|
| 1 | +--- |
| 2 | +title: "OLM Performance Profiling Instrumentation" |
| 3 | +weight: 10 |
| 4 | +description: > |
| 5 | + The goal of this document is to familiarize you with the steps to enable and review OLM's performance profiling instrumentation. |
| 6 | +--- |
| 7 | + |
| 8 | +## Prerequisites |
| 9 | + |
| 10 | +- [go](https://golang.org/dl/) |
| 11 | + |
| 12 | +## Background |
| 13 | + |
| 14 | +OLM utilizes the [pprof package](https://golang.org/pkg/net/http/pprof/) from the standard go library to expose performance profiles for the OLM and Catalog Operator. |
| 15 | + |
| 16 | +Due to the sensitive nature of profiling data, the profiling endpoints will reject any clients that do not present a verifiable certificate. Both operators must be configured with a serving certificate and a client CA bundle in order to access the profiling endpoints. |
| 17 | + |
| 18 | +This document will dive into the steps to [enable olm performance profiling](#enabling-performance-profiling) and retrieving pprof data from each component. |
| 19 | + |
| 20 | +## Enabling Performance Profiling |
| 21 | + |
| 22 | +### Creating a Certificate |
| 23 | + |
| 24 | +A valid server certificate must be created for each component before the Performance Profiling functionality can be enabled. If you are unfamiliar with certificate generation, we recommend using the [OpenSSL](https://www.openssl.org/) tool-kit and refer to the [request certificate](https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html) documentation. |
| 25 | + |
| 26 | +Once you have generated a private and public key, this data should be stored in a `TLS Secret`: |
| 27 | + |
| 28 | +```bash |
| 29 | +$ export PRIVATE_KEY_FILENAME=private.key # Replace with the name of the file that contains the private key you generated. |
| 30 | +$ export PUBLIC_KEY_FILENAME=certificate.crt # Replace with the name of the file that contains the public key you generated. |
| 31 | + |
| 32 | +$ kubectl -n my-namespace create secret tls my-name --cert=$PUBLIC_KEY_FILENAME --key=$PRIVATE_KEY_FILENAME |
| 33 | +``` |
| 34 | + |
| 35 | +### Updating OLM to Use the TLS Secret |
| 36 | + |
| 37 | +Patch the OLM or Catalog Deployment's pod template to use the generated TLS secret: |
| 38 | + |
| 39 | +- Defining a volume and volumeMount |
| 40 | +- Adding the `client-ca`, `tls-key` and `tls-cert` arguments |
| 41 | +- Replacing all mentions of port `8080` with `8443` |
| 42 | +- Updating the `livenessProbe` and `readinessProbe` to use HTTPS as the scheme |
| 43 | + |
| 44 | +The steps to patch an existing OLM deployment can be seen below: |
| 45 | + |
| 46 | +```bash |
| 47 | +$ export TLS_SECRET=my-tls-secret |
| 48 | +$ export CERT_PATH=/var/run/secrets # Define where to mount the certs. |
| 49 | +# Set Deployment name to olm-operator or catalog-operator |
| 50 | +$ export DEPLOYMENT_NAME=olm-operator |
| 51 | + |
| 52 | +$ kubectl patch deployment $DEPLOYMENT_NAME -n olm --type json -p='[ |
| 53 | + # Mount the secret to the pod |
| 54 | + {"op": "add", "path": "/spec/template/spec/volumes", "value":[{"name": '$TLS_SECRET', "secret": {"secretName": '$TLS_SECRET'}}]}, |
| 55 | + {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts", "value":[{"name": '$TLS_SECRET', "mountPath": '$CERT_PATH'}]}, |
| 56 | + |
| 57 | + # Add startup arguments |
| 58 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--client-ca"}, |
| 59 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"}, |
| 60 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-key"}, |
| 61 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.key"}, |
| 62 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--tls-cert"}, |
| 63 | + {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"'$CERT_PATH'/tls.crt"}, |
| 64 | + |
| 65 | + # Replace port 8080 with 8443 |
| 66 | + {"op": "replace", "path": "/spec/template/spec/containers/0/ports/0", "value":{"containerPort": 8443}}, |
| 67 | + {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/port", "value":8443}, |
| 68 | + {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/port", "value":8443}, |
| 69 | +
|
| 70 | + # Update livenessProbe and readinessProbe to use HTTPS |
| 71 | + {"op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe/httpGet/scheme", "value":"HTTPS"}, |
| 72 | + {"op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe/httpGet/scheme", "value":"HTTPS"}, |
| 73 | +]' |
| 74 | +deployment.apps/olm-operator patched |
| 75 | + |
| 76 | +``` |
| 77 | + |
| 78 | +## Accessing PPROF Data |
| 79 | + |
| 80 | +You will need to be able to access OLM port, for dev purposes the following commands may prove useful: |
| 81 | + |
| 82 | +```bash |
| 83 | +# Set Deployment name to olm-operator or catalog-operator |
| 84 | +$ export DEPLOYMENT_NAME=olm-operator |
| 85 | +$ kubectl port-forward deployment/$DEPLOYMENT_NAME 8443:8443 -n olm |
| 86 | +``` |
| 87 | + |
| 88 | +You can then curl the OLM `/debug/pprof` endpoint to retrieve default pprof profiles like so: |
| 89 | + |
| 90 | +```bash |
| 91 | +$ curl https://localhost:8443/debug/pprof/heap --cert certificate.crt --key private.key --insecure -o olm-heap |
| 92 | + |
| 93 | +$ go tool pprof --top olm-heap |
| 94 | +``` |
| 95 | + |
| 96 | +Please review [the official pprof documentation](https://blog.golang.org/pprof) to learn more about pprof. |
0 commit comments