diff --git a/resources/services/observatorium-template.yaml b/resources/services/observatorium-template.yaml index cda2b71621..8a3994bf93 100644 --- a/resources/services/observatorium-template.yaml +++ b/resources/services/observatorium-template.yaml 
@@ -3,273 +3,6 @@ kind: Template metadata: name: observatorium objects: -- apiVersion: v1 - data: - rbac.yaml: |- - "roleBindings": - - "name": "cnv-qe-metrics" - "roles": - - "cnv-qe-metrics-write" - - "cnv-qe-metrics-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-cnv-qe-staging" - - "kind": "user" - "name": "service-account-observatorium-cnv-qe" - - "name": "rhods-metrics" - "roles": - - "rhods-metrics-write" - - "rhods-metrics-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhods-isv-staging" - - "name": "rhacs-metrics" - "roles": - - "rhacs-metrics-write" - - "rhacs-metrics-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhacs-metrics-staging" - - "kind": "user" - "name": "service-account-observatorium-rhacs-metrics" - - "name": "rhacs-metrics-grafana" - "roles": - - "rhacs-metrics-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhacs-grafana-staging" - - "kind": "user" - "name": "service-account-observatorium-rhacs-grafana" - - "name": "rhacs-logs" - "roles": - - "rhacs-logs-read" - - "rhacs-logs-write" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhacs-logs-staging" - - "kind": "user" - "name": "service-account-observatorium-rhacs-logs" - - "name": "rhobs" - "roles": - - "rhobs-write" - - "rhobs-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhobs-testing" - - "kind": "user" - "name": "service-account-observatorium-rhobs-staging" - - "kind": "user" - "name": "service-account-observatorium-rhobs" - - "name": "rhobs-mst" - "roles": - - "rhobs-write" - - "rhobs-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhobs-mst-staging" - - "kind": "user" - "name": "service-account-observatorium-rhobs-mst" - - "name": "rhobs-admin" - "roles": - - "telemeter-read" - - "rhobs-read" - "subjects": - - "kind": "group" - "name": "team-monitoring@redhat.com" - 
- "name": "telemeter-server" - "roles": - - "telemeter-write" - - "telemeter-read" - "subjects": - - "kind": "user" - "name": "service-account-telemeter-service-staging" - - "kind": "user" - "name": "service-account-telemeter-service" - - "name": "subwatch" - "roles": - - "telemeter-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-subwatch-staging" - - "kind": "user" - "name": "service-account-observatorium-subwatch" - - "name": "psiocp" - "roles": - - "psiocp-write" - - "psiocp-read" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-psiocp-staging" - - "name": "rhoc" - "roles": - - "rhoc-metrics-read" - - "rhoc-metrics-write" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-rhoc-staging" - - "name": "odfms" - "roles": - - "odfms-metrics-read" - - "odfms-metrics-write" - "subjects": - - "kind": "user" - "name": "service-account-observatorium-odfms-staging" - "roles": - - "name": "cnv-qe-metrics-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "cnvqe" - - "name": "cnv-qe-metrics-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "cnvqe" - - "name": "rhods-metrics-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "rhods" - - "name": "rhods-metrics-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "rhods" - - "name": "rhods-logs-read" - "permissions": - - "read" - "resources": - - "logs" - "tenants": - - "rhods" - - "name": "rhods-logs-write" - "permissions": - - "write" - "resources": - - "logs" - "tenants": - - "rhods" - - "name": "rhacs-metrics-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "rhacs" - - "name": "rhacs-metrics-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "rhacs" - - "name": "rhacs-logs-write" - "permissions": - - "write" - "resources": - - "logs" - "tenants": - - "rhacs" - - 
"name": "rhacs-logs-read" - "permissions": - - "read" - "resources": - - "logs" - "tenants": - - "rhacs" - - "name": "rhobs-read" - "permissions": - - "read" - "resources": - - "metrics" - - "logs" - - "traces" - "tenants": - - "rhobs" - - "name": "rhobs-write" - "permissions": - - "write" - "resources": - - "metrics" - - "logs" - - "traces" - "tenants": - - "rhobs" - - "name": "telemeter-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "telemeter" - - "name": "telemeter-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "telemeter" - - "name": "psiocp-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "psiocp" - - "name": "psiocp-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "psiocp" - - "name": "rhoc-metrics-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "rhoc" - - "name": "rhoc-metrics-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "rhoc" - - "name": "odfms-metrics-read" - "permissions": - - "read" - "resources": - - "metrics" - "tenants": - - "odfms" - - "name": "odfms-metrics-write" - "permissions": - - "write" - "resources": - - "metrics" - "tenants": - - "odfms" - kind: ConfigMap - metadata: - annotations: - qontract.recycle: "true" - labels: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-api - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} - name: ${OBSERVATORIUM_API_IDENTIFIER} - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -464,99 +197,96 @@ objects: - name: tenants secret: secretName: ${OBSERVATORIUM_API_IDENTIFIER} -- apiVersion: v1 - kind: Secret - metadata: - labels: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-api - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} - name: ${OBSERVATORIUM_API_IDENTIFIER} - stringData: - client-id: test - client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0 - issuer-url: http://dex.dex.svc.cluster.local:5556/dex - tenants.yaml: |- - "tenants": - - "id": "770c1124-6ae8-4324-a9d4-9ce08590094b" - "name": "rhobs" - "oidc": - "clientID": "test" - "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0" - "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex" - "usernameClaim": "email" - - "id": "FB870BF3-9F3A-44FF-9BF7-D7A047A52F43" - "name": "telemeter" - "oidc": - "clientID": "test" - "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0" - "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex" - "usernameClaim": "email" -- apiVersion: v1 - kind: Service +- apiVersion: apps/v1 + kind: Deployment metadata: labels: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-api + app.kubernetes.io/component: avalanche + app.kubernetes.io/name: avalanche-remote-writer app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} - name: ${OBSERVATORIUM_API_IDENTIFIER} + name: avalanche-remote-writer spec: - ports: - - appProtocol: h2c - name: grpc-public - port: 8090 - targetPort: 8090 - - appProtocol: http - name: internal - port: 8081 - targetPort: 8081 - - appProtocol: http - name: public - port: 8080 - targetPort: 8080 - - name: opa-ams-api - port: 8082 - targetPort: 8082 - - name: opa-ams-metrics - port: 8083 - targetPort: 8083 + replicas: 1 selector: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: 
observatorium-api - app.kubernetes.io/part-of: observatorium -- apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-api - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} - name: ${OBSERVATORIUM_API_IDENTIFIER} -- apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor + matchLabels: + app.kubernetes.io/component: avalanche + app.kubernetes.io/name: avalanche-remote-writer + app.kubernetes.io/part-of: observatorium + template: + metadata: + labels: + app.kubernetes.io/component: avalanche + app.kubernetes.io/name: avalanche-remote-writer + app.kubernetes.io/part-of: observatorium + spec: + containers: + - args: + - --metric-count=1 + - --series-count=8333 + - --remote-url=http://observatorium-thanos-receive.${OBSERVATORIUM_METRICS_NAMESPACE}.svc.cluster.local:19291/api/v1/receive + - --remote-write-interval=30s + - --remote-requests-count=1000000 + - --value-interval=3600 + - --series-interval=315360000 + - --metric-interval=315360000 + - --remote-tenant-header=THANOS-TENANT + - --remote-tenant=0fc2b00e-201b-4c17-b9f2-19d91adc4fd2 + image: quay.io/observatorium/avalanche:make-tenant-header-configurable-2021-10-07-0a2cbf5 + name: avalanche-remote-writer +- apiVersion: apps/v1 + kind: Deployment metadata: labels: - prometheus: app-sre - name: observatorium-api + app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-up + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: master-2022-03-24-098c31a + name: observatorium-observatorium-up spec: - endpoints: - - port: internal - - port: opa-ams-metrics - namespaceSelector: - matchNames: ${{NAMESPACES}} + replicas: 1 selector: matchLabels: - app.kubernetes.io/component: api + app.kubernetes.io/component: blackbox-prober app.kubernetes.io/instance: 
observatorium - app.kubernetes.io/name: observatorium-api + app.kubernetes.io/name: observatorium-up app.kubernetes.io/part-of: observatorium + template: + metadata: + labels: + app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-up + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: master-2022-03-24-098c31a + spec: + containers: + - args: + - --duration=0 + - --log.level=debug + - --endpoint-type=metrics + - --queries-file=/etc/up/queries.yaml + - --endpoint-read=http://observatorium-thanos-query-frontend.${OBSERVATORIUM_METRICS_NAMESPACE}.svc:9090 + image: quay.io/observatorium/up:master-2022-03-24-098c31a + name: observatorium-up + ports: + - containerPort: 8080 + name: http + resources: + limits: + cpu: ${UP_CPU_LIMIT} + memory: ${UP_MEMORY_LIMIT} + requests: + cpu: ${UP_CPU_REQUEST} + memory: ${UP_MEMORY_REQUEST} + volumeMounts: + - mountPath: /etc/up/ + name: query-config + readOnly: false + volumes: + - configMap: + name: observatorium-observatorium-up + name: query-config - apiVersion: apps/v1 kind: Deployment metadata: 
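Review bot: The `query-config` volume mount on the `observatorium-up` container is declared `readOnly: false`, although the container only reads `/etc/up/queries.yaml` through `--queries-file`; I would change it to `readOnly: true`. The same container runs with `--log.level=debug`, which is worth confirming as intended for a standing prober. Earlier in this hunk the `avalanche-remote-writer` container has no `resources` block, while `observatorium-up` gets requests and limits, so the load generator is the one workload here with no bounds. Both images are referenced by tag rather than by digest, so the deployed content depends on the tag not being moved in the registry.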
@@ -632,184 +362,90 @@ objects: memory: ${GUBERNATOR_MEMORY_REQUEST} restartPolicy: Always serviceAccountName: observatorium-gubernator -- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} - name: observatorium-gubernator - rules: - - apiGroups: - - "" - resources: - - endpoints - verbs: - - list - - watch - - get -- apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} - name: observatorium-gubernator - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: observatorium-gubernator - subjects: - - kind: ServiceAccount - name: observatorium-gubernator - namespace: ${NAMESPACE} -- apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} - name: observatorium-gubernator - spec: - ports: - - name: grpc - port: 8081 - targetPort: 8081 - - name: http - port: 8080 - targetPort: 8080 - selector: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium -- apiVersion: v1 - imagePullSecrets: - - name: quay.io - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: 
${GUBERNATOR_IMAGE_TAG} - name: observatorium-gubernator -- apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor - metadata: - labels: - prometheus: app-sre - name: observatorium-gubernator - spec: - endpoints: - - port: http - namespaceSelector: - matchNames: ${{NAMESPACES}} - selector: - matchLabels: - app.kubernetes.io/component: rate-limiter - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: gubernator - app.kubernetes.io/part-of: observatorium - apiVersion: apps/v1 kind: Deployment metadata: labels: - app.kubernetes.io/component: avalanche - app.kubernetes.io/name: avalanche-remote-writer + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore app.kubernetes.io/part-of: observatorium - name: avalanche-remote-writer + app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} + name: rules-objstore spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/component: avalanche - app.kubernetes.io/name: avalanche-remote-writer + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore app.kubernetes.io/part-of: observatorium + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 template: metadata: labels: - app.kubernetes.io/component: avalanche - app.kubernetes.io/name: avalanche-remote-writer + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} spec: containers: - args: - - --metric-count=1 - - --series-count=8333 - - --remote-url=http://observatorium-thanos-receive.${OBSERVATORIUM_METRICS_NAMESPACE}.svc.cluster.local:19291/api/v1/receive - - --remote-write-interval=30s - - --remote-requests-count=1000000 - - --value-interval=3600 - - --series-interval=315360000 - - --metric-interval=315360000 - - 
--remote-tenant-header=THANOS-TENANT - - --remote-tenant=0fc2b00e-201b-4c17-b9f2-19d91adc4fd2 - image: quay.io/observatorium/avalanche:make-tenant-header-configurable-2021-10-07-0a2cbf5 - name: avalanche-remote-writer -- apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/component: api-cache - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: memcached - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${MEMCACHED_IMAGE_TAG} - name: observatorium-api-cache-memcached - spec: - clusterIP: None - ports: - - name: client - port: 11211 - targetPort: 11211 - - name: metrics - port: 9150 - targetPort: 9150 - selector: - app.kubernetes.io/component: api-cache - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: memcached - app.kubernetes.io/part-of: observatorium -- apiVersion: v1 - imagePullSecrets: - - name: quay.io - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/component: api-cache - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: memcached - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${MEMCACHED_IMAGE_TAG} - name: observatorium-api-cache-memcached -- apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor - metadata: - labels: - prometheus: app-sre - name: observatorium-api-cache-memcached - spec: - endpoints: - - port: metrics - namespaceSelector: - matchNames: ${{NAMESPACES}} - selector: - matchLabels: - app.kubernetes.io/component: api-cache - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: memcached - app.kubernetes.io/part-of: observatorium + - --debug.name=rules-objstore + - --web.listen=0.0.0.0:8080 + - --web.internal.listen=0.0.0.0:8081 + - --web.healthchecks.url=http://localhost:8080 + - --log.level=info + - --log.format=logfmt + - --objstore.config-file=/etc/rules-objstore/objstore.yaml + env: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: 
${RULES_OBJSTORE_S3_SECRET} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: ${RULES_OBJSTORE_S3_SECRET} + image: ${RULES_OBJSTORE_IMAGE}:${RULES_OBJSTORE_IMAGE_TAG} + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + path: /live + port: 8081 + scheme: HTTP + periodSeconds: 30 + name: rules-objstore + ports: + - containerPort: 8081 + name: internal + - containerPort: 8080 + name: public + readinessProbe: + failureThreshold: 12 + httpGet: + path: /ready + port: 8081 + scheme: HTTP + periodSeconds: 5 + resources: {} + volumeMounts: + - mountPath: /etc/rules-objstore/objstore.yaml + name: objstore + readOnly: true + subPath: objstore.yaml + serviceAccountName: rules-objstore + volumes: + - name: objstore + secret: + secretName: ${RULES_OBJSTORE_SECRET} - apiVersion: apps/v1 kind: StatefulSet metadata: 
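Review bot: The `rules-objstore` container is declared with `resources: {}` and no `securityContext`, so it runs without CPU or memory bounds and with whatever defaults the cluster's admission policy supplies. I would add requests and limits through template parameters, as the `observatorium-up` Deployment in this template does, e.g. `cpu: ${RULES_OBJSTORE_CPU_LIMIT}` (placeholder parameter name). I would also state the intended posture explicitly, e.g. `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}`, if the image supports it. The AWS credentials are injected as environment variables via `secretKeyRef`; the object-store config is already mounted from a Secret as a file, so it may be possible to carry the credentials in that file and keep them out of the process environment.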
@@ -876,154 +512,533 @@ objects: memory: ${MEMCACHED_EXPORTER_MEMORY_REQUEST} securityContext: {} serviceAccountName: observatorium-api-cache-memcached -- apiVersion: apps/v1 - kind: Deployment +- apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + prometheus: app-sre + name: observatorium-api + spec: + endpoints: + - port: internal + - port: opa-ams-metrics + namespaceSelector: + matchNames: ${{NAMESPACES}} + selector: + matchLabels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium +- apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + prometheus: app-sre + name: observatorium-api-cache-memcached + spec: + endpoints: + - port: metrics + namespaceSelector: + matchNames: ${{NAMESPACES}} + selector: + matchLabels: + app.kubernetes.io/component: api-cache + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: memcached + app.kubernetes.io/part-of: observatorium +- apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + prometheus: app-sre + name: observatorium-gubernator + spec: + endpoints: + - port: http + namespaceSelector: + matchNames: ${{NAMESPACES}} + selector: + matchLabels: + app.kubernetes.io/component: rate-limiter + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: gubernator + app.kubernetes.io/part-of: observatorium +- apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + prometheus: app-sre + name: observatorium-up + spec: + endpoints: + - port: http + namespaceSelector: + matchNames: ${{NAMESPACES}} + selector: + matchLabels: + app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-up + app.kubernetes.io/part-of: observatorium +- apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + 
prometheus: app-sre + name: rules-objstore + spec: + endpoints: + - port: internal + namespaceSelector: + matchNames: ${{NAMESPACES}} + selector: + matchLabels: + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore + app.kubernetes.io/part-of: observatorium +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/component: rate-limiter + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: gubernator + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} + name: observatorium-gubernator + rules: + - apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/component: rate-limiter + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: gubernator + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} + name: observatorium-gubernator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: observatorium-gubernator + subjects: + - kind: ServiceAccount + name: observatorium-gubernator + namespace: ${NAMESPACE} +- apiVersion: v1 + data: + queries.yaml: |- + "queries": + - "name": "query-path-sli-1M-samples" + "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[1h])" + - "name": "query-path-sli-10M-samples" + "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[10h])" + - "name": "query-path-sli-100M-samples" + "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[100h])" + kind: ConfigMap + metadata: + annotations: + qontract.recycle: "true" + labels: + app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/instance: observatorium + 
app.kubernetes.io/name: observatorium-up + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: master-2022-03-24-098c31a + name: observatorium-observatorium-up +- apiVersion: v1 + data: + rbac.yaml: |- + "roleBindings": + - "name": "cnv-qe-metrics" + "roles": + - "cnv-qe-metrics-write" + - "cnv-qe-metrics-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-cnv-qe-staging" + - "kind": "user" + "name": "service-account-observatorium-cnv-qe" + - "name": "rhods-metrics" + "roles": + - "rhods-metrics-write" + - "rhods-metrics-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhods-isv-staging" + - "name": "rhacs-metrics" + "roles": + - "rhacs-metrics-write" + - "rhacs-metrics-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhacs-metrics-staging" + - "kind": "user" + "name": "service-account-observatorium-rhacs-metrics" + - "name": "rhacs-metrics-grafana" + "roles": + - "rhacs-metrics-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhacs-grafana-staging" + - "kind": "user" + "name": "service-account-observatorium-rhacs-grafana" + - "name": "rhacs-logs" + "roles": + - "rhacs-logs-read" + - "rhacs-logs-write" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhacs-logs-staging" + - "kind": "user" + "name": "service-account-observatorium-rhacs-logs" + - "name": "rhobs" + "roles": + - "rhobs-write" + - "rhobs-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhobs-testing" + - "kind": "user" + "name": "service-account-observatorium-rhobs-staging" + - "kind": "user" + "name": "service-account-observatorium-rhobs" + - "name": "rhobs-mst" + "roles": + - "rhobs-write" + - "rhobs-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhobs-mst-staging" + - "kind": "user" + "name": "service-account-observatorium-rhobs-mst" + - "name": "rhobs-admin" + "roles": + - 
"telemeter-read" + - "rhobs-read" + "subjects": + - "kind": "group" + "name": "team-monitoring@redhat.com" + - "name": "telemeter-server" + "roles": + - "telemeter-write" + - "telemeter-read" + "subjects": + - "kind": "user" + "name": "service-account-telemeter-service-staging" + - "kind": "user" + "name": "service-account-telemeter-service" + - "name": "subwatch" + "roles": + - "telemeter-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-subwatch-staging" + - "kind": "user" + "name": "service-account-observatorium-subwatch" + - "name": "psiocp" + "roles": + - "psiocp-write" + - "psiocp-read" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-psiocp-staging" + - "name": "rhoc" + "roles": + - "rhoc-metrics-read" + - "rhoc-metrics-write" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-rhoc-staging" + - "name": "odfms" + "roles": + - "odfms-metrics-read" + - "odfms-metrics-write" + "subjects": + - "kind": "user" + "name": "service-account-observatorium-odfms-staging" + "roles": + - "name": "cnv-qe-metrics-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "cnvqe" + - "name": "cnv-qe-metrics-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "cnvqe" + - "name": "rhods-metrics-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "rhods" + - "name": "rhods-metrics-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "rhods" + - "name": "rhods-logs-read" + "permissions": + - "read" + "resources": + - "logs" + "tenants": + - "rhods" + - "name": "rhods-logs-write" + "permissions": + - "write" + "resources": + - "logs" + "tenants": + - "rhods" + - "name": "rhacs-metrics-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "rhacs" + - "name": "rhacs-metrics-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "rhacs" + - "name": 
"rhacs-logs-write" + "permissions": + - "write" + "resources": + - "logs" + "tenants": + - "rhacs" + - "name": "rhacs-logs-read" + "permissions": + - "read" + "resources": + - "logs" + "tenants": + - "rhacs" + - "name": "rhobs-read" + "permissions": + - "read" + "resources": + - "metrics" + - "logs" + - "traces" + "tenants": + - "rhobs" + - "name": "rhobs-write" + "permissions": + - "write" + "resources": + - "metrics" + - "logs" + - "traces" + "tenants": + - "rhobs" + - "name": "telemeter-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "telemeter" + - "name": "telemeter-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "telemeter" + - "name": "psiocp-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "psiocp" + - "name": "psiocp-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "psiocp" + - "name": "rhoc-metrics-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "rhoc" + - "name": "rhoc-metrics-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "rhoc" + - "name": "odfms-metrics-read" + "permissions": + - "read" + "resources": + - "metrics" + "tenants": + - "odfms" + - "name": "odfms-metrics-write" + "permissions": + - "write" + "resources": + - "metrics" + "tenants": + - "odfms" + kind: ConfigMap metadata: + annotations: + qontract.recycle: "true" labels: - app.kubernetes.io/component: rules-storage + app.kubernetes.io/component: api app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore + app.kubernetes.io/name: observatorium-api app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} - name: rules-objstore - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: rules-storage - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore - app.kubernetes.io/part-of: 
observatorium - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - template: - metadata: - labels: - app.kubernetes.io/component: rules-storage - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} - spec: - containers: - - args: - - --debug.name=rules-objstore - - --web.listen=0.0.0.0:8080 - - --web.internal.listen=0.0.0.0:8081 - - --web.healthchecks.url=http://localhost:8080 - - --log.level=info - - --log.format=logfmt - - --objstore.config-file=/etc/rules-objstore/objstore.yaml - env: - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: ${RULES_OBJSTORE_S3_SECRET} - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: ${RULES_OBJSTORE_S3_SECRET} - image: ${RULES_OBJSTORE_IMAGE}:${RULES_OBJSTORE_IMAGE_TAG} - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 10 - httpGet: - path: /live - port: 8081 - scheme: HTTP - periodSeconds: 30 - name: rules-objstore - ports: - - containerPort: 8081 - name: internal - - containerPort: 8080 - name: public - readinessProbe: - failureThreshold: 12 - httpGet: - path: /ready - port: 8081 - scheme: HTTP - periodSeconds: 5 - resources: {} - volumeMounts: - - mountPath: /etc/rules-objstore/objstore.yaml - name: objstore - readOnly: true - subPath: objstore.yaml - serviceAccountName: rules-objstore - volumes: - - name: objstore - secret: - secretName: ${RULES_OBJSTORE_SECRET} + app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} + name: ${OBSERVATORIUM_API_IDENTIFIER} +- apiVersion: v1 + imagePullSecrets: + - name: quay.io + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/component: api-cache + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: memcached + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${MEMCACHED_IMAGE_TAG} + name: 
observatorium-api-cache-memcached +- apiVersion: v1 + imagePullSecrets: + - name: quay.io + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/component: rate-limiter + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: gubernator + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} + name: observatorium-gubernator +- apiVersion: v1 + kind: Secret + metadata: + labels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} + name: ${OBSERVATORIUM_API_IDENTIFIER} + stringData: + client-id: test + client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0 + issuer-url: http://dex.dex.svc.cluster.local:5556/dex + tenants.yaml: |- + "tenants": + - "id": "770c1124-6ae8-4324-a9d4-9ce08590094b" + "name": "rhobs" + "oidc": + "clientID": "test" + "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0" + "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex" + "usernameClaim": "email" + - "id": "FB870BF3-9F3A-44FF-9BF7-D7A047A52F43" + "name": "telemeter" + "oidc": + "clientID": "test" + "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0" + "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex" + "usernameClaim": "email" - apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: rules-storage + app.kubernetes.io/component: api app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore + app.kubernetes.io/name: observatorium-api app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} - name: rules-objstore + app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} + name: ${OBSERVATORIUM_API_IDENTIFIER} spec: ports: - - name: internal + - appProtocol: h2c + name: grpc-public + port: 8090 + targetPort: 8090 + - appProtocol: http + name: internal port: 8081 targetPort: 8081 - - name: public 
+ - appProtocol: http + name: public port: 8080 targetPort: 8080 + - name: opa-ams-api + port: 8082 + targetPort: 8082 + - name: opa-ams-metrics + port: 8083 + targetPort: 8083 selector: - app.kubernetes.io/component: rules-storage + app.kubernetes.io/component: api app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore + app.kubernetes.io/name: observatorium-api app.kubernetes.io/part-of: observatorium - apiVersion: v1 - kind: ServiceAccount + kind: Service metadata: labels: - app.kubernetes.io/component: rules-storage + app.kubernetes.io/component: api-cache app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore + app.kubernetes.io/name: memcached app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} - name: rules-objstore -- apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor - metadata: - labels: - prometheus: app-sre - name: rules-objstore + app.kubernetes.io/version: ${MEMCACHED_IMAGE_TAG} + name: observatorium-api-cache-memcached spec: - endpoints: - - port: internal - namespaceSelector: - matchNames: ${{NAMESPACES}} + clusterIP: None + ports: + - name: client + port: 11211 + targetPort: 11211 + - name: metrics + port: 9150 + targetPort: 9150 selector: - matchLabels: - app.kubernetes.io/component: rules-storage - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: rules-objstore - app.kubernetes.io/part-of: observatorium + app.kubernetes.io/component: api-cache + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: memcached + app.kubernetes.io/part-of: observatorium - apiVersion: v1 - data: - queries.yaml: |- - "queries": - - "name": "query-path-sli-1M-samples" - "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[1h])" - - "name": "query-path-sli-10M-samples" - "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[10h])" 
- - "name": "query-path-sli-100M-samples" - "query": "avg_over_time(avalanche_metric_mmmmm_0_0{tenant_id=\"0fc2b00e-201b-4c17-b9f2-19d91adc4fd2\"}[100h])" - kind: ConfigMap + kind: Service metadata: - annotations: - qontract.recycle: "true" labels: app.kubernetes.io/component: blackbox-prober app.kubernetes.io/instance: observatorium 
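Review bot: The `Secret` named `${OBSERVATORIUM_API_IDENTIFIER}` carries literal OIDC credentials in `stringData`: `client-id: test`, a fixed `client-secret`, and the same value repeated as `clientSecret` for both tenants in `tenants.yaml`. The value is therefore committed to the repository and applied wherever this template is processed. It looks like a test placeholder, but nothing in the hunk restricts the template to test environments; I would take it from a template parameter, e.g. `client-secret: ${OIDC_CLIENT_SECRET}` (placeholder parameter name), or reference a Secret managed outside the template. The `issuer-url` and `issuerURL` entries use plain `http://`, so discovery and token traffic to the issuer is unencrypted inside the cluster. If this file is generated, the change belongs in the generator source rather than in this template.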
@@ -1031,97 +1046,82 @@ objects: app.kubernetes.io/part-of: observatorium app.kubernetes.io/version: master-2022-03-24-098c31a name: observatorium-observatorium-up -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: + spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + selector: app.kubernetes.io/component: blackbox-prober app.kubernetes.io/instance: observatorium app.kubernetes.io/name: observatorium-up app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: master-2022-03-24-098c31a - name: observatorium-observatorium-up - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: blackbox-prober - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-up - app.kubernetes.io/part-of: observatorium - template: - metadata: - labels: - app.kubernetes.io/component: blackbox-prober - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-up - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: master-2022-03-24-098c31a - spec: - containers: - - args: - - --duration=0 - - --log.level=debug - - --endpoint-type=metrics - - --queries-file=/etc/up/queries.yaml - - --endpoint-read=http://observatorium-thanos-query-frontend.${OBSERVATORIUM_METRICS_NAMESPACE}.svc:9090 - image: quay.io/observatorium/up:master-2022-03-24-098c31a - name: observatorium-up - ports: - - containerPort: 8080 - name: http - resources: - limits: - cpu: ${UP_CPU_LIMIT} - memory: ${UP_MEMORY_LIMIT} - requests: - cpu: ${UP_CPU_REQUEST} - memory: ${UP_MEMORY_REQUEST} - volumeMounts: - - mountPath: /etc/up/ - name: query-config - readOnly: false - volumes: - - configMap: - name: observatorium-observatorium-up - name: query-config - apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/component: rate-limiter app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-up + app.kubernetes.io/name: 
gubernator app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: master-2022-03-24-098c31a - name: observatorium-observatorium-up + app.kubernetes.io/version: ${GUBERNATOR_IMAGE_TAG} + name: observatorium-gubernator spec: ports: + - name: grpc + port: 8081 + targetPort: 8081 - name: http port: 8080 targetPort: 8080 selector: - app.kubernetes.io/component: blackbox-prober + app.kubernetes.io/component: rate-limiter app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-up + app.kubernetes.io/name: gubernator app.kubernetes.io/part-of: observatorium -- apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor +- apiVersion: v1 + kind: Service metadata: labels: - prometheus: app-sre - name: observatorium-up + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} + name: rules-objstore spec: - endpoints: - - port: http - namespaceSelector: - matchNames: ${{NAMESPACES}} + ports: + - name: internal + port: 8081 + targetPort: 8081 + - name: public + port: 8080 + targetPort: 8080 selector: - matchLabels: - app.kubernetes.io/component: blackbox-prober - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-up - app.kubernetes.io/part-of: observatorium + app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore + app.kubernetes.io/part-of: observatorium +- apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG} + name: ${OBSERVATORIUM_API_IDENTIFIER} +- apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + 
app.kubernetes.io/component: rules-storage + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: rules-objstore + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: ${RULES_OBJSTORE_IMAGE_TAG} + name: rules-objstore parameters: - name: NAMESPACE value: observatorium
diff --git a/services/observatorium-template.jsonnet b/services/observatorium-template.jsonnet
index 0f9c194312..caaca28342 100644
--- a/services/observatorium-template.jsonnet
+++ b/services/observatorium-template.jsonnet
@@ -3,17 +3,16 @@ local obs = import 'observatorium.libsonnet';
 apiVersion: 'v1',
 kind: 'Template',
 metadata: { name: 'observatorium' },
- objects:
- [
- obs.manifests[name] {
- metadata+: { namespace:: 'hidden' },
- }
- for name in std.objectFields(obs.manifests)
- if obs.manifests[name] != null &&
+ objects: std.sort([
+ obs.manifests[name] {
+ metadata+: { namespace:: 'hidden' },
+ }
+ for name in std.objectFields(obs.manifests)
+ if obs.manifests[name] != null &&
 !std.startsWith(name, 'thanos-') &&
 !std.startsWith(name, 'loki-') &&
 !std.startsWith(name, 'tracing-')
- ],
+ ], std.manifestJsonMinified),
 parameters: [
 { name: 'NAMESPACE', value: 'observatorium' },
 // Used for ServiceMonitors to discover workloads in given namespaces.
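Review bot: The sort key on the new `objects: std.sort([...], std.manifestJsonMinified)` line is each object's entire serialized body, so an object's position in the generated template shifts whenever its content changes. The regenerated YAML in this same commit shows the cost: the `rules-objstore` ServiceAccount, for instance, is removed in one hunk and re-added in another, which makes it hard to confirm that identity- and access-related objects were only moved and not altered. A key built from identity, for example `function(o) o.kind + '/' + o.metadata.name` (assuming every manifest carries both fields), would keep positions stable across content edits. A one-line comment above the call, such as `// Sorted so the generated template has a deterministic object order.`, would also record why the list is sorted.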