Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 5. Configuring secrets for Alertmanager
The Red Hat OpenShift Service on AWS monitoring stack includes Alertmanager, which routes alerts from Prometheus to endpoint receivers. If you need to authenticate with a receiver so that Alertmanager can send alerts to it, you can configure Alertmanager to use a secret that contains authentication credentials for the receiver.
For example, you can configure Alertmanager to use a secret to authenticate with an endpoint receiver that requires a certificate issued by a private Certificate Authority (CA). You can also configure Alertmanager to use a secret to authenticate with a receiver that requires a password file for Basic HTTP authentication. In either case, authentication details are contained in the Secret object rather than in the ConfigMap object.
5.1. Adding a secret to the Alertmanager configuration
You can add secrets to the Alertmanager configuration for user-defined projects by editing the user-workload-monitoring-config config map in the openshift-user-workload-monitoring project.
After you add a secret to the config map, the secret is mounted as a volume at /etc/alertmanager/secrets/<secret_name> within the alertmanager container for the Alertmanager pods.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have created the secret to be configured in Alertmanager in the
openshift-user-workload-monitoringproject. -
You have installed the OpenShift CLI (
oc).
Procedure
Edit the
ConfigMapobject.Edit the
user-workload-monitoring-configconfig map in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add a
secrets:section underdata/config.yaml/alertmanager/secretswith the following configuration:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | alertmanager: secrets: 1 - <secret_name_1> 2 - <secret_name_2>- 1
- This section contains the secrets to be mounted into Alertmanager. The secrets must be located within the same namespace as the Alertmanager object.
- 2
- The name of the
Secretobject that contains authentication credentials for the receiver. If you add multiple secrets, place each one on a new line.
The following sample config map settings configure Alertmanager to use two
Secretobjects namedtest-secretandtest-secret-api-token:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | alertmanager: enabled: true secrets: - test-secret - test-api-receiver-token
-
Save the file to apply the changes to the
ConfigMapobject. The new configuration is applied automatically.
5.2. Attaching additional labels to your time series and alerts
You can attach custom labels to all time series and alerts leaving Prometheus by using the external labels feature of Prometheus.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
Edit the
ConfigMapobject:Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Define a map of labels you want to add for every metric under
data/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: externalLabels: <key>: <value> 1- 1
- Substitute
<key>: <value>with a map of key-value pairs where<key>is a unique name for the new label and<value>is its value.
Warning-
Do not use
prometheusorprometheus_replicaas key names, because they are reserved and will be overwritten. -
Do not use
clusterormanaged_clusteras key names. Using them can cause issues where you are unable to see data in the developer dashboards.
NoteIn the
openshift-user-workload-monitoringproject, Prometheus handles metrics and Thanos Ruler handles alerting and recording rules. SettingexternalLabelsforprometheusin theuser-workload-monitoring-configConfigMapobject will only configure external labels for metrics and not for any rules.For example, to add metadata about the region and environment to all time series and alerts related to user-defined projects, use the following example:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: externalLabels: region: eu environment: prod
Save the file to apply the changes. The new configuration is applied automatically.
WarningWhen changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
