Using kubebuilder, create initial CRD manifests based on the design in DESIGN.md

Once #153 is finished, set up a controller to watch for this CRD object

Context

Based on the documentation here overriding alert configurations with the field "threshold-critical" does not work.

Process

• Created a custom monitor (apdex-alert) in configuration file
• Added annotations to override monitor name, query, and message in a Kubernetes deployment and there are no logged errors for these.
• Added annotation to override alert threshold in the same deployment- "astro.fairwinds.com/override.apdex-alert.threshold-critical: 0.80"

Expected Result

• Monitor is created
• Newly created monitor reflects the new values

Current Result

• Monitor is not created.
• The following can be seen in the logs

time="2021-06-02T15:55:58Z" level=warning msg="override provided does mot match any monitor fields. provided field: threshold-critical"

Please help fix or suggest any necessary modifications.

Once this is implemented, let's test the results in a client cluster

Support for muting monitors by adding an annotation would be beneficial. For example, an annotation could be added to a kubernetes object:

kubernetes.io/astro/mute-until: "2019-12-30 00:00:00"

and a downtime would be created to turn off alerting for that object.

Add unit testing and ensure at least 80% test coverage.

This is based on a test I was doing when checking out a dependabot PR. I annotated a deployment for astro to create a monitor which worked fine. I stopped astro and pulled down code from a different PR, removed the annotation, then started astro and the monitor was not removed. It should be able to handle this.

I'd like to reproduce this a few times, but wanted to log this issue so I didn't forget.

Add the ability to ignore resources. For example, say a deployment exists in a namespace. You want to monitor every deployment in the namespace EXCEPT for this one. Being able to exclude it from configure monitors via an annotation would be very helpful.

This is something @mjhuber and I were chatting about recently. Right now in the example config we have things like master node High System Load Average listed as namespaced monitors which really doesn't make sense to me.

I was thinking having a new config section for static monitors that don't rely on kube state would make sense here. This would allow all monitoring for a given cluster to be fully defined and owned by astro without the weird namespaced workaround we currently have.

Interested in opinions on this.

I've noticed this behavior for a while and finally started looking into it but can't figure out why it's happening. The below logs are generated when updating the kstats-2 deployment in the kstats namespace. It runs this UpdateFunc code twice which also causes the reconciliation code to run twice. Any ideas on this? I can't seem to find anything in the code that would cause this, but I could be missing something.

INFO[0033] deployment/kstats/kstats-2 has been updated. 
INFO[0033] Handler got an OnUpdate event of type deployment 
INFO[0033] Loading rulesets from conf.yml               
INFO[0033] deployment/kstats/kstats-2 has been updated. 
INFO[0033] Annotation astro/admin with value fairwinds does not exist, so monitor 1 does not match 
INFO[0033] Reconcile monitor Deployment Replica Alert - kstats-2 
INFO[0033] Update templated monitor: Deployment Replica Alert - kstats-2 
INFO[0033] Monitor 14633828 needs updating.             
INFO[0033] Handler got an OnUpdate event of type deployment 
INFO[0033] Loading rulesets from conf.yml               
INFO[0033] Annotation astro/admin with value fairwinds does not exist, so monitor 1 does not match 
INFO[0033] Reconcile monitor Deployment Replica Alert - kstats-2 
INFO[0033] Update templated monitor: Deployment Replica Alert - kstats-2 
INFO[0033] Monitor 14633828 needs updating.

The docs don't make it super clear that we need to annotate deployments/namespaces in order to have monitors created. Also we can point to the how-to kube video that describes astro and how it works.

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

github.com/fairwindsops/astro/cmd: cannot find module providing package github.com/fairwindsops/astro/cmd

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Currently the update handler only looks at the new object. This won't work in the use case of an object that is currently monitored, but the annotations are removed from the object. The monitors won't get removed. To function correctly, the update handler should examine the new and old object. If the old object had monitors that the new one does not, they should be removed.

The new datadog charts support specifying a secret for loading in the api or app keys. This might be an option for the project too. Happy to discuss if you'd like

Create separate branches for kubernetes versions so we can pin module verison to them

Once #153 is finished, set up a controller to watch for this CRD object

Verify 1.16 kubernetes compatibility

Once #153 is finished, set up a controller to watch for this CRD object

Steps to reproduce

Deployed astro using the helm chart with the following command:

helm --tiller-namespace ops --namespace ops upgrade um-astro fairwinds-stable/astro --debug -i --set custom_config.enabled=true --set secret.create=false --set secret.name=um-datadog-astro-secret -f custom-config.yaml

The ^^ deploys the following versions:

# helm --tiller-namespace ops list um-astro --output yaml
Next: ""
Releases:
- AppVersion: 1.5.3
  Chart: astro-1.0.4
  Name: um-astro
  Namespace: ops
  Revision: 7
  Status: DEPLOYED
  Updated: Mon Jul 13 21:33:48 2020

