wip

awgreene · awgreene · commit f4bf735af00a · 2021-06-18T16:46:12.000-04:00
diff --git a/content/en/docs/Tasks/performance-profiling.md b/content/en/docs/Tasks/performance-profiling.md
@@ -1,8 +1,8 @@
 ---
-title: "Continuous Profiling"
+title: "Performance Profiling Metrics"
 weight: 10
 description: >
-  The goal of this document is to familiarize you with OLM's stance on performance profiling.
+  The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling metrics.
 ---
 
 ## Prerequisites 
@@ -11,60 +11,86 @@ description: >
 
 ## Background
 
-OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM Operator, the Catalog Operator, and Registry Servers. Due to the sensitive nature of this data, client requests against the pprof endpoint are rejected unless they are made with the certificate data kept in the `pprof-cert secret` in the `olm namespace`. 
-Kubernetes does not provide a native way to prevent pods on cluster from iterating over the list of available ports and retrieving the data exposed. Without authetnicating the requests, OLM could leak customer usage statistics on multitenant clusters. If the aforementioned secret does not exist the pprof data will not be accessable.
+OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM Operator, the Catalog Operator, and Registry Servers. Due to the sensitive nature of this data, OLM must be configured to use TLS Certificates before performance profiling can be enabled.
 
-### Retrieving PProf Data
+Requests against the performance profiling endpoint will be rejected unless the client certificate is validated by OLM. Unfortunately, Kubernetes does not provide a native way to prevent pods on cluster from iterating over the list of available ports and retrieving the data exposed. Without authetnicating the requests, OLM could leak customer usage statistics on multitenant clusters.
 
-#### OLM Operator
+This document will dive into the steps to [enable olm performance profiling](enable-performance-profiling) and retrieving pprof data from each component.
 
-```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
-```
+## Enabling Performance Profiling
 
-#### Catalog Operator
+### Creating a certificate
 
-```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
-```
+A valid server certiciate must be created for each component before Performance Profiling can be enabled. If you are unfamiliar with certificate generation, I recomend using the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/manmaster/man1/openssl-req.html) documentation.
 
-#### Registry Server
+Once you have generated a private and public key, this data should be stored in a `TLS Secret`:
 
 ```bash
-$ go tool pprof http://localhost:8080/debug/pprof/heap #TODO: Replace with actual command
+$ export PRIVATE_KEY_FILENAME=private.key # Replace with the name of the file that contains the private key you generated.
+$ export PUBLIC_KEY_FILENAME=certificate.key # Replace with the name of the file that contains the public key you generated.
+
+$ cat << EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: olm-serving-secret
+  namespace: olm
+type: kubernetes.io/tls
+data:
+  tls.key: $(base64 $PRIVATE_KEY_FILENAME)
+  tls.crt: $(base64 $PUBLIC_KEY_FILENAME)
+EOF
 ```
 
-<details>
-  <summary>Downstream docs, click to expand!</summary>
-  
-## Continuous Profiling
-OLM relies on [pprof-dump]() to periodically collect the pprof data and store it in the contents of a `ConfigMap`. The data in these `ConfigMaps` may be referenced when debugging issues.
+We then need to patch the OLM Deployment to use the TLS secret that we generated by:
 
-### Default PProf-Dump Settings
+- Adding a volume and volumeMount to the olm pod which mounts the secret.
+- Adding the `client-ca`, `tls-key` and `tls-crt` arguments to the OLM pod
+- Replacing all mentions of port `8080` with `8443`
+- Update the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme.
 
-OLM configures pprof-dump with the `pprof-dump ConfigMap` setting the follow default configurations:
+This can be done with the following commands:
 
-```yaml
-kind: ConfigMap
-metadata:
-  name: prof-dump
-  namespace: olm
-Data:
-  garbageCollection: 60 # Delete configmaps older than 60 minutes
-  poll: 15 # interval in minutes that pprof data is collected and dumped into ConfigMaps
+```bash
+$ export CERT_PATH=/etc/olm-serving-certs # Define where to mount the certs.
+$ kubectl patch deployment olm-operator -n olm  --type json   -p='[
+    # Mount the secret to the pod
+    {"op": "add", "path": "/spec/template/spec/volumes", "value":[{"name": "olm-serving-cert", "secret": {"secretName": "olm-serving-cert"}}]},
+    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts", "value":[{"name": "olm-serving-cert", "mountPath": '$CERT_PATH'}]},
+    
+    # Add startup arguments
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--client-ca"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-key"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.key"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-cert"},
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"},
+    
+    # Replace port 8080 with 8443
+    {"op": "replace", "path": "/spec/template/spec/containers/0/ports/0", "value":{"containerPort": 8443}},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/port", "value":8443},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/port", "value":8443},
+
+    # Update livenessProbe and readinessProbe to use HTTPS
+    {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/scheme", "value":"HTTPS"},
+    {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/scheme", "value":"HTTPS"},
+]'
+deployment.apps/olm-operator patched
 ```
 
-### How do I disable continuous profiling?
+You will need to be able to access OLM port, for dev purposes the following commands may prove useful:
+
+```bash
+$ kubectl port-forward deployment/olm-operator 8443:8443 -n olm
+```
 
-To disable OLM's continuous profiling, apply the following YAML:
+You can then curl the OLM `/debug/pprof` endpoint to retrieve default pprof profiles like so:
 
-```yaml
-kind: ConfigMap
-metadata:
-  name: prof-dump
-  namespace: olm
-Data:
-  garbageCollection: 60
-  poll: 0
+```bash
+export BASE_URL=https://localhost:8443/debug/pprof
+curl $BASE_URL/goroutine --cert certificate.crt --key private.key  --insecure -o goroutine
+curl $BASE_URL/heap --cert certificate.crt --key private.key  --insecure -o heap
+curl $BASE_URL/threadcreate --cert certificate.crt --key private.key  --insecure -o threadcreate
+curl $BASE_URL/block --cert certificate.crt --key private.key  --insecure -o block
+curl $BASE_URL/mutex --cert certificate.crt --key private.key  --insecure -o mutex
 ```
-</details>
