Kubernetes operator for executing synthetic tests
- Introduction
- Features
- Comparisons
- Quick Start
- Check Types
- DNS - Query a DNS server
- Containerd Pull - Pull an image using containerd
- Docker Pull - Pull an image using docker
- Docker Push - Create and push a docker image
- HTTP - Query an HTTP endpoint or namespace
- Helm - Build and push a helm chart
- ICMP - Ping a destination and check for packet loss
- LDAP - Query a ldap(s) server
- Namespace - Create a new kubernetes namespace and pod
- Pod - Create a new pod and verify reachability
- Postgres - Query a Postgresql DB using SQL
- Mssql - Query a Mssql DB using SQL
- Elasticsearch - Query an Elasticsearch DB
- Redis - Execute ping against redis instance
- S3 - Verify reachability and correctness of an S3 compatible store
- Folder Check
- Restic - Query the contents of a Restic repository for backup freshness and integrity
- Jmeter - Run the supplied JMX test plan against the specified host
- SSL - Verify the expiry date of a SSL cert
- Exec - Execute commands or script on the host
- TCP
- Junit
- Display Types
- Guide for Developers
Canary Checker is a Kubernetes native multi-tenant synthetic monitoring system. To learn more, please see the official documentation.
- Built-in UI/Dashboard with multi-cluster aggregation
- CRD based configuration and status reporting
- Prometheus Integration
- Runnable as a CLI for once-off checks or as a standalone server outside kubernetes
- Many built-in check types
| App | Comparison |
|---|---|
| Prometheus | canary-checker is not a replacement for prometheus, rather a companion. While prometheus provides persistent time series storage, canary-checker only has a small in-memory cache of recent checks. Canary-checker also exposes metrics via /metrics that are scraped by prometheus. |
| Grafana | The built-in UI provides a mechanism to display check results across 1 or more instances without a dependency on grafana/prometheus running. The UI will also display long-term graphs of check results by quering prometheus. |
| Kuberhealthy | Very similar goals, but Kuberhealthy relies on external containers to implement checks and does not provide a UI or multi-cluster/instance aggregation. |
| Cloudprober | Very similar goals, but Cloudprober is designed for very high scale, not multi-tenancy. Only has ICMP,DNS,HTTP,UDP built-in checks. |
Before installing the Canary Checker, please ensure you have the prerequisites installed on your Kubernetes cluster.
# install the operator
kubectl apply -f https://github.com/flanksource/canary-checker/releases/download/v0.38.154/release.yaml
# deploy a sample canary
kubectl apply -f https://raw.githubusercontent.com/flanksource/canary-checker/master/fixtures-crd/http_pass.yaml
# check the results of the canary
kubectl get canarysample output
NAMESPACE NAME INTERVAL STATUS MESSAGE UPTIME 1H LATENCY 1H LAST TRANSITIONED LAST CHECK
platform-system dns 30 Passed 0/2 (0%) 6s
platform-system lan 30 Passed 12/12 (100%) 1033 139m 6s
platform-system ldap 30 Passed 5/5 (100%) 323 1s
platform-system pod 120 Passed 1/2 (50%) 10904 45m 24s
platform-system s3 30 Passed 5/5 (100%) 1091 5m35s 5s
http_pass.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-pass
spec:
interval: 30
http:
- endpoint: https://httpstat.us/200
thresholdMillis: 3000
responseCodes: [201, 200, 301]
responseContent: ""
maxSSLExpiry: 7dns:
- server: 8.8.8.8
port: 53
query: "flanksource.com"
querytype: "A"
minrecords: 1
exactreply: ["34.65.228.161"]
timeout: 10| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| server | Address of DNS server to query | string | Yes |
| port | Port to query DNS server on | int | Yes |
| query | Domain name to lookup | string | |
| querytype | Record type to query | string | Yes |
| minrecords | Minimum records | int | |
| exactreply | Expected exact match result(s) | []string | |
| timeout | Maximum timeout for DNS query | int | Yes |
| thresholdMillis | Threshold response time from DNS server | int | Yes |
This check will try to pull a Docker image from specified registry using containerd and then verify its checksum and size.
