feat: one prometheus (#1724)

Author: srodenhuis

charts/team-ns/templates/istio-sidecar.yaml

@@ -1,6 +1,6 @@
 {{- $v := .Values | merge (dict) }}
 {{- $ := . }}
-{{- $prometheus := dig "managedMonitoring" "prometheus" false $v }}
+{{- $alertmanager := dig "managedMonitoring" "alertmanager" false $v }}
 {{- if not (eq $v.teamId "admin") }}
 {{- $egressFilteringEnabled := $v | dig "networkPolicy" "egressPublic" true }}
 {{- if $egressFilteringEnabled }}
@@ -13,46 +13,19 @@ metadata:
 spec:
   outboundTrafficPolicy: 
     mode: REGISTRY_ONLY
-{{- if $prometheus }}
+{{- if $alertmanager }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
-  name: team-prometheus
+  name: team-alertmanager
   labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
 spec:
   outboundTrafficPolicy:
     mode: ALLOW_ANY
   workloadSelector:
     labels:
-      otomi.io/app: prometheus-team-{{ $v.teamId }}
+      app.kubernetes.io/instance: po-prometheus
 {{- end }}
 {{- end }}
-{{- end }}
-{{- if $prometheus }}
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  labels:
-    {{- include "team-ns.chart-labels" $ | nindent 4 }}
-    prometheus: team-{{ $v.teamId }}
-  name: istio-sidecars-team-services
-spec:
-  namespaceSelector:
-    matchNames: [team-{{ $v.teamId }}]
-  podMetricsEndpoints:
-  - path: /stats/prometheus
-    port: http-envoy-prom
-  selector:
-    matchLabels:
-      security.istio.io/tlsMode: istio
-    matchExpressions:
-      - key: app.kubernetes.io/instance
-        operator: NotIn
-        values:
-          - prometheus-{{ $v.teamId }}
-          - {{ $v.teamId }}-po-prometheus
-          - {{ $v.teamId }}-po-alertmanager
-          - tekton-dashboard-{{ $v.teamId }}
 {{- end }}

charts/team-ns/templates/netpols/default-network-policies.yaml

@@ -1,7 +1,5 @@
 {{/* Below merge is a workaround for: https://github.com/helm/helm/issues/9266 */}}
 {{- $v := .Values | merge (dict) }}
-{{- $prometheus := dig "managedMonitoring" "prometheus" false $v }}
-{{- $alertmng := dig "managedMonitoring" "alertmanager" false $v }}
 {{- if (not (dig "networkPolicy" "ingressPrivate" true $v)) }}
 ---
 # If team network policies are disabled then we whitelist all traffic to prevent undesired blocking while deploying team workloads
@@ -28,6 +26,7 @@ spec:
   policyTypes:
   - Ingress
 ---
+# Allow traffic from platform services
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -61,79 +60,6 @@ spec:
         - namespaceSelector:
             matchLabels:
               name: tekton-pipelines
-{{- if $alertmng }}
----
-# Allow traffic from team's prometheus to team's alertmanager
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: default-to-alertmanager
-  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
-spec:
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: team-{{ $v.teamId }}
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/instance: {{ $v.teamId }}-po-prometheus
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
-  policyTypes:
-    - Ingress
-{{- end }}
-{{- if $prometheus }}
----
-# Allow traffic from Alertmanager and Grafana to Prometheus
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: default-to-prometheus
-  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
-spec:
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: team-{{ $v.teamId }}
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
-        - namespaceSelector:
-            matchLabels:
-              name: team-{{ $v.teamId }}
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: {{ $v.teamId }}-po-grafana
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/instance: {{ $v.teamId }}-po-prometheus
-  policyTypes:
-    - Ingress
----
-# Allow traffic from Prometheus to kube-state-metrics
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: default-to-kube-state-metrics
-  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
-spec:
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: team-{{ $v.teamId }}
-          podSelector:
-            matchLabels:
-              prometheus: team-{{ $v.teamId }}
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: kube-state-metrics
-  policyTypes:
-    - Ingress
-{{- end }}
 ---
 # Allow webhook traffic from gitea to event listeners
 apiVersion: networking.k8s.io/v1
@@ -155,25 +81,4 @@ spec:
       app.kubernetes.io/managed-by: EventListener
   policyTypes:
     - Ingress
-{{- if $prometheus }}
----
-# Allow traffic from Prometheus to all pods for scraping metrics
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: default-from-prometheus
-  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
-spec:
-  podSelector: {}
-  policyTypes:
-    - Ingress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: team-{{ $v.teamId }}
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/instance: {{ $v.teamId }}-po-prometheus
-{{- end }}
 {{- end }}

