From ca121d635fe2f57308958925ee96c778e921dfe9 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Tue, 5 Dec 2023 11:52:43 -0500
Subject: [PATCH 01/11] Adjust prometheus query to use token

---
 .../modules/proc_creating-an-alert-rule-in-prometheus.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_creating-an-alert-rule-in-prometheus.adoc b/doc-Service-Telemetry-Framework/modules/proc_creating-an-alert-rule-in-prometheus.adoc
index 79736766..016a27fd 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_creating-an-alert-rule-in-prometheus.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_creating-an-alert-rule-in-prometheus.adoc
@@ -43,7 +43,7 @@ To change the rule, edit the value of the `expr` parameter.
 +
 [source,bash,options="nowrap"]
 ----
-$ curl -k --user "internal:$(oc get secret default-prometheus-htpasswd -ogo-template='{{ .data.password | base64decode }}')" https://$(oc get route default-prometheus-proxy -ogo-template='{{ .spec.host }}')/api/v1/rules
+$ curl -k -H "Authorization: Bearer $(oc create token stf-prometheus-reader)" https://$(oc get route default-prometheus-proxy -ogo-template='{{ .spec.host }}')/api/v1/rules
 {"status":"success","data":{"groups":[{"name":"./openstack.rules","file":"/etc/prometheus/rules/prometheus-default-rulefiles-0/service-telemetry-prometheus-alarm-rules.yaml","rules":[{"state":"inactive","name":"Collectd metrics receive count is zero","query":"rate(sg_total_collectd_msg_received_count[1m]) == 0","duration":0,"labels":{},"annotations":{},"alerts":[],"health":"ok","evaluationTime":0.00034627,"lastEvaluation":"2021-12-07T17:23:22.160448028Z","type":"alerting"}],"interval":30,"evaluationTime":0.000353787,"lastEvaluation":"2021-12-07T17:23:22.160444017Z"}]}}
 ----
From f889f9a06d13b7ad7195cb8e8f02fb5ab64f217e Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 12:57:44 -0500
Subject: [PATCH 02/11] Add section for prometheus token handling

---
 .../assembly_advanced-features.adoc | 1 +
 ...nnecting-an-external-dashboard-system.adoc | 73 +++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc

diff --git a/doc-Service-Telemetry-Framework/assemblies/assembly_advanced-features.adoc b/doc-Service-Telemetry-Framework/assemblies/assembly_advanced-features.adoc
index 28916ec4..355bbecd 100644
--- a/doc-Service-Telemetry-Framework/assemblies/assembly_advanced-features.adoc
+++ b/doc-Service-Telemetry-Framework/assemblies/assembly_advanced-features.adoc
@@ -28,6 +28,7 @@ ifdef::include_when_16[]
 include::../modules/proc_importing-dashboards.adoc[leveloffset=+2]
 endif::include_when_16[]
 include::../modules/proc_retrieving-and-setting-grafana-login-credentials.adoc[leveloffset=+2]
+include::../modules/proc_connecting-an-external-dashboard-system.adoc[leveloffset=+2]
 //Editing the metrics retention time period
diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
new file mode 100644
index 00000000..56196f1c
--- /dev/null
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -0,0 +1,73 @@
+
+[id="connecting-an-external-dashboard-system_{context}"]
+= Connecting an external dashboard system
+
+It is possible to configure third-party visualization tools to connect to the {ProjectShort} Prometheus for metrics retrival. Access is controlled via an OAuth token, and a ServiceAccount is already created that has (only) the required permissions. A new OAuth token can be generated against this account for the external system to use.
+
+To use the authentication token, the third-party tool must be configured to supply an HTTP Bearer Token Authorization header as described in RFC6750. Consult the documentation of the third-party tool for how to configure this header. For example link:https://grafana.com/docs/grafana/latest/datasources/prometheus/configure-prometheus-data-source/#custom-http-headers[Configure Promethues - Custom HTTP Headers] in the _Grafana Documentation_.
+
+.Procedure
+
+. Log in to {OpenShift}.
+
+. Change to the `service-telemetry` namespace:
++
+[source,bash]
+----
+$ oc project service-telemetry
+----
+
+. Create a new token secret for the stf-prometheus-reader service account
++
+[source,bash]
+----
+$ oc create -f - <
Date: Thu, 7 Dec 2023 13:03:34 -0500
Subject: [PATCH 03/11] Correction for RBAC changes

