Merge pull request #155 from projectsyn/feat/clustermesh-alerts

Implement initial alert for Cilium Clustermesh

Author: simu

.cruft.json

@@ -7,7 +7,7 @@
       "name": "Cilium",
       "slug": "cilium",
       "parameter_key": "cilium",
-      "test_cases": "defaults helm-opensource olm-opensource egress-gateway bgp-control-plane kubeproxyreplacement-strict l2-announcement",
+      "test_cases": "defaults helm-opensource olm-opensource egress-gateway bgp-control-plane kubeproxyreplacement-strict l2-announcement clustermesh",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",
@@ -24,7 +24,8 @@
       "github_owner": "projectsyn",
       "github_name": "component-cilium",
       "github_url": "https://github.com/projectsyn/component-cilium",
-      "_template": "https://github.com/projectsyn/commodore-component-template.git"
+      "_template": "https://github.com/projectsyn/commodore-component-template.git",
+      "_commit": "98d16f99766e6c6d97322dbe42e058f0e2bf73d0"
     }
   },
   "directory": null

.github/workflows/test.yaml

@@ -39,6 +39,7 @@ jobs:
           - bgp-control-plane
           - kubeproxyreplacement-strict
           - l2-announcement
+          - clustermesh
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -60,6 +61,7 @@ jobs:
           - bgp-control-plane
           - kubeproxyreplacement-strict
           - l2-announcement
+          - clustermesh
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -57,4 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml tests/egress-gateway.yml tests/bgp-control-plane.yml tests/kubeproxyreplacement-strict.yml tests/l2-announcement.yml
+test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml tests/egress-gateway.yml tests/bgp-control-plane.yml tests/kubeproxyreplacement-strict.yml tests/l2-announcement.yml tests/clustermesh.yml

class/cilium.yml

@@ -4,6 +4,13 @@ parameters:
     opensource: cilium
     enterprise: cilium-enterprise
   =_kapitan:
+    jsonnet_input_paths:
+      - ${_base_directory}/component/aggregated-clusterroles.jsonnet
+      - ${_base_directory}/component/egress-gateway-policies.jsonnet
+      - ${_base_directory}/component/l2-announcement-policies.jsonnet
+      - ${_base_directory}/component/bgp-control-plane.jsonnet
+      - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
+      - ${_base_directory}/component/alerts.jsonnet
     olm:
       dependencies:
         - type: https
@@ -22,12 +29,7 @@ parameters:
           input_type: jsonnet
           output_path: ${_instance}/olm/
 
-        - input_paths:
-            - ${_base_directory}/component/aggregated-clusterroles.jsonnet
-            - ${_base_directory}/component/egress-gateway-policies.jsonnet
-            - ${_base_directory}/component/l2-announcement-policies.jsonnet
-            - ${_base_directory}/component/bgp-control-plane.jsonnet
-            - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
+        - input_paths: ${_kapitan:jsonnet_input_paths}
           input_type: jsonnet
           output_path: ${_instance}/
 
@@ -49,12 +51,7 @@ parameters:
             - ${_base_directory}/component/helm-namespace.jsonnet
           input_type: jsonnet
           output_path: ${_instance}/01_cilium_helmchart
-        - input_paths:
-            - ${_base_directory}/component/aggregated-clusterroles.jsonnet
-            - ${_base_directory}/component/egress-gateway-policies.jsonnet
-            - ${_base_directory}/component/l2-announcement-policies.jsonnet
-            - ${_base_directory}/component/bgp-control-plane.jsonnet
-            - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
+        - input_paths: ${_kapitan:jsonnet_input_paths}
           input_type: jsonnet
           output_path: ${_instance}/
         - input_paths:

class/defaults.yml

@@ -107,6 +107,11 @@ parameters:
       peerings: {}
       loadbalancer_ip_pools: {}
 
