openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/external-secrets-enable-metrics.adoc
Andrea Hoffer bf30f56217 Fixing typos on main
2026-01-27 21:08:23 +00:00

129 lines
3.8 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * security/external_secrets_operator/exteernal-secrets-monitoring.adoc
:_mod-docs-content-type: PROCEDURE
[id="external-secrets-enable-metrics_{context}"]
= Configuring metrics collection for {external-secrets-operator} operands by using a ServiceMonitor
[role="_abstract"]
The {external-secrets-operator} operands exposes metrics by default on port `8080` at the `/metrics` service endpoint for all three components (`external-secrets`, `external-secrets-cert-controll`, and `external-secrets-webhook`). You can configure metrics collection for the external-secrets operands by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".
.Prerequisites
* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed the {external-secrets-operator}.
* You have enabled the user workload monitoring.
.Procedure
. Create the `ClusterRoleBinding` resource required for granting permissions to access metrics:
.. Create the `clusterrolebinding-external-secrets.yaml` YAML file:
+
The following example shows a `clusterrolebinding-external-secrets.yaml` file.
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: external-secrets
name: external-secrets-allow-metrics-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-operator-metrics-reader
subjects:
- kind: ServiceAccount
name: external-secrets
namespace: external-secrets
- kind: ServiceAccount
name: external-secrets-cert-controller
namespace: external-secrets
- kind: ServiceAccount
name: external-secrets-webhook
namespace: external-secrets
----
.. Create the `ClusterRoldeBinding` custom resource by running the following command:
+
[source,terminal]
----
$ oc apply -f clusterrolebinding-external-secrets.yaml
----
. Create the `ServiceMonitor` CR:
.. Create the `servicemonitor-external-secrets.yaml` YAML file:
+
[source,yaml]
----
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app: external-secrets
name: external-secrets-metrics-monitor
namespace: external-secrets
spec:
endpoints:
- interval: 60s
path: /metrics
port: metrics
scheme: http
scrapeTimeout: 30s
namespaceSelector:
matchNames:
- external-secrets
selector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- external-secrets
- external-secrets-cert-controller
- external-secrets-webhook
- key: app.kubernetes.io/instance
operator: In
values:
- external-secrets
- key: app.kubernetes.io/managed-by
operator: In
values:
- external-secrets-operator
----
.. Create the `ServiceMonitor` CR by running the following command:
+
[source,terminal]
----
$ oc apply -f servicemonitor-external-secrets.yaml
----
+
After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the {external-secrets-operator} operands. The collected metrics are labeled with `job="external-secrets"`,`job="external-secrets-cainjector"`, and `job="external-secrets-webhook"`.
.Verification
. In the {product-title} web console, navigate to *Observe* -> *Targets*.
. In the Label filter field, enter the following labels to filter the metrics targets for each operand:
+
[source,terminal]
----
$ service=external-secrets
----
+
[source,terminal]
----
$ service=external-secrets-cert-controller-metrics
----
+
[source,terminal]
----
$ service=external-secrets-webhook
----
. Confirm that the *Status* column shows `Up` for the `external-secrets`, `external-secrets-cert-controller` and `external-secrets-webhook`.
View Git Blame Copy Permalink