charts/team-ns/templates/servicemonitors/service-monitors.yaml

@@ -1,5 +1,4 @@
 {{- $v := .Values | merge (dict) }}
-{{- $prometheus := dig "managedMonitoring" "prometheus" false $v }}
 {{- $alertmng := dig "managedMonitoring" "alertmanager" false $v }}
 {{- $grafana := dig "managedMonitoring" "grafana" false $v }}
 {{- if not (eq $v.teamId "admin") }}
@@ -27,26 +26,6 @@ spec:
       release: prometheus-{{ $v.teamId }}
 {{- end }}
 ---
-{{- if $prometheus }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  labels:
-    prometheus: system
-  name: po-prometheus-team-{{ $v.teamId }}
-spec:
-  endpoints:
-  - path: /metrics
-    port: http-web
-  namespaceSelector:
-    matchNames:
-    - team-{{ $v.teamId }}
-  selector:
-    matchLabels:
-      app: {{ $v.teamId }}-po-prometheus
-      release: prometheus-{{ $v.teamId }}
-{{- end }}
----
 {{- if $grafana }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor

core.yaml

@@ -337,6 +337,7 @@ adminApps:
 teamApps:
   - name: alertmanager
     ownHost: true
+    path: /#/alerts?silenced=false&inhibited=false&active=true&filter=%7Bnamespace%3D"team-#TEAM#"%7D
     ingress:
       - svc: po-alertmanager
         hasPrefix: true
@@ -357,14 +358,6 @@ teamApps:
   - name: loki
     useHost: grafana
     path: /explore?orgId=1&left=%7B"datasource":"loki","queries":%5B%7B"refId":"A","expr":"","queryType":"range","datasource":%7B"type":"loki","uid":"loki"%7D%7D%5D,"range":%7B"from":"now-1h","to":"now"%7D%7D
-  - name: prometheus
-    ownHost: true
-    ingress:
-      - svc: po-prometheus
-        hasPrefix: true
-        port: 9090
-        type: public
-        auth: true
   - name: tekton
     ownHost: true
     ingress:

