Add external Prometheus on OpenShift E2E

czeslavo · czeslavo · commit b8c743137417 · 2025-09-26T14:28:56.000+02:00
diff --git a/hack/ci-deploy.sh b/hack/ci-deploy.sh
@@ -108,6 +108,10 @@ if [[ -n ${SO_INSTALL_XFSPROGS_ON_NODES:-} ]]; then
   kubectl_create -f "${ARTIFACTS_DEPLOY_DIR}"/install-xfsprogs.daemonset.yaml
 fi
 
+if [[ "${SO_ENABLE_OPENSHIFT_USER_WORKLOAD_MONITORING:-}" == "true" ]]; then
+  kubectl_create -f "${ARTIFACTS_DEPLOY_DIR}/openshift-uwm.cm.yaml"
+fi
+
 kubectl_create -n haproxy-ingress -f "${ARTIFACTS_DEPLOY_DIR}/haproxy-ingress"
 kubectl_create -f "${ARTIFACTS_DEPLOY_DIR}"/cert-manager.yaml
 
diff --git a/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go b/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go
@@ -38,7 +38,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
+	apimachineryutilintstr "k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/util/cert"
 	"k8s.io/klog/v2"
 )
@@ -70,7 +70,7 @@ var _ = g.Describe("ScyllaDBMonitoring", func() {
 	f := framework.NewFramework("scylladbmonitoring")
 
 	// Disabled on OpenShift because of https://github.com/scylladb/scylla-operator/issues/2319#issuecomment-2643287819
-	g.DescribeTable("should setup monitoring stack TESTCASE_DISABLED_ON_OPENSHIFT", func(ctx g.SpecContext, e *scyllaDBMonitoringEntry) {
+	g.DescribeTable("should setup monitoring stack", func(ctx g.SpecContext, e *scyllaDBMonitoringEntry) {
 		framework.By("Creating a ScyllaCluster with a single node")
 		sc := createTestScyllaCluster(ctx, f)
 
@@ -88,8 +88,10 @@ var _ = g.Describe("ScyllaDBMonitoring", func() {
 		framework.By("Waiting for the ScyllaDBMonitoring to roll out")
 		awaitScyllaDBMonitoringRollout(ctx, f, sm)
 
-		framework.By("Verifying that Prometheus is configured correctly")
-		e.VerifyPrometheusFn(ctx, f, sm)
+		if e.VerifyPrometheusFn != nil {
+			framework.By("Verifying that Prometheus is configured correctly")
+			e.VerifyPrometheusFn(ctx, f, sm)
+		}
 
