OSDOCS-14993: Adding monitoring cert-manager metrics section”

aravipra · aravipra · commit 289d0ccb61db · 2025-06-22T01:22:26.000+05:30
:wq
diff --git a/modules/cert-manager-configure-metrics-scraping.adoc b/modules/cert-manager-configure-metrics-scraping.adoc
@@ -0,0 +1,99 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cert-manager-configure-metrics-scraping_{context}"]
+= Configuring metrics scraping for cert-manager operand by using a ServiceMonitor
+
+The cert-manager operand exposes metrics by default on port `9402` at the `/metrics` service endpoint. You can configure metrics collection for the cert-manager operands by creating a `ServiceMonitor` or `PodMonitor` Custom Resource (CR) that enables Prometheus Operator to collect custom metrics.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {cert-manager-operator}.
+* You have deployed the cert-manager operand in the cluster.
+* You have enabled the user workload monitoring.
+
+.Procedure
+
+. Create the `cert-manager` YAML file that defines the `ServiceMonitor` CR:
++
+.Example `cert-manager` file
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  endpoints:
+    - honorLabels: false
+      interval: 60s
+      path: /metrics
+      scrapeTimeout: 30s
+      targetPort: 9402
+  selector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - cainjector
+          - cert-manager
+          - webhook
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+          - cert-manager
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+          - cainjector
+          - controller
+          - webhook
+----
+
+. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cert-manager.yaml
+----
++
+After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the cert-manager operands. The collected metrics are labeled with `job="cert-manager"`,`job="cert-manager-cainjector"`, and `job="cert-manager-webhook"`.
+
+.Verification
+
+. The following can be used to verify the Prometheus Targets in the web console:
+
+.. In the {product-title} web console, navigate to *Observe* → *Targets*.
+
+.. In the *Label* filter field, enter the following label to filter the metrics targets:
++
+[source,terminal]
+----
+$ service=cert-manager
+----
+
+.. Confirm that the *Status* column shows `Up` for the `cert-manager` entry.
+
+. Verify that the cert-manager services are running in the cert-manager namespace by running the following command:
++
+[source,terminal]
+----
+$ oc -n cert-manager get service
+----
++
+.Example output
+[source,terminal]
+----
+NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)            AGE
+cert-manager              ClusterIP   172.30.199.12   <none>        9402/TCP           54s
+cert-manager-cainjector   ClusterIP   172.30.148.41   <none>        9402/TCP           63s
+cert-manager-webhook      ClusterIP   172.30.100.46   <none>        443/TCP,9402/TCP   62s
+----
diff --git a/modules/cert-manager-enable-user-workload-monitor.adoc b/modules/cert-manager-enable-user-workload-monitor.adoc
@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cert-manager-enable-user-workload-monitor_{context}"]
+= Enabling user workload monitoring
+
+You can enable monitoring for user-defined projects by configuring user workload monitoring in the cluster. For more information, see "Configuring user workload monitoring".
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Create the `cluster-monitoring-config.yaml` YAML file:
++
+.Example `cluster-monitoring-config.yaml` file
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-monitoring-config
+  namespace: openshift-monitoring
+data:
+  config.yaml: |
+    enableUserWorkload: true
+----
+
+. Apply the `ConfigMap` by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cluster-monitoring-config.yaml
+----
+
+.Verification
+
+. Verify that the monitoring components for user workloads are running in the `openshift-user-workload-monitoring` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc -n openshift-user-workload-monitoring get pod
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                   READY   STATUS    RESTARTS   AGE
+prometheus-operator-6cb6bd9588-dtzxq   2/2     Running   0          50s
+prometheus-user-workload-0             6/6     Running   0          48s
+prometheus-user-workload-1             6/6     Running   0          48s
+thanos-ruler-user-workload-0           4/4     Running   0          42s
+thanos-ruler-user-workload-1           4/4     Running   0          42s
+----
+
+The status of the pods such as `prometheus-operator`, `prometheus-user-workload`, and `thanos-ruler-user-workload` must be `Running`.
diff --git a/modules/cert-manager-query-metrics-operand.adoc b/modules/cert-manager-query-metrics-operand.adoc
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cert-manager-query-metrics-operand_{context}"]
+= Querying metrics for the cert-manager operand
+
+As a cluster administrator, or as a user with view access to all namespaces, you can query cert-manager operand metrics by using the {product-title} web console or the command line. For more information see "Accessing metrics".
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {cert-manager-operator}.
+* You have deployed the cert-manager operands in the cluster.
+* You have enabled monitoring and metrics collection by creating `ServiceMonitor` object.
+
+.Procedure
+
+. Get your own token by running the following command:
++
+[source,terminal]
+----
+$ (oc whoami -t)
+----
+
+. Get the token for a specific service account by running the following command:
++
+[source,terminal]
+----
+$ TOKEN=$(oc create token prometheus-k8s -n openshift-monitoring)
+----
+
+. Get the OpenShift API route for Thanos Querier by running the following command:
++
+[source,terminal]
+----
+$ URL=$(oc get route thanos-querier -n openshift-monitoring -o=jsonpath='{.status.ingress[0].host}')
+----
+
+. Query the metrics by running the following command:
++
+[source,terminal]
+----
+$ curl -s -k -H "Authorization: Bearer $TOKEN" https://$URL/api/v1/query --data-urlencode 'query={job="cert-manager"}' | jq
+----
+
+.Verification
+
+. In the {product-title} web console, navigate to *Observe* → *Metrics*.
+
+. In the *Label* filter field, enter the following label to filter the metrics of each operand:
++
+[source,terminal]
+----
+$ {job="<JobLabel>"}
+----
+
+. Confirm that the *Status* column shows `Up` for the `cert-manager` entry.
diff --git a/security/cert_manager_operator/cert-manager-monitoring.adoc b/security/cert_manager_operator/cert-manager-monitoring.adoc
@@ -17,4 +17,23 @@ include::modules/cert-manager-enable-metrics.adoc[leveloffset=+1]
 * xref:../../observability/monitoring/configuring-user-workload-monitoring/configuring-metrics-uwm.adoc#setting-up-metrics-collection-for-user-defined-projects_configuring-metrics-uwm[Setting up metrics collection for user-defined projects]
 
 // Querying metrics for the {cert-manager-operator}
-include::modules/cert-manager-query-metrics.adoc[leveloffset=+1]
+include::modules/cert-manager-query-metrics.adoc[leveloffset=+1]
+
+// Enabling user workload monitoring for the cert-manager operand
+include::modules/cert-manager-enable-user-workload-monitor.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/configuring-user-workload-monitoring/preparing-to-configure-the-monitoring-stack-uwm.adoc#configurable-monitoring-components_preparing-to-configure-the-monitoring-stack-uwm[Configuring user workload monitoring]
+
+// Configuring metrics scraping for the cert-manager operand
+include::modules/cert-manager-configure-metrics-scraping.adoc[leveloffset=+1]
+
+// Querying metrics for the cert-manager operand
+include::modules/cert-manager-query-metrics-operand.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../observability/monitoring/accessing-metrics/accessing-metrics-as-an-administrator.adoc#accessing-metrics[Accessing metrics]
