UPSTREAM: <carry>: Enable OCP metrics collection by default

Enables OCP to collect Prometheus metrics for both catalogd and
operator-controller by default. This is accomplished
via ServiceMonitor CRs which are now created for both projects.

Author: azych

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml

@@ -7,10 +7,12 @@ resources:
 - ../../../../../../config/base/crd
 - ../../../../../../config/base/rbac
 - ../../../../../../config/base/manager
+- metrics
 - trusted-ca/catalogd_trusted_ca_configmap.yaml
 
 patches:
 - path: patches/manager_namespace_privileged.yaml
+- path: patches/manager_namespace_monitored.yaml
 - target:
     kind: Service
     name: service

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/metrics/catalogd_metrics_monitor_role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: metrics-monitor-role
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/metrics/catalogd_metrics_monitor_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: metrics-monitor-rolebinding
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: metrics-monitor-role
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/metrics/catalogd_metrics_monitor_servicemonitor.yaml

@@ -0,0 +1,27 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: metrics-monitor
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+    openshift.io/cluster-monitoring: 'true'
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      path: /metrics
+      port: metrics
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt
+        keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key
+        serverName: catalogd-service.openshift-catalogd.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-catalogd
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: catalogd
+

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/metrics/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- catalogd_metrics_monitor_role.yaml
+- catalogd_metrics_monitor_role_binding.yaml
+- catalogd_metrics_monitor_servicemonitor.yaml

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_monitored.yaml

@@ -0,0 +1,7 @@
+$patch: merge
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system
+  labels:
+    openshift.io/cluster-monitoring: "true"

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml

@@ -1,3 +1,4 @@
+$patch: merge
 apiVersion: v1
 kind: Namespace
 metadata:

openshift/catalogd/manifests/00-namespace-openshift-catalogd.yml

@@ -3,6 +3,7 @@ kind: Namespace
 metadata:
   labels:
     app.kubernetes.io/part-of: olm
+    openshift.io/cluster-monitoring: "true"
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/audit-version: latest
     pod-security.kubernetes.io/enforce: privileged

openshift/catalogd/manifests/04-role-openshift-catalogd-catalogd-metrics-monitor-role.yml

@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+  name: catalogd-metrics-monitor-role
+  namespace: openshift-catalogd
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch

openshift/catalogd/manifests/04-role-openshift-config-catalogd-manager-role.yml renamed to openshift/catalogd/manifests/05-role-openshift-config-catalogd-manager-role.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+  name: catalogd-metrics-monitor-rolebinding
+  namespace: openshift-catalogd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: catalogd-metrics-monitor-role
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

openshift/catalogd/manifests/05-clusterrole-catalogd-manager-role.yml renamed to openshift/catalogd/manifests/06-clusterrole-catalogd-manager-role.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+    openshift.io/cluster-monitoring: "true"
+  name: catalogd-metrics-monitor
+  namespace: openshift-catalogd
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      path: /metrics
+      port: metrics
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt
+        keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key
+        serverName: catalogd-service.openshift-catalogd.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-catalogd
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: catalogd

openshift/catalogd/manifests/06-clusterrole-catalogd-metrics-reader.yml renamed to openshift/catalogd/manifests/07-clusterrole-catalogd-metrics-reader.yml

@@ -5,9 +5,12 @@ resources:
   - ../../../../../../config/base/crd
   - ../../../../../../config/base/rbac
   - ../../../../../../config/base/manager
+  - metrics
   - trusted-ca/operator_controller_trusted_ca_configmap.yaml
 
 patches:
+  - path: patches/manager_namespace_privileged.yaml
+  - path: patches/manager_namespace_monitored.yaml
   - target:
       kind: Service
       name: service
@@ -32,4 +35,3 @@ patches:
       kind: Deployment
       name: controller-manager
     path: patches/manager_deployment_node_selection.yaml
-  - path: patches/manager_namespace_privileged.yaml

openshift/catalogd/manifests/07-clusterrole-catalogd-proxy-role.yml renamed to openshift/catalogd/manifests/08-clusterrole-catalogd-proxy-role.yml