+    alerts:
+      ignoreNames: []
+      patches: {}
+      additionalRules: {}
+
     olm:
       source:
         opensource: https://github.com/isovalent/olm-for-cilium/archive/main.tar.gz

component/alerts.jsonnet

@@ -0,0 +1,97 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local prom = import 'lib/prom.libsonnet';
+local util = import 'util.libsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cilium;
+
+local ignoreNames = com.renderArray(params.alerts.ignoreNames);
+
+local clustermesh_enabled =
+  std.get(params.cilium_helm_values, 'clustermesh', { config: { enabled: false } }).config.enabled;
+
+local alertpatching = if util.isOpenshift then
+  import 'lib/alert-patching.libsonnet'
+else
+  {
+    filterPatchRules(g, ignoreNames, patches, preserveRecordingRules, patchNames): g,
+  };
+
+local clustermesh_group = {
+  name: 'cilium-clustermesh.rules',
+  rules: [
+    {
+      local this = self,
+      alert: 'CiliumClustermeshRemoteClusterNotReady',
+      expr: 'cilium_clustermesh_remote_cluster_readiness_status == 0',
+      'for': '10m',
+      labels: {
+        severity: 'critical',
+      },
+      annotations: {
+        runbook_url:
+          'https://hub.syn.tools/cilium/runbooks/CiliumClustermeshRemoteClusterNotReady.html',
+        message: 'Remote cluster ${{ labels.target_cluster }} not reachable from ${{ labels.source_node_name }}',
+        description: |||
+          Remote cluster ${{ labels.target_cluster }} has been unreachable from
+          ${{ labels.source_node_name }} on cluster ${{ labels.source_cluster }} for the
+          last %s.
+        ||| % this['for'],
+      },
+    },
+  ],
+};
+
+local clustermesh_alerts = prom.PrometheusRule('cilium-clustermesh') {
+  spec+: {
+    groups: [
+      alertpatching.filterPatchRules(
+        clustermesh_group,
+        ignoreNames=ignoreNames,
+        patches=params.alerts.patches,
+        preserveRecordingRules=true,
+        patchNames=false,
+      ),
+    ],
+  },
+};
+
+local additional_group =
+  local parseRuleName(rname) =
+    local rparts = std.splitLimit(rname, ':', 1);
+    assert
+      std.length(rparts) == 2 :
+      'Expected custom alert rule to be prefixed with `record:` or `alert:`.';
+    assert
+      std.member([ 'alert', 'record' ], rparts[0]) :
+      'Expected custom alert rule to be prefixed with `record:` or `alert:`, got `%s:`.' % rparts[0];
+    { [rparts[0]]: rparts[1] };
+  {
+    name: 'cilium-user.rules',
+    rules: [
+      params.alerts.additionalRules[rname] + parseRuleName(rname)
+      for rname in std.objectFields(params.alerts.additionalRules)
+    ],
+  };
+
+local additional_alerts = prom.PrometheusRule('cilium-custom') {
+  spec+: {
+    groups: [
+      alertpatching.filterPatchRules(
+        additional_group,
+        ignoreNames=ignoreNames,
+        patches=params.alerts.patches,
+        preserveRecordingRules=true,
+        patchNames=false,
+      ),
+    ],
+  },
+};
+
+{
+  [if clustermesh_enabled && std.length(clustermesh_group.rules) > 0 then
+    '10_clustermesh_alerts']: clustermesh_alerts,
+  [if std.length(additional_group.rules) > 0 then
+    '10_custom_alerts']: additional_alerts,
+}

docs/modules/ROOT/pages/references/parameters.adoc

@@ -712,6 +712,46 @@ Make sure to check the upstream documentation for the version of Cilium that you
 The LoadBalancer IP address management (LB IPAM) feature is under active development and sometimes has significant changes between Cilium minor versions.
 ====
 
+== `alerts`
+
+This section allows users to configure alerts for Cilium.
+The component expects that an externally-managed Prometheus stack is running on the target cluster.
+For OpenShift 4, the component makes use of the component libraries provided by https://github.com/appuio/component-openshift4-monitoring.git[component `openshift4-monitoring`].
+On other distributions, the component expects that a component library `prom.libsonnet` is available, for example via https://github.com/projectsyn/component-prometheus.git[component `prometheus`].
+
+=== `alerts.ignoreNames`
+
+[horizontal]
+type:: list
+default:: `[]`
+
+Alerts which shouldn't be deployed.
+The list supports removal of entries by prefixing them with `~`.
+
+=== `alerts.patches`
+
+[horizontal]
+type:: dict
+default:: `{}`
+
+Patches for alerts managed by the component.
+The component expects that keys in this object match the name of an alert managed through the component.
+The value of each entry is expected to be a valid partial Prometheus rule definition.
+
+=== `alerts.additionalRules`
+
+[horizontal]
+type:: dict
+default:: `{}`
+
+This parameter allows users to configure additional Prometheus recording and alerting rules.
+The component expects that keys of this object are prefixed with either `alert:` or `record:` and will use these prefixes to create alerting or recording rules.
+The component will take the suffix of the key as the alerting or recording rule name and will set field `alert` or `record` of the rule to the suffix.
+The value of each entry will be used as the base Prometheus rule in which the `alert` or `record` field will be injected.
+
+NOTE: Parameters `alerts.ignoreNames` and `alerts.patches` are also applied to alerts defined through this parameter.
+
+
 == Example
 
