Monitoring API: Add AlertmanagerMainConfig

[marioferh]

Every component will be in a separated PR in order to improve review process

First PR: #1929
Related: Enhancements Proposal openshift/enhancements#1627

[openshift-ci]

Hello @marioferh! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[marioferh]

/hold

[everettraven]

A lot of the comments are centered around godoc. I'd recommend looking at https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc for more information on what makes a good godoc that is helpful to users.

Another thing that stood out was multiple fields related to pod spec configuration - you may want to group those into a separate struct to have a single field that clearly denotes that the sub-fields in that object map directly to pod spec fields.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marioferh
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

Only got about halfway through the changes on this round, will circle back soon to review the rest.

[everettraven]

A couple things:

• The godoc seems a bit outdated here, referencing "true" as value that can be set
• Is UserMode the most appropriate name here? Maybe this would make more sense as something like ConfigurationPolicy with options like PlatformDefined and UserDefined?

[marioferh]

https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/monitoring/about-openshift-container-platform-monitoring#default-monitoring-targets_monitoring-stack-architecture

I think it's important to highlight how the monitoring stack works. We have the default stack and the user-defined mode, and with these two fields, I believe it becomes clearer than with a ConfigurationPolicy.
Also because this: // This field is only effective when the user workload Alertmanager instance is not enabled.

[everettraven]

IIRC we don't encourage the use of the ResourceRequirements type and instead recommend using a list of a custom type that gets translated to the ResourceRequirements you set on a Pod

[marioferh]

any example?
https://github.com/search?q=repo%3Aopenshift%2Fapi+v1.ResourceRequirements&type=code

[everettraven]

I recall this conversation recently related to ResourceLists and because ResourceRequirements at least includes fields of type ResourceList the same principle applies: #2222 (comment)

@JoelSpeed Would probably have more explicit knowledge as to the limitations of using these types, but my understanding is that they don't align with our API conventions any more.

[marioferh]

this could work?
ee3b854

[everettraven]

Something along those lines may be reasonable if you need explicit fields for each resource type. For example, that change would result in a UX of writing YAML like:

...
resources:
  cpu:
    requests: ...
    limits: ...
  memory:
    requests: ...
    limits: ...
  hugepages:
    requests: ...
    limits: ...
    size: ...
...

An alternative would be to do something like:

...
resources:
  - name: cpu
    requests: ...
    limits: ...
  - name: memory
    requests: ...
    limits: ...
  - name: hugepages
    requests: ...
    limits: ...
...

Based on my understanding of the comment I linked to, I think the alternative I've shared is the preferred approach for something like this because it can more easily grow as your needs to support other resource types do.

I'll leave @JoelSpeed to explain any further and dictate what approach is actually preferred.

[JoelSpeed]

What is the use case here? Are we just passing the data through to the pod template itself?

Are there any restrictions that we would be applying, eg, are there certain types of resources that we wouldn't want to support?

Does each type of resource support the same options, for example, in the comment above, it looks as though maybe hugepages has other options that CPU and memory do not support?

[marioferh]

Yes, the CRD passes these values through to the pod template.

AFAIK this is the info we have: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

    spec.containers[].resources.limits.cpu
    spec.containers[].resources.limits.memory
    spec.containers[].resources.limits.hugepages-<size>
    spec.containers[].resources.requests.cpu
    spec.containers[].resources.requests.memory
    spec.containers[].resources.requests.hugepages-<size>

[JoelSpeed]

When we aren't interpreting the content of the field, and simply copying it through, it can be ok to re-use the types from upstream.

However, in this case, there are alpha fields in the struct that we would want to not expose, so creating a mirror that meets the parts of the API that we do want to expose makes sense. It also means we can exclude other resources that we do not support users configuring

[everettraven]

Why might a user care to set these? What happens if they don't?

[marioferh]

same in other comments:
If it's not set, containers have no resource limits, which can be harmful to the system. Users configuring containers in OpenShift should be aware of this.

