Merge pull request #94943 from subhtk/osd-14597

OSDOCS#14959: Added monitoring and querying section to ZTWIM

Author: snarayan-redhat

_topic_maps/_topic_map.yml

@@ -1273,6 +1273,8 @@ Topics:
     File: zero-trust-manager-configuration
   - Name: Zero Trust Workload Identity Manager release notes
     File: zero-trust-manager-release-notes
+  - Name: Monitoring Zero Trust Workload Identity Manager
+    File: zero-trust-manager-monitoring
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/zero-trust-manager-enable-metrics-agent.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-enable-metrics-agent_{context}"]
+= Configuring metrics collection for SPIRE agent by using a Service Monitor
+
+The SPIRE Agent operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Agent by creating a `ServiceMonitor` custom resource (CR), which enables Prometheus Operator to collect custom metrics.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` cluster role.
+* You have installed the {zero-trust-full}.
+* You have deployed the SPIRE Agent operand in the cluster.
+* You have enabled the user workload monitoring.
+
+.Procedure
+
+. Create the `ServiceMonitor` CR:
+
+.. Create the YAML file that defines `ServiceMonitor` CR:
++
+.Example `servicemonitor-spire-agent.yaml` file
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: agent
+    app.kubernetes.io/instance: spire
+  name: spire-agent-metrics
+  namespace: zero-trust-workload-identity-manager
+spec:
+  endpoints:
+  - port: metrics
+    interval: 30s
+    path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: agent
+      app.kubernetes.io/instance: spire
+  namespaceSelector:
+    matchNames:
+    - zero-trust-workload-identity-manager
+----
+
+.. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc create -f servicemonitor-spire-agent.yaml
+----
++
+After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the SPIRE Agent. The collected metrics are labeled with `job="spire-agent"`.
+
+.Verification
+
+. In the {product-title} web console, navigate to *Observe* → *Targets*.
+
+
+. In the *Label* filter field, enter the following label to filter the metrics targets:
++
+[source,terminal]
+----
+$ service=spire-agent
+----
+
+. Confirm that the *Status* column shows `Up` for the `spire-agent-metrics` entry.

modules/zero-trust-manager-enable-metrics-server.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-enable-metrics-server_{context}"]
+= Configuring metrics collection for SPIRE server by using a Service Monitor
+
+The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables Prometheus Operator to collect custom metrics.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` cluster role.
+* You have installed the {zero-trust-full}.
+* You have deployed the SPIRE Server operand in the cluster.
+* You have enabled the user workload monitoring.
+
+.Procedure
+
+. Create the `ServiceMonitor` CR:
+
+.. Create the YAML file that defines `ServiceMonitor` CR:
++
+.Example `servicemonitor-spire-server` file
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: server
+    app.kubernetes.io/instance: spire
+  name: spire-server-metrics
+  namespace: zero-trust-workload-identity-manager
+spec:
+  endpoints:
+  - port: metrics
+    interval: 30s
+    path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: server
+      app.kubernetes.io/instance: spire
+  namespaceSelector:
+    matchNames:
+    - zero-trust-workload-identity-manager
+----
+
+.. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc create -f servicemonitor-spire-server.yaml
+----
++
+After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the SPIRE Server. The collected metrics are labeled with `job="spire-server"`.
+
+.Verification
+
+. In the {product-title} web console, navigate to *Observe* → *Targets*.
+
+
+. In the *Label* filter field, enter the following label to filter the metrics targets:
++
+[source,terminal]
+----
+$ service=spire-server
+----
+
+. Confirm that the *Status* column shows `Up` for the `spire-server-metrics` entry.

modules/zero-trust-manager-enable-monitoring.adoc

@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-enable-monitoring_{context}"]
+= Enabling user workload monitoring
+
+You can enable monitoring for user-defined projects by configuring user workload monitoring in the cluster.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` cluster role.
+
+.Procedure
+
+. Create the `cluster-monitoring-config.yaml` file to define and configure the `ConfigMap`:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-monitoring-config
+  namespace: openshift-monitoring
+data:
+  config.yaml: |
+    enableUserWorkload: true
+----
+
+. Apply the `ConfigMap` by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cluster-monitoring-config.yaml
+----
+
+
+.Verification
+
+* Verify that the monitoring components for user workloads are running in the `openshift-user-workload-monitoring` namespace:
++
+[source,terminal]
+----
+$ oc -n openshift-user-workload-monitoring get pod
+----
++
+.Example output
+[source,text]
+----
+NAME                                   READY   STATUS    RESTARTS   AGE
+prometheus-operator-6cb6bd9588-dtzxq   2/2     Running   0          50s
+prometheus-user-workload-0             6/6     Running   0          48s
+prometheus-user-workload-1             6/6     Running   0          48s
+thanos-ruler-user-workload-0           4/4     Running   0          42s
+thanos-ruler-user-workload-1           4/4     Running   0          42s
+----
+
+The status of the pods such as `prometheus-operator`, `prometheus-user-workload`, and `thanos-ruler-user-workload` must be `Running`.

modules/zero-trust-manager-query-metrics.adoc

@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-query-metrics_{context}"]
+= Querying metrics for the {zero-trust-full}
+
+As a cluster administrator, or as a user with view access to all namespaces, you can query SPIRE Agent and SPIRE Server metrics by using the {product-title} web console or the command line. The query retrieves all the metrics collected from the SPIRE components that match the specified job labels.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {zero-trust-full}.
+* You have deployed the SPIRE Server and SPIRE Agent operands in the cluster.
+* You have enabled monitoring and metrics collection by creating `ServiceMonitor` objects.
+
+.Procedure
+
+. In the query field, enter the following PromQL expression to query SPIRE Server metrics:
++
+[source,promql]
+----
+{job="spire-server"}
+----
+
+. In the query field, enter the following PromQL expression to query SPIRE Agent metrics.
++
+[source,promql]
+----
+{job="spire-agent"}
+----

security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc

@@ -0,0 +1,41 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-monitoring"]
+= Monitoring {zero-trust-full}
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-monitoring
+
+toc::[]
+
+By default, the SPIRE Server and SPIRE Agent components of the {zero-trust-full} emit metrics. You can configure OpenShift Monitoring to collect these metrics by using the Prometheus Operator format.
+
+// Enabling metrics for the {zero-trust-full}
+
+include::modules/zero-trust-manager-enable-monitoring.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/configuring-user-workload-monitoring/preparing-to-configure-the-monitoring-stack-uwm.adoc#configurable-monitoring-components_preparing-to-configure-the-monitoring-stack-uwm[Configuring user workload monitoring]
+
+include::modules/zero-trust-manager-enable-metrics-server.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/configuring-user-workload-monitoring/configuring-metrics-uwm.adoc#setting-up-metrics-collection-for-user-defined-projects_configuring-metrics-uwm[Setting up metrics collection for user-defined projects]
+
+
+include::modules/zero-trust-manager-enable-metrics-agent.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/configuring-user-workload-monitoring/preparing-to-configure-the-monitoring-stack-uwm.adoc#configurable-monitoring-components_preparing-to-configure-the-monitoring-stack-uwm[Configuring user workload monitoring]
+
+// Querying metrics for the {zero-trust-full}
+include::modules/zero-trust-manager-query-metrics.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/accessing-metrics/accessing-metrics-as-an-administrator.adoc#accessing-metrics[Accessing metrics]