rhobs · philipgough · Nov 28, 2023 · Nov 9, 2023 · Nov 23, 2023 · Nov 23, 2023
diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/observatorium/observatorium v0.0.0-00010101000000-000000000000
 	github.com/openshift/api v3.9.0+incompatible
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.68.0
+	github.com/prometheus/common v0.44.0
 	github.com/pyrra-dev/pyrra v0.7.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.28.2
@@ -50,7 +51,6 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/prometheus/prometheus v1.8.2-0.20220211202545-56e14463bccf // indirect
 	github.com/rodaine/hclencoder v0.0.1 // indirect
@@ -83,4 +83,4 @@ require (
 )
 
 // Delete when https://github.com/observatorium/observatorium/pull/543 is merged to main branch
-replace github.com/observatorium/observatorium => github.com/thibaultmg/observatorium v0.0.0-20231109122152-cc47e5be397b
+replace github.com/observatorium/observatorium => github.com/thibaultmg/observatorium v0.0.0-20231123172357-0705fe74fcd5
diff --git a/go.sum b/go.sum
@@ -1253,8 +1253,8 @@ github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
-github.com/thibaultmg/observatorium v0.0.0-20231109122152-cc47e5be397b h1:HDy/lsnObTgZgeNnq/ZUwQ+5unJdR4gvd3JOKMarQKM=
-github.com/thibaultmg/observatorium v0.0.0-20231109122152-cc47e5be397b/go.mod h1:P+7t9O8AitkuZjUhXC4LHw4iwAzTpIrs0tHz8X3xTvM=
+github.com/thibaultmg/observatorium v0.0.0-20231123172357-0705fe74fcd5 h1:EQ3Qb3hsVxrhlWKl3DWettTcHwKGbGyJp4t6j0q4W3E=
+github.com/thibaultmg/observatorium v0.0.0-20231123172357-0705fe74fcd5/go.mod h1:P+7t9O8AitkuZjUhXC4LHw4iwAzTpIrs0tHz8X3xTvM=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tinylib/msgp v1.0.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=
 github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=

diff --git a/...rvices/app-sre-stage-01/rhobs/default/observatorium-metrics-compact-default-template.yaml b/...rvices/app-sre-stage-01/rhobs/default/observatorium-metrics-compact-default-template.yaml
@@ -247,14 +247,14 @@ objects:
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
           - mountPath: /etc/tls/private
-            name: compact-tls
+            name: tls
             readOnly: true
         nodeSelector:
           kubernetes.io/os: linux
         serviceAccountName: observatorium-thanos-compact-default
         terminationGracePeriodSeconds: 120
         volumes:
-        - name: compact-tls
+        - name: tls
           secret:
             secretName: compact-tls-default
     updateStrategy: {}

