initial commit

Author: meysholdt

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Gitpod GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,68 @@
+BIN_DIR?=$(shell pwd)/tmp/bin
+JB_BIN=$(BIN_DIR)/jb
+GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml
+JSONNET_BIN=$(BIN_DIR)/jsonnet
+JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt
+TOOLING=$(JSONNETFMT_BIN) $(JSONNET_BIN) $(GOJSONTOYAML_BIN) $(JB_BIN)
+
+JSONNET_FMT := $(JSONNETFMT_BIN) -n 2 --max-blank-lines 2 --string-style s --comment-style s
+
+all: setup-workspace fmt lint generate
+
+.PHONY: clean
+clean:
+    # Delete files marked in .gitignore
+	git clean -Xfd .
+
+.PHONY: setup-workspace
+setup-workspace: 
+	go get github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb
+	go get github.com/brancz/gojsontoyaml
+	go get github.com/google/go-jsonnet/cmd/jsonnet
+	go get github.com/google/go-jsonnet/cmd/jsonnetfmt
+	GO111MODULE=on go get github.com/prometheus/prometheus/cmd/[email protected]
+	export PATH=$(PATH):$(PWD)/tmp/bin
+
+.PHONY: generate
+generate: $(JSONNET_BIN)
+	./hack/generate.sh 
+
+.PHONY: generate-ci
+generate-ci: $(JSONNET_BIN)
+	./hack/generate.sh -e CI
+
+.PHONY: fmt
+fmt: $(JSONNETFMT_BIN)
+	find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
+		xargs -n 1 -- $(JSONNET_FMT) -i
+
+.PHONY: lint
+lint: $(JSONNETFMT_BIN) 
+	find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
+		while read f; do \
+			$(JSONNET_FMT) "$$f" | diff -u "$$f" -; \
+		done
+
+.PHONY: promtool-lint
+promtool-lint: 
+	promtool check rules monitoring-satellite/manifests/ci_prometheus_rules.yaml
+
+$(BIN_DIR):
+	mkdir -p $(BIN_DIR)
+
+$(TOOLING): $(BIN_DIR)
+	@echo Installing tools from tools.go
+	@cd hack && cat tools.go | grep _ | awk -F'"' '{print $$2}' | xargs -tI % go build -modfile=go.mod -o $(BIN_DIR) %
+
+.PHONY: update
+update: $(JB_BIN)
+	$(JB_BIN) update
+
+.PHONY: deploy-satellite
+deploy-satellite: generate
+	./hack/prepare-kind.sh
+	./hack/deploy-satellite.sh
+
+.PHONY: test-e2e
+test-e2e:
+	@cd tests/e2e && go test -timeout 55m -v . -count=1

