Merge pull request #62 from projectsyn/feat/enable-metrics

Enable Prometheus metrics

class/cilium.yml

@@ -57,6 +57,7 @@ parameters:
           helm_params:
             name: ${cilium:release_name}
             namespace: ${cilium:_namespace}
+            api_versions: monitoring.coreos.com/v1
           helm_values: ${cilium:helm_values}
 
   kapitan:

class/defaults.yml

@@ -26,9 +26,14 @@ parameters:
           clusterPoolIPv4PodCIDR: 10.128.0.0/14
       kubeProxyReplacement: probe
       prometheus:
+        enabled: true
         serviceMonitor:
-          enabled: false
+          enabled: true
       operator:
+        prometheus:
+          enabled: false
+          serviceMonitor:
+            enabled: true
         resources:
           requests:
             cpu: 100m

docs/modules/ROOT/pages/index.adoc

@@ -4,6 +4,13 @@ cilium is a Commodore component to manage the Cilium networkplugin.
 
 See the xref:references/parameters.adoc[parameters] reference for further details on how to use the component to configure and deploy Cilium.
 
+== Metrics scraping
+
+By default, the component enables the metrics endpoint for the Cilium agent.
+The component assumes that prometheus-operator will be present on the target cluster, and creates a `ServiceMonitor` resource for the agent metrics endpoint.
+
+See the https://docs.cilium.io/en/v1.11/operations/metrics/#cilium-agent[Cilium docs] for available agent metrics.
+
 == Aggregated permissions
 
 The component creates the following `ClusterRoles` which are aggregated to the cluster's default `ClusterRoles`:

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml

@@ -96,6 +96,15 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           name: cilium-agent
+          ports:
+            - containerPort: 9090
+              hostPort: 9090
+              name: prometheus
+              protocol: TCP
+            - containerPort: 9095
+              hostPort: 9095
+              name: envoy-metrics
+              protocol: TCP
           readinessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: cilium
+  name: cilium-agent
+  namespace: cilium
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9090
+      protocol: TCP
+      targetPort: prometheus
+    - name: envoy-metrics
+      port: 9095
+      protocol: TCP
+      targetPort: envoy-metrics
+  selector:
+    k8s-app: cilium
+  type: ClusterIP

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml

@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  annotations: null
+  labels: null
+  name: cilium-agent
+  namespace: cilium
+spec:
+  endpoints:
+    - honorLabels: true
+      interval: 10s
+      path: /metrics
+      port: metrics
+  namespaceSelector:
+    matchNames:
+      - cilium
+  selector:
+    matchLabels:
+      k8s-app: cilium
+  targetLabels:
+    - k8s-app

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -54,6 +54,8 @@ data:
   nodes-gc-interval: 5m0s
   operator-api-serve-addr: 127.0.0.1:9234
   preallocate-bpf-maps: 'false'
+  prometheus-serve-addr: :9090
+  proxy-prometheus-port: '9095'
   remove-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   sidecar-istio-proxy-image: cilium/istio_proxy

tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml

@@ -96,6 +96,15 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           name: cilium-agent
+          ports:
+            - containerPort: 9090
+              hostPort: 9090
+              name: prometheus
+              protocol: TCP
+            - containerPort: 9095
+              hostPort: 9095
+              name: envoy-metrics
+              protocol: TCP
           readinessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: cilium
+  name: cilium-agent
+  namespace: cilium
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9090
+      protocol: TCP
+      targetPort: prometheus
+    - name: envoy-metrics
+      port: 9095
+      protocol: TCP
+      targetPort: envoy-metrics
+  selector:
+    k8s-app: cilium
+  type: ClusterIP

tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml

@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  annotations: null
+  labels: null
+  name: cilium-agent
+  namespace: cilium
+spec:
+  endpoints:
+    - honorLabels: true
+      interval: 10s
+      path: /metrics
+      port: metrics
+  namespaceSelector:
+    matchNames:
+      - cilium
+  selector:
+    matchLabels:
+      k8s-app: cilium
+  targetLabels:
+    - k8s-app

tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -54,6 +54,8 @@ data:
   nodes-gc-interval: 5m0s
   operator-api-serve-addr: 127.0.0.1:9234
   preallocate-bpf-maps: 'false'
+  prometheus-serve-addr: :9090
+  proxy-prometheus-port: '9095'
   remove-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   sidecar-istio-proxy-image: cilium/istio_proxy

tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml

@@ -19,6 +19,10 @@ spec:
       clusterPoolIPv4PodCIDR: 10.128.0.0/14
   kubeProxyReplacement: probe
   operator:
+    prometheus:
+      enabled: false
+      serviceMonitor:
+        enabled: true
     resources:
       limits:
         cpu: 100m
@@ -27,5 +31,6 @@ spec:
         cpu: 100m
         memory: 250Mi
   prometheus:
+    enabled: true
     serviceMonitor:
-      enabled: false
+      enabled: true