 		framework.By("Verifying that Grafana is configured correctly")
 		e.VerifyGrafanaFn(ctx, f, sm)
@@ -146,7 +148,7 @@ var _ = g.Describe("ScyllaDBMonitoring", func() {
 			VerifyPrometheusFn:          verifyExternalPrometheusWithoutTLS,
 			VerifyGrafanaFn:             verifyManagedGrafanaWithDashboards(getExpectedPlatformDashboards()),
 		}),
-		g.FEntry(describeEntry, &scyllaDBMonitoringEntry{
+		g.Entry(describeEntry, &scyllaDBMonitoringEntry{
 			Description: "Platform type with external Prometheus with TLS",
 			ScyllaDBMonitoringModifierFn: func(sm *scyllav1alpha1.ScyllaDBMonitoring) {
 				sm.Spec.Type = pointer.Ptr(scyllav1alpha1.ScyllaDBMonitoringTypePlatform)
@@ -172,6 +174,41 @@ var _ = g.Describe("ScyllaDBMonitoring", func() {
 			VerifyPrometheusFn:          verifyExternalPrometheusWithTLS,
 			VerifyGrafanaFn:             verifyManagedGrafanaWithDashboards(getExpectedPlatformDashboards()),
 		}),
+		g.FEntry(describeEntry, &scyllaDBMonitoringEntry{
+			Description: "Platform type with Thanos Querier on OpenShift",
+			ScyllaDBMonitoringModifierFn: func(sm *scyllav1alpha1.ScyllaDBMonitoring) {
+				sm.Spec.Type = pointer.Ptr(scyllav1alpha1.ScyllaDBMonitoringTypePlatform)
+				sm.Spec.Components.Prometheus.Mode = scyllav1alpha1.PrometheusModeExternal
+				sm.Spec.Components.Grafana.Datasources = []scyllav1alpha1.GrafanaDatasourceSpec{
+					{
+						Name: "prometheus",
+						Type: scyllav1alpha1.GrafanaDatasourceTypePrometheus,
+						URL:  "https://thanos-querier.openshift-monitoring.svc:9091",
+						PrometheusOptions: &scyllav1alpha1.GrafanaPrometheusDatasourceOptions{
+							TLS: &scyllav1alpha1.GrafanaDatasourceTLSSpec{
+								InsecureSkipVerify: false,
+								CACertConfigMapRef: &scyllav1alpha1.LocalObjectKeySelector{
+									Name: "openshift-service-ca.crt",
+									Key:  "service-ca.crt",
+								},
+							},
+							Auth: &scyllav1alpha1.GrafanaPrometheusDatasourceAuthSpec{
+								Type: scyllav1alpha1.GrafanaPrometheusDatasourceAuthTypeBearerToken,
+								BearerTokenOptions: &scyllav1alpha1.GrafanaPrometheusDatasourceBearerTokenAuthOptions{
+									SecretRef: &scyllav1alpha1.LocalObjectKeySelector{
+										Name: monitoringAccessServiceAccountNameOnOpenShift(sm),
+										Key:  "token",
+									},
+								},
+							},
+						},
+					},
+				}
+			},
+			PrepareExternalPrometheusFn: prepareOpenShiftMonitoring,
+			VerifyPrometheusFn:          nil, // Nothing to verify, we trust OpenShift.
+			VerifyGrafanaFn:             verifyManagedGrafanaWithDashboards(getExpectedPlatformDashboards()),
+		}),
 	)
 })
 
@@ -400,6 +437,7 @@ func verifyManagedGrafanaWithDashboards(
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		verifyGrafanaDashboards(grafanaClient, expectedDashboards, expectedHomeDashboardUID)
+		verifyPrometheusGrafanaDataSource(grafanaClient)
 	}
 }
 
@@ -423,6 +461,18 @@ func verifyGrafanaDashboards(grafanaClient *grafana.Client, expectedDashboards [
 	o.Expect(homeDashboardUID).To(o.Equal(expectedHomeDashboardUID))
 }
 
+func verifyPrometheusGrafanaDataSource(grafanaClient *grafana.Client) {
+	g.GinkgoHelper()
+
+	framework.By("Verifying 'prometheus' Grafana data source")
+	o.Eventually(func(eo o.Gomega) {
+		health, err := grafanaClient.DatasourceHealth("prometheus")
+		framework.Infof("Checking 'prometheus' grafana data source health: err: %v, health: %v, message: %s", err, health.OK, health.Message)
+		eo.Expect(err).NotTo(o.HaveOccurred())
+		eo.Expect(health.OK).To(o.Equal(true))
+	}).WithTimeout(10 * time.Minute).WithPolling(1 * time.Second).Should(o.Succeed())
+}
+
 // getExpectedPlatformDashboards returns the expected grafana dashboards.
 // Platform dashboards come directly from ScyllaDB Monitoring, so we do not know the expected values
 // and given the size they are not feasible to be maintained as a duplicate.
@@ -685,7 +735,7 @@ func createExternalPrometheusInstanceWithoutTLS(ctx context.Context, f *framewor
 				Alertmanagers: []monitoringv1.AlertmanagerEndpoints{
 					{
 						Name: "scylla-monitoring",
-						Port: intstr.FromString("web"),
+						Port: apimachineryutilintstr.FromString("web"),
 					},
 				},
 			},
@@ -753,7 +803,7 @@ func createExternalPrometheusInstanceWithTLS(ctx context.Context, f *framework.F
 				Alertmanagers: []monitoringv1.AlertmanagerEndpoints{
 					{
 						Name: "scylla-monitoring",
-						Port: intstr.FromString("web"),
+						Port: apimachineryutilintstr.FromString("web"),
 					},
 				},
 			},
@@ -771,6 +821,71 @@ func createExternalPrometheusInstanceWithTLS(ctx context.Context, f *framework.F
 	return prom
 }
 
