health mode

Author: leandroberetta

api/flowcollector/v1beta2/flowcollector_alert_types.go

@@ -12,6 +12,7 @@ import (
 
 type AlertTemplate string
 type AlertGroupBy string
+type HealthMode string
 
 const (
 	AlertNoFlows                  AlertTemplate = "NetObservNoFlows"
@@ -28,6 +29,8 @@ const (
 	GroupByNode                   AlertGroupBy  = "Node"
 	GroupByNamespace              AlertGroupBy  = "Namespace"
 	GroupByWorkload               AlertGroupBy  = "Workload"
+	HealthModeAlerts              HealthMode    = "alerts"
+	HealthModeRecordingRules      HealthMode    = "recording-rules"
 )
 
 type FLPAlert struct {

api/flowcollector/v1beta2/flowcollector_types.go

@@ -590,6 +590,17 @@ type FLPMetrics struct {
 	// More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md
 	// +optional
 	Alerts *[]FLPAlert `json:"alerts"`
+
+	// `healthMode` defines how to expose network health information.
+	// Possible values are `alerts` (default) or `recording-rules`.
+	// - `alerts`: Generate Prometheus alerts that fire when thresholds are exceeded (current behavior).
+	// - `recording-rules`: Generate Prometheus recording rules that pre-compute health metrics for passive consumption.
+	// Recording rules avoid alert fatigue and are useful for dashboard-based health monitoring.
+	// This is currently an experimental feature behind a feature gate. To enable, edit `spec.processor.advanced.env` by adding `EXPERIMENTAL_ALERTS_HEALTH` set to `true`.
+	// +kubebuilder:validation:Enum:="alerts";"recording-rules"
+	// +kubebuilder:default:="alerts"
+	// +optional
+	HealthMode string `json:"healthMode,omitempty"`
 }
 
 type FLPLogTypes string

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -5427,6 +5427,19 @@ spec:
                           items:
                             type: string
                           type: array
+                        healthMode:
+                          default: alerts
+                          description: |-
+                            `healthMode` defines how to expose network health information.
+                            Possible values are `alerts` (default) or `recording-rules`.
+                            - `alerts`: Generate Prometheus alerts that fire when thresholds are exceeded (current behavior).
+                            - `recording-rules`: Generate Prometheus recording rules that pre-compute health metrics for passive consumption.
+                            Recording rules avoid alert fatigue and are useful for dashboard-based health monitoring.
+                            This is currently an experimental feature behind a feature gate. To enable, edit `spec.processor.advanced.env` by adding `EXPERIMENTAL_ALERTS_HEALTH` set to `true`.
+                          enum:
+                            - alerts
+                            - recording-rules
+                          type: string
                         includeList:
                           description: |-
                             `includeList` is a list of metric names to specify which ones to generate.

docs/FlowCollector.md

@@ -11485,6 +11485,21 @@ Possible values are: `NetObservNoFlows`, `NetObservLokiError`, `PacketDropsByKer
 More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>healthMode</b></td>
+        <td>enum</td>
+        <td>
+          `healthMode` defines how to expose network health information.
+Possible values are `alerts` (default) or `recording-rules`.
+- `alerts`: Generate Prometheus alerts that fire when thresholds are exceeded (current behavior).
+- `recording-rules`: Generate Prometheus recording rules that pre-compute health metrics for passive consumption.
+Recording rules avoid alert fatigue and are useful for dashboard-based health monitoring.
+This is currently an experimental feature behind a feature gate. To enable, edit `spec.processor.advanced.env` by adding `EXPERIMENTAL_ALERTS_HEALTH` set to `true`.<br/>
+          <br/>
+            <i>Enum</i>: alerts, recording-rules<br/>
+            <i>Default</i>: alerts<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>includeList</b></td>
         <td>[]enum</td>

internal/pkg/metrics/alerts/builder.go

@@ -33,8 +33,23 @@ type ruleBuilder struct {
 	duration          monitoringv1.Duration
 }
 
