prometheus: Introduce RuleFile Custom Resource Definition

[mxinden]

This patch introduces a new Custom Resource Definition to the
Prometheus Operator - the Rule CRD. It addresses two main
needs:

1. Prometheus (alerting and recording) Rule validation during creation time
   via Kubernetes Custom Resource Definition validation.

2. Life-cycle management of Prometheus application Rules alongside the
   application itself, inside the applications Kubernetes namespace, not
   necessarily the namespace of the scraping Prometheus instance.

A user defines Prometheus alerting and recording Rules via a Kubernetes
Custom Resource Definition. These Custom Resource Definitions can be
fully validated by the Kubernetes API server during creation time via
automatically generated OpenAPI specifications. Instead of the
restriction of a Prometheus instance to only select Rule definitions
inside its own namespace, the Prometheus specification is extended to
also specify namespaces to look for Rule Custom Resource Definitions
outside its own namespace.

---

Dependent technical changes:

• prometheus: Use github.com/jimmidyson/configmap-reload to reload rules

• prometheus: Remove Prometheus Statefulset deletion function. Starting
  with K8s >=1.8 this is handled via OwnerReferences.

• prometheus: Do not add rule files checksum to Prometheus configuration
  secret

• prometheus: Update StatefulSet only on relevant changes. Instead of
  updating the Prometheus StatefulSet on every sync() run, only update
  it if the input parameters to makeStatefulSet change. Enforce this
  via a checksum of the parameters which is saved inside the annotations
  of the statefulset.

• e2e/prometheus: Check how often resources (Secret, ConfigMap,
  Prometheus CRD, Service) are updated to enforce that Prometheus Operator
  only updated created resources if necessary.

• contrib/prometheus-config-reloader: Remove logic to retriev K8s
  ConfigMaps. These are mounted into the pod right away now.

Design Document

[ironcladlou]

Alignment

[ironcladlou]

If AlertingRuleFile is used only to hold the serialized contents of an alerting rule file (the type for which is not represented in this API), how does AlertingRuleFile compare to using a ConfigMap?

[mxinden]

@ironcladlou My plan is to vendor the upstream Prometheus alerting rule struct. Thereby we would have full OpenAPI generated deep validation on creation time (instant feedback). What do you think?

[mxinden]

I still have a couple TODOs on my list :/

https://github.com/coreos/prometheus-operator/pull/1333/files#diff-c8710fb169ff41dfb58c4a26a2f7a755R210

[ironcladlou]

That makes sense to me- cool!

[brancz]

Awesome start! Really looking forward to this!

[brancz]

We will need to continue to support this for the time being, I suggest this should select both configmaps and Rule CRDs for the forseeable future and the configmap selector stays local to the namespace and the CRD selector is respective to the ruleNamespaceSelector.

In fact we should actually do a migration where we re-create rule CRDs from the content of the configmaps.

[mxinden]

I brought back the field and added the following to the rule retrieval logic:

	// With Prometheus Operator v0.20.0 the 'RuleSelector' field in the Prometheus
	// CRD Spec is deprecated. Any value in 'RuleSelector' is just copied to the new
	// field 'RuleFileSelector'.
	if p.Spec.RuleFileSelector == nil && p.Spec.RuleSelector != nil {
		p.Spec.RuleFileSelector = p.Spec.RuleSelector
	}

@brancz Do you mind if we add the migration logic in a separate PR (of course before the release)?

[brancz]

sgtm

[brancz]

It's not just alerting rules, it's also recording rules, therefore usually referred to as "rule"

[brancz]

remove debug fmt.Println

[brancz]

remove comment

[brancz]

I already commented on the name above, I think this should probably be "PrometheusRule" instead.

[brancz]

I've thought of this as well, but I'm not sure I like it, especially if the container image repo is the same, then people will be maximum confused I think. Even today people think the operator runs as a sidecar. It also has a large impact on the container size, the reload container is very very small whereas operator+reloader is a pretty large image.

[mxinden]

👍

[mxinden]

@brancz RuleFile CRD is currently accessible on monitoring v1alpha1. Would you prefer to go with v1?

[metalmatze]

I have a general question about this feature:

How does this align with the current work going on to make jsonnet bases monitoring mixins with alerts? Are these features orthogonal? I guess it tries to solves the problem with a different approach, but on the other hand can also be combined?
So I'd have those mixins, make slight adjustments and then generate a CRD from that?

