alertmanager: Generate prod resources (#727)

Author: philipgough

magefiles/alertmanager.go

@@ -11,6 +11,7 @@ import (
 	"github.com/observatorium/observatorium/configuration_go/kubegen/workload"
 	routev1 "github.com/openshift/api/route/v1"
 	templatev1 "github.com/openshift/api/template/v1"
+	"github.com/philipgough/mimic"
 	"github.com/philipgough/mimic/encoding"
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"github.com/rhobs/configuration/services_go/observatorium"
@@ -64,20 +65,44 @@ func (s Stage) Alertmanager() {
 			memoryLimit:   memLimit,
 		},
 	})
-	manifests := k8s.Objects()
-	var sm *monv1.ServiceMonitor
-	sm, manifests = getAndRemoveObject[*monv1.ServiceMonitor](manifests, "")
-	smEnc := postProcessServiceMonitor(sm, s.namespace())
-	enc := alertmanagerPostProcess(manifests, s.namespace())
-	gen.Add(alertmanagerTemplate, enc)
-	gen.Add(serviceMonitorTemplate, smEnc)
-	gen.Generate()
-
+	buildAlertmanager(k8s.Objects(), s.namespace(), gen)
 }
 
 // Alertmanager Generates the Alertmanager configuration for the production environment.
-func (Production) Alertmanager() {
-	// todo
+func (p Production) Alertmanager() {
+	gen := p.generator(alertManagerName)
+
+	const (
+		alertManagerImageTag = defaultAlertManagerImageTag
+
+		cpuRequest = defaultAlertmanagerCPURequest
+		cpuLimit   = defaultAlertmanagerCPULimit
+		memRequest = defaultAlertmanagerMemoryRequest
+		memLimit   = defaultAlertmanagerMemoryLimit
+	)
+
+	k8s := alertmanagerKubernetes(alertManagerOptions(), manifestOptions{
+		namespace: p.namespace(),
+		image:     defaultAlertManagerImage,
+		imageTag:  alertManagerImageTag,
+		resourceRequirements: resourceRequirements{
+			cpuRequest:    cpuRequest,
+			cpuLimit:      cpuLimit,
+			memoryRequest: memRequest,
+			memoryLimit:   memLimit,
+		},
+	})
+	buildAlertmanager(k8s.Objects(), p.namespace(), gen)
+}
+
+func buildAlertmanager(manifests []runtime.Object, namespace string, generator *mimic.Generator) {
+	var sm *monv1.ServiceMonitor
+	sm, manifests = getAndRemoveObject[*monv1.ServiceMonitor](manifests, "")
+	smEnc := postProcessServiceMonitor(sm, namespace)
+	enc := alertmanagerPostProcess(manifests, namespace)
+	generator.Add(alertmanagerTemplate, enc)
+	generator.Add(serviceMonitorTemplate, smEnc)
+	generator.Generate()
 }
 
 func alertManagerOptions() *alertmanager.AlertManagerOptions {

magefiles/magefile.go

@@ -90,13 +90,27 @@ func (Stage) generator(component string) *mimic.Generator {
 	return gen
 }
 
-const stageNamespace = "rhobs-stage"
+func (Production) generator(component string) *mimic.Generator {
+	gen := &mimic.Generator{}
+	gen = gen.With(templatePath, templateServicesPath, component, "production")
+	gen.Logger = log.NewLogfmtLogger(log.NewSyncWriter(os.Stdout))
+	return gen
+}
+
+const (
+	stageNamespace = "rhobs-stage"
+	prodNamespace  = "rhobs-production"
+)
 
 func (Stage) namespace() string {
 	return stageNamespace
 }
 
+func (Production) namespace() string {
+	return prodNamespace
+}
+
 // Build Builds the manifests for the production environment.
 func (Production) Build() {
-	// todo
+	mg.Deps(Production.Alertmanager)
 }