README.md

@@ -0,0 +1,122 @@
+# Observability
+
+[![Build Status](https://github.com/gitpod-com/observability/workflows/ci/badge.svg)](https://github.com/gitpod-com/observability/actions)
+[![Slack](https://img.shields.io/badge/join%20slack-%23observability-brightgreen.svg)](https://gitpod.slack.com/archives/C01KGM9D8LE)
+[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/gitpod-com/observability)
+
+Set of Jsonnet files used to deploy customized [monitoring-satellites](#monitoring-satellite) and [monitoring-centrals](#monitoring-central) into different clusters.
+
+## Table of contents
+
+- [Applications](#applications)
+  - [Monitoring-satellite](#monitoring-satellite)
+  - [Monitoring-Central](#monitoring-central)
+- [Workflows](#workflows)
+  - [Development](#development)
+  - [CI](#ci)
+  - [Deployment](#deployment)
+
+## Applications
+
+### Monitoring-satellite
+
+Monitoring-satellite is an application responsible for collecting observability signals from kubernetes clusters. Components included in monitoring-satellite:
+
+* [Prometheus-Operator](https://github.com/prometheus-operator/prometheus-operator)
+* [Prometheus](https://github.com/prometheus/prometheus)
+* [Alertmanager](https://github.com/prometheus/alertmanager)
+* [Node-exporter](https://github.com/prometheus/node_exporter)
+* [Kube-State-Metrics](https://github.com/kubernetes/kube-state-metrics)
+* [Grafana](https://github.com/grafana/grafana)
+* Custom ServiceMonitors for [Gitpod](https://github.com/gitpod-io/gitpod)'s components
+
+Monitoring-satellite can be customized by setting up jsonnet external-variables:
+
+* `namespace` - changes the namespace where monitoring-satellite will be installed
+* `cluster_name` - adds a external label named `cluster` to Prometheus. This label is extermelly important to differentiate metrics comming from multiple clusters after being stored in monitoring-central.
+* `remote_write_url` - When defining this variable with something different from an empty string, Prometheus will send metrics to a Metrics backend, e.g. Thanos or Cortex, through Prometheus' Remote Write Protocol.
+* `pagerduty_routing_key` - Used to route critical alerts to pagerduty.
+* `slack_webhook_url_critical` - When defining this variable with something different from an empty string, Alertmanager will be configured to route alerts to Slack. **Careful:** When declaring this variable, you should also declare `slack_webhook_url_warning` and `slack_webhook_url_info`, which will route alerts from lower severities to different channels.
+* `dns_name` - When defining this variable with something different from an empty string, a set of extra resources will be created to expose Grafana to the internet while keeping it secure. When defining this variable, be careful to also declare `grafana_ingress_node_port`, `gcp_external_ip_address`, `IAP_client_id` and `IAP_client_secret`. The components included are:
+  * Ingress
+  * SSL Certificate (Requires certmanager installed in the cluster)
+  * Google Cloud Backend Config
+
+#### Monitoring-satellite RoadMap
+
+As you can see, Metrics is the only Observability signal being collected by monitoring satellite right now. To make it complete Observability signal collector, we'll extend this application to collect: 
+
+* `Logs` - With [Promtail](https://grafana.com/docs/loki/latest/clients/promtail/) or [Fluentd](https://www.fluentd.org/)
+* `Traces` - With [Jaeger Agent](https://www.jaegertracing.io/docs/1.22/deployment/) or [OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector)
+* `Profiles` - With [ConProf](https://github.com/conprof/conprof)
+
+### Monitoring-Central
+
+Monitoring-central is an application responsible for storing multiple signals collected by multiple monitoring-satellites for long term. Monitoring-central is the best place to analyze data during incidents or historical trend analisis. Components included in monitoring-central:
+
+* [Grafana](https://github.com/grafana/grafana)
+* [VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics)
+
+Monitoring-central can be customized by setting up jsonnet external-variables:
+
+* `dns_name` - When defining this variable with something different from an empty string, a set of extra resources will be created to expose Grafana to the internet while keeping it secure. When defining this variable, be careful to also declare `grafana_ingress_node_port`, `gcp_external_ip_address`, `IAP_client_id` and `IAP_client_secret`. The components included are:
+  * Ingress
+  * SSL Certificate (Requires certmanager installed in the cluster)
+  * Google Cloud Backend Config
+
+#### Monitoring-central RoadMap
+
+Similarly to monitoring-satellite, monitoring-central only supports metric collection right now. To make it a complete Observability signal backend storage, we'll extend this application to store:
+
+* `Logs` - With [Loki](https://github.com/grafana/loki)
+* `Traces` - With [Jaeger](https://github.com/jaegertracing/jaeger) or [Tempo](https://github.com/grafana/tempo)
+* `Profiles` - With [ConProf](https://github.com/conprof/conprof)
+
+> To accelerate the development of monitoring-central, we are strongly considering teaming up with the Red Hat Monitoring Team to use [Observatorium](https://github.com/observatorium/observatorium) as our storage for all observability signals.
+
+## Workflows
+
+### Development
+
+See [docs/code-design](./docs/code-design.md) for details on our folder structure.
+
+During development we generate YAML files and Grafana dashboards based on our jsonnet templates.
+
+**Notice**: These YAML files are only used during development and CI. For development/ci the entrypoints are `monitoring-*/manifests/*.jsonnet` whereas for ArgoCD the entrypoint is `monitoring-*/main.jsonnet`.
+
+To generate the YAML files and Grafana dashboards run the command below.
+
+```sh
+make generate
+```
+
+The generated files are placed in `monitoring-*/manifests` - while working on the jsonnet templates it can sometimes be helpful to check out the generated YAML to see if everything looks the way you expected.
+
+If you'd like to test Grafana dashboards during development, you can copy the content of the JSON files located at `components/gitpod/mixin/dashboard_out` and import it to Grafana using the import feature:
+
+![image](https://user-images.githubusercontent.com/24193764/118832120-ba971200-b896-11eb-81aa-840dadecd21b.png)
+
+
+To make sure that all our jsonnet templates can compile and are correctly formatted run:
+
+```sh
+make fmt
+```
+
+If you are changing Prometheus rules you can additionally run:
+
+```sh
+make promtool-lint
+```
+
+### CI
+
+We use Github Actions to validate PRs.
+
+### Deployment
+
+To make changes to monitoring-satellites and monitoring-centrals spread across our clusters, simply merge a PR to the `main` branch and ArgoCD will automatically synchronize all deployed applications.
+
+If you want to verify ArgoCD has applied your changes, you can go to [argo-cd.gitpod-io-dev.com](https://argo-cd.gitpod-io-dev.com/) and use the label filter `application=monitoring-satelite` to see the status of all the satelites, or `application=monitoring-central` to see the monitoring centrals.
+
+The ArgoCD applications are configured in [gitpod-com/gitpod](https://github.com/gitpod-com/gitpod) which is also responsible for setting up all the appropriate external-variables.