[everettraven]

We generally try to avoid using the kubebuilder:validation:Pattern marker now in favor of writing a CEL expression that performs the regular expression evaluation. Using CEL expressions allows us to provide a more human readable error message than returned when using the pattern marker.

An example:

api/config/v1/types_kmsencryption.go

Line 34 in 108fecf

// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."

[marioferh]

thanks, but I not sure if it is needed a validation pattern, remove it.

[everettraven]

Another round of comments. Additionally, I would like to see tests added to ensure the API and validations you have are working as expected.

[everettraven]

Why was this moved to optional?

Also, minor typo:

Suggested change

	// userDefined is optional.
	// +optional`
	// userDefined is optional.
	// +optional

[JoelSpeed]

By making this optional, you now have no required fields in the spec.

Are we ok with folks creating an object like

spec: {}

What does that object mean? Should there be a required field or a minProperties?

[marioferh]

I thought that with the latest changes, the user-defined field had to be optional. From the configmap // The default value is false. — so I have to make it optional, because was enable, disabled.

	// A Boolean flag that enables or disables user-defined namespaces
	// to be selected for `AlertmanagerConfig` lookups. This setting only
	// applies if the user workload monitoring instance of Alertmanager
	// is not enabled.
	// The default value is `false`.
	EnableUserAlertManagerConfig bool `json:"enableUserAlertmanagerConfig,omitempty"`

[everettraven]

For discriminated unions, this field must be set when the discriminator is set to Deployed and unset otherwise. We have a pretty standard CEL expression we use for this:

api/machine/v1/types_aws.go

Line 9 in 7318813

// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Filters' ? has(self.filters) : !has(self.filters)",message="filters is required when type is Filters, and forbidden otherwise"

[marioferh]

is correct now?

[everettraven]

Because not setting this could be harmful to the system, are there any defaults that we set on a users behalf?

[everettraven]

For an end-user, I believe this means that entries must be unique. I'm not sure an end-user cares about whether or not this simplifies updates and replacements of individual entries.

[marioferh]

done

[JoelSpeed]

By making this optional, you now have no required fields in the spec.

Are we ok with folks creating an object like

spec: {}

What does that object mean? Should there be a required field or a minProperties?

[JoelSpeed]

Why Main?

[marioferh]

explained before, removed.

[JoelSpeed]

The parent struct is optional, so what does it mean when the parent is omitted?

The parent also does not have omitempty, nor is it a pointer. Which means it is discoverable (++ for config API), however, this field being required, is going to cause issues.

If I asked you to allow "" as a valid value for the enum, what would that mean to the controller?

[marioferh]

I think AlertmanagerConfig should be required?

[JoelSpeed]

Is that safe? Not even an API question, but, tolerating all taints is generally not something we would do for control plane components. There are many valid taints (uninitialized for the CCM, network not ready) that I would expect this pod not to tolerate

[marioferh]

let me think about it

[JoelSpeed]

This should be 253

[marioferh]

done

[JoelSpeed]

So, where is the selector that the user would configure to determine which namespaces to use?

[marioferh]

the selector is use alertmanagerMain or user defined config

[JoelSpeed]

Should this be a quantity type?

[marioferh]

done

[marioferh]

Continue tomorrow with last comments

[openshift-ci]

@marioferh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-images	c35227f	link	true	/test okd-scos-images
ci/prow/e2e-upgrade	2a869cb	link	true	/test e2e-upgrade
ci/prow/e2e-azure	2a869cb	link	false	/test e2e-azure
ci/prow/verify-crd-schema	2a869cb	link	true	/test verify-crd-schema
ci/prow/e2e-aws-serial-2of2	2a869cb	link	true	/test e2e-aws-serial-2of2
ci/prow/e2e-upgrade-out-of-change	2a869cb	link	true	/test e2e-upgrade-out-of-change

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.