feat: add custom prometheus metrics (#129)

isindir · Feb 15, 2023 · 0904bff · 0904bff
1 parent e73eea6
commit 0904bff
Show file tree

Hide file tree

Showing 13 changed files with 214 additions and 85 deletions.
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # UPDATE_HERE
 GO := GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.7.2
+SOPS_SEC_OPERATOR_VERSION := 0.8.0
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.11.3"

diff --git a/README.md b/README.md
@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.26.x | v3.7.3 | 0.13.2 | 0.7.2 |
+| v1.26.x | v3.7.3 | 0.14.0 | 0.8.0 |
 | v1.25.x | v3.7.3 | 0.12.5 | 0.6.4 |
 | v1.24.x | v3.7.3 | 0.11.3 | 0.5.3 |
 | v1.23.x | v3.7.2 | 0.10.8 | 0.4.8 |

diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.13.2
-appVersion: 0.7.2
+version: 0.14.0
+appVersion: 0.8.0
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
@@ -134,7 +134,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.7.2"` | Operator image tag |
+| image.tag | string | `"0.8.0"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |
@@ -144,6 +144,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | logging.encoder | string | `"json"` | Zap log encoding (one of 'json' or 'console') |
 | logging.level | string | `"info"` | Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
 | logging.stacktraceLevel | string | `"error"` | Zap Level at and above which stacktraces are captured (one of 'info', 'error'). |
+| metrics.enabled | bool | `false` | Enable prometheus metrics |
 | nameOverride | string | `""` | Overrides auto-generated short resource name |
 | nodeSelector | object | `{}` | Node selector to use for pod configuration |
 | podAnnotations | object | `{}` | Annotations to be added to operator pod (can be used with kiam or kube2iam) |

diff --git a/chart/helm3/sops-secrets-operator/templates/monitor.yaml b/chart/helm3/sops-secrets-operator/templates/monitor.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "sops-secrets-operator.fullname" . }}-mentrics-monitor
+  labels:
+{{ include "sops-secrets-operator.labels" . | indent 4 }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: https
+      scheme: https
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      tlsConfig:
+        insecureSkipVerify: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/chart/helm3/sops-secrets-operator/tests/monitor_test.yaml b/chart/helm3/sops-secrets-operator/tests/monitor_test.yaml
@@ -0,0 +1,33 @@
+suite: operator prometheus monitor tests
+templates:
+  - monitor.yaml
+
+tests:
+
+  - it: should not render any ServiceMonitor documents
+    release:
+      name: sops
+      namespace: sops
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should set correct kind and apiVersion, one document and selector
+    release:
+      name: sops
+      namespace: sops
+    set:
+      metrics:
+        enabled: true
+    asserts:
+      - isKind:
+          of: ServiceMonitor
+      - isAPIVersion:
+          of: monitoring.coreos.com/v1
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.selector.matchLabels
+          value:
+            app.kubernetes.io/instance: sops
+            app.kubernetes.io/name: sops-secrets-operator
diff --git a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
@@ -31,8 +31,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.7.2
-            helm.sh/chart: sops-secrets-operator-0.13.2
+            app.kubernetes.io/version: 0.8.0
+            helm.sh/chart: sops-secrets-operator-0.14.0
 
   # custom name
   - it: should correctly render custome name
@@ -170,7 +170,7 @@ tests:
       # UPDATE_HERE
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.7.2
+          value: isindir/sops-secrets-operator:0.8.0
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

diff --git a/chart/helm3/sops-secrets-operator/values.yaml b/chart/helm3/sops-secrets-operator/values.yaml
@@ -13,7 +13,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.7.2
+  tag: 0.8.0
   # -- Operator image pull policy
   pullPolicy: Always
 
@@ -163,3 +163,7 @@ affinity: {}
 rbac:
   # -- Create and use RBAC resources
   enabled: true
+
+metrics:
+  # -- Enable prometheus metrics
+  enabled: false
diff --git a/controllers/custom_metrics.go b/controllers/custom_metrics.go
@@ -0,0 +1,44 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+// these metrics are introduced for learning purposes, these have almost no real value
+
+package controllers
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+)
+
+var (
+	sopsSecretsReconciliations = prometheus.NewCounter(
+		prometheus.CounterOpts{
+			Name: "sopssecrets_reconcilation_successes_total",
+			Help: "Number of SopsSecrets reconciliations",
+		},
+	)
+
+	sopsSecretsReconciliationFailures = prometheus.NewCounter(
+		prometheus.CounterOpts{
+			Name: "sopssecrets_reconcilation_failures_total",
+			Help: "Number of SopsSecrets reconcoliation failures",
+		},
+	)
+
+	sopsSecretsReconciliationsSuspended = prometheus.NewCounter(
+		prometheus.CounterOpts{
+			Name: "sopssecrets_reconcilation_suspends_total",
+			Help: "Number of SopsSecrets reconciliations suspends",
+		},
+	)
+)
+
+func init() {
+	// Register custom metrics with the global prometheus registry
+	metrics.Registry.MustRegister(
+		sopsSecretsReconciliations,
+		sopsSecretsReconciliationFailures,
+		sopsSecretsReconciliationsSuspended,
+	)
+}
diff --git a/controllers/sopssecret_controller.go b/controllers/sopssecret_controller.go
@@ -64,11 +64,13 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	if r.isSecretSuspended(encryptedSopsSecret, req) {
+		sopsSecretsReconciliationsSuspended.Inc()
 		return reconcile.Result{}, nil
 	}
 
 	plainTextSopsSecret, rescheduleReconcileLoop := r.decryptSopsSecret(encryptedSopsSecret)
 	if rescheduleReconcileLoop {
+		sopsSecretsReconciliationFailures.Inc()
 		return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 	}
 
@@ -78,27 +80,32 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 		kubeSecretFromTemplate, rescheduleReconcileLoop := r.newKubeSecretFromTemplate(req, encryptedSopsSecret, plainTextSopsSecret, &secretTemplate)
 		if rescheduleReconcileLoop {
+			sopsSecretsReconciliationFailures.Inc()
 			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
 		kubeSecretInCluster, rescheduleReconcileLoop := r.getSecretFromClusterOrCreateFromTemplate(ctx, req, encryptedSopsSecret, kubeSecretFromTemplate)
 		if rescheduleReconcileLoop {
+			sopsSecretsReconciliationFailures.Inc()
 			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
 		rescheduleReconcileLoop = r.isKubeSecretManagedOrAnnotatedToBeManaged(req, encryptedSopsSecret, kubeSecretInCluster)
 		if rescheduleReconcileLoop {
+			sopsSecretsReconciliationFailures.Inc()
 			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
 		rescheduleReconcileLoop = r.refreshKubeSecretIfNeeded(ctx, req, encryptedSopsSecret, kubeSecretFromTemplate, kubeSecretInCluster)
 		if rescheduleReconcileLoop {
+			sopsSecretsReconciliationFailures.Inc()
 			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 	}
 
 	encryptedSopsSecret.Status.Message = "Healthy"
 	r.Status().Update(context.Background(), encryptedSopsSecret)
+	sopsSecretsReconciliations.Inc()
 
 	r.Log.Info("SopsSecret is Healthy", "sopssecret", req.NamespacedName)
 	return ctrl.Result{}, nil