Skip to content

SEP for observability integration (monitoring controller)#2028

Open
mayleighnmyers wants to merge 1 commit into
istio-ecosystem:mainfrom
mayleighnmyers:enhancements/sep3-observability
Open

SEP for observability integration (monitoring controller)#2028
mayleighnmyers wants to merge 1 commit into
istio-ecosystem:mainfrom
mayleighnmyers:enhancements/sep3-observability

Conversation

@mayleighnmyers

Copy link
Copy Markdown

What type of PR is this?

  • [ X] Enhancement / New Feature
  • Bug Fix
  • Refactor
  • Optimization
  • Test
  • Documentation Update

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Related Issue/PR #
#1959

Additional information:

Signed-off-by: Mayleigh Tjapkes <mamyers@redhat.com>
@mayleighnmyers mayleighnmyers requested a review from a team as a code owner June 24, 2026 16:40
@istio-testing

Copy link
Copy Markdown
Collaborator

Hi @mayleighnmyers. Thanks for your PR.

I'm waiting for a istio-ecosystem or istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@fjglira

fjglira commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

/ok-to-test

- [x] Unit tests for controller and relabeling package
- [ ] External CRD/API group detection (`monitoring.coreos.com` vs `monitoring.rhobs`)
- [ ] Kubernetes PodMonitor strategy using `namespaceSelector.any: true`
- [ ] Validation when monitoring CRDs are unavailable

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add to this document design details for this? From my pov this can be discussed here to set a base. I think we can set a Condition field with Type: MonitoringAvailable, Status: False, Reason: MissingCRDs, Message: "Prometheus Operator CRDs not found" something like this will be very helpfull

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @fjglira , yes, I am working on this validation change and having a draft change.
ok, we can add status condition update in the Istio custom resources. I will update this detail in SEP later today.


We assume `ServiceMonitor` and `PodMonitor` CRDs are available under `monitoring.coreos.com/v1` and/or `monitoring.rhobs/v1` group. The Sail Operator ClusterRole grants permissions for both API groups' `ServiceMonitor` and `PodMonitor` custom resources.

A monitoring controller watches `IstioRevision` resources and reconciles `ServiceMonitor` and `PodMonitor` CRs when the boolean field `spec.monitoring.enabled` is set to `true` in the parent `Istio` CR. It also watches namespaces with the `istio-injection=enabled` label and reconciles `PodMonitor` CRs for Istio sidecar injection namespaces.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means it will only reconcile the resource for namespaces with stio-injection=enabled`? What about the revision labels used?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mayleighnmyers , here is a doc about injection label:
https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy

Currently, we only have the istio-injection label watch. There is another label we want to watch. istio.io/rev
when the istio.io/rev label has a value , it is same as the istio-injection=enabled.

I can update the SEP part, would you like to add that additional istio.io/rev label watch in the monitoring controller code ? thanks.

Comment on lines +15 to +16
* Provide a monitoring controller that reconciles `ServiceMonitor` and `PodMonitor` resources for Istio control plane and sidecar proxy metrics.
* Apply platform-appropriate default relabeling rules on Kubernetes and OpenShift.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ambient is out of scope?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it is out of scope, we should mention this; if not, we need to plan how metrics are gathered from node level ztunnel components and namespace level waypoint proxies

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, ambient is out of scope in this SEP. We want to keep changes smaller in each SEP. We can have the next SEP for ambient mode metrics.

## Non-goals

* Deploying observability stack components (Prometheus, OpenShift Cluster Observability Operator, OpenShift User-Workload Monitoring, etc.). We assume those are installed separately.
* Updating `ServiceMonitor` and `PodMonitor` for user customization of scraping paths, ports, or relabeling rules via the Sail Operator API.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to explicitly mention this in the docs:
If users require custom relabeling or scraping configs, they must leave spec.monitoring.enabled: false, and deploy their own independent PodMonitors.


A broader Observability Integration API with target references to a monitoring and tracing stacks is being discussed in the initial PR comments. We plan to design and implement the monitoring controller and broader Integration API controller separately. This enhancement proposal is focused on the monitoring controller with API change in the `Istio` Custom Resource. We will work toward a broader Integration API design and implementation in next phase.

### Architecture

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How will deletion be handled? I think it worth to mention how we plan to hanlde the deletion of the resources

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a concern from existing environments where users have configured their custom ServiceMonitor or PodMontior resources manually. They expect those existing resources should not be deleted from Sail Operator.
We will add a paragraph about deletion in SEP. Thanks.

@fjglira fjglira requested a review from dgn June 29, 2026 11:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants