helm/metrics: add a new gauge metric to monitor helm releases

[zonggen]

Adds a helm_chart_release_health_status gauge metric to monitor the
status of the current helm releases.

To query the total number of healthy releases: count (helm_chart_release_health_status == 1) by (chartName, chartVersion, releaseName).
To query the total number of unhealthy releases: count (helm_chart_release_health_status == 0) by (chartName, chartVersion, releaseName).

From console UI:

From Prometheus UI:

Closes: https://issues.redhat.com/browse/HELM-224
Signed-off-by: Allen Bai abai@redhat.com

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zonggen
To complete the pull request process, please assign bparees after the PR has been reviewed.
You can assign the PR to them by writing /assign @bparees in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zonggen]

This is required to run helm list --all-namespaces with Helm SDK.

Error without it: metric helm_chart_release_health_status unhandled: list: failed to list: secrets is forbidden: User "system:serviceaccount:openshift-console-operator:console-operator" cannot list resource "secrets" in API group "" at the cluster scope

[dperaza4dustbit]

All those vendor files came from the helm sdk reference?

[dperaza4dustbit]

So only deploy is healthy, what about the other states. I would say if it is unknown or failed then is 0 then is 1 for all other states

[zonggen]

Updated

[dperaza4dustbit]

the only diff between this and the line below is the 0 or 1. I would do healthStatus := 1 then change to 0 if status unknown or failed. Then make a single call to klog and to helmChartReleaseHealthStatus passing healthStatus

[zonggen]

Updated

[zonggen]

The vendor files came from after I did go mod vendor followed by go mod tidy.

[zonggen]

@jhadvig @spadgett Gentle reminder: could you take a look at this PR?

[jhadvig]

@zonggen I see that the e2e TestMetricsEndpoint TC is failing:

=== RUN   TestMetricsEndpoint
    ....
    metrics_test.go:71: searching for helm_chart_release_health_status in metrics data...
    metrics_test.go:74: did not find helm_chart_release_health_status
    metrics_test.go:47: waiting for cleanup to reach settled state...
--- FAIL: TestMetricsEndpoint (6.27s)

Should be fixed in the PR so it's passing.

[zonggen]

/retest

[zonggen]

@jhadvig Could you take a second look? The test case failed because the helm_chart_release_health_status was not initialized util there's a Helm release in the cluster. Added a logic to initialize it to 0 with no labels.

Reference: https://prometheus.io/docs/practices/instrumentation/#avoid-missing-metrics

[jhadvig]

@zonggen thanks for the PR. Adding couple of comments.

[jhadvig]

Why does the operator need to be able to fetch any secret from the cluster? Looks like a potential security issue. If we need we should rather create a Role for a specific namespace. But on the other hand I dont see any usage in the added code, where we are fetching any secret for the metrics.

[zonggen]

The helm list --all-namespaces action from metrics.go requires this particular permission. If I remove this it would produce:

metrics.go:40] metric helm_chart_release_health_status unhandled: list: failed to list: secrets is forbidden: User "system:serviceaccount:openshift-console-operator:console-operator" cannot list resource "secrets" in API group "" at the cluster scope

[spadgett]

This is pretty concerning because console-operator is effectively running as root on the cluster with this change. Is there any way to add the metrics without needing this permission?

[jwforres]

Yeah this is a hard no. We won't escalate the console operator to have read on Secrets cluster-wide.

[dperaza4dustbit]

Understand, we are looking for alternative options to mitigate. It won't be a full solution if we have to use the users identity on the console side, but that is what we will pivot towards. For future reference @spadgett and @jwforres, If we had a way to filter Allow Rules by Resource Type like for example "type": "helm.sh/release.v1", would that work to reduce the access escalation? Trying to figure out if I propose a change in Kubernetes RBAC upstream on this.

[jhadvig]

Why do we call the helmmetrics.HandleHelmChartReleaseHealthStatus() inside the SyncConsoleConfig method? Its not using any of its arguments.
I would suggest to eight put it directly to the main sync_v400 method or create a new controller.

[zonggen]

Agreed, will move it to the main sync_v400. The original intent was to piggyback on the console_url metric. Also willing to add a new controller but that controller will only consist of this one line helmmetrics.HandleHelmChartReleaseHealthStatus().

[jhadvig]

lets put this into the pkg/helm/metrics/helm_metrics.go so we can reuse functions like recoverMetricPanic() instead of duplicating them

[zonggen]

Moved to pkg/console/metrics/helm_metrics.go

[jhadvig]

Dont think kubeconfig is the right name

Suggested change

	var kubeConfig *genericclioptions.ConfigFlags
	var configFlags *genericclioptions.ConfigFlags

[jhadvig]

also why do we need to initialize the configFlags, since on line in 72 you are setting it ? cant we jusst set it directly ?

[zonggen]

Updated :)

[zonggen]

Thanks for reviewing! Waiting for the tests before another look.

[zonggen]

@jhadvig PR is ready for another look but the ci/prow/e2e-aws-operator test kept failing for other non-related reasons. Do I keep retesting until it succeeds? Thanks :)

[spadgett]

/hold

[openshift-ci]

@zonggen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator	696a192	link	/test e2e-aws-operator
ci/prow/e2e-agnostic-upgrade	696a192	link	/test e2e-agnostic-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[zonggen]

Closing in favor of #601.

For record, we are shifting away from calling cluster-wise helm list actions in console-operator, instead use a counter metric in console that increments whenever a user installs a Helm chart. By doing this, we are not depending on the cluster-wise secrets and only adds the counter when the user helm install a Chart.