From 315bb666c33f5bb5f0a47b08eafee19bdccc277e Mon Sep 17 00:00:00 2001
From: Xiyue Yu
Date: Wed, 26 Nov 2025 09:19:25 -0800
Subject: [PATCH 1/5] refactor monitoring session
---
 .../templates/epp-monitoring.yaml | 103 ++++++++++++++++++
 .../charts/inferencepool/templates/gke.yaml | 103 ------------------
 config/charts/inferencepool/values.yaml | 4 -
 3 files changed, 103 insertions(+), 107 deletions(-)
 create mode 100644 config/charts/inferencepool/templates/epp-monitoring.yaml
diff --git a/config/charts/inferencepool/templates/epp-monitoring.yaml b/config/charts/inferencepool/templates/epp-monitoring.yaml
new file mode 100644
index 0000000000..631359026a
--- /dev/null
+++ b/config/charts/inferencepool/templates/epp-monitoring.yaml
@@ -0,0 +1,103 @@
+{{- if and .Values.inferenceExtension.monitoring.prometheus.enabled .Values.inferenceExtension.monitoring.prometheus.auth.enabled }}
+{{- $metricsReadSA := printf "%s-metrics-reader-sa" .Release.Name -}}
+{{- $metricsReadSecretName := printf "%s-metrics-reader-secret" .Release.Name -}}
+{{- $metricsReadRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}}
+{{- $metricsReadRoleBindingName := printf "%s-%s-metrics-reader-role-binding" .Release.Namespace .Release.Name -}}
+{{- $secretReadRoleName := printf "%s-metrics-reader-secret-read" .Release.Name -}}
+{{- $gmpNamespace := "gmp-system" -}}
+{{- $isAutopilot := false -}}
+{{- with .Values.provider.gke }}
+ {{- $isAutopilot = .autopilot | default false -}}
+{{- end }}
+{{- if $isAutopilot -}}
+{{- $gmpNamespace = "gke-gmp-system" -}}
+{{- end -}}
+{{- $gmpCollectorRoleBindingName := printf "%s:collector:%s-%s-metrics-reader-secret-read" $gmpNamespace .Release.Namespace .Release.Name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $metricsReadSA }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $metricsReadSecretName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway-api-inference-extension.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/service-account.name: {{ $metricsReadSA }}
+type: kubernetes.io/service-account-token
+---
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway-api-inference-extension.labels" . | nindent 4 }}
+spec:
+ endpoints:
+ - port: metrics
+ scheme: http
+ interval: {{ .Values.inferenceExtension.monitoring.interval }}
+ path: /metrics
+ authorization:
+ type: Bearer
+ credentials:
+ secret:
+ name: {{ $metricsReadSecretName }}
+ key: token
+ selector:
+ matchLabels:
+ {{- include "gateway-api-inference-extension.selectorLabels" . | nindent 8 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $metricsReadRoleName }}
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $metricsReadRoleBindingName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $metricsReadSA }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $metricsReadRoleName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $secretReadRoleName }}
+rules:
+ - resources:
+ - secrets
+ apiGroups: [""]
+ verbs: ["get", "list", "watch"]
+ resourceNames: [{{ $metricsReadSecretName | quote }}]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gmpCollectorRoleBindingName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ name: {{ $secretReadRoleName }}
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - name: collector
+ namespace: {{ $gmpNamespace }}
+ kind: ServiceAccount
+{{- end }}
\ No newline at end of file
diff --git a/config/charts/inferencepool/templates/gke.yaml b/config/charts/inferencepool/templates/gke.yaml
index a2d8bbc873..48c0cef9ce 100644
--- a/config/charts/inferencepool/templates/gke.yaml
+++ b/config/charts/inferencepool/templates/gke.yaml
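Review bot: The PodMonitoring endpoint pairs `scheme: http` with bearer `authorization`, so the token from the `kubernetes.io/service-account-token` Secret, a non-expiring credential, crosses the pod network in cleartext on every scrape. The ClusterRole bound to that ServiceAccount allows `get` on the `/metrics` non-resource URL cluster-wide, so a captured token would presumably be accepted by any other endpoint that delegates `/metrics` authorization to the API server, not only by this release. If the metrics listener can serve TLS, `scheme: https` would close this; otherwise a comment above the Secret such as `# non-expiring SA token; sent in cleartext to the metrics port, authorizes GET /metrics only` would record the trade-off. The same block is re-added to gke.yaml in PATCH 3/5, where the point applies unchanged.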
@@ -40,107 +40,4 @@ spec: logging: enabled: true # log all requests by default --- -{{- if or .Values.inferenceExtension.monitoring.gke.enabled (and .Values.inferenceExtension.monitoring.prometheus.enabled .Values.inferenceExtension.monitoring.prometheus.auth.enabled) }} -{{- $metricsReadSA := printf "%s-metrics-reader-sa" .Release.Name -}} -{{- $metricsReadSecretName := printf "%s-metrics-reader-secret" .Release.Name -}} -{{- $metricsReadRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}} -{{- $metricsReadRoleBindingName := printf "%s-%s-metrics-reader-role-binding" .Release.Namespace .Release.Name -}} -{{- $secretReadRoleName := printf "%s-metrics-reader-secret-read" .Release.Name -}} -{{- $gmpNamespace := "gmp-system" -}} -{{- $isAutopilot := false -}} -{{- with .Values.provider.gke }} - {{- $isAutopilot = .autopilot | default false -}} -{{- end }} -{{- if $isAutopilot -}} -{{- $gmpNamespace = "gke-gmp-system" -}} -{{- end -}} -{{- $gmpCollectorRoleBindingName := printf "%s:collector:%s-%s-metrics-reader-secret-read" $gmpNamespace .Release.Namespace .Release.Name -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $metricsReadSA }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $metricsReadSecretName }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway-api-inference-extension.labels" . | nindent 4 }} - annotations: - kubernetes.io/service-account.name: {{ $metricsReadSA }} -type: kubernetes.io/service-account-token ---- -apiVersion: monitoring.googleapis.com/v1 -kind: PodMonitoring -metadata: - name: {{ .Release.Name }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway-api-inference-extension.labels" . 
| nindent 4 }} -spec: - endpoints: - - port: metrics - scheme: http - interval: {{ .Values.inferenceExtension.monitoring.interval }} - path: /metrics - authorization: - type: Bearer - credentials: - secret: - name: {{ $metricsReadSecretName }} - key: token - selector: - matchLabels: - {{- include "gateway-api-inference-extension.selectorLabels" . | nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $metricsReadRoleName }} -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $metricsReadRoleBindingName }} -subjects: -- kind: ServiceAccount - name: {{ $metricsReadSA }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ $metricsReadRoleName }} - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $secretReadRoleName }} -rules: -- resources: - - secrets - apiGroups: [""] - verbs: ["get", "list", "watch"] - resourceNames: [{{ $metricsReadSecretName | quote }}] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gmpCollectorRoleBindingName }} - namespace: {{ .Release.Namespace }} -roleRef: - name: {{ $secretReadRoleName }} - kind: Role - apiGroup: rbac.authorization.k8s.io -subjects: -- name: collector - namespace: {{ $gmpNamespace }} - kind: ServiceAccount -{{- end }} {{- end }} diff --git a/config/charts/inferencepool/values.yaml b/config/charts/inferencepool/values.yaml index aba6bbfdae..518fb7b880 100644 --- a/config/charts/inferencepool/values.yaml +++ b/config/charts/inferencepool/values.yaml 
@@ -60,10 +60,6 @@ inferenceExtension: secretName: inference-gateway-sa-metrics-reader-secret # additional labels for the ServiceMonitor extraLabels: {} - - # DEPRECATED: The 'gke' configuration will be removed in the next release. - gke: - enabled: false tracing: enabled: false otelExporterEndpoint: "http://localhost:4317" From 67a1f4041b4b4045b4cb71b9dcbc60e000fb3f7c Mon Sep 17 00:00:00 2001 From: Xiyue Yu Date: Wed, 26 Nov 2025 09:23:25 -0800 Subject: [PATCH 2/5] changed format --- config/charts/inferencepool/templates/epp-monitoring.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/charts/inferencepool/templates/epp-monitoring.yaml b/config/charts/inferencepool/templates/epp-monitoring.yaml index 631359026a..022ae9b9fa 100644 --- a/config/charts/inferencepool/templates/epp-monitoring.yaml +++ b/config/charts/inferencepool/templates/epp-monitoring.yaml @@ -100,4 +100,4 @@ subjects: - name: collector namespace: {{ $gmpNamespace }} kind: ServiceAccount -{{- end }} \ No newline at end of file +{{- end }} From ce3f246639e6372cb96614c16216c231d274c320 Mon Sep 17 00:00:00 2001 From: Xiyue Yu Date: Thu, 11 Dec 2025 12:54:34 -0800 Subject: [PATCH 3/5] changed it back to gke only monitoring --- .../templates/epp-monitoring.yaml | 103 ------------------ .../charts/inferencepool/templates/gke.yaml | 101 +++++++++++++++++ 2 files changed, 101 insertions(+), 103 deletions(-) delete mode 100644 config/charts/inferencepool/templates/epp-monitoring.yaml diff --git a/config/charts/inferencepool/templates/epp-monitoring.yaml b/config/charts/inferencepool/templates/epp-monitoring.yaml deleted file mode 100644 index 022ae9b9fa..0000000000 --- a/config/charts/inferencepool/templates/epp-monitoring.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -{{- if and .Values.inferenceExtension.monitoring.prometheus.enabled .Values.inferenceExtension.monitoring.prometheus.auth.enabled }} -{{- $metricsReadSA := printf "%s-metrics-reader-sa" .Release.Name -}} -{{- $metricsReadSecretName := printf "%s-metrics-reader-secret" .Release.Name -}} -{{- $metricsReadRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}} -{{- $metricsReadRoleBindingName := printf "%s-%s-metrics-reader-role-binding" .Release.Namespace .Release.Name -}} -{{- $secretReadRoleName := printf "%s-metrics-reader-secret-read" .Release.Name -}} -{{- $gmpNamespace := "gmp-system" -}} -{{- $isAutopilot := false -}} -{{- with .Values.provider.gke }} - {{- $isAutopilot = .autopilot | default false -}} -{{- end }} -{{- if $isAutopilot -}} -{{- $gmpNamespace = "gke-gmp-system" -}} -{{- end -}} -{{- $gmpCollectorRoleBindingName := printf "%s:collector:%s-%s-metrics-reader-secret-read" $gmpNamespace .Release.Namespace .Release.Name -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $metricsReadSA }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $metricsReadSecretName }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway-api-inference-extension.labels" . | nindent 4 }} - annotations: - kubernetes.io/service-account.name: {{ $metricsReadSA }} -type: kubernetes.io/service-account-token ---- -apiVersion: monitoring.googleapis.com/v1 -kind: PodMonitoring -metadata: - name: {{ .Release.Name }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway-api-inference-extension.labels" . | nindent 4 }} -spec: - endpoints: - - port: metrics - scheme: http - interval: {{ .Values.inferenceExtension.monitoring.interval }} - path: /metrics - authorization: - type: Bearer - credentials: - secret: - name: {{ $metricsReadSecretName }} - key: token - selector: - matchLabels: - {{- include "gateway-api-inference-extension.selectorLabels" . 
| nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $metricsReadRoleName }} -rules: - - nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $metricsReadRoleBindingName }} -subjects: - - kind: ServiceAccount - name: {{ $metricsReadSA }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ $metricsReadRoleName }} - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $secretReadRoleName }} -rules: - - resources: - - secrets - apiGroups: [""] - verbs: ["get", "list", "watch"] - resourceNames: [{{ $metricsReadSecretName | quote }}] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gmpCollectorRoleBindingName }} - namespace: {{ .Release.Namespace }} -roleRef: - name: {{ $secretReadRoleName }} - kind: Role - apiGroup: rbac.authorization.k8s.io -subjects: - - name: collector - namespace: {{ $gmpNamespace }} - kind: ServiceAccount -{{- end }} diff --git a/config/charts/inferencepool/templates/gke.yaml b/config/charts/inferencepool/templates/gke.yaml index 48c0cef9ce..5c8caf879c 100644 --- a/config/charts/inferencepool/templates/gke.yaml +++ b/config/charts/inferencepool/templates/gke.yaml 
@@ -40,4 +40,105 @@ spec:
 logging:
 enabled: true # log all requests by default
 ---
+{{- $metricsReadSA := printf "%s-metrics-reader-sa" .Release.Name -}}
+{{- $metricsReadSecretName := printf "%s-metrics-reader-secret" .Release.Name -}}
+{{- $metricsReadRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}}
+{{- $metricsReadRoleBindingName := printf "%s-%s-metrics-reader-role-binding" .Release.Namespace .Release.Name -}}
+{{- $secretReadRoleName := printf "%s-metrics-reader-secret-read" .Release.Name -}}
+{{- $gmpNamespace := "gmp-system" -}}
+{{- $isAutopilot := false -}}
+{{- with .Values.provider.gke }}
+ {{- $isAutopilot = .autopilot | default false -}}
+{{- if $isAutopilot -}}
+{{- $gmpNamespace = "gke-gmp-system" -}}
+{{- end -}}
+{{- $gmpCollectorRoleBindingName := printf "%s:collector:%s-%s-metrics-reader-secret-read" $gmpNamespace .Release.Namespace .Release.Name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $metricsReadSA }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $metricsReadSecretName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway-api-inference-extension.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/service-account.name: {{ $metricsReadSA }}
+type: kubernetes.io/service-account-token
+---
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway-api-inference-extension.labels" . | nindent 4 }}
+spec:
+ endpoints:
+ - port: metrics
+ scheme: http
+ interval: {{ .Values.inferenceExtension.monitoring.interval }}
+ path: /metrics
+ authorization:
+ type: Bearer
+ credentials:
+ secret:
+ name: {{ $metricsReadSecretName }}
+ key: token
+ selector:
+ matchLabels:
+ {{- include "gateway-api-inference-extension.selectorLabels" . | nindent 8 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $metricsReadRoleName }}
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $metricsReadRoleBindingName }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $metricsReadSA }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $metricsReadRoleName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $secretReadRoleName }}
+rules:
+- resources:
+ - secrets
+ apiGroups: [""]
+ verbs: ["get", "list", "watch"]
+ resourceNames: [{{ $metricsReadSecretName | quote }}]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gmpCollectorRoleBindingName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ name: {{ $secretReadRoleName }}
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- name: collector
+ namespace: {{ $gmpNamespace }}
+ kind: ServiceAccount
+{{- end }}
 {{- end }}
From 153253314dcb2ab3faae0a1733225c8b0871b7b9 Mon Sep 17 00:00:00 2001
From: Xiyue Yu
Date: Thu, 11 Dec 2025 13:57:34 -0800
Subject: [PATCH 4/5] fixed pipeline
---
 config/charts/inferencepool/templates/gke.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/charts/inferencepool/templates/gke.yaml b/config/charts/inferencepool/templates/gke.yaml
index 5c8caf879c..0349a6ce97 100644
--- a/config/charts/inferencepool/templates/gke.yaml
+++ b/config/charts/inferencepool/templates/gke.yaml
@@ -49,6 +49,7 @@ spec:
 {{- $isAutopilot := false -}}
 {{- with .Values.provider.gke }}
 {{- $isAutopilot = .autopilot | default false -}}
+{{- end }}
 {{- if $isAutopilot -}}
 {{- $gmpNamespace = "gke-gmp-system" -}}
 {{- end -}}
@@ -141,4 +142,3 @@ subjects:
 namespace: {{ $gmpNamespace }}
 kind: ServiceAccount
 {{- end }}
-{{- end }}
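Review bot: The `Role` named `{{ $secretReadRoleName }}` is the only namespaced object in this block whose `metadata` carries no `namespace`, while the Secret it covers and the RoleBinding that references it both pin `{{ .Release.Namespace }}`. Under `helm install` the Role falls back to the release namespace, but `helm template` output applied under a different kubectl namespace would place it elsewhere and leave the collector's binding pointing at a Role that does not exist there. Adding `namespace: {{ .Release.Namespace }}` under the Role's `metadata` makes the three objects agree. The epp-monitoring.yaml version added in PATCH 1/5 has the same gap.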
From 13d0ddd205ca5e87aebbd7873c34c58dd3fcc842 Mon Sep 17 00:00:00 2001
From: Xiyue Yu
Date: Thu, 11 Dec 2025 14:00:09 -0800
Subject: [PATCH 5/5] updated monitoring
---
 config/charts/inferencepool/templates/gke.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/charts/inferencepool/templates/gke.yaml b/config/charts/inferencepool/templates/gke.yaml
index 0349a6ce97..2ee2e13fc9 100644
--- a/config/charts/inferencepool/templates/gke.yaml
+++ b/config/charts/inferencepool/templates/gke.yaml
@@ -40,6 +40,7 @@ spec:
 logging:
 enabled: true # log all requests by default
 ---
+{{- if and .Values.inferenceExtension.monitoring.prometheus.enabled .Values.inferenceExtension.monitoring.prometheus.auth.enabled }}
 {{- $metricsReadSA := printf "%s-metrics-reader-sa" .Release.Name -}}
 {{- $metricsReadSecretName := printf "%s-metrics-reader-secret" .Release.Name -}}
 {{- $metricsReadRoleName := printf "%s-%s-metrics-reader" .Release.Namespace .Release.Name -}}
@@ -142,3 +143,4 @@ subjects:
 namespace: {{ $gmpNamespace }}
 kind: ServiceAccount
 {{- end }}
+{{- end }}
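Review bot: The guard added in the first hunk wraps the entire block, PodMonitoring included, in both `prometheus.enabled` and `prometheus.auth.enabled`, so with auth switched off nothing here renders and the collector has no scrape target for this release. If that coupling is intended, a template comment above the `if` would make it explicit, for example `{{- /* GMP scrape config and its token RBAC; rendered only when Prometheus monitoring and metrics auth are both enabled */ -}}`. If scraping is meant to continue without auth, the PodMonitoring needs its own condition and only the token objects and the `authorization` stanza belong under the auth flag. The enclosing condition that the trailing `{{- end }}` context line closes starts outside both hunks, so the provider scoping cannot be confirmed from here.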