resources/services/alertmanager/production/alertmanager-template.yaml

@@ -0,0 +1,275 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  creationTimestamp: null
+  name: alertmanager
+objects:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+    name: alertmanager-cluster
+    namespace: rhobs-production
+  spec:
+    clusterIP: None
+    ports:
+    - name: cluster-tcp
+      port: 9094
+      protocol: TCP
+      targetPort: 9094
+    selector:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+  status:
+    loadBalancer: {}
+- apiVersion: route.openshift.io/v1
+  kind: Route
+  metadata:
+    annotations:
+      cert-manager.io/issuer-kind: ClusterIssuer
+      cert-manager.io/issuer-name: letsencrypt-prod-http
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v4.15
+    name: alertmanager
+    namespace: rhobs-production
+  spec:
+    host: ""
+    port:
+      targetPort: https
+    tls:
+      insecureEdgeTerminationPolicy: Redirect
+      termination: reencrypt
+    to:
+      kind: Service
+      name: alertmanager
+      weight: null
+  status:
+    ingress: null
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: alertmanager-tls
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+    name: alertmanager
+    namespace: rhobs-production
+  spec:
+    ports:
+    - name: http
+      port: 9093
+      protocol: TCP
+      targetPort: 9093
+    - name: https
+      port: 8443
+      targetPort: 8443
+    selector:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+  status:
+    loadBalancer: {}
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    annotations:
+      serviceaccounts.openshift.io/oauth-redirectreference.application: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alertmanager"}}'
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+    name: alertmanager
+    namespace: rhobs-production
+- apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v4.15
+    name: alertmanager
+    namespace: rhobs-production
+  spec:
+    replicas: ${{ALERTMANAGER_REPLICAS}}
+    selector:
+      matchLabels:
+        app.kubernetes.io/component: alertmanager
+        app.kubernetes.io/instance: observatorium
+        app.kubernetes.io/name: alertmanager
+        app.kubernetes.io/part-of: observatorium
+    serviceName: alertmanager-cluster
+    template:
+      metadata:
+        creationTimestamp: null
+        labels:
+          app.kubernetes.io/component: alertmanager
+          app.kubernetes.io/instance: observatorium
+          app.kubernetes.io/name: alertmanager
+          app.kubernetes.io/part-of: observatorium
+          app.kubernetes.io/version: v4.15
+        namespace: rhobs-production
+      spec:
+        affinity:
+          podAntiAffinity:
+            preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/instance
+                    operator: In
+                    values:
+                    - observatorium
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                    - alertmanager
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+        containers:
+        - args:
+          - --config.file=/etc/alertmanager/config/alertmanager.yaml
+          - --storage.path=/data
+          - --cluster.peer=alertmanager-0.alertmanager-cluster.rhobs-production.svc.cluster.local:9094
+          - --cluster.peer=alertmanager-1.alertmanager-cluster.rhobs-production.svc.cluster.local:9094
+          - --cluster.reconnect-timeout=5m0s
+          - --log.level=${ALERTMANAGER_LOG_LEVEL}
+          - --log.format=logfmt
+          image: registry.redhat.io/openshift4/ose-prometheus-alertmanager:v4.15
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /-/healthy
+              port: 9093
+            periodSeconds: 30
+            timeoutSeconds: 1
+          name: alertmanager
+          ports:
+          - containerPort: 9093
+            name: http
+            protocol: TCP
+          - containerPort: 9094
+            name: cluster-tcp
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 20
+            httpGet:
+              path: /-/ready
+              port: 9093
+            periodSeconds: 5
+          resources:
+            limits:
+              cpu: "5"
+              memory: ${ALERTMANAGER_MEMORY_LIMIT}
+            requests:
+              cpu: ${ALERTMANAGER_CPU_REQUEST}
+              memory: ${ALERTMANAGER_MEMORY_REQUEST}
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /data
+            name: alertmanager-data
+          - mountPath: /etc/alertmanager/config
+            name: config-file
+            readOnly: true
+        - args:
+          - -provider=openshift
+          - -https-address=:8443
+          - -http-address=
+          - -email-domain=*
+          - -upstream=http://localhost:9093
+          - -openshift-service-account=alertmanager
+          - '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "rhobs-production",
+            "namespace": "rhobs-production"}'
+          - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get",
+            "name": "rhobs-production", "namespace": "rhobs-production"}}'
+          - -tls-cert=/etc/tls/private/tls.crt
+          - -tls-key=/etc/tls/private/tls.key
+          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+          - -cookie-secret=${OAUTH_PROXY_COOKIE_SECRET}
+          - -openshift-ca=/etc/pki/tls/cert.pem
+          - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          image: registry.redhat.io/openshift4/ose-oauth-proxy:v4.14
+          name: oauth-proxy
+          ports:
+          - containerPort: 8443
+            name: https
+            protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: tls
+            readOnly: true
+        nodeSelector:
+          kubernetes.io/os: linux
+        serviceAccountName: alertmanager
+        terminationGracePeriodSeconds: 120
+        volumes:
+        - name: config-file
+          secret:
+            secretName: alertmanager-config
+        - name: tls
+          secret:
+            secretName: alertmanager-tls
+    updateStrategy: {}
+    volumeClaimTemplates:
+    - metadata:
+        creationTimestamp: null
+        labels:
+          app.kubernetes.io/component: alertmanager
+          app.kubernetes.io/instance: observatorium
+          app.kubernetes.io/name: alertmanager
+          app.kubernetes.io/part-of: observatorium
+          app.kubernetes.io/version: v4.15
+        name: alertmanager-data
+        namespace: rhobs-production
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+        storageClassName: gp2
+      status: {}
+  status:
+    availableReplicas: 0
+    replicas: 0
+parameters:
+- name: ALERTMANAGER_CPU_REQUEST
+  value: 100m
+- name: ALERTMANAGER_LOG_LEVEL
+  value: warn
+- name: ALERTMANAGER_MEMORY_LIMIT
+  value: 5Gi
+- name: ALERTMANAGER_MEMORY_REQUEST
+  value: 256Mi
+- name: ALERTMANAGER_REPLICAS
+  value: "2"
+- from: '[a-zA-Z0-9]{40}'
+  generate: expression
+  name: OAUTH_PROXY_COOKIE_SECRET