+// BuildRules is the main entry point that decides whether to build alerts or recording rules
+// based on the healthMode configuration
 func BuildRules(ctx context.Context, fc *flowslatest.FlowCollectorSpec) []monitoringv1.Rule {
 	log := log.FromContext(ctx)
+
+	if fc.Processor.Metrics.HealthMode == string(flowslatest.HealthModeRecordingRules) {
+		log.Info("Building recording rules for health monitoring")
+		return BuildRecordingRules(ctx, fc)
+	}
+
+	log.Info("Building alerts for health monitoring")
+	return BuildAlertRules(ctx, fc)
+}
+
+// BuildAlertRules builds Prometheus alert rules for health monitoring
+func BuildAlertRules(ctx context.Context, fc *flowslatest.FlowCollectorSpec) []monitoringv1.Rule {
+	log := log.FromContext(ctx)
 	rules := []monitoringv1.Rule{}
 
 	if fc.HasExperimentalAlertsHealth() {
@@ -66,6 +81,40 @@ func BuildRules(ctx context.Context, fc *flowslatest.FlowCollectorSpec) []monito
 	return rules
 }
 
+// BuildRecordingRules builds Prometheus recording rules for health monitoring
+func BuildRecordingRules(ctx context.Context, fc *flowslatest.FlowCollectorSpec) []monitoringv1.Rule {
+	log := log.FromContext(ctx)
+	rules := []monitoringv1.Rule{}
+
+	if fc.HasExperimentalAlertsHealth() {
+		alerts := fc.GetFLPAlerts()
+		metrics := fc.GetIncludeList()
+		for _, alert := range alerts {
+			if ok, _ := alert.IsAllowed(fc); !ok {
+				continue
+			}
+			for _, variant := range alert.Variants {
+				if r, err := convertToRecordingRules(alert.Template, &variant, metrics); err != nil {
+					log.Error(err, "unable to configure a recording rule")
+				} else if len(r) > 0 {
+					rules = append(rules, r...)
+				}
+			}
+		}
+	}
+
+	if !slices.Contains(fc.Processor.Metrics.DisableAlerts, flowslatest.AlertNoFlows) {
+		r := recordingNoFlows()
+		rules = append(rules, *r)
+	}
+	if !slices.Contains(fc.Processor.Metrics.DisableAlerts, flowslatest.AlertLokiError) {
+		r := recordingLokiError()
+		rules = append(rules, *r)
+	}
+
+	return rules
+}
+
 func convertToRules(template flowslatest.AlertTemplate, alert *flowslatest.AlertVariant, enabledMetrics []string) ([]monitoringv1.Rule, error) {
 	var rules []monitoringv1.Rule
 	var upperThreshold string

internal/pkg/metrics/alerts/recording.go

@@ -0,0 +1,257 @@
+package alerts
+
+import (
+	"fmt"
+	"strings"
+
+	flowslatest "github.com/netobserv/network-observability-operator/api/flowcollector/v1beta2"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// convertToRecordingRules converts alert configuration to recording rules
+func convertToRecordingRules(template flowslatest.AlertTemplate, alert *flowslatest.AlertVariant, enabledMetrics []string) ([]monitoringv1.Rule, error) {
+	var rules []monitoringv1.Rule
+	sides := []srcOrDst{asSource, asDest}
+	if alert.GroupBy == "" {
+		// No side for global group
+		sides = []srcOrDst{""}
+	}
+
+	// For recording rules, we create one rule per side (not per severity)
+	for _, side := range sides {
+		rb := ruleBuilder{
+			template:       template,
+			alert:          alert,
+			enabledMetrics: enabledMetrics,
+			side:           side,
+			duration:       monitoringv1.Duration("5m"),
+		}
+		if r, err := rb.convertToRecordingRule(); err != nil {
+			return nil, err
+		} else if r != nil {
+			rules = append(rules, *r)
+		}
+	}
+	return rules, nil
+}
+
+func (rb *ruleBuilder) convertToRecordingRule() (*monitoringv1.Rule, error) {
+	switch rb.template {
+	case flowslatest.AlertPacketDropsByKernel:
+		return rb.kernelDropsRecording()
+	case flowslatest.AlertIPsecErrors:
+		return rb.ipsecErrorsRecording()
+	case flowslatest.AlertDNSErrors:
+		return rb.dnsErrorsRecording()
+	case flowslatest.AlertNetpolDenied:
+		return rb.netpolDeniedRecording()
+	case flowslatest.AlertLatencyHighTrend:
+		return rb.latencyTrendRecording()
+	case flowslatest.AlertPacketDropsByDevice:
+		return rb.deviceDropsRecording()
+	case flowslatest.AlertExternalEgressHighTrend, flowslatest.AlertExternalIngressHighTrend, flowslatest.AlertCrossAZ:
+		// TODO: implement these
+		return nil, nil
+	case flowslatest.AlertLokiError, flowslatest.AlertNoFlows:
+		// These are handled separately in BuildRecordingRules
+		return nil, nil
+	}
+	return nil, fmt.Errorf("unknown recording rule template: %s", rb.template)
+}
+
+func (rb *ruleBuilder) buildRecordingRuleName() string {
+	// Format: netobserv:health:<template>:<groupby>:<side>:rate5m
+	// Example: netobserv:health:packet_drops_by_kernel:namespace:src:rate5m
+
+	templateLower := strings.ToLower(string(rb.template))
+	// Convert CamelCase to snake_case
+	templateSnake := camelToSnake(templateLower)
+
+	var parts []string
+	parts = append(parts, "netobserv", "health", templateSnake)
+
+	if rb.alert.GroupBy != "" {
+		parts = append(parts, strings.ToLower(string(rb.alert.GroupBy)))
+	}
+
+	if rb.side != "" {
+		parts = append(parts, strings.ToLower(string(rb.side)))
+	}
+
+	parts = append(parts, "rate5m")
+
+	return strings.Join(parts, ":")
+}
+
+func (rb *ruleBuilder) buildRecordingRuleLabels() map[string]string {
+	labels := map[string]string{
+		"netobserv":       "health",
+		"health_template": string(rb.template),
+	}
+
+	if rb.alert.GroupBy != "" {
+		labels["health_groupby"] = string(rb.alert.GroupBy)
+	}
+
+	if rb.side != "" {
+		labels["health_side"] = string(rb.side)
+	}
+
+	return labels
+}
+
+func (rb *ruleBuilder) kernelDropsRecording() (*monitoringv1.Rule, error) {
+	metric, totalMetric := rb.getMetricsForAlert()
+	filter := rb.buildLabelFilter("")
+	metricsRate := promQLRateFromMetric(metric, "", filter, "5m", "")
+	totalRate := promQLRateFromMetric(totalMetric, "", filter, "5m", "")
+	metricsSumBy := sumBy(metricsRate, rb.alert.GroupBy, rb.side, "")
+	totalSumBy := sumBy(totalRate, rb.alert.GroupBy, rb.side, "")
+
+	// Recording rule: compute the percentage without threshold comparison
+	promql := fmt.Sprintf("100 * (%s) / (%s)", metricsSumBy, totalSumBy)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func (rb *ruleBuilder) deviceDropsRecording() (*monitoringv1.Rule, error) {
+	// No "side" consideration on netdev metrics, so keep only 1 call from the two of them
+	if rb.side == asDest {
+		return nil, nil
+	}
+
+	var byLabels string
+	switch rb.alert.GroupBy {
+	case flowslatest.GroupByNode:
+		byLabels = " by (instance)"
+	case flowslatest.GroupByNamespace:
+		return nil, fmt.Errorf("PacketDropsByDevice recording rule does not support grouping per namespace")
+	case flowslatest.GroupByWorkload:
