
Merge pull request #917 from external-secrets/chart-service-monitor

feat: replace prometheus annotations with servicemonitor
paul-the-alien[bot] 4 years ago
parent
commit
e10760e509

+ 18 - 6
deploy/charts/external-secrets/README.md

@@ -51,8 +51,8 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.podLabels | object | `{}` |  |
 | certController.podSecurityContext | object | `{}` |  |
 | certController.priorityClassName | string | `""` | Pod priority class name. |
-| certController.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
-| certController.prometheus.service.port | int | `8080` |  |
+| certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
+| certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
 | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | certController.requeueInterval | string | `"5m"` |  |
 | certController.resources | object | `{}` |  |
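Review bot: the two replaced `certController.prometheus.*` descriptions ("deprecated. will be removed with 0.7.0, use serviceMonitor instead") have no trailing period and no capitalization, while the top-level `prometheus.*` rows in the later hunk end with a period; use one form everywhere, e.g. `Deprecated. Will be removed in 0.7.0, use serviceMonitor instead.` Since these rows mirror the `# --` comments in values.yaml, fix the wording there and regenerate the table instead of editing the README by hand.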
@@ -60,6 +60,10 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| certController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| certController.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | certController.tolerations | list | `[]` |  |
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
@@ -84,8 +88,8 @@ The command removes all the Kubernetes components associated with the chart and
 | priorityClassName | string | `""` | Pod priority class name. |
 | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
-| prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
-| prometheus.service.port | int | `8080` |  |
+| prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
+| prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
@@ -95,6 +99,10 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | tolerations | list | `[]` |  |
 | webhook.affinity | object | `{}` |  |
 | webhook.certCheckInterval | string | `"5m"` |  |
@@ -117,8 +125,8 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.podSecurityContext | object | `{}` |  |
 | webhook.port | int | `10250` | The port the webhook will listen to |
 | webhook.priorityClassName | string | `""` | Pod priority class name. |
-| webhook.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
-| webhook.prometheus.service.port | int | `8080` |  |
+| webhook.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
+| webhook.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
 | webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | webhook.replicaCount | int | `1` |  |
 | webhook.resources | object | `{}` |  |
@@ -127,4 +135,8 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| webhook.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| webhook.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| webhook.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | webhook.tolerations | list | `[]` |  |

+ 6 - 0
deploy/charts/external-secrets/templates/NOTES.txt

@@ -5,3 +5,9 @@ or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
 
 More information on the different types of SecretStores and how to configure them
 can be found in our Github: {{ .Chart.Home }}
+
+{{ if  .Values.prometheus.enabled -}}
+deprecation warning:
+> The flag `prometheus.enabled` is deprecated and will be removed in the next release.
+  Please migrate to using servicemonitor instead.
+{{ end }}
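Review bot: the deprecation notice only fires on `.Values.prometheus.enabled` and says "removed in the next release", whereas the values.yaml comments in this PR say "removed with 0.7.0", and `webhook.prometheus.enabled` and `certController.prometheus.enabled` get no warning at all; extend the condition to `{{- if or .Values.prometheus.enabled .Values.webhook.prometheus.enabled .Values.certController.prometheus.enabled }}` and use the same version string as values.yaml. Minor: `{{ if  .Values.prometheus.enabled -}}` has a doubled space, and `servicemonitor` in the message should be spelled like the value key, `serviceMonitor`.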

+ 1 - 1
deploy/charts/external-secrets/templates/cert-controller-service.yaml

@@ -17,4 +17,4 @@ spec:
     name: metrics
   selector:
     {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
-{{- end }}
+{{- end }}
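Review bot: the only changed line in this hunk, `{{- end }}`, is identical before and after, so the diff is whitespace-only (most likely the missing trailing newline); fine to keep, but worth stating in the PR description so it is not read as a behavioral change to the deprecated `prometheus.enabled` Service.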

+ 38 - 0
deploy/charts/external-secrets/templates/cert-controller-servicemonitor.yaml

@@ -0,0 +1,38 @@
+{{- if and .Values.certController.create .Values.certController.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+  labels:
+    {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8080
+    protocol: TCP
+    name: metrics
+  selector:
+    {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+{{- if .Values.certController.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.certController.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+  name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace | quote }}
+  endpoints:
+  - port: metrics
+    interval: {{ .Values.certController.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
+{{- end }}
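Review bot: the `Service` at the top of this template has no `namespace:` field, while the `ServiceMonitor` below it and the Service in servicemonitor.yaml both set `namespace: {{ .Release.Namespace | quote }}`; add it here (and in webhook-servicemonitor.yaml) for consistency. The metrics port is also hardcoded as `port: 8080`, which drops the configurability the deprecated `certController.prometheus.service.port` value offered; if the container's metrics port can be changed elsewhere in the chart, this Service and the ServiceMonitor endpoint should read from that same value, otherwise document that 8080 is fixed.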

+ 1 - 1
deploy/charts/external-secrets/templates/service.yaml

@@ -18,4 +18,4 @@ spec:
       name: metrics
   selector:
     {{- include "external-secrets.selectorLabels" . | nindent 4 }}
-{{- end }}
+{{- end }}
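Review bot: same whitespace-only change as in cert-controller-service.yaml. Since this template (gated on the deprecated `prometheus.enabled`) and the new servicemonitor.yaml both render a metrics `Service` in the release namespace, please confirm their `metadata.name` values differ; two Services with the same name cannot coexist, so enabling `prometheus.enabled` and `serviceMonitor.enabled` together would either fail the release or have one object silently replace the other. An alternative is to render only one of the two Services by adding the deprecated flag to the conditions.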

+ 39 - 0
deploy/charts/external-secrets/templates/servicemonitor.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-metrics
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      protocol: TCP
+      name: metrics
+  selector:
+    {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "external-secrets.labels" . | nindent 4 }}
+{{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+  name: {{ include "external-secrets.fullname" . }}-metrics
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "external-secrets.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace | quote }}
+  endpoints:
+  - port: metrics
+    interval: {{ .Values.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+{{- end }}
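Review bot: the `ports:` list in this Service is indented two spaces deeper (`    - port: 8080`) than in the cert-controller and webhook templates (`  - port: 8080`); both are valid YAML, but the three templates should share one style. The `namespaceSelector.matchNames` limited to `.Release.Namespace` is the right scope; keep it rather than an `any: true` selector.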

+ 38 - 0
deploy/charts/external-secrets/templates/webhook-servicemonitor.yaml

@@ -0,0 +1,38 @@
+{{- if and .Values.webhook.create .Values.webhook.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-webhook-metrics
+  labels:
+    {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8080
+    protocol: TCP
+    name: metrics
+  selector:
+    {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+{{- if .Values.webhook.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.webhook.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+  name: {{ include "external-secrets.fullname" . }}-webhook-metrics
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace | quote }}
+  endpoints:
+  - port: metrics
+    interval: {{ .Values.webhook.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.webhook.serviceMonitor.scrapeTimeout }}
+{{- end }}
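Review bot: the Service's `metadata.labels` uses only `external-secrets-webhook.selectorLabels`, whereas the ServiceMonitor's metadata uses the fuller `external-secrets-webhook.labels` helper; unless that is intentional, put `labels` on both objects' metadata and reserve `selectorLabels` for `spec.selector`, so the metrics Service carries the same chart labels as every other object. The same pattern appears in the cert-controller and top-level templates.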

+ 49 - 3
deploy/charts/external-secrets/values.yaml

@@ -92,11 +92,25 @@ resources: {}
   #   memory: 32Mi
 
 prometheus:
-  # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+  # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
   enabled: false
   service:
+    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
     port: 8080
 
+serviceMonitor:
+  # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
+  enabled: false
+
+  # -- Additional labels
+  additionalLabels: {}
+
+  # --  Interval to scrape metrics
+  interval: 30s
+
+  # -- Timeout if metrics can't be retrieved in given time interval
+  scrapeTimeout: 25s
+
 nodeSelector: {}
 
 tolerations: []
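Review bot: the comment on `scrapeTimeout` should say that it must not exceed `interval`; Prometheus rejects a scrape config whose timeout is greater than its interval, so a user raising `scrapeTimeout` above 30s without also raising `interval` ends up with no scrape at all. The defaults (25s/30s) are fine. Minor: `# --  Interval to scrape metrics` has a doubled space (also in the webhook and certController blocks below), and `removed with 0.7.0` should read `removed in 0.7.0` and match the wording in NOTES.txt.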
@@ -145,11 +159,27 @@ webhook:
 
     # -- Pod priority class name.
   priorityClassName: ""
+
   prometheus:
-      # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
     enabled: false
     service:
+      # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
       port: 8080
+
+  serviceMonitor:
+    # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
+    enabled: false
+
+    # -- Additional labels
+    additionalLabels: {}
+
+    # --  Interval to scrape metrics
+    interval: 30s
+
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+
     ## -- Extra environment variables to add to container.
   extraEnv: []
 
@@ -213,11 +243,27 @@ certController:
 
     # -- Pod priority class name.
   priorityClassName: ""
+
   prometheus:
-      # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
     enabled: false
     service:
+      # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
       port: 8080
+
+  serviceMonitor:
+    # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
+    enabled: false
+
+    # -- Additional labels
+    additionalLabels: {}
+
+    # --  Interval to scrape metrics
+    interval: 30s
+
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+
     ## -- Extra environment variables to add to container.
   extraEnv: []
 

+ 9 - 1
docs/guides-metrics.md

@@ -1,5 +1,13 @@
 # Metrics
 
-The External Secrets Operator exposes its Prometheus metrics in the `/metrics` path. To enable it, set the `prometheus.enabled` Helm flag to `true`.
+The External Secrets Operator exposes its Prometheus metrics in the `/metrics` path. To enable it, set the `serviceMonitor.enabled` Helm flag to `true`. In addition you can also set `webhook.serviceMonitor.enabled=true` and `certController.serviceMonitor.enabled=true` to create `ServiceMonitor` resources for the other components.
 
 The Operator has the metrics inherited from Kubebuilder plus some custom metrics with the `externalsecret` prefix.
+
+## External Secret Metrics
+
+| Name                            | Type    | Description                                        |
+| ------------------------------- | ------- | -------------------------------------------------- |
+| externalsecret_sync_calls_total | Counter | Total number of the External Secret sync calls     |
+| externalsecret_sync_calls_error | Counter | Total number of the External Secret sync errors    |
+| externalsecret_status_condition | Gauge   | The status condition of a specific External Secret |
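Review bot: the updated first paragraph should state that `serviceMonitor.enabled` requires the Prometheus Operator CRDs (`monitoring.coreos.com/v1`) to be present, since the chart now renders a `ServiceMonitor` and an install without that CRD fails, and that `serviceMonitor.additionalLabels` is what users set to match their Prometheus instance's `serviceMonitorSelector`. It should also mention that `prometheus.enabled` is deprecated in favor of the new flag, because this sentence previously pointed readers to it. Minor: "In addition you can also set" needs a comma after "In addition". Separately from this doc, `externalsecret_sync_calls_error` is listed as a Counter but lacks the `_total` suffix Prometheus naming conventions expect; worth tracking as a follow-up in the code.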