introduce performance profiling doc #167
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
| $ export CERT_PATH=/etc/olm-serving-certs # Define where to mount the certs. | ||
| $ kubectl patch deployment olm-operator -n olm --type json -p='[ | ||
| # Mount the secret to the pod | ||
| {"op": "add", "path": "/spec/template/spec/volumes", "value":[{"name": "olm-serving-cert", "secret": {"secretName": "olm-serving-cert"}}]}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts", "value":[{"name": "olm-serving-cert", "mountPath": '$CERT_PATH'}]}, | ||
|
|
||
| # Add startup arguments | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--client-ca"}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-key"}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.key"}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-cert"}, | ||
| {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"}, | ||
|
|
||
| # Replace port 8080 with 8443 | ||
| {"op": "replace", "path": "/spec/template/spec/containers/0/ports/0", "value":{"containerPort": 8443}}, | ||
| {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/port", "value":8443}, | ||
| {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/port", "value":8443}, | ||
|
|
||
| # Update livenessProbe and readinessProbe to use HTTPS | ||
| {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/scheme", "value":"HTTPS"}, | ||
| {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/scheme", "value":"HTTPS"}, | ||
| ]' | ||
| deployment.apps/olm-operator patched |
There was a problem hiding this comment.
Alternatively, we could generate the manifests that include these changes as part of the OLM release.
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: olm-serving-secret |
There was a problem hiding this comment.
| name: olm-serving-secret | |
| name: olm-serving-cert |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| title: "Performance Profiling Metrics" | ||
| weight: 10 | ||
| description: > | ||
| The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling metrics. |
There was a problem hiding this comment.
| The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling metrics. | |
| The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling instrumentation. |
|
|
||
| ## Background | ||
|
|
||
| OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM Operator, the Catalog Operator, and Registry Servers. Due to the sensitive nature of this data, OLM must be configured to use TLS Certificates before performance profiling can be enabled. |
There was a problem hiding this comment.
and Registry Servers
Not registry-server today.
must be configured to use TLS Certificates before performance profiling can be enabled
For clarity, since the profiling endpoints are always enabled now, this could probably be combined with the following paragraph and say something like "due to the sensitive nature of profiling data, the profiling endpoints will reject any clients that do not present a verifiable certificate. Both operators must be configured with a serving certificate and a client CA bundle in order to access the profiling endpoints".
| $ export PRIVATE_KEY_FILENAME=private.key # Replace with the name of the file that contains the private key you generated. | ||
| $ export PUBLIC_KEY_FILENAME=certificate.crt # Replace with the name of the file that contains the public key you generated. | ||
|
|
||
| $ cat << EOF | kubectl apply -f - |
There was a problem hiding this comment.
Users can also do:
kubectl -n my-namespace create secret tls my-name --cert=certfile --key=keyfile
| EOF | ||
| ``` | ||
|
|
||
| ### Updating OLM to Use the TLS Secret |
There was a problem hiding this comment.
I know the chart is sort of an internal detail of the release process, but since the audience for this doc is skewed towards developers, maybe it'd be worth putting some commented-out-with-explanation lines into the values.yaml and mentioning them here as well?
| Patch the OLM Deployment's pod template to use the generated TLS secret: | ||
|
|
||
| - Defining a volume and volumeMount | ||
| - Adding the `client-ca`, `tls-key` and `tls-crt` arguments |
There was a problem hiding this comment.
| - Adding the `client-ca`, `tls-key` and `tls-crt` arguments | |
| - Adding the `client-ca`, `tls-key` and `tls-cert` arguments |
| @@ -0,0 +1,106 @@ | |||
| --- | |||
| title: "Performance Profiling Metrics" | |||
There was a problem hiding this comment.
I can imagine readers finding this page while trying to understand the performance of their own operator versus the OLM operators. Making the title more specific might save them some confusion or at least a click.
|
|
||
| ### Creating a Certificate | ||
|
|
||
| A valid server certiciate must be created for each component before Performance Profiling can be enabled. If you are unfamiliar with certificate generation, I recomend using the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/manmaster/man1/openssl-req.html) documentation. |
There was a problem hiding this comment.
| A valid server certiciate must be created for each component before Performance Profiling can be enabled. If you are unfamiliar with certificate generation, I recomend using the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/manmaster/man1/openssl-req.html) documentation. | |
| A valid server certificate must be created for each component before the Performance Profiling functionality can be enabled. If you are unfamiliar with certificate generation, it's recommend to use the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html) documentation. |
There was a problem hiding this comment.
The link is broken, https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html works now.
Possible alternative: https://linux.die.net/man/1/req
|
|
||
| Requests against the performance profiling endpoint will be rejected unless the client certificate is validated by OLM. Unfortunately, Kubernetes does not provide a native way to prevent pods on cluster from iterating over the list of available ports and retrieving the data exposed. Without authenticating the requests, OLM could leak customer usage statistics on multitenant clusters. | ||
|
|
||
| This document will dive into the steps to [enable olm performance profiling](enable-performance-profiling) and retrieving pprof data from each component. |
There was a problem hiding this comment.
It looks like a broken link to the next header section.
| This document will dive into the steps to [enable olm performance profiling](enable-performance-profiling) and retrieving pprof data from each component. | |
| This document will dive into the steps to [enable olm performance profiling](#enabling-performance-profiling) and retrieving pprof data from each component. |
| - Defining a volume and volumeMount | ||
| - Adding the `client-ca`, `tls-key` and `tls-crt` arguments | ||
| - Replacing all mentions of port `8080` with `8443` | ||
| - Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme. |
There was a problem hiding this comment.
| - Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme. | |
| - Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme |
| - Replacing all mentions of port `8080` with `8443` | ||
| - Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme. | ||
|
|
||
| This can by generating patching an existing OLM deployment: |
There was a problem hiding this comment.
| This can by generating patching an existing OLM deployment: | |
| This can be generated by patching an existing OLM deployment: |
awgreene
force-pushed
the
pprof-docs
branch
4 times, most recently
from
b6caa89 to
7b76263
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anik120, awgreene The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
|
||
| $ export TLS_SECRET=my-tls-secret |
There was a problem hiding this comment.
This variable isn't used anywhere in this codeblock. Is it supposed to be the secret name?
|
Closing due to inactivity |
|
Closed this by mistake oops. |
grokspawn
added
the
lifecycle/rotten
perdasilva
force-pushed
the
pprof-docs
branch
2 times, most recently
from
4459d7c to
730a0de
Compare
This commit introduces documentation detailing how to retrieve PPROF data from the OLM and Catalog operators. Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
perdasilva
force-pushed
the
pprof-docs
branch
from
730a0de to
4fae606
Compare
8 participants
No description provided.