---
 .../modules/proc_accessing-uis-for-stf-components.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
index f75060ea..4fbbb8c8 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
@@ -4,7 +4,7 @@
 [role="_abstract"]
 In {OpenShift}, applications are exposed to the external network through a route. For more information about routes, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/networking/configuring_ingress_cluster_traffic/overview-traffic.html[Configuring ingress cluster traffic].
-In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has a `ClusterRoleBinding` that enables them to view {OpenShift} Namespaces can log in. For more information about RBAC, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/authentication/using-rbac.html[Using RBAC to define and apply permissions].
+In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has read access to the component can log in. For more information about RBAC, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/authentication/using-rbac.html[Using RBAC to define and apply permissions].
 .Procedure
From bb2bead31e6e79301d5d8ae6d48514e163383622 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 15:16:52 -0500
Subject: [PATCH 04/11] Add link to OCP token secret docs

---
 .../modules/proc_connecting-an-external-dashboard-system.adoc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index 56196f1c..51a0a24a 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -71,3 +71,7 @@ $ echo $TOKEN
 $ oc delete secret my-prometheus-reader-token
 secret "my-prometheus-reader-token" deleted
 ----
+
+.Additional information
+
+For more information about service account token secrets, see link:https://docs.openshift.com/container-platform/4.14/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret] in the _OpenShift Container Platform Documentation_.
\ No newline at end of file
From 5678467b8795fbdcc666ab1f66d2669a36e2d159 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 16:03:18 -0500
Subject: [PATCH 05/11] Specifics about UI perms

---
 .../proc_accessing-uis-for-stf-components.adoc | 13 ++++++++++++-
 ...roc_connecting-an-external-dashboard-system.adoc | 2 +-
 .../modules/proc_importing-dashboards.adoc | 2 ++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
index 4fbbb8c8..21f3e5a6 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
@@ -4,7 +4,18 @@
 [role="_abstract"]
 In {OpenShift}, applications are exposed to the external network through a route. For more information about routes, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/networking/configuring_ingress_cluster_traffic/overview-traffic.html[Configuring ingress cluster traffic].
-In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has read access to the component can log in. For more information about RBAC, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/authentication/using-rbac.html[Using RBAC to define and apply permissions].
+In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has read access to the component can log in.
+
+Specifically, the following permissions are required in order to access the corresponding component UIs:
+
+[source,json,options="nowrap"]
+----
+{"namespace":"service-telemetry", "resource":"grafana", "group":"integreatly.org", "verb":"get"}
+{"namespace":"service-telemetry", "resource":"prometheus", "group":"monitoring.rhobs", "verb":"get"}
+{"namespace":"service-telemetry", "resource":"alertmanager", "group":"monitoring.rhobs", "verb":"get"}
+----
+
+For more information about RBAC, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/authentication/using-rbac.html[Using RBAC to define and apply permissions].
 .Procedure
diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index 51a0a24a..f0de5c31 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -74,4 +74,4 @@ secret "my-prometheus-reader-token" deleted
 .Additional information
-For more information about service account token secrets, see link:https://docs.openshift.com/container-platform/4.14/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret] in the _OpenShift Container Platform Documentation_.
\ No newline at end of file
+For more information about service account token secrets, see link:https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret] in the _OpenShift Container Platform Documentation_.
\ No newline at end of file
diff --git a/doc-Service-Telemetry-Framework/modules/proc_importing-dashboards.adoc b/doc-Service-Telemetry-Framework/modules/proc_importing-dashboards.adoc
index 86602898..c7d21999 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_importing-dashboards.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_importing-dashboards.adoc
@@ -73,4 +73,6 @@ grafana-route-service-telemetry.apps.infra.watch
 . In a web browser, navigate to https://__. Replace __ with the value that you retrieved in the previous step.
+. Log in with OpenShift credentials. For more information about logging in, see xref:accessing-uis-for-stf-components_assembly-installing-the-core-components-of-stf[].
+
 . To view the dashboard, click *Dashboards* and *Manage*.
From aa2504fedb13484be6d304e90cde55c03967e58c Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 17:35:03 -0500
Subject: [PATCH 06/11] Update doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc

Co-authored-by: Leif Madsen
---
 .../modules/proc_connecting-an-external-dashboard-system.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index f0de5c31..cb94fa60 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -2,7 +2,7 @@
 [id="connecting-an-external-dashboard-system_{context}"]
 = Connecting an external dashboard system
-It is possible to configure third-party visualization tools to connect to the {ProjectShort} Prometheus for metrics retrival. Access is controlled via an OAuth token, and a ServiceAccount is already created that has (only) the required permissions. A new OAuth token can be generated against this account for the external system to use.
+It is possible to configure third-party visualization tools to connect to the {ProjectShort} Prometheus for metrics retrieval. Access is controlled via an OAuth token, and a ServiceAccount is already created that has (only) the required permissions. A new OAuth token can be generated against this account for the external system to use.
 To use the authentication token, the third-party tool must be configured to supply an HTTP Bearer Token Authorization header as described in RFC6750. Consult the documentation of the third-party tool for how to configure this header. For example link:https://grafana.com/docs/grafana/latest/datasources/prometheus/configure-prometheus-data-source/#custom-http-headers[Configure Promethues - Custom HTTP Headers] in the _Grafana Documentation_.
From b52aed911d395fed69ec62ceb2da8e8fe89d3382 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 17:35:17 -0500
Subject: [PATCH 07/11] Update doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc

Co-authored-by: Leif Madsen
---
 .../modules/proc_connecting-an-external-dashboard-system.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index cb94fa60..b10c1c05 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -4,7 +4,7 @@
 It is possible to configure third-party visualization tools to connect to the {ProjectShort} Prometheus for metrics retrieval. Access is controlled via an OAuth token, and a ServiceAccount is already created that has (only) the required permissions. A new OAuth token can be generated against this account for the external system to use.
-To use the authentication token, the third-party tool must be configured to supply an HTTP Bearer Token Authorization header as described in RFC6750. Consult the documentation of the third-party tool for how to configure this header. For example link:https://grafana.com/docs/grafana/latest/datasources/prometheus/configure-prometheus-data-source/#custom-http-headers[Configure Promethues - Custom HTTP Headers] in the _Grafana Documentation_.
+To use the authentication token, the third-party tool must be configured to supply an HTTP Bearer Token Authorization header as described in RFC6750. Consult the documentation of the third-party tool for how to configure this header. For example link:https://grafana.com/docs/grafana/latest/datasources/prometheus/configure-prometheus-data-source/#custom-http-headers[Configure Prometheus - Custom HTTP Headers] in the _Grafana Documentation_.
 .Procedure
From bdadc3027402982f16f88b9f455bf19bfae6a4f8 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 17:36:12 -0500
Subject: [PATCH 08/11] Update doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc

Co-authored-by: Leif Madsen
---
 .../modules/proc_connecting-an-external-dashboard-system.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index b10c1c05..3d0883c0 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -37,7 +37,7 @@ EOF
 +
 [source,bash]
 ----
-$ TOKEN=$(oc get secret my-prometheus-reader-token -o template={{.data.token}} | base64 -d)
+$ TOKEN=$(oc get secret my-prometheus-reader-token -o template='{{.data.token}}' | base64 -d)
 ----
 . Retrieve the Prometheus host name
From 265a2fd34a14996c350649a9995995b27c112616 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Thu, 7 Dec 2023 17:36:20 -0500
Subject: [PATCH 09/11] Update doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc

Co-authored-by: Leif Madsen
---
 .../modules/proc_connecting-an-external-dashboard-system.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
index 3d0883c0..4cc39b7a 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_connecting-an-external-dashboard-system.adoc
@@ -33,7 +33,7 @@ type: kubernetes.io/service-account-token
 EOF
 ----
-. Retreive the token from the secret
+. Retrieve the token from the secret
 +
 [source,bash]
 ----
From fa00ddc2df287bf9017e50eb9fc14af45c72c62e Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Mon, 11 Dec 2023 10:16:56 -0500
Subject: [PATCH 10/11] Update doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc

Co-authored-by: mickogeary
---
 .../modules/proc_accessing-uis-for-stf-components.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
index 21f3e5a6..be7ccf61 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
@@ -6,7 +6,7 @@ In {OpenShift}, applications are exposed to the external network through a route
 In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has read access to the component can log in.
-Specifically, the following permissions are required in order to access the corresponding component UIs:
+You need the following permissions to access the corresponding component UI's:
 [source,json,options="nowrap"]
 ----
From 50be2fcffcd1a21245c8a09c575079cebc6ac9f4 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Mon, 11 Dec 2023 10:50:33 -0500
Subject: [PATCH 11/11] Update doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc

Co-authored-by: mickogeary
---
 .../modules/proc_accessing-uis-for-stf-components.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
index be7ccf61..e9a0b46a 100644
--- a/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
+++ b/doc-Service-Telemetry-Framework/modules/proc_accessing-uis-for-stf-components.adoc
@@ -4,7 +4,7 @@
 [role="_abstract"]
 In {OpenShift}, applications are exposed to the external network through a route. For more information about routes, see https://docs.openshift.com/container-platform/{NextSupportedOpenShiftVersion}/networking/configuring_ingress_cluster_traffic/overview-traffic.html[Configuring ingress cluster traffic].
-In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface. These routes are protected by {OpenShift} RBAC and any user that has read access to the component can log in.
+In {Project} ({ProjectShort}), HTTPS routes are exposed for each service that has a web-based interface and protected by {OpenShift} role-based access control (RBAC). You need the following permissions to access the corresponding component UI's: