feat: cluster/component healh backend & resources update

Author: tremes

bundle/manifests/observability-operator.clusterserviceversion.yaml

@@ -408,6 +408,13 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - clusteroperators
+          verbs:
+          - get
+          - list
         - apiGroups:
           - config.openshift.io
           resources:
@@ -437,6 +444,13 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - kubevirt.io
+          resources:
+          - kubevirts
+          verbs:
+          - get
+          - list
         - apiGroups:
           - loki.grafana.com
           resources:
@@ -453,6 +467,13 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - machineconfiguration.openshift.io
+          resources:
+          - machineconfigpools
+          verbs:
+          - get
+          - list
         - apiGroups:
           - monitoring.coreos.com
           resourceNames:

deploy/operator/observability-operator-cluster-role.yaml

@@ -92,6 +92,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusteroperators
+  verbs:
+  - get
+  - list
 - apiGroups:
   - config.openshift.io
   resources:
@@ -121,6 +128,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - kubevirts
+  verbs:
+  - get
+  - list
 - apiGroups:
   - loki.grafana.com
   resources:
@@ -137,6 +151,13 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - machineconfiguration.openshift.io
+  resources:
+  - machineconfigpools
+  verbs:
+  - get
+  - list
 - apiGroups:
   - monitoring.coreos.com
   resourceNames:

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/prometheus/common v0.67.4
 	github.com/rhobs/obo-prometheus-operator v0.87.0-rhobs1
 	github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.87.0-rhobs1
-	github.com/rhobs/observability-operator/pkg/apis v0.0.0-20251009091129-76135c924ed6
+	github.com/rhobs/observability-operator/pkg/apis v0.0.0-20260115120443-7527133cfea4
 	github.com/rhobs/perses v0.0.0-20260113083341-bce6f0039b5d
 	github.com/rhobs/perses-operator v0.1.10-0.20260119104604-801af29f7716
 	github.com/stretchr/testify v1.11.1

go.sum

@@ -440,16 +440,8 @@ github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.87.0-rhobs1 h1:f
 github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.87.0-rhobs1/go.mod h1:amf29isbT7UfgLWDCamPG6jaELHKoXyCd25Nx3DBlNY=
 github.com/rhobs/obo-prometheus-operator/pkg/client v0.87.0-rhobs1 h1:/3w2Mky/kVuzNH19uT6vsSgmCuZwEFftjF0A7LuX+Mo=
 github.com/rhobs/obo-prometheus-operator/pkg/client v0.87.0-rhobs1/go.mod h1:FMfzfWcCGBtflg+gT1SNchG243iywu015rJskh1U+/c=
-github.com/rhobs/perses v0.0.0-20260108135452-fa4ca8ac8e73 h1:oVpyW74yXZzixJlsCprgnIkG1QnSd3t8XQIQRe84vQc=
-github.com/rhobs/perses v0.0.0-20260108135452-fa4ca8ac8e73/go.mod h1:t5HVls3hnD2zn9pg/sjVd3n1ULHUizAn69lX7Wf9wUE=
 github.com/rhobs/perses v0.0.0-20260113083341-bce6f0039b5d h1:hagDxkfSvy6vGxH0qPFIOQoPjdblKCfNAhjqCgsuy7Q=
 github.com/rhobs/perses v0.0.0-20260113083341-bce6f0039b5d/go.mod h1:t5HVls3hnD2zn9pg/sjVd3n1ULHUizAn69lX7Wf9wUE=
-github.com/rhobs/perses-operator v0.1.10-0.20260108143425-6efe058ff3ec h1:qDlJf6dGLi3DqVB6Tb7msGEM9AD9HhVOW+f724Az7fc=
-github.com/rhobs/perses-operator v0.1.10-0.20260108143425-6efe058ff3ec/go.mod h1:ciSWn2z4DA7/47GHN65UDDNvVXE/PSPlQ27csHytKRI=
-github.com/rhobs/perses-operator v0.1.10-0.20260113122614-fbdfa948934b h1:G7rsnn43gSfd/81rbZqbZwzD0wpGg6tqZ8VR+5fKMtA=
-github.com/rhobs/perses-operator v0.1.10-0.20260113122614-fbdfa948934b/go.mod h1:ciSWn2z4DA7/47GHN65UDDNvVXE/PSPlQ27csHytKRI=
-github.com/rhobs/perses-operator v0.1.10-0.20260113145446-31dca3123509 h1:qsacWU0fdzSvbLQEHnhsk5Pi0hwPZKQVdcbTHKhjM1E=
-github.com/rhobs/perses-operator v0.1.10-0.20260113145446-31dca3123509/go.mod h1:ciSWn2z4DA7/47GHN65UDDNvVXE/PSPlQ27csHytKRI=
 github.com/rhobs/perses-operator v0.1.10-0.20260119104604-801af29f7716 h1:fFiorvTDcBHhT/FSfrlEHrtHKg+p8h7nhPzP6bRY93c=
 github.com/rhobs/perses-operator v0.1.10-0.20260119104604-801af29f7716/go.mod h1:7XmXHWocDHqOerp3lmggbQzbBZ9VkK1+FCv/LGGMHvE=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=

