openshift
diff --git a/‎go.mod
+19-15 b/‎go.mod
+19-15
diff --git a/‎go.sum
+43-35 b/‎go.sum
+43-35
diff --git a/‎manifests/03-clusterrole.yaml
+9 b/‎manifests/03-clusterrole.yaml
+9
diff --git a/‎manifests/08-prometheus_rule.yaml
-43 b/‎manifests/08-prometheus_rule.yaml
-43
diff --git a/‎pkg/controller/operator.go
+4 b/‎pkg/controller/operator.go
+4
diff --git a/‎pkg/insights/prometheus_rules.go
+153 b/‎pkg/insights/prometheus_rules.go
+153
@@ -4,31 +4,34 @@ go 1.18
 
 require (
 	github.com/blang/semver/v4 v4.0.0
-	github.com/evanphx/json-patch v4.12.0+incompatible
+	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/openshift/api v0.0.0-20230509100629-894b49f57a15
 	github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
 	github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
 	github.com/openshift/installer v0.9.0-master.0.20191219195746-103098955ced
 	github.com/openshift/library-go v0.0.0-20230510144506-e749b54aff20
+	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.65.2
+	github.com/prometheus-operator/prometheus-operator/pkg/client v0.65.2
 	github.com/prometheus/client_golang v1.14.0
 	github.com/spf13/cobra v1.6.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.1
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/net v0.8.0
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
+	golang.org/x/net v0.9.0
+	golang.org/x/time v0.3.0
 	k8s.io/api v0.27.1
 	k8s.io/apiextensions-apiserver v0.27.1
 	k8s.io/apimachinery v0.27.1
 	k8s.io/client-go v0.27.1
 	k8s.io/component-base v0.27.1
-	k8s.io/klog/v2 v2.90.1
+	k8s.io/klog/v2 v2.100.1
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
@@ -39,19 +42,19 @@ require (
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.12.6 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
@@ -94,26 +97,27 @@ require (
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.19.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
 	google.golang.org/grpc v1.51.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiserver v0.27.1 // indirect
 	k8s.io/kms v0.27.1 // indirect
 	k8s.io/kube-aggregator v0.27.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1 // indirect
+	sigs.k8s.io/controller-runtime v0.14.6 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.4 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 
@@ -94,6 +94,15 @@ rules:
       - namespaces
     verbs:
       - get
+  - apiGroups:
+      - "monitoring.coreos.com"
+    resources:
+      - prometheusrules
+    verbs:
+      - create
+      - get
+      - list
+      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 
@@ -29,6 +29,7 @@ import (
 	"github.com/openshift/insights-operator/pkg/controller/periodic"
 	"github.com/openshift/insights-operator/pkg/controller/status"
 	"github.com/openshift/insights-operator/pkg/gather"
+	"github.com/openshift/insights-operator/pkg/insights"
 	"github.com/openshift/insights-operator/pkg/insights/insightsclient"
 	"github.com/openshift/insights-operator/pkg/insights/insightsreport"
 	"github.com/openshift/insights-operator/pkg/insights/insightsuploader"
@@ -241,6 +242,9 @@ func (s *Operator) Run(ctx context.Context, controller *controllercmd.Controller
 	statusReporter.AddSources(clusterTransferController)
 	go clusterTransferController.Run()
 
+	promRulesController := insights.NewPrometheusRulesController(secretConfigObserver, controller.KubeConfig)
+	go promRulesController.Start(ctx)
+
 	klog.Warning("started")
 
 	<-ctx.Done()
 