[brancz]

@metalmatze they're unrelated, this CRD is merely so that we can collect Prometheus rules from across namespaces similar to cross namespace ServiceMonitors. In fact as these rules are identical to the Prometheus rule definition they are compatible.

[brancz]

@mxinden do they work alongside each other? I seem to recall there was some problem as some point. Otherwise v1alpha1 sounds good as it's a new resource.

[ant31]

AFAIK, CRD are painful to upgrade (from v1alpha1 to v1), I would save us and users this additional migration. Also there is no plan to keep both at the same time alive (configmap + crd), so as soon as we release this, the CRD will replace the configmap, then I would go for v1.
Last The spec itself is well-known, we don't add any feature/fields that exist already in the current configmap.

[brancz]

Yeah after thinking about it once more I think putting it in v1 is fine, given that the spec we're using is identical to the Prometheus rule spec, which cannot be broken until the next Prometheus major version anyways.

[mxinden]

General design document can be found here.

Feedback by the community is very welcome.

[mxinden]

@brancz @ant31 @ironcladlou @metalmatze this PR is ready for review. Would you mind taking another look?

[brancz]

Nice work. Just a couple of comments and nits, but overall looking very good!

[brancz]

What speaks against having the Groups field here instead of nested into the RuleGroups struct? Seems double encapsulated.

[mxinden]

True. I will address that.

[brancz]

yeah we should start to actually implement these * hides *

[mxinden]

Not entirely sure, but we are auto-generating these, right?

I have replaced the panic with return l.DeepCopy().

[brancz]

this doesn't work for update, which is why we chose duplication over confusion

[mxinden]

handleSmonUpdate and handleRuleUpdate seem equal to me, no?

[brancz]

yes, that's true, we can look into deduping those

[brancz]

This should be configured from the config like the other CRDs.

[mxinden]

👍 thanks, I forgot that.

[brancz]

Rule -> RuleFile

[brancz]

this doesn't return an error

[mxinden]

Fixed it and forgot to remove the TODO 🤦‍♂️

[brancz]

not sure what this comment is referring to

[brancz]

on error return nil explicitly

[mxinden]

I don't understand what you mean.

There are two types of possible errors here:
1. Error thrown by ListAllByNamespace
2. Error thrown by yaml.Marshal

Not very proud of the structure of my code here. Happy for suggestions.

Never mind, understood.

[brancz]

on error return nil explicitly

[brancz]

I'm not entirely sure about the behavior, when file name is different but rule group name is the same, we might have to add the namespace as a prefix to the rule group name. Let's make sure and investigate this.

[mxinden]

I have just started a Prometheus with two unique rule files, with matching rule group names. Both the alerts from file one, as well as file two show up in the Prometheus UI.

[brancz]

Perfect, thanks for making sure!

[brancz]

One more thing, the RuleFile CRD needs to be generated into examples/prometheus-operator-crds/ and converted to json for the kube-prometheus stack.

[mxinden]

@brancz Thanks for all the comments! Would you mind taking another look?

[brancz]

Nice job! lgtm 👍

[Atoms]

here is written if empy only check own namespace, more down it's written empty will match all objects. so which is it ? :)

[gmauleon]

Seems to be the former:
https://github.com/mxinden/prometheus-operator/blob/89fc4e306972604eba2dcb961a6d29cc27a668ad/pkg/prometheus/rulefile.go#L103

[gmauleon]

Most likely to match the behavior of the ServiceMonitor one:
https://github.com/coreos/prometheus-operator/blob/f9676ddc5b55ae47dcdfa43d9290cb28e5504649/pkg/prometheus/promcfg.go#L468

Although @mxinden will confirm but in the RuleFile it seems to implement a standard selector which may offer the possibility to match all namespaces somehow.

[brancz]

Sorry for the confusion. When it is not set, then it will select the same namespace as the Prometheus server is in. With an empty selector explicitly set ({} is the empty selector), it will select all namespaces (maybe better referred to as the "all" selector). Hope this makes it clearer. 🙂 Also note that we will be renaming the resource before releasing it, see #1425.

[Atoms]

yes that makes sense :) thanks for explanation