From b22126cc2f964e7bcb98f8bb320c9e747c3ba9f3 Mon Sep 17 00:00:00 2001
From: hungran <26101787+hungran@users.noreply.github.com>
Date: Sun, 26 Nov 2023 14:21:24 +0700
Subject: [PATCH] feat: adding optional to expose tetragon-operator metrics

Signed-off-by: hungran <26101787+hungran@users.noreply.github.com>
---
 docs/content/en/docs/reference/helm-chart.md  |  5 ++++-
 install/kubernetes/README.md                  |  5 ++++-
 .../templates/operator_configmap.yaml         |  2 +-
 .../templates/operator_deployment.yaml        |  9 +++++++++
 .../templates/operator_service.yaml           | 19 +++++++++++++++++++
 install/kubernetes/test.sh                    |  4 ++--
 install/kubernetes/values.yaml                |  8 +++++++-
 operator/cmd/serve/serve.go                   |  2 +-
 8 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 install/kubernetes/templates/operator_service.yaml

diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md
index 1922fd13d07..39f2f233489 100644
--- a/docs/content/en/docs/reference/helm-chart.md
+++ b/docs/content/en/docs/reference/helm-chart.md
@@ -90,7 +90,7 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings |
+| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","prometheus":{"address":"","enabled":true,"port":2113},"resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings |
 | tetragonOperator.annotations | object | `{}` | Annotations for the Tetragon Operator Deployment. |
 | tetragonOperator.extraLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment. |
 | tetragonOperator.extraPodLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment Pods. |
@@ -101,6 +101,9 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.podSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | securityContext for the Tetragon Operator Deployment Pod container. |
 | tetragonOperator.priorityClassName | string | `""` | priorityClassName for the Tetragon Operator Deployment Pods. |
+| tetragonOperator.prometheus | object | `{"address":"","enabled":true,"port":2113}` | Enables the Tetragon Operator metrics. |
+| tetragonOperator.prometheus.address | string | `""` | The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces. |
+| tetragonOperator.prometheus.port | int | `2113` | The port at which to expose metrics. |
 | tetragonOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | resources for the Tetragon Operator Deployment Pod container. |
 | tetragonOperator.securityContext | object | `{}` | securityContext for the Tetragon Operator Deployment Pods. |
 | tetragonOperator.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | tetragon-operator service account. |
diff --git a/install/kubernetes/README.md b/install/kubernetes/README.md
index ea8bdb914ba..cb53f769f54 100644
--- a/install/kubernetes/README.md
+++ b/install/kubernetes/README.md
@@ -73,7 +73,7 @@ Helm chart for Tetragon
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings |
+| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","prometheus":{"address":"","enabled":true,"port":2113},"resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings |
 | tetragonOperator.annotations | object | `{}` | Annotations for the Tetragon Operator Deployment. |
 | tetragonOperator.extraLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment. |
 | tetragonOperator.extraPodLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment Pods. |
@@ -84,6 +84,9 @@ Helm chart for Tetragon
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.podSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | securityContext for the Tetragon Operator Deployment Pod container. |
 | tetragonOperator.priorityClassName | string | `""` | priorityClassName for the Tetragon Operator Deployment Pods. |
+| tetragonOperator.prometheus | object | `{"address":"","enabled":true,"port":2113}` | Enables the Tetragon Operator metrics. |
+| tetragonOperator.prometheus.address | string | `""` | The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces. |
+| tetragonOperator.prometheus.port | int | `2113` | The port at which to expose metrics. |
 | tetragonOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | resources for the Tetragon Operator Deployment Pod container. |
 | tetragonOperator.securityContext | object | `{}` | securityContext for the Tetragon Operator Deployment Pods. |
 | tetragonOperator.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | tetragon-operator service account. |
diff --git a/install/kubernetes/templates/operator_configmap.yaml b/install/kubernetes/templates/operator_configmap.yaml
index 296506d3353..65d71ce0d70 100644
--- a/install/kubernetes/templates/operator_configmap.yaml
+++ b/install/kubernetes/templates/operator_configmap.yaml
@@ -7,4 +7,4 @@ metadata:
   {{- include "tetragon-operator.labels" . | nindent 4 }}
 data:
   skip-crd-creation: {{ .Values.tetragonOperator.skipCRDCreation | quote }}
-  skip-pod-info-crd: {{ not .Values.tetragonOperator.podInfo.enabled | quote }}
+  skip-pod-info-crd: {{ not .Values.tetragonOperator.podInfo.enabled | quote }}
\ No newline at end of file
diff --git a/install/kubernetes/templates/operator_deployment.yaml b/install/kubernetes/templates/operator_deployment.yaml
index 598dd3d775b..57800b65606 100644
--- a/install/kubernetes/templates/operator_deployment.yaml
+++ b/install/kubernetes/templates/operator_deployment.yaml
@@ -36,6 +36,9 @@ spec:
         args:
           - serve
           - --config-dir=/etc/tetragon/operator.conf.d/
+        {{- if .Values.tetragonOperator.prometheus.enabled }}
+          - --metrics-bind-address={{ .Values.tetragonOperator.prometheus.address }}:{{ .Values.tetragonOperator.prometheus.port }}
+        {{- end }}
         image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
         imagePullPolicy: {{ .Values.tetragonOperator.image.pullPolicy }}
         volumeMounts:
@@ -49,6 +52,12 @@ spec:
         securityContext:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- if .Values.tetragonOperator.prometheus.enabled }}
+        ports:
+          - name: metrics
+            containerPort: {{ .Values.tetragonOperator.prometheus.port }}
+            protocol: TCP
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz
diff --git a/install/kubernetes/templates/operator_service.yaml b/install/kubernetes/templates/operator_service.yaml
new file mode 100644
index 00000000000..ef0bca9b24d
--- /dev/null
+++ b/install/kubernetes/templates/operator_service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.tetragonOperator.prometheus.enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Release.Name }}-operator-metrics
+  labels: 
+    {{- include "tetragon-operator.labels" . | nindent 4 }}
+spec:
+  ports:
+    - name: metrics
+      port: {{ .Values.tetragonOperator.prometheus.port }}
+      targetPort: {{ .Values.tetragonOperator.prometheus.port }}
+      protocol: TCP
+  selector:
+    {{- include "tetragon-operator.selectorLabels" . | nindent 4 }}
+  type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/install/kubernetes/test.sh b/install/kubernetes/test.sh
index 2862c6a5874..f377a305b31 100755
--- a/install/kubernetes/test.sh
+++ b/install/kubernetes/test.sh
@@ -9,10 +9,10 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 
 alias helm='docker run --rm -v $(pwd):/apps alpine/helm:3.3.4'
-alias kubeval='docker run --rm -i garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d'
+alias kubeconform='docker run --rm -i ghcr.io/yannh/kubeconform:v0.6.4-alpine@sha256:e68a0b638c6e9b76f1b7d58b4ec94340ef3b6601db25b2e40b29e3ac2d68e4bf'
 helm dependency update .
 helm lint . --with-subcharts
-helm template tetragon . | kubeval --strict --additional-schema-locations https://raw.githubusercontent.com/joshuaspence/kubernetes-json-schema/master
+helm template tetragon . | kubeconform --strict --schema-location default
 
