ci(canaries): add alerting to provisioned k8s clusters

This adds a new Terraform module to the canaries infra that, using the New Relic provider, creates alerts for different scenarios.

Currently there are basic alerts in place for general resource usage, but more could be added (and their thresholds updated) over time.

Author: alvarocabanas

test/k8s-canaries/Makefile

@@ -17,18 +17,35 @@ ifndef CANARY_DIR
 	@echo "CANARY_DIR variable must be provided to know which canary to terraform-plan"
 	exit 1
 endif
-	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
-	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) plan
+ifndef NEW_RELIC_ACCOUNT_ID
+	@echo "NEW_RELIC_ACCOUNT_ID variable must be provided for test/k8s-canaries/terraform-plan"
+	exit 1
+endif
+ifndef NEW_RELIC_API_KEY
+	@echo "NEW_RELIC_API_KEY variable must be provided for test/k8s-canaries/terraform-plan"
+	exit 1
+endif
+	@terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
+	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) plan \
+	-var="api_key=$(NEW_RELIC_API_KEY)" -var="account_id=$(NEW_RELIC_ACCOUNT_ID)"
 
 .PHONY: test/k8s-canaries/terraform-apply
 test/k8s-canaries/terraform-apply:
 ifndef CANARY_DIR
 	@echo "CANARY_DIR variable must be provided to know which canary to terraform-apply"
 	exit 1
 endif
-	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
-	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) apply -auto-approve
-
+ifndef NEW_RELIC_ACCOUNT_ID
+	@echo "NEW_RELIC_ACCOUNT_ID variable must be provided for test/k8s-canaries/terraform-plan"
+	exit 1
+endif
+ifndef NEW_RELIC_API_KEY
+	@echo "NEW_RELIC_API_KEY variable must be provided for test/k8s-canaries/terraform-plan"
+	exit 1
+endif
+	@terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) init && \
+	terraform -chdir=$(TERRAFORM_DIR)/$(CANARY_DIR) apply -auto-approve \
+	-var="api_key=$(NEW_RELIC_API_KEY)" -var="account_id=$(NEW_RELIC_ACCOUNT_ID)"
 
 .PHONY: test/k8s-canaries/update-kubeconfig-from-aws
 test/k8s-canaries/update-kubeconfig-from-aws:
@@ -51,12 +68,30 @@ endif
 ifndef IMAGE_TAG
 	@echo "IMAGE_TAG variable must be provided for test/k8s-canaries/helm-upgrade"
 	exit 1
+endif
+ifndef NR_SYSTEM_IDENTITY_CLIENT_ID
+	@echo "NR_SYSTEM_IDENTITY_CLIENT_ID variable must be provided for test/k8s-canaries/helm-upgrade"
+	exit 1
+endif
+ifndef NR_SYSTEM_IDENTITY_PRIVATE_KEY
+	@echo "NR_SYSTEM_IDENTITY_PRIVATE_KEY variable must be provided for test/k8s-canaries/helm-upgrade"
+	exit 1
 endif
 	@helm repo add newrelic https://helm-charts.newrelic.com
+	@kubectl create namespace newrelic --dry-run=client -o yaml | kubectl apply -f -
+	@echo -n $$NR_SYSTEM_IDENTITY_PRIVATE_KEY > /tmp/private_key
+	@kubectl get secret sys-identity --namespace newrelic || \
+    kubectl create secret generic sys-identity \
+    --namespace newrelic \
+    --from-literal=CLIENT_ID=$$NR_SYSTEM_IDENTITY_CLIENT_ID \
+    --from-file=private_key=/tmp/private_key
 	@helm upgrade --install ac newrelic/agent-control --devel -f $(HELM_DIR)/agent-control.yml \
-    -n newrelic --create-namespace \
+    --namespace newrelic \
     --set global.licenseKey=$(NR_LICENSE_KEY) \
     --set global.cluster=$(CLUSTER_NAME) \
+    --set global.nrStaging=true \
     --set agent-control-deployment.image.tag=$(IMAGE_TAG) \
-    --set agent-control-deployment.podAnnotations.deploymentKey="${DEPLOYMENT_KEY}"
-
+    --set agent-control-deployment.config.fleet_control.auth.secret.create=false \
+    --set agent-control-deployment.config.fleet_control.auth.secret.name="sys-identity" \
+    --set agent-control-deployment.config.fleet_control.fleet_id="MTIyMTMwNjh8TkdFUHxGTEVFVHwwMTk0ZTAwMy03NGEyLTdiZTEtODk5NS0zZjgyN2E0MjBlMjA" \
+    --set agent-control-deployment.podAnnotations.deploymentKey="$(DEPLOYMENT_KEY)"