containerdPull:
- image: docker.io/library/busybox:1.31.1
username:
password:
expectedDigest: 6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
expectedSize: 1219782| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| image | Full path to image, including registry | string | Yes |
| auth | Username and password value, configMapKeyRef or SecretKeyRef for registry | Object | No |
| expectedDigest | Expected digest of the pulled image | string | Yes |
| expectedSize | Expected size of the pulled image | int64 | Yes |
This check will try to pull a Docker image from specified registry, verify it's checksum and size.
docker:
- image: docker.io/library/busybox:1.31.1
auth:
username:
value: some-user
password:
value: some-password
expectedDigest: 6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
expectedSize: 1219782| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| image | Full path to image, including registry | string | Yes |
| auth | Username and password value, configMapKeyRef or SecretKeyRef for registry | Object | No |
| expectedDigest | Expected digest of the pulled image | string | Yes |
| expectedSize | Expected size of the pulled image | int64 | Yes |
http:
- endpoint: https://httpstat.us/200
thresholdMillis: 3000
responseCodes: [201,200,301]
responseContent: ""
maxSSLExpiry: 60
displayTemplate: 'Response Code: [[.code]] Content: [[.content]]; Headers: [[.headers]]'
- endpoint: https://httpstat.us/500
thresholdMillis: 3000
responseCodes: [500]
responseContent: ""
maxSSLExpiry: 60
- endpoint: https://httpstat.us/500
thresholdMillis: 3000
responseCodes: [302]
responseContent: ""
maxSSLExpiry: 60
- namespace: k8s-https-namespace
thresholdMillis: 3000
responseCodes: [200]
responseContent: ""
maxSSLExpiry: 60
displayTemplate: 'Response Code: [[.code]]'
- headers:
- name: headerkey1
value: headervalue1
- name: headerkey2
valueFrom:
configMapRef:
key: headervalue2
name: header-configmap
responseJSONContent:
path: "$.headerkey1[0]"
value: headervalue1
endpoint: http://podinfo.127.0.0.1.nip.io/headers
responseCodes:
- 200
- method: POST
body: bodycontent
responseContent: bodycontent
endpoint: http://podinfo.127.0.0.1.nip.io/echo
displayTemplate: 'Response Code: [[.code]] Content: [[.content]]; Headers: [[.headers]]'
responseCodes:
- 202
- authentication:
username:
value: user
password:
valueFrom:
secretKeyRef:
name: authentication-secret
key: password
responsecodes:
- 202
endpoint: https://testloginserver.127.0.0.1.nip.io/login| Field | Description | Scheme | Required |
|---|---|---|---|
| description | string | Yes | |
| endpoint | HTTP endpoint to monitor | string | Yes * |
| namespace | kubernetes namespace to monitor | string | Yes * |
| thresholdMillis | maximum duration in milliseconds for the HTTP request. It will fail the check if it takes longer. | int | Yes |
| responseCodes | expected response codes for the HTTP Request. | []int | Yes |
| responseContent | exact response content expected to be returned by the endpoint. | string | Yes |
| responseJSONContent | path and value to parse json responses. path is a jsonpath string, value is the expected content at that path |
JSONCheck | |
| maxSSLExpiry | maximum number of days until the SSL Certificate expires. | int | Yes |
| method | specify GET (default) or POST method for HTTP call | string | |
| body | body of HTTP method | string | |
| headers | array of key-value pairs to be passed as headers to the HTTP method. Specified in the same manner as pod environment variables but without the support for pod spec references | []kommons.EnvVar | |
| authentication | username and password value, both of which are specified as []kommons.EnvVar, to be passed as authentication headers |
*Authentication | |
| ntlm | if true, will change authentication protocol | bool | |
| displayTemplate | template to display server response in text (overrides default bar format for UI) | string | No |
* One of either endpoint or namespace must be specified, but not both. Specify a namespace of "*" to crawl all namespaces.
The fields for displayTemplate (see Display Types) are :
.code: response code from the http server.headers: response headers.content: content from the http request
This test will check ICMP packet loss and duration.
icmp:
- endpoints:
- https://google.com
- https://yahoo.com
thresholdMillis: 400
packetLossThreshold: 50
packetCount: 2| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| endpoint | Address to query using ICMP | string | Yes |
| thresholdMillis | Expected response time threshold in ms | int64 | Yes |
| packetLossThreshold | Percent of total packets that are allowed to be lost | int64 | Yes |
| packetCount | Total number of packets to send per check | int | Yes |
The LDAP check will:
- bind using provided user/password to the ldap host. Supports ldap/ldaps protocols.