pkg/controllers/uiplugin/components.go

@@ -121,15 +121,30 @@ func pluginComponentReconcilers(plugin *uiv1alpha1.UIPlugin, pluginInfo UIPlugin
 			monitoringConfig.Incidents != nil &&
 			monitoringConfig.Incidents.Enabled &&
 			pluginInfo.HealthAnalyzerImage != ""
+
+		healthAnalyzerEnabled := monitoringConfig != nil &&
+			monitoringConfig.ClusterHealthAnalyzer != nil &&
+			monitoringConfig.ClusterHealthAnalyzer.Enabled &&
+			pluginInfo.HealthAnalyzerImage != ""
+
+		components = append(components,
+			reconciler.NewOptionalUpdater(componentsHealthClusterRole("components-health-view"), plugin, healthAnalyzerEnabled),
+			reconciler.NewOptionalUpdater(newClusterRoleBinding(namespace, serviceAccountName, "components-health-view", plugin.Name+"-"+"components-health-view"), plugin, healthAnalyzerEnabled),
+			reconciler.NewOptionalUpdater(newComponentHealthConfig(namespace), plugin, healthAnalyzerEnabled),
+		)
+
+		deployHealthAnalyzer := incidentsEnabled || healthAnalyzerEnabled
+
 		components = append(components,
-			reconciler.NewOptionalUpdater(newClusterRoleBinding(namespace, serviceAccountName, monitorClusterroleName, plugin.Name+"-"+monitorClusterroleName), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newClusterRoleBinding(namespace, serviceAccountName, "system:auth-delegator", serviceAccountName+"-system-auth-delegator"), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newAlertManagerViewRoleBinding(serviceAccountName, namespace), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newHealthAnalyzerPrometheusRole(namespace), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newHealthAnalyzerPrometheusRoleBinding(namespace), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newHealthAnalyzerService(namespace), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newHealthAnalyzerDeployment(namespace, serviceAccountName, pluginInfo), plugin, incidentsEnabled),
-			reconciler.NewOptionalUpdater(newHealthAnalyzerServiceMonitor(namespace), plugin, incidentsEnabled),
+			reconciler.NewOptionalUpdater(newClusterRoleBinding(namespace, serviceAccountName, "cluster-monitoring-view", plugin.Name+"cluster-monitoring-view"), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newClusterRoleBinding(namespace, serviceAccountName, "system:auth-delegator", serviceAccountName+"-system-auth-delegator"), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newAlertManagerViewRoleBinding(serviceAccountName, namespace), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newHealthAnalyzerPrometheusRole(namespace), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newHealthAnalyzerPrometheusRoleBinding(namespace), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newHealthAnalyzerService(namespace), plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newHealthAnalyzerDeployment(namespace, serviceAccountName, pluginInfo.HealthAnalyzerImage, healthAnalyzerEnabled),
+				plugin, deployHealthAnalyzer),
+			reconciler.NewOptionalUpdater(newHealthAnalyzerServiceMonitor(namespace), plugin, deployHealthAnalyzer),
 		)
 
 		persesServiceAccountName := "perses" + serviceAccountSuffix
@@ -436,6 +451,43 @@ func newService(info UIPluginInfo, namespace string) *corev1.Service {
 	}
 }
 
+// componentsHealthClusterRole creates a new clusterrole with the provided name.
+// The clusterrole has read permissions to the cluster resources and it is required
+// for the component health evaluation.
+func componentsHealthClusterRole(name string) *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+			Kind:       "ClusterRole",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"nodes"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{"config.openshift.io"},
+				Resources: []string{"clusteroperators"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{"machineconfiguration.openshift.io"},
+				Resources: []string{"machineconfigpools"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{"kubevirt.io"},
+				Resources: []string{"kubevirts"},
+				Verbs:     []string{"get", "list"},
+			},
+		},
+	}
+}
+
 func newKorrel8rDeployment(name string, namespace string, info UIPluginInfo) *appsv1.Deployment {
 	volumes := []corev1.Volume{
 		{

pkg/controllers/uiplugin/config/health-analyzer.yaml

@@ -0,0 +1,47 @@
+# Default definition of the component tree used to evaluate component health
+# by the cluster-health-analyzer. 
+components:
+  - name: control-plane
+    children:
+    - name: nodes
+      objects:
+      - resource: nodes
+        selectors:
+        - matchLabels:
+            node-role.kubernetes.io/control-plane: []
+      - resource: machineconfigpools
+        group: machineconfiguration.openshift.io
+        selectors:
+        - matchLabels:
+            pools.operator.machineconfiguration.openshift.io/master: []
+    - name: capacity
+      children:
+      - name: cpu
+        alerts:
+          selectors:
+          - matchLabels:
+              alertname: ["KubeCPUOvercommit","HighOverallControlPlaneCPU", "ExtremelyHighIndividualControlPlaneCPU"]
+      - name: memory
+        alerts:
+          selectors:
+          - matchLabels:
+              alertname: ["HighOverallControlPlaneMemory", "ExtremelyHighIndividualControlPlaneMemory", "SystemMemoryExceedsReservation"]
+    - name: operators
+      children:
+      - name: etcd
+        alerts:
+          selectors:
+          - matchLabels:
+              namespace: ["openshift-etcd","openshift-etcd-operator"]
+  - name: addons
+    children:
+    - name: kubevirt
+      alerts:
+        selectors:
+        - matchLabels:
+            kubernetes_operator_part_of: ["kubevirt"]
+        - matchLabels:
+            namespace: ["openshift-cnv"]
+      objects:
+      - group: kubevirt.io
+        resource: kubevirts

