Hub metrics collector feature

[coleenquadros]

Ticket - https://issues.redhat.com/browse/ACM-8509
This PR refactors the deployment of the metrics-collector in the hub/local-cluster. We want to ensure that the metrics-collector on the hub runs independent of hubselfmanagement toggle.

• The placement controller of MCO operator treats the hub cluster as a special case, and directly creates the endpoint operator and the related resources (mTLS certificates, metrics lists, hub-info-secret that drives CMO configuration changes), in the open-cluster-management-observability namespace, instead of creating them as ManifestWork objects. It further ensures that it has no dependencies on the add-on framework. There will no longer be an Observability add-on on the hub cluster. In this respect, the hub cluster (local-cluster managed cluster) will be treated as a special case. In turn, the endpoint operator:
• Creates a metrics collector deployment always in open-cluster-management-observability namespace on the hub. This namespace will be different from open-cluster-management-addon-observability used in all other spokes
• Makes modifications to CMO operator configuration to ensure that hub cluster Prometheus continues to forward alerts to ACM Alert Manager
• The MCO operator placement controller ignores managed cluster create/update/delete events for local-cluster, so observability add-on is not creating managed cluster components in the old way. There will be only one way the endpoint operator is created on the hub.
• The MCO operator takes ownership of refreshing mTLS certificates for the collector on the hub, and restarts metrics collector deployment when the certificates expire/change/refreshed.
• The MCO operator will be responsible for installing these hub components when ACM is installed and Observability is enabled.
• The MCO operator will be responsible for upgrading these components when ACM is upgraded.
• The MCO operator will be responsible for uninstalling these components when ACM is uninstalled or Observability is disabled.

Since we no longer use observability add-on on the hub, we lose the ability to report failure to send metrics as via observability addon status. To compensate for this:

• Metrics collector should publish metrics related to failed metrics upload count.
• A local alert is raised when the upload metrics count exceeds a defined threshold
• The count should be reset after the error is cleared and metrics are propagating again.

Known issues (to be tracked as defects)

1. Certificate rotation for hub metrics collector after it expires in a year
2. Image replacement annotations don't work for hub endpoint operator and metrics collector (dev feature)
3. Some scenarios where "local-cluster" is still not available in grafana
4. Retrofit e2e tests (dev feature)

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coleenquadros

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [coleenquadros]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coleenquadros]

/retest

[coleenquadros]

/retest

[marcolan018]

seems it's not a correct choice to use CSR flow here. Have you check the possibility to use the functions in https://github.com/stolostron/multicluster-observability-operator/blob/main/operators/multiclusterobservability/pkg/certificates/certificates.go?

[clyang82]

maybe just generate a private key and then sign it to have the client cert.

[clyang82]

Did you check if we create the obsaddon in open-cluster-management-observability namespace or not? I think no. but just double check. thanks.

[clyang82]

maybe just generate a private key and then sign it to have the client cert.

[elgnay]

The overall procedure to create client certificate looks good. The client cert may expire, cert rotation is required. You can find some example code from registration agent: https://github.com/open-cluster-management-io/ocm/blob/1c3cb033b096c0e95575dfbf6d5d12126f5d7e57/pkg/registration/clientcert/cert_controller.go#L290

[coleenquadros]

/retest

[sonarqubecloud]

Quality Gate failed

Failed conditions
41.3% Coverage on New Code (required ≥ 70%)

See analysis details on SonarCloud

[openshift-ci]

@coleenquadros: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/sonarcloud	d7af621	link	true	/test sonarcloud
ci/prow/e2e-kind	d7af621	link	true	/test e2e-kind
ci/prow/test-e2e	d7af621	link	true	/test test-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[thibaultmg]

Why are we ignoring other types of errors? Isn't risky?

[thibaultmg]

Same as above

[thibaultmg]

Can we delete this?

[thibaultmg]

We don't need that aren't we? The caller sets it using returned boolean.

[thibaultmg]

Just a global remark regarding the logs again that doesn't need to be changed here.
We are logging a lot errors at nested functions level. This function is called 3 levels down the Reconcile function and we are logging returned errors at every one of them (except in the Reconcile function...). So we are generating 3 logs for the same error. We could instead log only in the Reconcile function, while wrapping errors with the additional info in sub functions (except in some rare cases were details cannot be wrapped in the error).

[thibaultmg]

Could we add a comment explaining this check?

[thibaultmg]

I would appreciate a comment here also explaining the reason for this check.

[thibaultmg]

Do we need this check? I understand we just removed the key before.