- search an object type in the provided bind DN.s
ldap:
- host: ldap://127.0.0.1:10389
auth:
username:
value: uid=admin,ou=system
password:
value: secret
bindDN: ou=users,dc=example,dc=com
userSearch: "(&(objectClass=organizationalPerson))"
- host: ldap://127.0.0.1:10389
auth:
username:
value: uid=admin,ou=system
password:
value: secret
bindDN: ou=groups,dc=example,dc=com
userSearch: "(&(objectClass=groupOfNames))"| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| host | URL of LDAP server to be qeuried | string | Yes |
| auth | username and password value, configMapKeyRef or SecretKeyRef for LDAP server | Object | Yes |
| bindDN | BindDN to use in query | string | Yes |
| userSearch | UserSearch to use in query | string | Yes |
| skipTLSVerify | Skip check of LDAP server TLS certificates | bool | Yes |
The namespace check will:
- Create a new namespace using the labels/annotations provided
- Create a new pod in the namespace using the provided PodSpec
- Expose the pod using the provided ingress URL
- Test an HTTP connection to the pod
namespace:
- namePrefix: "test-name-prefix-"
labels:
team: test
annotations:
"foo.baz.com/foo": "bar"| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| namespaceNamePrefix | Prefix string to identity namespace | string | Yes |
| namespaceLabels | Metadata labels to apply to created namespace | map[string]string | Yes |
| namespaceAnnotations | Metadata annotations to apply to created namespace | map[string]string | Yes |
| podSpec | Spec of pod to be created in check namespace | string | Yes |
| scheduleTimeout | Maximum time between pod created and pod running | int64 | Yes |
| readyTimeout | int64 | Yes | |
| httpTimeout | Maximum time to wait for an HTTP connection to the created pod | int64 | Yes |
| deleteTimeout | int64 | Yes | |
| ingressTimeout | Maximum time to create an ingress connected to the pod | int64 | Yes |
| httpRetryInterval | Interval in ms to retry HTTP connections to the created pod | int64 | Yes |
| deadline | Overall time before which an HTTP connection to the pod must be established | int64 | Yes |
| port | Port on which the created pod will serve traffic | int64 | Yes |
| path | Path on whcih the created pod will respond to requests | string | Yes |
| ingressName | Name to use for the ingress object that will expose the created pod | string | Yes |
| ingressHost | URL to be used by the ingress to expose the created pod | string | Yes |
| expectedContent | Expected content of an HTTP response from the created pod | string | Yes |
| expectedHttpStatuses | Expected HTTP status code of the response from the created pod | []int64 | Yes |
| priorityClass | Pod priority class | string | Yes |
pod:
- name: golang
namespace: default
spec: |
apiVersion: v1
kind: Pod
metadata:
name: hello-world-golang
namespace: default
labels:
app: hello-world-golang
spec:
containers:
- name: hello
image: quay.io/toni0/hello-webserver-golang:latest
port: 8080
path: /foo/bar
ingressName: hello-world-golang
ingressHost: "hello-world-golang.127.0.0.1.nip.io"
scheduleTimeout: 2000
readyTimeout: 5000
httpTimeout: 2000
deleteTimeout: 12000
ingressTimeout: 5000
deadline: 29000
httpRetryInterval: 200
expectedContent: bar
expectedHttpStatuses: [200, 201, 202]| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of the check | string | Yes |
| name | Name of the pod to be created | string | Yes |
| namespace | Namespace to create the pod in | string | Yes |
| spec | Spec of pod to be created | string | Yes |
| scheduleTimeout | Maximum time between pod created and pod running | int64 | Yes |
| readyTimeout | int64 | Yes | |
| httpTimeout | Maximum time to wait for an HTTP connection to the created pod | int64 | Yes |
| deleteTimeout | int64 | Yes | |
| ingressTimeout | Maximum time to create an ingress connected to the pod | int64 | Yes |
| httpRetryInterval | Interval in ms to retry HTTP connections to the created pod | int64 | Yes |
| deadline | Overall time before which an HTTP connection to the pod must be established | int64 | Yes |
| port | Port on which the created pod will serve traffic | int64 | Yes |
| path | Path on whcih the created pod will respond to requests | string | Yes |
| ingressName | Name to use for the ingress object that will expose the created pod | string | Yes |
| ingressHost | URL to be used by the ingress to expose the created pod | string | Yes |
| expectedContent | Expected content of an HTTP response from the created pod | string | Yes |
| expectedHttpStatuses | Expected HTTP status code of the response from the created pod | []int64 | Yes |
| priorityClass | Pod priority class | string | Yes |
This check will try to connect to a specified Postgresql database, run a query against it and verify the results.
