Introduce PPROF Documentation

awgreene · awgreene · commit 98daa43afb90 · 2021-07-23T15:41:06.000-04:00
This commit introduces documentation detailing how to retrieve
PPROF data from the OLM and Catalog operators.
diff --git a/content/en/docs/Tasks/performance-profiling.md b/content/en/docs/Tasks/performance-profiling.md
@@ -1,8 +1,8 @@
 ---
-title: "Continuous Profiling"
+title: "Performance Profiling Metrics"
 weight: 10
 description: >
-  The goal of this document is to familiarize you with OLM's stance on performance profiling.
+  The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling metrics.
 ---
 
 ## Prerequisites 
@@ -11,60 +11,96 @@ description: >
 
 ## Background
 
-OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM Operator, the Catalog Operator, and Registry Servers. Due to the sensitive nature of this data, client requests against the pprof endpoint are rejected unless they are made with the certificate data kept in the `pprof-cert secret` in the `olm namespace`. 
-Kubernetes does not provide a native way to prevent pods on cluster from iterating over the list of available ports and retrieving the data exposed. Without authetnicating the requests, OLM could leak customer usage statistics on multitenant clusters. If the aforementioned secret does not exist the pprof data will not be accessable.
+OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM Operator, the Catalog Operator, and Registry Servers. Due to the sensitive nature of this data, OLM must be configured to use TLS Certificates before performance profiling can be enabled.
 
-### Retrieving PProf Data
+Requests against the performance profiling endpoint will be rejected unless the client certificate is validated by OLM. Unfortunately, Kubernetes does not provide a native way to prevent pods on cluster from iterating over the list of available ports and retrieving the data exposed. Without authenticating the requests, OLM could leak customer usage statistics on multitenant clusters.
 
-#### OLM Operator
+This document will dive into the steps to [enable olm performance profiling](enable-performance-profiling) and retrieving pprof data from each component.
 
-```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
-```
+## Enabling Performance Profiling
+
+### Creating a Certificate
 
-#### Catalog Operator
+A valid server certiciate must be created for each component before Performance Profiling can be enabled. If you are unfamiliar with certificate generation, I recomend using the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/manmaster/man1/openssl-req.html) documentation.
+
+Once you have generated a private and public key, this data should be stored in a `TLS Secret`:
 
 ```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
+
+$ export TLS_SECRET=my-tls-secret
+$ export PRIVATE_KEY_FILENAME=private.key # Replace with the name of the file that contains the private key you generated.
+$ export PUBLIC_KEY_FILENAME=certificate.crt # Replace with the name of the file that contains the public key you generated.
+
+$ cat << EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $TLS_SECRET
+  namespace: olm
+type: kubernetes.io/tls
+data:
+  tls.key: $(base64 -w0 $PRIVATE_KEY_FILENAME)
+  tls.crt: $(base64 -w0 $PUBLIC_KEY_FILENAME)
+EOF
 ```
 
-#### Registry Server
+### Updating OLM to Use the TLS Secret
+
+Patch the OLM Deployment's pod template to use the generated TLS secret:
+
+- Defining a volume and volumeMount
+- Adding the `client-ca`, `tls-key` and `tls-crt` arguments
+- Replacing all mentions of port `8080` with `8443`
+- Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme.
+
+This can by generating patching an existing OLM deployment:
 
 ```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
-```
+$ export TLS_SECRET=my-tls-secret
+$ export CERT_PATH=/var/run/secrets # Define where to mount the certs.
+# Set Deployment name to olm-operator or catalog-operator
+$ export DEPLOYMENT_NAME=olm-operator
+
+$ kubectl patch deployment $DEPLOYMENT_NAME -n olm --type json -p='[
+    # Mount the secret to the pod
+    {"op": "add", "path": "/spec/template/spec/volumes", "value":[{"name": '$TLS_SECRET', "secret": {"secretName": '$TLS_SECRET'}}]},
+    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts", "value":[{"name": '$TLS_SECRET', "mountPath": '$CERT_PATH'}]},
+    
+    # Add startup arguments
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--client-ca"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-key"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.key"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-cert"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"},
+    
+    # Replace port 8080 with 8443
+    {"op": "replace", "path": "/spec/template/spec/containers/0/ports/0", "value":{"containerPort": 8443}},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/port", "value":8443},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/port", "value":8443},
+
+    # Update livenessProbe and readinessProbe to use HTTPS
+    {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/scheme", "value":"HTTPS"},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/scheme", "value":"HTTPS"},
+]'
+deployment.apps/olm-operator patched
 
-<details>
-  <summary>Downstream docs, click to expand!</summary>
-  
-## Continuous Profiling
-OLM relies on [pprof-dump]() to periodically collect the pprof data and store it in the contents of a `ConfigMap`. The data in these `ConfigMaps` may be referenced when debugging issues.
+```
 
-### Default PProf-Dump Settings
+## Accessing PPROF Data
 
-OLM configures pprof-dump with the `pprof-dump ConfigMap` setting the follow default configurations:
+You will need to be able to access OLM port, for dev purposes the following commands may prove useful:
 
-```yaml
-kind: ConfigMap
-metadata:
-  name: prof-dump
-  namespace: olm
-Data:
-  garbageCollection: 60 # Delete configmaps older than 60 minutes
-  poll: 15 # interval in minutes that pprof data is collected and dumped into ConfigMaps
+```bash
+# Set Deployment name to olm-operator or catalog-operator
+$ export DEPLOYMENT_NAME=olm-operator
+$ kubectl port-forward deployment/$DEPLOYMENT_NAME 8443:8443 -n olm
 ```
 
-### How do I disable continuous profiling?
+You can then curl the OLM `/debug/pprof` endpoint to retrieve default pprof profiles like so:
 
-To disable OLM's continuous profiling, apply the following YAML:
+```bash
+$ curl https://localhost:8443/debug/pprof/heap --cert certificate.crt --key private.key  --insecure -o olm-heap
 
-```yaml
-kind: ConfigMap
-metadata:
-  name: prof-dump
-  namespace: olm
-Data:
-  garbageCollection: 60
-  poll: 0
+$ go tool pprof --top olm-heap
 ```
-</details>