helmfile.d/helmfile-60.teams.yaml

@@ -40,7 +40,7 @@ releases:
     values:
       - ../values/tekton-dashboard/tekton-dashboard-teams.gotmpl
   - name: prometheus-{{ $teamId }}
-    installed: {{ or ($team | get "managedMonitoring.grafana" false) ($team | get "managedMonitoring.prometheus" false) ($team | get "managedMonitoring.alertmanager" false) }}
+    installed: {{ or ($team | get "managedMonitoring.grafana" false) ($team | get "managedMonitoring.alertmanager" false) }}
     namespace: team-{{ $teamId }}
     chart: ../charts/kube-prometheus-stack
     labels:
@@ -61,47 +61,17 @@ releases:
               annotations:
                 sidecar.istio.io/inject: "true"
               labels:
-                prometheus: team-{{ $teamId }}
+                prometheus: system
           # to do: load slackTpl and opsgenieTpl only if alerts.receicers = true
-          config: {{- tpl (readFile "../helmfile.d/snippets/alertmanager.gotmpl") (dict "instance" $team "root" $v "slackTpl" $slackTpl "opsgenieTpl" $opsgenieTpl) | nindent 12 }}
+          config: {{- tpl (readFile "../helmfile.d/snippets/alertmanager-teams.gotmpl") (dict "instance" $team "root" $v "slackTpl" $slackTpl "opsgenieTpl" $opsgenieTpl) | nindent 12 }}
         defaultRules:
-          appNamespacesTarget: team-{{ $teamId }}
           rules:
-            general: {{ $team | get "managedMonitoring.prometheus" false }}
+            general: false
         commonLabels:
           prometheus: team-{{ $teamId }}
         prometheus:
-          enabled: {{ $team | get "managedMonitoring.prometheus" false }}
-          namespaceOverride: null # team-{{ $teamId }}
-          prometheusSpec:
-            podMetadata:
-              annotations:
-                traffic.sidecar.istio.io/excludeOutboundPorts: "9093"
-              labels:
-                otomi.io/app: prometheus-team-{{ $teamId }}
-            externalLabels:
-              cluster: "prometheus-{{ $teamId }}.{{ $domain }}"
-            externalUrl: "https://prometheus-{{ $teamId }}.{{ $domain }}"
-            {{- range $selType := list "podMonitor" "probe" "rule" "serviceMonitor" }}
-            {{ $selType }}NamespaceSelector:
-              matchExpressions:
-                - key: name
-                  operator: In
-                  values:
-                    - team-{{ $teamId }}
-            {{ $selType }}Selector:
-              matchLabels:
-                prometheus: team-{{ $teamId }}
-            {{- end }}
-    {{- if gt (len .services) 0 }}
-            additionalScrapeConfigs:
-          {{- tpl (readFile "../helmfile.d/snippets/blackbox-targets.gotmpl") (dict "teamId" $teamId "namespace" (printf "team-%s" $teamId) "services" $teamServices "domain" $domain) | nindent 12 }}
-    {{- end }}
-        {{- if $team | get "managedMonitoring.prometheus" false }}
-        additionalPrometheusRules:
-          - name: blackbox
-            {{- readFile "../values/prometheus-operator/rules/blackbox.yaml" | nindent 12 }}
-        {{- end }}    
+          enabled: false
+          prometheusSpec: {}
         grafana:
           enabled: {{ $team | get "managedMonitoring.grafana" false }}
           namespaceOverride: null # team-{{ $teamId }}
@@ -114,8 +84,7 @@ releases:
               root_url: https://grafana-{{ $teamId }}.{{ $domain }}
           sidecar:
             datasources:
-              defaultDatasourceEnabled: {{ $team | get "managedMonitoring.prometheus" false }}
-              uid: Prometheus-team
+              defaultDatasourceEnabled: false
             dashboards:
               enabled: true
               label: release
@@ -124,6 +93,7 @@ releases:
             - name: Prometheus-platform
               editable: false
               uid: prometheus-platform
+              isDefault: true
               type: prometheus
               access: proxy
               url: http://po-prometheus.monitoring:9090
@@ -186,7 +156,7 @@ releases:
                   datasourceUid: 'loki'
     {{- if has "msteams" ($team | get "alerts.receivers" list) }}
   - name: prometheus-msteams-{{ $teamId }}
-    installed: {{ $team | get "managedMonitoring.prometheus" false }}
+    installed: {{ $team | get "managedMonitoring.alertmanager" false }}
     namespace: team-{{ $teamId }}
     chart: ../charts/prometheus-msteams
     labels:
@@ -227,7 +197,6 @@ releases:
           {{- if $v.apps.trivy.enabled }}
           - trivy-teams
           {{- end }}
-
   - name: team-ns-{{ $teamId }}
     installed: true
     namespace: team-{{ $teamId }}
@@ -249,7 +218,7 @@ releases:
         teamId: {{ $teamId }}
         teamIds: {{- toYaml (keys $v.teamConfig) | nindent 10 }}
       - services: {{- concat $coreTeamServices $teamServices | toYaml | nindent 10 }}
-  {{- if and ($team | get "managedMonitoring.prometheus" false) (gt (len $teamServices) 0) }}
+  {{- if (gt (len $teamServices) 0) }}
       - name: blackbox
         svc: prometheus-blackbox-exporter
         port: 9115