prometheus: Introduce RuleFile Custom Resource Definition

This patch introduces a new Custom Resource Definition to the Prometheus Operator - the Rule CRD. It addresses two main needs: 1. Prometheus (alerting and recording) Rule validation during creation time via Kubernetes Custom Resource Definition validation. 2. Life-cycle management of Prometheus application Rules alongside the application itself, inside the applications Kubernetes namespace, not necessarily the namespace of the scraping Prometheus instance. A user defines Prometheus alerting and recording Rules via a Kubernetes Custom Resource Definition. These Custom Resource Definitions can be fully validated by the Kubernetes API server during creation time via automatically generated OpenAPI specifications. Instead of the restriction of a Prometheus instance to only select Rule definitions inside its own namespace, the Prometheus specification is extended to also specify namespaces to look for Rule Custom Resource Definitions outside its own namespace. --- Dependent technical changes: - prometheus: Use github.com/jimmidyson/configmap-reload to reload rules - prometheus: Remove Prometheus Statefulset deletion function. Starting with K8s >=1.8 this is handled via OwnerReferences. - prometheus: Do not add rule files checksum to Prometheus configuration secret - prometheus: Update StatefulSet only on relevant changes. Instead of updating the Prometheus StatefulSet on every `sync()` run, only update it if the input parameters to `makeStatefulSet` change. Enforce this via a checksum of the parameters which is saved inside the annotations of the statefulset. - e2e/prometheus: Check how often resources (Secret, ConfigMap, Prometheus CRD, Service) are updated to enforce that Prometheus Operator only updated created resources if necessary. - contrib/prometheus-config-reloader: Remove logic to retriev K8s ConfigMaps. These are mounted into the pod right away now.
2018-05-08 09:43:45 +02:00
parent 0461c85098
commit 9e180452f8
9 changed files with 150 additions and 12 deletions
--- a/manifests/0prometheus-operator-0alertmanagerCustomResourceDefinition.yaml
+++ b/manifests/0prometheus-operator-0alertmanagerCustomResourceDefinition.yaml
@@ -666,7 +666,7 @@ spec:
                              description: Specify whether the ConfigMap must be defined
                              type: boolean
                        prefix:
-                          description: An optional identifer to prepend to each key
+                          description: An optional identifier to prepend to each key
                            in the ConfigMap. Must be a C_IDENTIFIER.
                          type: string
                        secretRef:
@@ -1120,6 +1120,14 @@ spec:
                        description: Whether this container has a read-only root filesystem.
                          Default is false.
                        type: boolean
+                      runAsGroup:
+                        description: The GID to run the entrypoint of the container
+                          process. Uses runtime default if unset. May also be set
+                          in PodSecurityContext.  If set in both SecurityContext and
+                          PodSecurityContext, the value specified in SecurityContext
+                          takes precedence.
+                        format: int64
+                        type: integer
                      runAsNonRoot:
                        description: Indicates that the container must run as a non-root
                          user. If true, the Kubelet will validate the image at runtime
@@ -1231,8 +1239,7 @@ spec:
                          description: mountPropagation determines how mounts are
                            propagated from the host to container and the other way
                            around. When not set, MountPropagationHostToContainer
-                            is used. This field is alpha in 1.8 and can be reworked
-                            or removed in a future release.
+                            is used. This field is beta in 1.10.
                          type: string
                        name:
                          description: This must match the Name of a Volume.
@@ -1614,6 +1621,13 @@ spec:
                    If unset, the Kubelet will not modify the ownership and permissions of any volume.
                  format: int64
                  type: integer
+                runAsGroup:
+                  description: The GID to run the entrypoint of the container process.
+                    Uses runtime default if unset. May also be set in SecurityContext.  If
+                    set in both SecurityContext and PodSecurityContext, the value
+                    specified in SecurityContext takes precedence for that container.
+                  format: int64
+                  type: integer
                runAsNonRoot:
                  description: Indicates that the container must run as a non-root
                    user. If true, the Kubelet will validate the image at runtime