 [source,yaml]

docs/modules/ROOT/pages/runbooks/CiliumClustermeshRemoteClusterNotReady.adoc

@@ -0,0 +1,127 @@
+= CiliumClustermeshRemoteClusterNotReady
+
+include::partial$runbooks/contribution_note.adoc[]
+
+== icon:glasses[] Overview
+
+This alert fires if a remote cluster is not reachable from a node for 10 minutes or longer.
+This usually indicates one of the following two:
+
+. A local issue on the node prevents the Cilium agent to connect to the remote cluster or the cluster mesh API server
+. The remote cluster's cluster mesh API server is not available
+. There are network issues preventing cluster mesh connectivity
+
+TIP: Depending on the network configuration, there may be static routes on each node for the remote cluster's cluster mesh API server.
+
+NOTE: When using KVStoreMesh, the agents on the cluster connect to the *local* cache of the remote cluster mesh API server.
+
+== icon:bug[] Steps for debugging
+
+NOTE: The steps in this section assume that your current Kubernetes context points to the source cluster.
+
+TIP: This section assumes that you're running cluster mesh with the cluster mesh API server enabled.
+
+=== Prerequisites
+
+* `cilium` CLI, install from https://github.com/cilium/cilium-cli[icon:github[] cilium/cilium-cli]
+
+=== Identifying the root cause
+
+First, check the source cluster's overall cluster mesh status
+
+[source,bash]
+----
+cilium -n cilium clustermesh status --as=cluster-admin <1>
+----
+<1> `--as=cluster-admin` is required on VSHN Managed OpenShift, may need to be left out on other clusters.
+
+If the output indicates that all nodes are unable to connect to the remote cluster's clustermesh API, it's likely that the issue is either on the remote cluster, or in the network between the clusters.
+
+If the output indicates that only a few source nodes are affected, it's likely that the issue is in the Cilium agent or the routing configuration of the nodes.
+
+=== Investigating cluster mesh API
+
+The cluster mesh API runs in the `cilium` namespace as deployment `clustermesh-apiserver`.
+Check that the pod runs and check the logs for errors with
+
+[source,bash]
+----
+kubectl -n cilium get pods -l app.kubernetes.io/name=clustermesh-apiserver
+kubectl -n cilium logs deploy/clustermesh-apiserver --all-containers
+----
+
+=== Checking connectivity from a Cilium agent pod
+
+If the `cilium clustermesh status` output indicates that only a few nodes are affected, you can run a more detailed check from the nodes' agent pods.
+In the output of these command, you should see whether the agent can connect to the cluster mesh API and whether the clustermesh certificates are still valid.
+
+[source,bash]
+----
+NODE=<node name of affected node> <1>
+AGENT_POD=$(kubectl -n cilium get pods --field-selector=spec.nodeName=$NODE \
+  -l app.kubernetes.io/name=cilium-agent -oname)
+
+kubectl -n cilium exec -it $AGENT_POD --as=cluster-admin -- cilium status <2>
+kubectl -n cilium exec -it $AGENT_POD --as=cluster-admin -- cilium troubleshoot clustermesh <3>
+----
+<1> Set this to the name of an affected node's `Node` object
+<2> Show a summary of the Cilium agent status.
+You should see in the output of this command whether the agent can't reach one or more of the remote cluster's nodes.
+<3> This command will show connection details to the remote cluster's cluster mesh API server or the local cache in case you're using KVStoreMesh.
+
+TIP: `--as=cluster-admin` may need to be left out on some clusters.
+