The docker image deployed is: image: quay.io/fairwinds/astro:v1.5.3

Data in custom-config.yaml

custom_config:
  enabled: false
  data: |
    ---
    cluster_variables:
      warning_notifications: "@[email protected]"
    rulesets:
    - type: deployment
      match_annotations:
        - name: astro/owner
          value: astro
      monitors:
        deploy-replica-alert:
          name: "Deployment Replica Alert - {{ .ObjectMeta.Name }}"
          type: metric alert
          query: "max(last_10m):max:kubernetes_state.deployment.replicas_available{deployment:{{ .ObjectMeta.Name }},namespace:{{ .ObjectMeta.Namespace }}} <= 0"
          message: |-
            {{ "{{#is_alert}}" }}
            Available replicas is currently 0 for {{ .ObjectMeta.Name }}
            {{ "{{/is_alert}}" }}
            {{ "{{^is_alert}}" }}
            Available replicas is no longer 0 for {{ .ObjectMeta.Name }}
            {{ "{{/is_alert}}" }}
            {{ ClusterVariables.warning_notifications }}
          tags: []
          options:
            no_data_timeframe: 60
            notify_audit: false
            notify_no_data: false
            renotify_interval: 5
            new_host_delay: 5
            evaluation_delay: 300
            timeout: 300
            escalation_message: ""
            threshold_count:
              critical: 0
            require_full_window: true
            locked: false

When I make a configuration change to custom-config.yaml e.g. last_5m to last_10m and run the helm upgrade command again, the configmap is updated appropriately but the changes never make it Datadog monitor (it continues to show last_5m)

Configmap after helm upgrade command:

$kubectl -nops get cm um-astro-data -oyaml | grep query
          query: "max(last_10m):max:kubernetes_state.deployment.replicas_available{deployment:{{ .ObjectMeta.Name }},namespace:{{ .ObjectMeta.Namespace }}} <= 0"

pods logs after helm upgrade:

time="2020-07-13T21:53:07Z" level=info msg="Loading rulesets from /etc/config/config.yml"
time="2020-07-13T21:54:07Z" level=info msg="Loading rulesets from /etc/config/config.yml"
time="2020-07-13T21:55:07Z" level=info msg="Loading rulesets from /etc/config/config.yml"

Also, the configmap changes are only synced if I bounce the old pods.

Right now we are a little too verbose in our logging. I think a lot of the logs can be modified to be DEBUG level. While we're at it we can switch to using klog since a lot of our other projects are making that change or are already using it.

on startup, if an object is found that matches a monitor, it can get created twice.

Once #153 is finished, set up a controller to watch for this CRD object

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

github.com/fairwindsops/astro/cmd: cannot find module providing package github.com/fairwindsops/astro/cmd

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Add filters to change monitors fields/behaviors based on annotations. The filtering system must be extensible so new filters can be added as they're requested. This could be possible by parsing annotations and returning functions that perform operations based on the results.

Some possible examples I've thought about:

• given this annotation:

astro/ignore-resource

perhaps a function is returned that causes all monitors created for the object to NOT get created. Taking that example a step further, given this annotation:

astro/ns-io-wait-times/ignore-resource

would cause only the monitor ns-io-wait-times to get ignored.

• override any monitor field based on an annotation

For example, given this monitor definition:

    ns-io-wait-times:
      name: "I/O Wait Times"
      type: metric alert
      query: "avg(last_10m):avg:system.cpu.iowait{*} by {host} > 50"
      message: |
        {{ "{{^is_recovery }}" }}
        The I/O wait time for {{ "{host.ip}" }} is very high
        - Is the EBS volume out of burst capacity for iops?
        - Is something writing lots of errors to the journal?
        - Is there a pod doing something unexpected (crash looping, etc)?
        {{ "{{/is_recovery}}" }}
        {{ "{{#is_recovery}}" }}
        I/O waiti time for {{ "{host.ip}" }} has returned to normal.
        {{ "{{/is_recovery}}" }}
        {{ "{{#is_alert}}" }}
        {{ ClusterVariables.critical_notifications }}
        {{ "{{/is_alert}}" }}
        {{ "{{#is_alert_recovery}}" }}
        {{ ClusterVariables.critical_notifications }}
        {{ "{{/is_alert_recovery}}" }}
        {{ "{{#is_warning}}" }}
        {{ ClusterVariables.warning_notifications }}
        {{ "{{/is_warning}}" }}
        {{ "{{#is_warning_recovery}}" }}
        {{ ClusterVariables.warning_notifications }}
        {{ "{{/is_warning_recovery}}" }}
      tags:
        - astro
      options:
        notify_audit: false
        new_host_delay: 300
        notify_no_data: false
        require_full_window: true
        locked: false
        thresholds:
          critical: 50
          warning: 30

We might want to override the critical threshold value of 50 to 40. (Note: the query is also affected here)

The config file should be reloaded periodically to pick up updates.