test/k8s-canaries/helm/agent-control.yml

@@ -3,8 +3,6 @@ agent-control-deployment:
   image:
     imagePullPolicy: Always
   config:
-    fleet_control:
-      enabled: false
     agentControl:
       content:
         log:

test/k8s-canaries/terraform/modules/nr_alerts/main.tf

@@ -0,0 +1,52 @@
+resource "newrelic_alert_policy" "alert_k8s_canary" {
+  name = format("%s: %s", var.region, var.cluster_name)
+}
+
+locals {
+  policies_with_cluster_name = [
+    for pol in var.conditions : {
+      policy_id    = newrelic_alert_policy.alert_k8s_canary.id
+      cluster_name = var.cluster_name
+      condition    = pol
+    }
+  ]
+}
+
+# Uncomment this to "debug" the generated structure
+#output prueba {
+#  value = local.policies_with_display_names
+#}
+
+resource "newrelic_nrql_alert_condition" "condition_nrql_canary" {
+  count = length(local.policies_with_cluster_name)
+
+  account_id                   = var.account_id
+  policy_id                    = local.policies_with_cluster_name[count.index].policy_id
+  name                         = local.policies_with_cluster_name[count.index].condition.name
+  violation_time_limit_seconds = 3600
+
+  nrql {
+    query = templatefile(
+      local.policies_with_cluster_name[count.index].condition.template_name,
+      merge(
+        {
+          "cluster_name" : "${local.policies_with_cluster_name[count.index].cluster_name}",
+          "function" : null,
+          "wheres" : {}
+        },
+        local.policies_with_cluster_name[count.index].condition
+      )
+    )
+  }
+
+  critical {
+    operator              = local.policies_with_cluster_name[count.index].condition.operator
+    threshold             = local.policies_with_cluster_name[count.index].condition.threshold
+    threshold_duration    = local.policies_with_cluster_name[count.index].condition.duration
+    threshold_occurrences = "ALL"
+  }
+}
+
+output "queries" {
+  value = [newrelic_nrql_alert_condition.condition_nrql_canary.*.nrql]
+}

test/k8s-canaries/terraform/modules/nr_alerts/provider.tf

@@ -0,0 +1,16 @@
+# Configure terraform.
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    newrelic = {
+      source = "newrelic/newrelic"
+    }
+  }
+}
+
+# Configure the New Relic provider.
+provider "newrelic" {
+  account_id = var.account_id
+  api_key    = var.api_key
+  region     = var.region
+}

test/k8s-canaries/terraform/modules/nr_alerts/variables.tf

@@ -0,0 +1,54 @@
+# NR Account ID
+variable "account_id" {
+  default = ""
+}
+
+# NR User Api Key
+variable "api_key" {
+  default = ""
+}
+
+# US/EU/Staging
+variable "region" {
+  default = "US"
+
+  validation {
+    condition     = can(regex("^(US|EU|Staging)$", var.region))
+    error_message = "Unsupported region"
+  }
+}
+
+variable "cluster_name" {
+  default = "Agent_Control_Canaries_Staging-Cluster"
+}
+
+variable "policies_prefix" {
+  default = "[Staging] Agent Control canaries metric monitoring"
+}
+
+# conditions should follow next structure:
+#[
+# {
+#   name          = "System / Core Count"
+#   metric        = "coreCount"
+#   sample        = "SystemSample"
+#   threshold     = 0
+#   duration      = 600
+#   operator      = "above"
+#   template_name = "generic_metric_comparator"
+# },
+# {
+#   name = "System / Cpu IOWait Percent"
+#   metric = "cpuIOWaitPercent"
+#   sample = "SystemSample"
+#   threshold = 0.5 # max 0.112 in last week
+#   duration = 600
+#   operator = "above"
+#   template_name = "generic_metric_comparator"
+# },
+# ...
+# ]
+#
+variable "conditions" {
+  default = []
+}

test/k8s-canaries/terraform/production/alert_nrql_templates/generic_metric_threshold.tftpl