@@ -0,0 +1,153 @@
+package insights
+
+import (
+	"context"
+
+	"github.com/openshift/insights-operator/pkg/config/configobserver"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	monitoringcli "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var (
+	rulesName      string = "insights-prometheus-rules"
+	namespaceName  string = "openshift-insights"
+	durationString string = "5m"
+	info           string = "info"
+
+	insightsDisabledAlert                string = "InsightsDisabled"
+	simpleContentAccessNotAvailableAlert string = "SimpleContentAccessNotAvailable"
+	insightsRecommendationActiveAlert    string = "InsightsRecommendationActive"
+)
+
+// PrometheusRulesControllers listens to the configuration observer and
+// creates or removes the Insights Prometheus Rules definitions accordingly
+type PrometheusRulesController struct {
+	configurator   configobserver.Configurator
+	monitoringCS   monitoringcli.Interface
+	promRulesExist bool
+}
+
+func NewPrometheusRulesController(configurator configobserver.Configurator, kubeConfig *rest.Config) PrometheusRulesController {
+	monitoringCS, err := monitoringcli.NewForConfig(kubeConfig)
+	if err != nil {
+		klog.Warningf("Unable create monitoring client: %v", err)
+	}
+	return PrometheusRulesController{
+		configurator: configurator,
+		monitoringCS: monitoringCS,
+	}
+}
+
+// Start starts listening to the configuration observer
+func (p *PrometheusRulesController) Start(ctx context.Context) {
+	configCh, cancel := p.configurator.ConfigChanged()
+	defer cancel()
+
+	p.checkAlertsDisabled(ctx)
+	for {
+		select {
+		case <-configCh:
+			p.checkAlertsDisabled(ctx)
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+// checkAlertsDisabled reads the actual config and either creates (if they don't exist) or removes (if they do exist)
+// the "insights-prometheus-rules" definition
+func (p *PrometheusRulesController) checkAlertsDisabled(ctx context.Context) {
+	disableInsightsAlerts := p.configurator.Config().DisableInsightsAlerts
+
+	if disableInsightsAlerts && p.promRulesExist {
+		err := p.removeInsightsAlerts(ctx)
+		if err != nil {
+			klog.Errorf("Failed to remove Insights Prometheus rules definition: %v", err)
+			return
+		}
+		klog.Info("Prometheus rules successfully removed")
+		p.promRulesExist = false
+	}
+
+	if !disableInsightsAlerts && !p.promRulesExist {
+		err := p.createInsightsAlerts(ctx)
+		if err != nil {
+			klog.Errorf("Failed to create Insights Prometheus rules definition: %v", err)
+			return
+		}
+		klog.Info("Prometheus rules successfully created")
+		p.promRulesExist = true
+	}
+}
+
+// createInsightsAlerts creates Insights Prometheus Rules definitions (including alerts)
+func (p *PrometheusRulesController) createInsightsAlerts(ctx context.Context) error {
+	pr := &monitoringv1.PrometheusRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rulesName,
+			Namespace: namespaceName,
+		},
+		Spec: monitoringv1.PrometheusRuleSpec{
+			Groups: []monitoringv1.RuleGroup{
+				{
+					Name: "insights",
+					Rules: []monitoringv1.Rule{
+						{
+							Alert: insightsDisabledAlert,
+							Expr:  intstr.FromString("max without (job, pod, service, instance) (cluster_operator_conditions{name=\"insights\", condition=\"Disabled\"} == 1)"),
+							For:   monitoringv1.Duration(durationString),
+							Labels: map[string]string{
+								"severity":  info,
+								"namespace": namespaceName,
+							},
+							Annotations: map[string]string{
+								"description": "Insights operator is disabled. In order to enable Insights and benefit from recommendations specific to your cluster, please follow steps listed in the documentation: https://docs.openshift.com/container-platform/latest/support/remote_health_monitoring/enabling-remote-health-reporting.html",
+								"summary":     "Insights operator is disabled.",
+							},
+						},
+						{
+							Alert: simpleContentAccessNotAvailableAlert,
+							Expr:  intstr.FromString(" max without (job, pod, service, instance) (max_over_time(cluster_operator_conditions{name=\"insights\", condition=\"SCAAvailable\", reason=\"NotFound\"}[5m]) == 0)"),
+							For:   monitoringv1.Duration(durationString),
+							Labels: map[string]string{
+								"severity":  info,
+								"namespace": namespaceName,
+							},
+							Annotations: map[string]string{
+								"description": "Simple content access (SCA) is not enabled. Once enabled, Insights Operator can automatically import the SCA certificates from Red Hat OpenShift Cluster Manager making it easier to use the content provided by your Red Hat subscriptions when creating container images. See https://docs.openshift.com/container-platform/latest/cicd/builds/running-entitled-builds.html for more information.",
+								"summary":     "Simple content access certificates are not available.",
+							},
+						},
+						{
+							Alert: insightsRecommendationActiveAlert,
+							Expr:  intstr.FromString("insights_recommendation_active == 1"),
+							For:   monitoringv1.Duration(durationString),
+							Labels: map[string]string{
+								"severity": info,
+							},
+							Annotations: map[string]string{
+								"description": "Insights recommendation \"{{ $labels.description }}\" with total risk \"{{ $labels.total_risk }}\" was detected on the cluster. More information is available at {{ $labels.info_link }}.",
+								"summary":     "An Insights recommendation is active for this cluster.",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	_, err := p.monitoringCS.MonitoringV1().PrometheusRules(namespaceName).Create(ctx, pr, metav1.CreateOptions{})
+	return err
+}
+
+// removeInsightsAlerts removes the "insights-prometheus-rules" definition
+func (p *PrometheusRulesController) removeInsightsAlerts(ctx context.Context) error {
+	return p.monitoringCS.MonitoringV1().
+		PrometheusRules(namespaceName).
+		Delete(ctx, rulesName, metav1.DeleteOptions{})
+}