Deploy monitoring-stack for prow

[hongkailiu]

What would you like to be added:
Add monitoring-stack including prometheus/alertmanager/grafana for prow.k8s.io.

Why is this needed:

• Scrape prow components with prometheus to collect data provided by the endpoints which are already available.
• Oversee with grafana dashboards how prow components are running on the (k8s-)cluster and fire alerts by alertmanager when necessary, eg, some service is down or other conditions are satisfied.

Steps:

• Check prerequisites: k8s version >=1.8.0
• Deploy CRDs: Prometheus, ServiceMonitor, PrometheusRule, Alertmanager
• Deploy prometheus operator and required RBAC
• Deploy custom object: Prometheus
• Deploy grafana
• Expose the ingress via the vanity URL
• Deploy dashboards
  • use mixins: blocked
  • fix the repo name in tide board
  • add UID into ghproxy board
• Add services for prow components that have not had /metrics services yet
• Update config.yaml to enable serving /metrics
• Add ServiceMontors for all prow-components
• Deploy ServiceMontors for prometheus and grafana
• grafana admin access issue: replicas=1
• https only on grafana ingress: nginx is the only promising solution
• Link in the bazel targets to apply all the monitoring objects with the normal Prow release target for postsubmit: trails; slack-discussion
• Deploy ServiceMontor for alertmanager
• Deploy custom object: Alertmanager
• Add more alerts
• Test firing alerts with AlertManager
• Add readme to do the port-forwarding/proxy for alertmanager and prometheus to make them simpler
• Decide if we want to HA grafana (view-only) and dev.monitoring.prow.k8s.io (admin): @Katharine and @stevekuznetsov are for this: We leave this as future work.

[stevekuznetsov]

/cc @cjwagner @fejta @krzyzacy

[hongkailiu]

tony-yang [7:04 PM]
1.13.5-gke.10

[stevekuznetsov]

Thought: a bazel target to do the port-forwarding/proxy for alertmanager and prometheus to make them simpler

[stevekuznetsov]

As well: link in the bazel targets to apply all the monitoring objects with the normal Prow release target for postsubmit (bazel run //prow/cluster/production.apply)

[hongkailiu]

Also need to find a convenient way to test queries:

• ingress for prometheus
• edit access (to a restricted set of people) to grafana (This might be preferable given the circumstance ^_^)

[hongkailiu]

monitoring.prow.k8s.io is not https yet.

[cjwagner]

SSL is working now, but is still optional. We need to force SSL redirection for HTTP requests to make it safe to use basic auth, but unfortunately this isn't possible to configure with ingress-gce: kubernetes/ingress-gce#51

I think we'll need to add an nginx proxy solely for this purpose like we used to have to do for Prow before we added SSL redirection to deck. Grafana doesn't appear to have any SSL redirect or HSTS options.

[hongkailiu]

SSL is working now, but is still optional.

Would kubernetes.io/ingress.allow-http: "false" help as described 51#issuecomment-335960782?

[hongkailiu]

@cjwagner
I would like to give another try of selling the idea of mixins (or jsonnet) for monitoring stack.

• reusable grafana dashboards: kind of more important when deploy/grafana has more than one replica (for HA). Provisioning of dashborads via json files ensures the consistent view across grafana instances, comparing to editting via UI. We could still do the UI editting, only for debugging purpose. Once we think we should include some new panel or boards, we will generate the json file and provision it to all instances.
• it is kind of popular in the community, eg, kubernetes-mixin. Ease the code review too (to some extent ^_^ @stevekuznetsov can tell more on this point).
• dependency managerment: the underlying libs (eg, grafana/grafonnet-lib) will be maintained by grafana gurus and the upgrade procedure should be more smooth when we decide to change the version of grafana in the future.

Let me know your decision.

[spiffxp]

/milestone v1.16
checklist above is still incomplete, I'm assuming we have more to do here

[spiffxp]

/sig testing

[hongkailiu]

@spiffxp Yes. We are working on this issue.

[spiffxp]

Currently available at https://monitoring.prow.k8s.io/

[stevekuznetsov]

All we have left is the AlertManager deployment, then we're done!

[stevekuznetsov]

I have a series of PRs to show how to add:

• a new metric: Expose the size of updated ConfigMaps via metrics #13376
• a dashboard from it: Add a dashboard to show ConfigMap sizes #13386
• an alert: Add an alert for ConfigMaps getting close to being full #13506

[hongkailiu]

Created kubernetes/community#3902, requesting slack incoming webhook URL.

[hongkailiu]

The testing alerts ... https://kubernetes.slack.com/archives/C7J9RP96G/p1563469948355200

Some discussion on icon/username: https://kubernetes.slack.com/archives/C7J9RP96G/p1563471649359200

[stevekuznetsov]

/woof

[k8s-ci-robot]

@stevekuznetsov:

In response to this:

/woof

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[krzyzacy]

/meowvie sunglass

[k8s-ci-robot]

@krzyzacy:

In response to this:

/meowvie sunglass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.