addons/alerting.libsonnet

@@ -0,0 +1,123 @@
+local criticalReceiver =
+  if std.extVar('pagerduty_routing_key') != '' then
+    |||
+      pagerduty_configs:
+        - send_resolved: true
+          routing_key: '%(pagerdutyRoutingKey)s'
+    ||| % {
+      pagerdutyRoutingKey: std.extVar('pagerduty_routing_key'),
+    }
+  else
+    |||
+      slack_configs:
+        - send_resolved: true
+          api_url: %(slackWebhookUrlCritical)s
+          channel: '%(slackChannelPrefix)s_critical'
+          title: '[{{ .Status | toUpper }}{{ if eq .Status "firing" }}{{ end }}] %(clusterName)s Monitoring'
+          text: |
+            {{ range .Alerts }}
+            **Please take immediate action!**
+            *Cluster:* {{ .Labels.cluster }}
+            *Alert:* {{ .Labels.alertname }}
+            *Description:* {{ .Annotations.description }}
+            {{ end }}
+          actions:
+          - type: button
+            text: 'Runbook :book:'
+            url: '{{ .CommonAnnotations.runbook_url }}'
+    ||| % {
+      clusterName: std.extVar('cluster_name'),
+      slackWebhookUrlCritical: std.extVar('slack_webhook_url_critical'),
+      slackChannelPrefix: std.extVar('slack_channel_prefix'),
+    }
+;
+
+{
+  values+:: {
+    alertmanager+: {
+      config: |||
+        global:
+          resolve_timeout: 5m
+        route:
+          receiver: Black_Hole
+          group_by: ['...']
+          routes:
+          - receiver: CriticalReceiver
+            match:
+              severity: critical
+          - receiver: SlackWarning
+            match:
+              severity: warning
+          - receiver: SlackInfo
+            match:
+              severity: info
+          - receiver: Watchdog
+            match:
+              alertname: Watchdog
+          group_wait: 30s
+          group_interval: 5m
+          repeat_interval: 6h
+        inhibit_rules:
+        - source_match:
+            severity: critical
+          target_match_re:
+            severity: warning|info
+          equal:
+          - alertname
+        - source_match:
+            severity: warning
+          target_match_re:
+            severity: info
+          equal:
+          - alertname
+        receivers:
+        - name: Black_Hole
+        - name: Watchdog
+        - name: CriticalReceiver
+          %(criticalReceiver)s
+        - name: SlackWarning
+          slack_configs:
+          - send_resolved: true
+            api_url: %(slackWebhookUrlWarning)s
+            channel: '%(slackChannelPrefix)s_warning'
+            title: '[{{ .Status | toUpper }}{{ if eq .Status "firing" }}{{ end }}] %(clusterName)s Monitoring'
+            text: |
+              {{ range .Alerts }}
+              **Please take a look when possible**
+              *Cluster:* {{ .Labels.cluster }}
+              *Alert:* {{ .Labels.alertname }}
+              *Description:* {{ .Annotations.description }}
+              {{ end }}
+            actions:
+            - type: button
+              text: 'Runbook :book:'
+              url: '{{ .CommonAnnotations.runbook_url }}'
+        - name: SlackInfo
+          slack_configs:
+          - send_resolved: true
+            api_url: %(slackWebhookUrlInfo)s
+            channel: '%(slackChannelPrefix)s_info'
+            title: '[{{ .Status | toUpper }}{{ if eq .Status "firing" }}{{ end }}] %(clusterName)s Monitoring'
+            text: |
+              {{ range .Alerts }}
+              **No need for human intervention :slightly_smiling_face:
+              *Cluster:* {{ .Labels.cluster }}
+              *Alert:* {{ .Labels.alertname }}
+              *Description:* {{ .Annotations.description }}
+              {{ end }}
+            actions:
+            - type: button
+              text: 'Runbook :book:'
+              url: '{{ .CommonAnnotations.runbook_url }}'
+        templates: []
+      ||| % {
+        clusterName: std.extVar('cluster_name'),
+        slackWebhookUrlWarning: std.extVar('slack_webhook_url_warning'),
+        slackWebhookUrlInfo: std.extVar('slack_webhook_url_info'),
+        slackChannelPrefix: std.extVar('slack_channel_prefix'),
+        pagerdutyRoutingKey: std.extVar('pagerduty_routing_key'),
+        criticalReceiver: criticalReceiver,
+      },
+    },
+  },
+}

addons/cluster-monitoring.libsonnet

@@ -0,0 +1,2 @@
+// The cluster-monitoring addon provides json snippets that are specific for installations responsible for full cluster monitoring.
+(import './node-affinity.libsonnet')

addons/continuous_integration.libsonnet

@@ -0,0 +1,14 @@
+// Specific modification when running the stack on CI
+{
+  values+:: {
+    prometheus+: {
+      // Github Actions compute isn't strong, strip limits so pods can come up
+      resources: {},
+    },
+
+    alertmanager+: {
+      // Github Actions compute isn't strong, strip limits so pods can come up
+      resources: {},
+    },
+  },
+}

addons/disable-grafana-auth.libsonnet

@@ -0,0 +1,20 @@
+{
+  values+:: {
+    grafana+: {
+      env+: [
+        {
+          name: 'GF_AUTH_ANONYMOUS_ENABLED',
+          value: 'true',
+        },
+        {
+          name: 'GF_AUTH_ANONYMOUS_ORG_ROLE',
+          value: 'Admin',
+        },
+        {
+          name: 'GF_AUTH_DISABLE_LOGIN_FORM',
+          value: 'true',
+        },
+      ],
+    },
+  },
+}