postgres:
- connection: "user=postgres password=mysecretpassword host=192.168.0.103 port=15432 dbname=postgres sslmode=disable"
query: "SELECT * from names"
resultsFunction: '[[ if index .results 0 "surname" | eq "khandelwal" ]]true[[else]]false[[end]]'
displayTemplate: '[[ index .results 0 ]]'| Field | Description | Scheme | Required |
|---|---|---|---|
| description | description for the test | string | No |
| connection | connection string to connect to the server | string | Yes |
| query | query that needs to be executed on the server | string | Yes |
| resultsFunction | function that tests query output for pass/fail (must return boolean) | string | No |
| displayTemplate | template to display query results in text (overrides default bar format for UI) | string | No |
The fields for displayTemplate are:
.results: rows returned by the query
This check will try to connect to a specified Mssql database, run a query against it and verify the results.
mssql:
- connection: 'server=localhost;user id=sa;password=S0m3S3curep@sswd;port=1433;database=master'
description: 'The mssql test'
query: "SELECT * from names"
resultsFunction: '[[ if index .results 0 "surname" | eq "khandelwal" ]]true[[else]]false[[end]]'
displayTemplate: '[[ index .results 0 ]]'| Field | Description | Scheme | Required |
|---|---|---|---|
| description | description for the test | string | No |
| connection | connection string to connect to the server | string | Yes |
| query | query that needs to be executed on the server | string | Yes |
| resultsFunction | function that tests query output for pass/fail (must return boolean) | string | No |
| displayTemplate | template to display query results in text (overrides default bar format for UI) | string | No |
The fields for displayTemplate (see Display Types) are:
.results: rows returned by the query
This check will execute ping against the specified redis instance and check its availability
redis:
- addr: 'localhost:6379'
description: 'The redis test'
db: 0| Field | Description | Scheme | Required |
|---|---|---|---|
| addr | host:port address. | string | Yes |
| db | database to be selected after connecting to the server. | int | Yes |
| description | description for canary | string | No |
| auth | username and password value, configMapKeyRef or SecretKeyRef for redis server | Object | No |
This check will try to connect to a specified Elasticsearch database, run a query against it and verify the results.
elasticsearch:
- url: http://elasticsearch-host.example.com:9200
description: elasticsearch checker
index: index_name
query: |
{
"query": {
"term": {
"system.role": "api"
}
}
}
results: 3| Field | Description | Scheme | Required |
|---|---|---|---|
| url | host:port address. | string | Yes |
| description | description for the test | string | No |
| index | index against which query should be ran | string | Yes |
| query | query that needs to be executed on the server | string | Yes |
| results | number of expected hits | int | Yes |
| auth | username and password value, configMapKeyRef or SecretKeyRef for elasticsearch server | Object | No |
This check will:
- list objects in the bucket to check for Read permissions
- PUT an object into the bucket for Write permissions
- download previous uploaded object to check for Get permissions
s3:
- buckets:
- name: "test-bucket"
region: "us-east-1"
endpoint: "https://test-bucket.s3.us-east-1.amazonaws.com"
secretKey: "<access-key>"
accessKey: "<secret-key>"
objectPath: "path/to/object"| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description for the check | string | Yes |
| bucket | Array of Bucket objects to be checked | Bucket | Yes |
| accessKey | AWS access Key to access Bucket | string | Yes |
| secretKey | AWS secret Key to access Bucket | string | Yes |
| objectPath | Path of object in bucket to | string | Yes |
| skipTLSVerify | skip TLS verify when connecting to s3 | bool | Yes |
Folder Check provides an abstraction over checker related to folder. Currently, used to perform the following checks:
| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | No |
| name | name for the check | string | No |
| Icon | custom icon to display on the UI | string | No |
| Test | Template to test the result against | