-
Notifications
You must be signed in to change notification settings - Fork 35
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
added expiry metrics and alerts (#121)
* added expiry metrics and alerts Signed-off-by: raffaelespazzoli <[email protected]> * addressed Andrew's comment Signed-off-by: raffaelespazzoli <[email protected]>
- Loading branch information
1 parent
3ae3a41
commit efc5a23
Showing
21 changed files
with
292 additions
and
46 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,4 +26,5 @@ testbin/* | |
|
||
bundle/ | ||
bundle.Dockerfile | ||
charts/ | ||
charts/ | ||
config/local-development/tilt/replace-image.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# -*- mode: Python -*- | ||
|
||
compile_cmd = 'CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/manager main.go' | ||
image = 'quay.io/' + os.environ['repo'] + '/cert-utils-operator' | ||
|
||
local_resource( | ||
'cert-utils-operator-compile', | ||
compile_cmd, | ||
deps=['./main.go','./api','./controllers']) | ||
|
||
|
||
custom_build( | ||
image, | ||
'podman build -t $EXPECTED_REF --ignorefile ci.Dockerfile.dockerignore -f ./ci.Dockerfile . && podman push $EXPECTED_REF $EXPECTED_REF', | ||
entrypoint=['/manager'], | ||
deps=['./bin'], | ||
live_update=[ | ||
sync('./bin/manager',"/manager"), | ||
], | ||
skips_local_docker=True, | ||
) | ||
|
||
allow_k8s_contexts(k8s_context()) | ||
k8s_yaml(kustomize('./config/local-development/tilt')) | ||
k8s_resource('cert-utils-operator-controller-manager',resource_deps=['cert-utils-operator-compile']) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
api/ | ||
bundle/ | ||
config/ | ||
controllers/ | ||
examples/ | ||
hack/ | ||
test/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
- op: add | ||
path: /metadata/annotations | ||
value: | ||
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/webhook-server-cert" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,34 +1,18 @@ | ||
# Adds namespace to all resources. | ||
|
||
|
||
# Value of this field is prepended to the | ||
# names of all resources, e.g. a deployment named | ||
# "wordpress" becomes "alices-wordpress". | ||
# Note that it should also match with the prefix (text before '-') of the namespace | ||
# field above. | ||
namePrefix: cert-utils-operator- | ||
|
||
# Labels to add to all resources and selectors. | ||
#commonLabels: | ||
# someName: someValue | ||
|
||
resources: | ||
- service-account.yaml | ||
namespace: release-namespace | ||
|
||
bases: | ||
- ../rbac | ||
- ../prometheus | ||
- ../local-development/tilt | ||
|
||
vars: | ||
- name: METRICS_SERVICE_NAME | ||
objref: | ||
kind: Service | ||
patchesJson6902: | ||
- target: | ||
group: admissionregistration.k8s.io | ||
version: v1 | ||
name: controller-manager-metrics | ||
- name: METRICS_SERVICE_NAMESPACE | ||
objref: | ||
kind: Service | ||
kind: MutatingWebhookConfiguration | ||
name: cert-utils-operator-mutating-webhook-configuration | ||
path: ./cert-manager-ca-injection.yaml | ||
- target: | ||
group: admissionregistration.k8s.io | ||
version: v1 | ||
name: controller-manager-metrics | ||
fieldref: | ||
fieldpath: metadata.namespace | ||
kind: ValidatingWebhookConfiguration | ||
name: cert-utils-operator-validating-webhook-configuration | ||
path: ./cert-manager-ca-injection.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
- op: replace | ||
path: /spec/template/spec/containers/1/image | ||
value: | ||
quay.io/$repo/cert-utils-operator:latest | ||
- op: add | ||
path: /spec/template/spec/containers/1/args/- | ||
value: | ||
--zap-devel=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Adds namespace to all resources. | ||
namespace: cert-utils-operator | ||
|
||
# Labels to add to all resources and selectors. | ||
#commonLabels: | ||
# someName: someValue | ||
|
||
bases: | ||
- ../../default | ||
- ./service-account.yaml | ||
|
||
|
||
patchesJson6902: | ||
- target: | ||
group: apps | ||
version: v1 | ||
kind: Deployment | ||
name: cert-utils-operator-controller-manager | ||
path: ./replace-image.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: prometheus-k8s | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- endpoints | ||
- pods | ||
- services | ||
verbs: | ||
- get | ||
- list | ||
- watch |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: prometheus-k8s | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: prometheus-k8s | ||
subjects: | ||
- kind: ServiceAccount | ||
name: prometheus-k8s | ||
namespace: openshift-monitoring |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,4 +2,4 @@ apiVersion: v1 | |
kind: ServiceAccount | ||
metadata: | ||
name: controller-manager | ||
namespace: system | ||
namespace: system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,8 @@ | ||
resources: | ||
- monitor.yaml | ||
- role.yaml | ||
- rolebinding.yaml | ||
- rules.yaml | ||
|
||
configurations: | ||
- kustomizeconfig.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,6 @@ | ||
--- | ||
varReference: | ||
- path: spec/endpoints/tlsConfig/serverName | ||
kind: ServiceMonitor | ||
kind: ServiceMonitor | ||
- path: roleRef/name | ||
kind: RoleBinding |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: prometheus-k8s | ||
namespace: system | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- endpoints | ||
- pods | ||
- services | ||
verbs: | ||
- get | ||
- list | ||
- watch |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: prometheus-k8s | ||
namespace: system | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: $(ROLE_NAME) | ||
subjects: | ||
- kind: ServiceAccount | ||
name: prometheus-k8s | ||
namespace: openshift-monitoring |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
apiVersion: monitoring.coreos.com/v1 | ||
kind: PrometheusRule | ||
metadata: | ||
name: certificate-rule-alerts | ||
spec: | ||
groups: | ||
- name: cert-utils-operator-recording-rules | ||
rules: | ||
- record: cert:validity_duration:sec | ||
expr: certutils_certificate_expiry_time - certutils_certificate_issue_time | ||
- record: cert:time_to_expiration:sec | ||
expr: certutils_certificate_expiry_time - time() | ||
- name: cert-utils-operator-alerting-rules | ||
rules: | ||
- alert: CertificateApproachingExpiration | ||
annotations: | ||
message: >- | ||
Certificate {{ $labels.namespace }}/{{ $labels.name }} is at 85% of its lifetime | ||
summary: >- | ||
Certificate {{ $labels.namespace }}/{{ $labels.name }} is at 85% of its lifetime | ||
expr: | | ||
cert:time_to_expiration:sec/cert:validity_duration:sec < 0.15 | ||
labels: | ||
severity: warning | ||
- alert: CertificateIsAboutToExpire | ||
annotations: | ||
message: >- | ||
Certificate {{ $labels.namespace }}/{{ $labels.name }} is at 95% of its lifetime | ||
summary: >- | ||
Certificate {{ $labels.namespace }}/{{ $labels.name }} is at 95% of its lifetime | ||
expr: > | ||
cert:time_to_expiration:sec/cert:validity_duration:sec < 0.05 | ||
labels: | ||
severity: critical |
Oops, something went wrong.