diff --git a/...ces/app-sre-stage-01/rhobs/default/observatorium-metrics-query-rule-default-template.yaml b/...ces/app-sre-stage-01/rhobs/default/observatorium-metrics-query-rule-default-template.yaml
@@ -0,0 +1,318 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  creationTimestamp: null
+  name: observatorium-thanos-query-rule-default
+objects:
+- apiVersion: route.openshift.io/v1
+  kind: Route
+  metadata:
+    annotations:
+      cert-manager.io/issuer-kind: ClusterIssuer
+      cert-manager.io/issuer-name: letsencrypt-prod-http
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v0.32.4
+    name: observatorium-thanos-query-rule-default
+    namespace: rhobs
+  spec:
+    host: ""
+    port:
+      targetPort: https
+    tls:
+      insecureEdgeTerminationPolicy: Redirect
+      termination: reencrypt
+    to:
+      kind: Service
+      name: observatorium-thanos-query-rule-default
+      weight: null
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: query-rule-tls-default
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v0.32.4
+    name: observatorium-thanos-query-rule-default
+    namespace: rhobs
+  spec:
+    ports:
+    - name: http
+      port: 10902
+      protocol: TCP
+      targetPort: 10902
+    - name: grpc
+      port: 10901
+      protocol: TCP
+      targetPort: 10901
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+    selector:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+- apiVersion: v1
+  imagePullSecrets:
+  - name: quay.io
+  kind: ServiceAccount
+  metadata:
+    annotations:
+      serviceaccounts.openshift.io/oauth-redirectreference.application: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"observatorium-thanos-query-rule-default"}}'
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v0.32.4
+    name: observatorium-thanos-query-rule-default
+    namespace: rhobs
+- apiVersion: monitoring.coreos.com/v1
+  kind: ServiceMonitor
+  metadata:
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v0.32.4
+      prometheus: app-sre
+    name: observatorium-thanos-query-rule-default
+    namespace: openshift-customer-monitoring
+  spec:
+    endpoints:
+    - port: http
+      relabelings:
+      - action: replace
+        separator: /
+        sourceLabels:
+        - namespace
+        - pod
+        targetLabel: instance
+    namespaceSelector:
+      matchNames:
+      - rhobs
+    selector:
+      matchLabels:
+        app.kubernetes.io/component: query-layer
+        app.kubernetes.io/instance: observatorium
+        app.kubernetes.io/name: thanos-query-rule
+        app.kubernetes.io/part-of: observatorium
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: query-layer
+      app.kubernetes.io/instance: observatorium
+      app.kubernetes.io/name: thanos-query-rule
+      app.kubernetes.io/part-of: observatorium
+      app.kubernetes.io/version: v0.32.4
+    name: observatorium-thanos-query-rule-default
+    namespace: rhobs
+  spec:
+    replicas: ${{REPLICAS}}
+    selector:
+      matchLabels:
+        app.kubernetes.io/component: query-layer
+        app.kubernetes.io/instance: observatorium
+        app.kubernetes.io/name: thanos-query-rule
+        app.kubernetes.io/part-of: observatorium
+    strategy: {}
+    template:
+      metadata:
+        creationTimestamp: null
+        labels:
+          app.kubernetes.io/component: query-layer
+          app.kubernetes.io/instance: observatorium
+          app.kubernetes.io/name: thanos-query-rule
+          app.kubernetes.io/part-of: observatorium
+          app.kubernetes.io/version: v0.32.4
+        namespace: rhobs
+      spec:
+        affinity:
+          podAntiAffinity:
+            preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/instance
+                    operator: In
+                    values:
+                    - observatorium
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                    - thanos-query-rule
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+        containers:
+        - args:
+          - query
+          - --endpoint=dnssrv+_grpc._tcp.observatorium-thanos-receive-ingestor-default.rhobs.svc.cluster.local
+          - --endpoint=dnssrv+_grpc._tcp.observatorium-thanos-store-default.rhobs.svc.cluster.local
+          - --log.format=logfmt
+          - --log.level=${LOG_LEVEL}
+          - --query.auto-downsampling
+          - --query.lookback-delta=15m
+          - --query.max-concurrent=10
+          - --query.promql-engine=prometheus
+          - --query.replica-label=replica
+          - --query.replica-label=prometheus_replica
+          - --query.replica-label=rule_replica
+          - --query.timeout=15m
+          - |
+            --tracing.config=type: JAEGER
+            config:
+              service_name: thanos-query-rule
+              sampler_type: ratelimiting
+              sampler_param: 2
+          - --web.prefix-header=X-Forwarded-Prefix
+          env:
+          - name: HOST_IP_ADDRESS
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+          image: quay.io/thanos/thanos:v0.32.4
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /-/healthy
+              port: 10902
+            periodSeconds: 30
+            timeoutSeconds: 1
+          name: thanos
+          ports:
+          - containerPort: 10902
+            name: http
+            protocol: TCP
+          - containerPort: 10901
+            name: grpc
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 20
+            httpGet:
+              path: /-/ready
+              port: 10902
+            periodSeconds: 5
+          resources:
+            limits:
+              memory: ${MEMORY_LIMIT}
+            requests:
+              cpu: ${CPU_REQUEST}
+              memory: ${MEMORY_REQUEST}
+          terminationMessagePolicy: FallbackToLogsOnError
+        - args:
+          - --reporter.grpc.host-port=dns:///otel-trace-writer-collector-headless.observatorium-tools.svc:14250
+          - --reporter.type=grpc
+          - --agent.tags=pod.namespace=$(NAMESPACE),pod.name=$(POD)
+          env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          image: quay.io/app-sre/jaegertracing-jaeger-agent:1.22.0
+          livenessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /
+              port: 14271
+          name: jaeger-agent
+          ports:
+          - containerPort: 5778
+            name: configs
+            protocol: TCP
+          - containerPort: 6831
+            name: jaeger-thrift
+            protocol: TCP
+          - containerPort: 14271
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 14271
+            initialDelaySeconds: 1
+          resources:
+            limits:
+              cpu: 128m
+              memory: 128Mi
+            requests:
+              cpu: 32m
+              memory: 64Mi
+          terminationMessagePolicy: FallbackToLogsOnError
+        - args:
+          - -provider=openshift
+          - -https-address=:8443
+          - -http-address=
+          - -email-domain=*
+          - -upstream=http://localhost:10902
+          - -openshift-service-account=observatorium-thanos-query-rule-default
+          - '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "rhobs",
+            "namespace": "rhobs"}'
+          - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get",
+            "name": "rhobs", "namespace": "rhobs"}}'
+          - -tls-cert=/etc/tls/private/tls.crt
+          - -tls-key=/etc/tls/private/tls.key
+          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+          - -cookie-secret=${OAUTH_PROXY_COOKIE_SECRET}
+          - -openshift-ca=/etc/pki/tls/cert.pem
+          - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          image: quay.io/openshift/origin-oauth-proxy:4.15
+          name: oauth-proxy
+          ports:
+          - containerPort: 8443
+            name: https
+            protocol: TCP
+          resources:
+            limits:
+              cpu: 200m
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: tls
+            readOnly: true
+        nodeSelector:
+          kubernetes.io/os: linux
+        serviceAccountName: observatorium-thanos-query-rule-default
+        terminationGracePeriodSeconds: 120
+        volumes:
+        - name: tls
+          secret:
+            secretName: query-rule-tls-default
+parameters:
+- name: LOG_LEVEL
+  value: warn
+- name: REPLICAS
+  value: "1"
+- name: CPU_REQUEST
+  value: 250m
+- name: MEMORY_LIMIT
+  value: 8Gi
+- name: MEMORY_REQUEST
+  value: 2Gi
+- from: '[a-zA-Z0-9]{40}'
+  generate: expression
+  name: OAUTH_PROXY_COOKIE_SECRET