@@ -0,0 +1,9 @@
+SELECT max(${metric})
+FROM ${sample}
+WHERE (
+  clusterName = '${cluster_name}'
+  AND deploymentName = 'ac-agent-control'
+  %{ for k, v in wheres }
+  AND ${k}='${v}'
+  %{ endfor }
+)

test/k8s-canaries/terraform/production/main.tf

@@ -1,8 +1,49 @@
-  # Use the EKS cluster module
+# Use the EKS cluster module
 module "eks_cluster" {
   source               = "../modules/eks_cluster"
   canary_name          = "Agent_Control_Canaries_Production"
   cluster_desired_size = 2
   cluster_max_size     = 3
   cluster_min_size     = 2
 }
+
+variable "account_id" {}
+variable "api_key" {}
+module "alerts" {
+  source = "../modules/nr_alerts"
+
+  api_key         = var.api_key
+  account_id      = var.account_id
+  policies_prefix = "Agent Control canaries metric monitoring"
+  conditions = [
+    {
+      name          = "CPU usage (cores)"
+      metric        = "cpuUsedCores"
+      sample        = "K8sContainerSample"
+      threshold     = 1
+      duration      = 3600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+    {
+      name          = "Memory usage (bytes)"
+      metric        = "memoryWorkingSetBytes"
+      sample        = "K8sContainerSample"
+      threshold     = 10000000 # 10 MB
+      duration      = 600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+    {
+      name          = "Storage usage (bytes)"
+      metric        = "fsUsedBytes"
+      sample        = "K8sContainerSample"
+      threshold     = 10000 # 10 KB
+      duration      = 3600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+  ]
+  region       = "US"
+  cluster_name = "Agent_Control_Canaries_Production"
+}

test/k8s-canaries/terraform/staging/alert_nrql_templates/generic_metric_threshold.tftpl

@@ -0,0 +1,9 @@
+SELECT max(${metric})
+FROM ${sample}
+WHERE (
+  clusterName = '${cluster_name}'
+  AND deploymentName = 'ac-agent-control'
+  %{ for k, v in wheres }
+  AND ${k}='${v}'
+  %{ endfor }
+)

test/k8s-canaries/terraform/staging/main.tf

@@ -1,8 +1,51 @@
-  # Use the EKS cluster module
+# Use the EKS cluster module
 module "eks_cluster" {
   source               = "../modules/eks_cluster"
   canary_name          = "Agent_Control_Canaries_Staging"
   cluster_desired_size = 2
   cluster_max_size     = 3
   cluster_min_size     = 2
 }
+
+
+variable "account_id" {}
+variable "api_key" {}
+module "alerts" {
+  source = "../modules/nr_alerts"
+
+  api_key         = var.api_key
+  account_id      = var.account_id
+  policies_prefix = "Agent Control canaries metric monitoring"
+  conditions = [
+    {
+      name          = "CPU usage (cores)"
+      metric        = "cpuUsedCores"
+      sample        = "K8sContainerSample"
+      threshold     = 1
+      duration      = 3600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+    {
+      name          = "Memory usage (bytes)"
+      metric        = "memoryWorkingSetBytes"
+      sample        = "K8sContainerSample"
+      threshold     = 10000000 # 10 MB
+      duration      = 600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+    {
+      name          = "Storage usage (bytes)"
+      metric        = "fsUsedBytes"
+      sample        = "K8sContainerSample"
+      threshold     = 10000 # 10 KB
+      duration      = 3600
+      operator      = "above"
+      template_name = "./alert_nrql_templates/generic_metric_threshold.tftpl"
+    },
+  ]
+  region       = "Staging"
+  cluster_name = "Agent_Control_Canaries_Staging"
+}
+