+If the output of `cilium troubleshoot clustermesh` refers to the local cluster's cluster mesh API server, it's likely that you're using KVStoreMesh.
+In that case you can check the KVStoreMesh connection to the remote cluster mesh API server in the `clustermesh-apiserver` deployment:
+
+[source,bash]
+----
+kubectl -n cilium --as=cluster-admin exec -it deploy/clustermesh-apiserver -c kvstoremesh -- \
+   clustermesh-apiserver kvstoremesh-dbg status <1>
+
+kubectl exec -it -n cilium --as=cluster-admin deploy/clustermesh-apiserver -c kvstoremesh -- \
+  clustermesh-apiserver kvstoremesh-dbg troubleshoot <2>
+----
+<1> Show a connection summary of the KVStoreMesh
+<2> Show connection details of the KVStoreMesh
+
+You can also run `cilium-health status --probe` in the agent pod to actively probe the node to node connectivity:
+
+[source,bash]
+----
+kubectl -n cilium exec -it $AGENT_POD --as=cluster-admin -- cilium-health status --probe
+----
+
+=== Checking node routing tables and connectivity
+
+For setups which use static routes to make the nodes of the clusters participating in the cluster mesh reachable from each other, you can check the routing tables on the host and verify connectivity with `ping`.
+
+.OpenShift 4
+[source,bash]
+----
+NODE=<node name of affected node>
+REMOTE_NODE=<ip of a node in the remote cluster>
+oc -n syn-debug-nodes debug node/${NODE} --as=cluster-admin -- chroot /host ip r
+oc -n syn-debug-nodes debug node/${NODE} --as=cluster-admin -- chroot /host ping -c4 ${REMOTE_NODE}
+----
+
+.Other K8s
+[source,bash]
+----
+DEBUG_IMAGE=ghcr.io/digitalocean-packages/doks-debug:latest <1>
+NODE=<node name of affected node>
+REMOTE_NODE=<ip of a node in the remote cluster>
+kubectl debug node/${NODE} -it --image=${DEBUG_IMAGE} -- ip r
+kubectl debug node/${NODE} -it --image=${DEBUG_IMAGE} -- ping -c4 ${REMOTE_NODE} <2>
+----
+<1> We're using the DigitalOcean `doks-debug` image, which comes with a bunch of common tools installed.
+See https://github.com/digitalocean/doks-debug[icon:github[] digitalocean/doks-debug] for details.
+<2> This command hasn't been tested yet, it's possible that your cluster configuration will not allow `ping` in node debug containers.
+
+== icon:book[] Upstream documentation
+
+* https://docs.cilium.io/en/latest/network/clustermesh/intro/[Cilium OSS --  Cluster Mesh documetation]
+* https://docs.isovalent.com/configuration-guide/cluster-mesh/troubleshooting.html[Cilium OSS --  Cluster Mesh Troubleshooting]
+* https://docs.cilium.io/en/stable/operations/troubleshooting/#troubleshooting-clustermesh[Cilium OSS -- Troubleshooting Cluster Mesh]
+* https://docs.isovalent.com/configuration-guide/cluster-mesh/operating.html[Cilium Enterprise -- Operating Cluster Mesh]
+* https://docs.isovalent.com/configuration-guide/cluster-mesh/troubleshooting.html[Cilium Enterprise -- Troubleshooting Cluster Mesh]

docs/modules/ROOT/partials/nav.adoc

@@ -6,3 +6,7 @@
 * xref:how-tos/upgrade-cilium-enterprise.adoc[Upgrade Cilium Enterprise]
 * OpenShift 4
 ** xref:how-tos/openshift4/upgrade-cilium-oss-to-cilium-enterprise.adoc[Upgrade Cilium OSS to Cilium Enterprise]
+
+.Runbooks
+
+* xref:runbooks/CiliumClustermeshRemoteClusterNotReady.adoc[]

jsonnetfile.jsonnet

@@ -0,0 +1,15 @@
+{
+  version: 1,
+  dependencies: [
+    {
+      source: {
+        git: {
+          remote: 'https://github.com/projectsyn/jsonnet-libs',
+          subdir: '',
+        },
+      },
+      version: 'main',
+      name: 'syn',
+    },
+  ],
+}