+func prepareOpenShiftMonitoring(ctx context.Context, f *framework.Framework, sm *scyllav1alpha1.ScyllaDBMonitoring) {
+	g.GinkgoHelper()
+
+	framework.By("Creating a ServiceAccount for monitoring access on OpenShift")
+	sa := createMonitoringAccessServiceAccountOnOpenShift(ctx, f, sm)
+
+	framework.By("Binding cluster-monitoring-view ClusterRole to the ServiceAccount")
+	bindClusterMonitoringViewClusterRoleToServiceAccount(ctx, f, sa)
+
+	framework.By("Creating a Secret with the ServiceAccount token")
+	createServiceAccountTokenSecret(ctx, f, sa)
+}
+
+func createMonitoringAccessServiceAccountOnOpenShift(ctx context.Context, f *framework.Framework, sm *scyllav1alpha1.ScyllaDBMonitoring) *corev1.ServiceAccount {
+	sa, err := f.KubeAdminClient().CoreV1().ServiceAccounts(f.Namespace()).Create(ctx, &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      monitoringAccessServiceAccountNameOnOpenShift(sm),
+			Namespace: f.Namespace(),
+		},
+	}, metav1.CreateOptions{
+		FieldManager: f.FieldManager(),
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	return sa
+}
+
+func bindClusterMonitoringViewClusterRoleToServiceAccount(ctx context.Context, f *framework.Framework, sa *corev1.ServiceAccount) {
+	_, err := f.KubeAdminClient().RbacV1().ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: sa.Name,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      sa.Name,
+				Namespace: sa.Namespace,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "cluster-monitoring-view",
+		},
+	}, metav1.CreateOptions{
+		FieldManager: f.FieldManager(),
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
+
+func createServiceAccountTokenSecret(ctx context.Context, f *framework.Framework, sa *corev1.ServiceAccount) {
+	_, err := f.KubeAdminClient().CoreV1().Secrets(f.Namespace()).Create(ctx, &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sa.Name,
+			Namespace: f.Namespace(),
+			Annotations: map[string]string{
+				"kubernetes.io/service-account.name": sa.Name,
+			},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}, metav1.CreateOptions{
+		FieldManager: f.FieldManager(),
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
+
 func verifyExternalPrometheusWithoutTLS(ctx context.Context, f *framework.Framework, sm *scyllav1alpha1.ScyllaDBMonitoring) {
 	g.GinkgoHelper()
 
@@ -859,3 +974,7 @@ func prometheusCACertConfigMapNameForScyllaDBMonitoring(sm *scyllav1alpha1.Scyll
 func prometheusTLSSecretNameForScyllaDBMonitoring(sm *scyllav1alpha1.ScyllaDBMonitoring) string {
 	return fmt.Sprintf("%s-prometheus-tls", sm.Name)
 }
+
+func monitoringAccessServiceAccountNameOnOpenShift(sm *scyllav1alpha1.ScyllaDBMonitoring) string {
+	return fmt.Sprintf("%s-monitoring-access", sm.Name)
+}
diff --git a/test/e2e/utils/grafana/client.go b/test/e2e/utils/grafana/client.go
@@ -95,3 +95,26 @@ func (c *Client) HomeDashboardUID() (string, error) {
 
 	return "", fmt.Errorf("unexpected type for dashboard payload")
 }
+
+type DatasourceHealth struct {
+	Message string
+	OK      bool
+}
+
+func (c *Client) DatasourceHealth(datasourceName string) (DatasourceHealth, error) {
+	resp, err := c.c.Datasources.GetDataSourceByName(datasourceName)
+	if err != nil {
+		return DatasourceHealth{}, fmt.Errorf("failed to get datasource %q: %w", datasourceName, err)
+	}
+
+	datasourceUID := resp.GetPayload().UID
+	healthResp, err := c.c.Datasources.CheckDatasourceHealthWithUID(datasourceUID)
+	if err != nil {
+		return DatasourceHealth{}, fmt.Errorf("failed to check health for datasource %q (UID %s): %w", datasourceName, datasourceUID, err)
+	}
+
+	return DatasourceHealth{
+		Message: healthResp.GetPayload().Message,
+		OK:      healthResp.IsSuccess(),
+	}, nil
+}