@@ -0,0 +1,4 @@
+resources:
+- operator_controller_metrics_monitor_role.yaml
+- operator_controller_metrics_monitor_rolebinding.yaml
+- operator_controller_metrics_monitor_servicemonitor.yaml

openshift/catalogd/manifests/08-rolebinding-openshift-catalogd-catalogd-leader-election-rolebinding.yml renamed to openshift/catalogd/manifests/09-rolebinding-openshift-catalogd-catalogd-leader-election-rolebinding.yml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: metrics-monitor-role
+  labels:
+    control-plane: operator-controller-controller-manager
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch

openshift/catalogd/manifests/10-rolebinding-openshift-catalogd-catalogd-metrics-monitor-rolebinding.yml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: metrics-monitor-rolebinding
+  labels:
+    control-plane: operator-controller-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: metrics-monitor-role
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

openshift/catalogd/manifests/09-rolebinding-openshift-config-catalogd-manager-rolebinding.yml renamed to openshift/catalogd/manifests/11-rolebinding-openshift-config-catalogd-manager-rolebinding.yml

@@ -0,0 +1,25 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: metrics-monitor
+  labels:
+    control-plane: operator-controller-controller-manager
+    openshift.io/cluster-monitoring: 'true'
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      path: /metrics
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt
+        keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key
+        serverName: operator-controller-service.openshift-operator-controller.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-operator-controller
+  selector:
+    matchLabels:
+      control-plane: operator-controller-controller-manager

openshift/catalogd/manifests/10-clusterrolebinding-catalogd-manager-rolebinding.yml renamed to openshift/catalogd/manifests/12-clusterrolebinding-catalogd-manager-rolebinding.yml

@@ -0,0 +1,7 @@
+$patch: merge
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system
+  labels:
+    openshift.io/cluster-monitoring: "true"

openshift/catalogd/manifests/11-clusterrolebinding-catalogd-proxy-rolebinding.yml renamed to openshift/catalogd/manifests/13-clusterrolebinding-catalogd-proxy-rolebinding.yml

@@ -1,3 +1,4 @@
+$patch: merge
 apiVersion: v1
 kind: Namespace
 metadata:

openshift/catalogd/manifests/12-configmap-openshift-catalogd-catalogd-trusted-ca-bundle.yml renamed to openshift/catalogd/manifests/14-configmap-openshift-catalogd-catalogd-trusted-ca-bundle.yml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   labels:
+    openshift.io/cluster-monitoring: "true"
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/audit-version: latest
     pod-security.kubernetes.io/enforce: privileged

openshift/catalogd/manifests/13-service-openshift-catalogd-catalogd-service.yml renamed to openshift/catalogd/manifests/15-service-openshift-catalogd-catalogd-service.yml

@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    control-plane: operator-controller-controller-manager
+  name: operator-controller-metrics-monitor-role
+  namespace: openshift-operator-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch

openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml renamed to openshift/catalogd/manifests/16-deployment-openshift-catalogd-catalogd-controller-manager.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    control-plane: operator-controller-controller-manager
+  name: operator-controller-metrics-monitor-rolebinding
+  namespace: openshift-operator-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operator-controller-metrics-monitor-role
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

openshift/catalogd/manifests/17-servicemonitor-openshift-catalogd-catalogd-metrics-monitor.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    control-plane: operator-controller-controller-manager
+    openshift.io/cluster-monitoring: "true"
+  name: operator-controller-metrics-monitor
+  namespace: openshift-operator-controller
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      path: /metrics
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt
+        keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key
+        serverName: operator-controller-service.openshift-operator-controller.svc
+  namespaceSelector:
+    matchNames:
+      - openshift-operator-controller
+  selector:
+    matchLabels:
+      control-plane: operator-controller-controller-manager