// k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8
// config/prow/cluster/monitoring/mixins/prometheus/external_secret_alerts.libsonnet
//
// Mixin fragment: appends one alert group, 'external-secret-sync', to the
// hidden `prometheusAlerts` field. It contributes a single rule that fires
// when kubernetes-external-secrets reports non-successful sync calls.
// `$._config.kubernetesExternalSecretServiceAccount` is not defined here; it
// must be supplied by whatever object this fragment is merged into.

// Alert text. The `{{ ... }}` parts are left for Prometheus to fill from the
// series labels; the single `%s` is filled at Jsonnet evaluation time with
// the service account name. The text points the responder at the two Secret
// Manager roles the syncing identity needs on the backing secret.
// NOTE(review): the wording scopes the roles to the individual secret; keep
// the actual IAM bindings at that scope rather than project-wide - confirm
// against the cluster's IAM setup.
local failedSyncMessage = 'ExternalSecret {{ $labels.namespace }}/{{ $labels.name }} failed to be synced. does %s have `roles/secretmanager.viewer` and `roles/secretmanager.secretAccessor` permissions on the google secret manager secret used for this cluster secret?';

// Builds the sync-failure rule for the given service account name.
// Metric reference:
// https://github.com/external-secrets/kubernetes-external-secrets/blob/master/README.md#metrics
local failedSyncRule(serviceAccount) = {
  alert: 'Failed-syncing-external-secret',
  // Author's rationale: the servicemonitor scrapes kubernetes-external-secrets
  // every 30 seconds and the secret manager syncs every 10 seconds, so each
  // scrape interval should contain at least two sync runs and the threshold
  // is meant to report only consecutive failures.
  // `status!="success"` selects every series whose status is anything other
  // than "success", not one specific failure status.
  // NOTE(review): the range here is [1m], not the 30s scrape interval, and
  // increase() extrapolates to the edges of the range - confirm that a single
  // failed sync cannot push the value past 1.5.
  // NOTE(review): there is no `for:` clause, so the rule fires at severity
  // 'critical' as soon as the expression is true - confirm that is intended.
  expr: |||
    increase(kubernetes_external_secrets_sync_calls_count{job="kubernetes-external-secrets",status!="success"}[1m]) > 1.5
  |||,
  labels: {
    severity: 'critical',
  },
  annotations: {
    message: std.format(failedSyncMessage, serviceAccount),
  },
};

{
  prometheusAlerts+:: {
    groups+: [
      {
        name: 'external-secret-sync',
        rules: [
          failedSyncRule($._config.kubernetesExternalSecretServiceAccount),
        ],
      },
    ],
  },
}