client-go has a nice leader election package that could be used in astro: https://github.com/kubernetes/client-go/tree/master/examples/leader-election . Adding this would enable use to run redundant pods.

dockerimage: v1.6.0
k8s version: 1.15.11

I am using the custom config as follows:

custom_config:
  enabled: true
  data: |
    ---
    cluster_variables:
      warning_notifications: "@[email protected]"
      cluster_name: "sandbox"
    rulesets:
    - type: deployment
      match_annotations:
        - name: astro/owner
          value: falco
      monitors:
        falco-alert:
          name: "[ASTRO TEST] Falco Alert: - {{ ClusterVariables.cluster_name }} "
          type: log alert
          query: "logs(\"service:falco (\"A shell was spawned in a container with an attached terminal\" OR \"Privileged container started\" OR \"File below /etc opened for writing\")\").index(\"main\").rollup(\"count\").last(\"5m\") > 10"
          message: |-
            {{ ClusterVariables.warning_notifications }}
          tags: []
          options:
            no_data_timeframe: 60
            notify_audit: false
            notify_no_data: false
            renotify_interval: 5
            new_host_delay: 5
            evaluation_delay: 300
            timeout: 300
            escalation_message: ""
            threshold_count:
              critical: 10
              warning: 5
            require_full_window: true
            locked: false

On adding an annotation astro/owner=falco to a deployment, the logs show that a datadog monitor is created and deleted right after its creation

Logs:

time="2020-07-16T19:52:41Z" level=debug msg="deployment/ops-managed/stateful-sample-app-drupal-example has been updated."
time="2020-07-16T19:52:41Z" level=debug msg="Handler got an OnUpdate event of type deployment"
time="2020-07-16T19:52:41Z" level=debug msg="Loading rulesets from /etc/config/config.yml"
time="2020-07-16T19:52:41Z" level=debug msg="Reconcile monitor [ASTRO TEST] Falco Alert: - sandbox "
time="2020-07-16T19:52:41Z" level=debug msg="Update templated monitor: [ASTRO TEST] Falco Alert: - sandbox "
time="2020-07-16T19:52:41Z" level=debug msg="deployment/ops-managed/stateful-sample-app-drupal-example has been updated."
time="2020-07-16T19:52:41Z" level=info msg="Creating new monitor: [ASTRO TEST] Falco Alert: - sandbox "
time="2020-07-16T19:52:41Z" level=info msg="Removing monitor: [ASTRO TEST] Falco Alert: - sandbox"
time="2020-07-16T19:52:41Z" level=debug msg="Handler got an OnUpdate event of type deployment"
time="2020-07-16T19:52:41Z" level=debug msg="Old annotations match new, not updating: ops-managed/stateful-sample-app-drupal-example"

My expectation was that the monitor should only be deleted when the annotation is removed

Add endpoints for liveness & readiness probes

While creating 5 datadog monitors as part of my regression testing, I encountered the following API error (Rate limit of 5 requests in 600 seconds reached):

time="2020-07-21T15:59:09Z" level=error msg="Error creating monitor [ASTRO TEST] Deployment Replica Alert for Namespace: um-astro-poc in sandbox : API error 429 Too Many Requests: {\"errors\":[\"Can not create duplicate monitors: Rate limit of 5 requests in 600 seconds reached. Please try again later.\"]}"

Implementing exponential backoff and parametrizing it via a configurable parameter (maybe via helm chart) might be a desirable option.

The 1-minute reload is not triggering the addition and removal of new monitors. Is this expected behavior?

I can confirm that the updates to some of the fields are working, like modifying the message of a monitor.

I'm using image: quay.io/fairwinds/astro:v1.6.0 version of the Astro controller and I'm having an issue with the require_full_window options in all of my monitors. Setting the options for require_full_window: true in my astro-data ConfigMap is not translating to the correct setting in the actual DD monitor.

Here's a snippet of a monitor that I'm trying to make have a require_full_window: true. The monitor gets created with all the right settings except that one.

# ...
    - monitors:
        deployment:
          message: |-
            {{#is_alert}}
            Daemonset 'aws-node' has an issue
            {{/is_alert}}

            {{#is_recovery}}
            Daemonset 'aws-node' ready count recovered
            {{/is_recovery}}
          name: 'aws-node Daemonset Alert'
          options:
            evaluation_delay: 0
            locked: false
            no_data_timeframe: 60
            notify_audit: false
            notify_no_data: false
            renotify_interval: 0
            require_full_window: true
            threshold_count:
              critical: 0
          query: min(last_10m):abs( max:kubernetes_state.daemonset.desired{cluster_name:my-cluster,daemonset:aws-node} - max:kubernetes_state.daemonset.ready{cluster_name:my-cluster,daemonset:aws-node} ) > 0
          type: metric alert
      type: static

Helm chart is available at https://github.com/reactiveops/charts/tree/mh/dd-manager. When the chart is deployed with default values, the config loader throws an exception. Instead, the app should gracefully recover and if a required field is not defined, it should run in a dry-run mode.