pkg/controllers/uiplugin/controller.go

@@ -106,6 +106,9 @@ const (
 //+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
 //+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
 //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create;update;patch;delete
+//+kubebuilder:rbac:groups=config.openshift.io,resources=clusteroperators,verbs=get;list
+//+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=machineconfigpools,verbs=get;list
+//+kubebuilder:rbac:groups=kubevirt.io,resources=kubevirts,verbs=get;list
 
 const finalizerName = "uiplugin.observability.openshift.io/finalizer"
 

pkg/controllers/uiplugin/health_analyzer.go

@@ -1,9 +1,12 @@
 package uiplugin
 
 import (
+	_ "embed"
+
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -15,6 +18,9 @@ const (
 	volumeMountName = name + "-tls"
 )
 
+//go:embed config/health-analyzer.yaml
+var componentHealthConfig string
+
 func newHealthAnalyzerPrometheusRole(namespace string) *rbacv1.Role {
 	role := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
@@ -94,7 +100,53 @@ func newHealthAnalyzerService(namespace string) *corev1.Service {
 	return service
 }
 
-func newHealthAnalyzerDeployment(namespace string, serviceAccountName string, pluginInfo UIPluginInfo) *appsv1.Deployment {
+func newHealthAnalyzerDeployment(namespace string,
+	serviceAccountName string,
+	image string,
+	healthAnalyzerEnabled bool) *appsv1.Deployment {
+	args := []string{
+		"serve",
+		"--tls-cert-file=/etc/tls/private/tls.crt",
+		"--tls-private-key-file=/etc/tls/private/tls.key",
+	}
+	volumes := []corev1.Volume{
+		{
+			Name: volumeMountName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: volumeMountName,
+				},
+			},
+		},
+	}
+
+	volumeMounts := []corev1.VolumeMount{
+		{
+			MountPath: "/etc/tls/private",
+			Name:      volumeMountName,
+			ReadOnly:  true,
+		},
+	}
+
+	if healthAnalyzerEnabled {
+		args = append(args, "--enable-components-health")
+		volumes = append(volumes, corev1.Volume{
+			Name: "components-health-config",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "components-config",
+					},
+				},
+			},
+		})
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "components-health-config",
+			MountPath: "/etc/config",
+			ReadOnly:  true,
+		})
+	}
+
 	deploy := &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: appsv1.SchemeGroupVersion.String(),
@@ -122,13 +174,9 @@ func newHealthAnalyzerDeployment(namespace string, serviceAccountName string, pl
 					Containers: []corev1.Container{
 						{
 							Name:            name,
-							Image:           pluginInfo.HealthAnalyzerImage,
+							Image:           image,
 							ImagePullPolicy: corev1.PullAlways,
-							Args: []string{
-								"serve",
-								"--tls-cert-file=/etc/tls/private/tls.crt",
-								"--tls-private-key-file=/etc/tls/private/tls.key",
-							},
+							Args:            args,
 							Env: []corev1.EnvVar{
 								{
 									Name:  "PROM_URL",
@@ -156,25 +204,10 @@ func newHealthAnalyzerDeployment(namespace string, serviceAccountName string, pl
 								},
 							},
 							TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									MountPath: "/etc/tls/private",
-									Name:      volumeMountName,
-									ReadOnly:  true,
-								},
-							},
-						},
-					},
-					Volumes: []corev1.Volume{
-						{
-							Name: volumeMountName,
-							VolumeSource: corev1.VolumeSource{
-								Secret: &corev1.SecretVolumeSource{
-									SecretName: volumeMountName,
-								},
-							},
+							VolumeMounts:             volumeMounts,
 						},
 					},
+					Volumes: volumes,
 				},
 			},
 		},
@@ -218,3 +251,24 @@ func newHealthAnalyzerServiceMonitor(namespace string) *monv1.ServiceMonitor {
 
 	return serviceMonitor
 }
+
+// newComponentHealthConfig creates a new ConfigMap
+// that defines the components whose health is evaluated.
+func newComponentHealthConfig(namespace string) *v1.ConfigMap {
+	cm := v1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: v1.SchemeGroupVersion.String(),
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      "components-config",
+			Labels:    componentLabels("monitoring"),
+		},
+		Data: map[string]string{
+			"components.yaml": componentHealthConfig,
+		},
+	}
+
+	return &cm
+}