README
¶
deadmanssnitch-operator
Operator to manage deadmanssnitch configs for Openshift Dedicated
Overview
The operator runs on hive. It has a single controller. It:
- Requires a master Secret to talk to the Dead Man's Snitch API.
This secret is expected to be named
deadmanssnitch-api-keyand live in thedeadmanssnitch-operatornamespace. - Pays attention to ClusterDeployments that are:
- Installed (
spec.installed=true) - Managed (label
api.openshift.com/managed="true")
- Installed (
- For each such ClusterDeployment:
- Adds a finalizer to the ClusterDeployment to ensure we get a chance to clean up when it is deleted.
- Creates a Snitch
- Creates a Secret in the ClusterDeployment's namespace named
{clusterdeploymentname}-dms-secret. The Secret contains the Snitch URL. - Creates a SyncSet in the ClusterDeployment's namespace named
{clusterdeploymentname}-dms}. The SyncSet creates a SecretMapping that makes the above Secret appear inside the cluster asdms-secretin theopenshift-monitoringnamespace.
Metrics
metricDeadMansSnitchHeartbeat: Every 5 minutes, makes a request to the Dead Man's Snitch API using the API key and updates the gauge to 1 when the response code is between 200-299.
Alerts
- DeadMansSnitchAPIUnavailable - Unable to communicate with Dead Man's Snitch API for 15 minutes.
Usage
- Create an account on https://deadmanssnitch.com/
- Choose a plan that allows enhanced snitch intervals(Private eye or above)
- Create an API key
- Create the following secret which is required for deadmanssnitch-operator to create snitches
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
data:
tags: <Tag for snitches>
deadmanssnitch-api-key: <deadmanssnitch API key here>
- Build a docker image and replace
REPLACE_IMAGEoperator.yaml field with that image- you can do that using
oc create -f https://github.com/openshift/deadmanssnitch-operator/raw/master/deploy/operator.yaml --dry-run=client -oyaml | oc set image --local -f - --dry-run=client -oyaml *=REPLACE_IMAGE
- you can do that using
- Deploy using
oc apply -f deploy/
Development
how to develop this locally
Set up local OpenShift cluster
Methods include:
Deploy dependencies
Hive CRDs need to be installed on the cluster.
Clone hive repo and run
git clone https://github.com/openshift/hive.git
oc apply -f hive/config/crds
Install the DeadMansSnitchIntegration CRD, create the operator namespace and other operator dependencies:
oc apply -f deploy/crds/deadmanssnitch.managed.openshift.io_deadmanssnitchintegrations.yaml
oc new-project deadmanssnitch-operator
oc apply -f deploy/role.yaml
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role_binding.yaml
Create a secret which will contain the DeadMansSnitch API Key and Hive Cluster Tag.
You will require an API Key signed up to a DeadMansSnitch plan that allows for enhanced snitch intervals (the "Private Eye" plan). You can alternatively test the deadmanssnitch-operator by signing up to the free tier DeadMansSnitch plan (limited to 1 snitch), but doing so will require you to customize the snitch interval from 15_minute to hourly. This can be performed in deadmanssnitchintegration_controller.go
Adjust the example below and apply the file with oc apply -f <file>. Note that the values for tags and deadmanssnitch-api-key need to be base64 encoded. This can be performed using echo -n <text> | base64.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
data:
tags: <value>
deadmanssnitch-api-key: <value>
Define a DeadMansSnitchIntegration
Create a DeadMansSnitchIntegration CR which will be used to identify clusters to apply DMS to.
The example below will target clusterdeployments that have a api.openshift.com/test label set to "true". Apply it using oc apply -f <file>.
apiVersion: deadmanssnitch.managed.openshift.io/v1alpha1
kind: DeadmansSnitchIntegration
metadata:
finalizers:
- dms.managed.openshift.io/deadmanssnitch-osd
name: test-dmsi
namespace: deadmanssnitch-operator
spec:
clusterDeploymentSelector:
matchExpressions:
- key: api.openshift.com/test
operator: In
values:
- "true"
dmsAPIKeySecretRef:
name: deadmanssnitch-api-key
namespace: deadmanssnitch-operator
snitchNamePostFix: "test"
tags:
- test
targetSecretRef:
name: dms-secret-test
namespace: openshift-monitoring
Run the operator
export OPERATOR_NAME=deadmanssnitch-operator
go run main.go
Create Clusterdeployment
You can create a dummy ClusterDeployment by copying a real one from an active hive
real-hive$ oc get cd -n <namespace> <cdname> -o yaml > /tmp/fake-clusterdeployment.yaml
...
$ oc create namespace fake-cluster-namespace
$ oc apply -f /tmp/fake-clusterdeployment.yaml
deadmanssnitch-operator doesn't start reconciling clusters until the clusterdeployment's spec.installed is set to true. If present, set spec.installed to true.
oc edit clusterdeployment fake-cluster -n fake-cluster-namespace
Ensure that the ClusterDeployment is labelled with the label from your DMSI's clusterDeploymentSelector clause.
Using the example from earlier:
oc label clusterdeployment -n <namespace> <cdname> api.openshift.com/test=true
Delete ClusterDeployment
To trigger deadmanssnitch-operator to remove the service in DeadMansSnitch, you can either delete the clusterdeployment or remove the clusterDeploymentSelector label:
oc delete clusterdeployment fake-cluster -n fake-cluster-namespace
If deleting the clusterdeployment, you may need to remove dangling finalizers from the clusterdeployment object.
oc edit clusterdeployment fake-cluster -n fake-cluster-namespace
PKO Template Testing
The operator is deployed via Package Operator (PKO). The PKO package lives in deploy_pko/ and includes Go templates (.gotmpl files) that are rendered at deploy time using config values from the ClusterPackage resource.
Two layers of template testing
1. PKO snapshot tests (test.template in deploy_pko/manifest.yaml)
The manifest.yaml defines test contexts under spec.test.template. Each context provides sample config values that PKO uses to render all .gotmpl files. The rendered output is stored as golden files in deploy_pko/.test-fixtures/.
Run locally:
kubectl-package validate deploy_pko/
If template output has changed, the command fails with a fixture mismatch error and a unified diff:
File mismatch against fixture in DeadmansSnitchIntegration-osd.yaml: Testcase "default"
--- FIXTURE/DeadmansSnitchIntegration-osd.yaml
+++ ACTUAL/DeadmansSnitchIntegration-osd.yaml
@@ -28,6 +28,9 @@
- key: api.openshift.com/fedramp
operator: NotIn
values: ["true"]
+ - key: api.openshift.com/some-new-label
+ operator: NotIn
+ values: ["true"]
If the diff reflects an intentional change, regenerate the fixtures:
rm -rf deploy_pko/.test-fixtures/
kubectl-package validate deploy_pko/
Review the regenerated files, then commit the updated .test-fixtures/ alongside your template change.
2. Go unit tests (pkg/pko/template_test.go)
Structural validation tests that run via go test ./pkg/pko/... as part of the standard CI pipeline. These assert invariants like correct kind, phase annotations, and conditional rendering (e.g., silentAlertLegalEntityIds omitted when empty).
When do I need to update these tests?
| Scenario | Action |
|---|---|
Changed a .gotmpl file |
Regenerate .test-fixtures/ (delete and re-run kubectl-package validate) |
Added a new config field to manifest.yaml |
Add it to the test.template contexts |
Added a new .gotmpl file |
Existing test contexts cover it automatically; add new contexts if it has conditional logic |
| Changed conditional logic | Verify the Go unit tests still pass; add cases for new branches |
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
v1alpha1
Package v1alpha1 contains API Schema definitions for the deadmanssnitch.managed.openshift.io v1alpha1 API group +kubebuilder:object:generate=true +groupName=deadmanssnitch.managed.openshift.io
|
Package v1alpha1 contains API Schema definitions for the deadmanssnitch.managed.openshift.io v1alpha1 API group +kubebuilder:object:generate=true +groupName=deadmanssnitch.managed.openshift.io |
|
controllers
|
|
|
pkg
|
|
|
dmsclient/mock
Package mock_dmsclient is a generated GoMock package.
|
Package mock_dmsclient is a generated GoMock package. |