+		return nil, fmt.Errorf("PacketDropsByDevice recording rule does not support grouping per workload")
+	}
+
+	promql := fmt.Sprintf(
+		"100 * (sum(rate(node_network_receive_drop_total[5m]))%s + sum(rate(node_network_transmit_drop_total[5m]))%s) / (sum(rate(node_network_receive_packets_total[5m]))%s + sum(rate(node_network_transmit_packets_total[5m]))%s)",
+		byLabels, byLabels, byLabels, byLabels,
+	)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func (rb *ruleBuilder) ipsecErrorsRecording() (*monitoringv1.Rule, error) {
+	metric, totalMetric := rb.getMetricsForAlert()
+	filter := rb.buildLabelFilter("")
+	metricsRate := promQLRateFromMetric(metric, "", filter, "5m", "")
+	totalRate := promQLRateFromMetric(totalMetric, "", filter, "5m", "")
+	metricsSumBy := sumBy(metricsRate, rb.alert.GroupBy, rb.side, "")
+	totalSumBy := sumBy(totalRate, rb.alert.GroupBy, rb.side, "")
+	promql := fmt.Sprintf("100 * (%s) / (%s)", metricsSumBy, totalSumBy)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func (rb *ruleBuilder) dnsErrorsRecording() (*monitoringv1.Rule, error) {
+	// DNS errors are in return traffic only
+	if rb.side == asSource {
+		return nil, nil
+	}
+
+	metric, totalMetric := rb.getMetricsForAlert()
+	metricsFilter := rb.buildLabelFilter(`DnsFlagsResponseCode!="NoError"`)
+	totalFilter := rb.buildLabelFilter("")
+	metricsRate := promQLRateFromMetric(metric, "_count", metricsFilter, "5m", "")
+	totalRate := promQLRateFromMetric(totalMetric, "_count", totalFilter, "5m", "")
+	metricsSumBy := sumBy(metricsRate, rb.alert.GroupBy, rb.side, "")
+	totalSumBy := sumBy(totalRate, rb.alert.GroupBy, rb.side, "")
+	promql := fmt.Sprintf("100 * (%s) / (%s)", metricsSumBy, totalSumBy)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func (rb *ruleBuilder) netpolDeniedRecording() (*monitoringv1.Rule, error) {
+	metric, totalMetric := rb.getMetricsForAlert()
+	metricsFilter := rb.buildLabelFilter(`action="drop"`)
+	totalFilter := rb.buildLabelFilter("")
+	metricsRate := promQLRateFromMetric(metric, "", metricsFilter, "5m", "")
+	totalRate := promQLRateFromMetric(totalMetric, "", totalFilter, "5m", "")
+	metricsSumBy := sumBy(metricsRate, rb.alert.GroupBy, rb.side, "")
+	totalSumBy := sumBy(totalRate, rb.alert.GroupBy, rb.side, "")
+	promql := fmt.Sprintf("100 * (%s) / (%s)", metricsSumBy, totalSumBy)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func (rb *ruleBuilder) latencyTrendRecording() (*monitoringv1.Rule, error) {
+	offset, duration := rb.alert.GetTrendParams()
+
+	metric, baseline := rb.getMetricsForAlert()
+	filter := rb.buildLabelFilter("")
+	metricsRate := promQLRateFromMetric(metric, "_bucket", filter, "5m", "")
+	baselineRate := promQLRateFromMetric(baseline, "_bucket", filter, duration, " offset "+offset)
+	metricQuantile := histogramQuantile(metricsRate, rb.alert.GroupBy, rb.side, "0.9")
+	baselineQuantile := histogramQuantile(baselineRate, rb.alert.GroupBy, rb.side, "0.9")
+
+	// Recording rule: compute the percentage increase without threshold comparison
+	promql := fmt.Sprintf("100 * ((%s) - (%s)) / (%s)", metricQuantile, baselineQuantile, baselineQuantile)
+
+	return &monitoringv1.Rule{
+		Record: rb.buildRecordingRuleName(),
+		Expr:   intstr.FromString(promql),
+		Labels: rb.buildRecordingRuleLabels(),
+	}, nil
+}
+
+func recordingNoFlows() *monitoringv1.Rule {
+	return &monitoringv1.Rule{
+		Record: "netobserv:health:no_flows:rate1m",
+		Expr:   intstr.FromString("sum(rate(netobserv_ingest_flows_processed[1m]))"),
+		Labels: map[string]string{
+			"netobserv":       "health",
+			"health_template": "NetObservNoFlows",
+		},
+	}
+}
+
+func recordingLokiError() *monitoringv1.Rule {
+	return &monitoringv1.Rule{
+		Record: "netobserv:health:loki_errors:rate1m",
+		Expr:   intstr.FromString("sum(rate(netobserv_loki_dropped_entries_total[1m]))"),
+		Labels: map[string]string{
+			"netobserv":       "health",
+			"health_template": "NetObservLokiError",
+		},
+	}
+}
+
+// camelToSnake converts CamelCase to snake_case
+func camelToSnake(s string) string {
+	var result strings.Builder
+	for i, r := range s {
+		if i > 0 && r >= 'A' && r <= 'Z' {
+			result.WriteRune('_')
+		}
+		result.WriteRune(r)
+	}
+	return strings.ToLower(result.String())
+}