-0 --timeout=60s

helm/prometheus/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: prometheus
+description: A Helm chart of Prometheus resources for OLMv1
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0

helm/prometheus/templates/clusterrole-prometheus.yml

@@ -0,0 +1,44 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: prometheus
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get

helm/prometheus/templates/clusterrolebinding-prometheus.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus
+subjects:
+  - kind: ServiceAccount
+    name: prometheus
+    namespace: {{ .Values.namespaces.olmv1.name }}

helm/prometheus/templates/networkpolicy-prometheus.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: prometheus
+  namespace: {{ .Values.namespaces.olmv1.name }}
+spec:
+  egress:
+    - {}
+  ingress:
+    - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  policyTypes:
+    - Egress
+    - Ingress

helm/prometheus/templates/prometheus-prometheus.yml

@@ -0,0 +1,19 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+  name: prometheus
+  namespace: {{ .Values.namespaces.olmv1.name }}
+spec:
+  logLevel: debug
+  ruleSelector: {}
+  scrapeInterval: 1m
+  scrapeTimeout: 30s
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  serviceAccountName: prometheus
+  serviceDiscoveryRole: EndpointSlice
+  serviceMonitorSelector: {}

helm/prometheus/templates/prometheusrile-controller-alerts.yml

@@ -0,0 +1,72 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: controller-alerts
+  namespace: {{ .Values.namespaces.olmv1.name }}
+spec:
+  groups:
+    - name: controller-panic
+      rules:
+        - alert: reconciler-panic
+          annotations:
+            description: controller of pod {{`{{ $labels.pod }}`}} experienced panic(s); count={{`{{ $value }}`}}
+          expr: controller_runtime_reconcile_panics_total{} > 0
+        - alert: webhook-panic
+          annotations:
+            description: controller webhook of pod {{`{{ $labels.pod }}`}} experienced panic(s); count={{`{{ $value }}`}}
+          expr: controller_runtime_webhook_panics_total{} > 0
+    - name: resource-usage
+      rules:
+        - alert: oom-events
+          annotations:
+            description: container {{`{{ $labels.container }}`}} of pod {{`{{ $labels.pod }}`}} experienced OOM event(s); count={{`{{ $value }}`}}
+          expr: container_oom_events_total > 0
+        - alert: operator-controller-memory-growth
+          annotations:
+            description: 'operator-controller pod memory usage growing at a high rate for 5 minutes: {{`{{ $value | humanize }}`}}B/sec'
+          expr: deriv(sum(container_memory_working_set_bytes{pod=~"operator-controller.*",container="manager"})[5m:]) > 100_000
+          for: 5m
+          keep_firing_for: 1d
+        - alert: catalogd-memory-growth
+          annotations:
+            description: 'catalogd pod memory usage growing at a high rate for 5 minutes: {{`{{ $value | humanize }}`}}B/sec'
+          expr: deriv(sum(container_memory_working_set_bytes{pod=~"catalogd.*",container="manager"})[5m:]) > 100_000
+          for: 5m
+          keep_firing_for: 1d
+        - alert: operator-controller-memory-usage
+          annotations:
+            description: 'operator-controller pod using high memory resources for the last 5 minutes: {{`{{ $value | humanize }}`}}B'
+          expr: sum(container_memory_working_set_bytes{pod=~"operator-controller.*",container="manager"}) > 100_000_000
+          for: 5m
+          keep_firing_for: 1d
+        - alert: catalogd-memory-usage
+          annotations:
+            description: 'catalogd pod using high memory resources for the last 5 minutes: {{`{{ $value | humanize }}`}}B'
+          expr: sum(container_memory_working_set_bytes{pod=~"catalogd.*",container="manager"}) > 75_000_000
+          for: 5m
+          keep_firing_for: 1d
+        - alert: operator-controller-cpu-usage
+          annotations:
+            description: 'operator-controller using high cpu resource for 5 minutes: {{`{{ $value | printf "%.2f" }}`}}%'
+          expr: rate(container_cpu_usage_seconds_total{pod=~"operator-controller.*",container="manager"}[5m]) * 100 > 20
+          for: 5m
+          keep_firing_for: 1d
+        - alert: catalogd-cpu-usage
+          annotations:
+            description: 'catalogd using high cpu resources for 5 minutes: {{`{{ $value | printf "%.2f" }}`}}%'
+          expr: rate(container_cpu_usage_seconds_total{pod=~"catalogd.*",container="manager"}[5m]) * 100 > 20
+          for: 5m
+          keep_firing_for: 1d
+        - alert: operator-controller-api-call-rate
+          annotations:
+            description: 'operator-controller making excessive API calls for 5 minutes: {{`{{ $value | printf "%.2f" }}`}}/sec'
+          expr: sum(rate(rest_client_requests_total{job=~"operator-controller-service"}[5m])) > 10
+          for: 5m
+          keep_firing_for: 1d
+        - alert: catalogd-api-call-rate
+          annotations:
+            description: 'catalogd making excessive API calls for 5 minutes: {{`{{ $value | printf "%.2f" }}`}}/sec'
+          expr: sum(rate(rest_client_requests_total{job=~"catalogd-service"}[5m])) > 5
+          for: 5m
+          keep_firing_for: 1d

helm/prometheus/templates/secret-prometheus-metrics-token.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: prometheus
+  name: prometheus-metrics-token
+  namespace: {{ .Values.namespaces.olmv1.name }}
+type: kubernetes.io/service-account-token

helm/prometheus/templates/service-prometheus-service.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus-service
+  namespace: {{ .Values.namespaces.prometheus.name }}
+spec:
+  ports:
+    - name: web
+      nodePort: 30900
+      port: 9090
+      protocol: TCP
+      targetPort: web
+  selector:
+    prometheus: prometheus
+  type: NodePort