 # Update README.md.
 docker run --rm -v "$(pwd):/helm-docs" -u "$(id -u)" jnorwood/helm-docs:v1.11.0@sha256:66c8f4164dec860fa5c1528239c4aa826a12485305b7b224594b1a73f7e6879a
diff --git a/install/kubernetes/values.yaml b/install/kubernetes/values.yaml
index daae6fa3c65..e9f3e7859b8 100644
--- a/install/kubernetes/values.yaml
+++ b/install/kubernetes/values.yaml
@@ -217,7 +217,13 @@ tetragonOperator:
     # -- Enables the PodInfo CRD and the controller that reconciles PodInfo
     # custom resources.
     enabled: false
-
+  # -- Enables the Tetragon Operator metrics.
+  prometheus:
+    enabled: true
+    # -- The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces.
+    address: ""
+    # -- The port at which to expose metrics.
+    port: 2113
 # -- Tetragon event settings
 export:
   # "stdout". "" to disable.
diff --git a/operator/cmd/serve/serve.go b/operator/cmd/serve/serve.go
index 2631aee5bb3..ac0b1546c8d 100644
--- a/operator/cmd/serve/serve.go
+++ b/operator/cmd/serve/serve.go
@@ -90,7 +90,7 @@ func New() *cobra.Command {
 			return nil
 		},
 	}
-	cmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	cmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", ":2113", "The address the metric endpoint binds to.")
 	cmd.Flags().StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	cmd.Flags().BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+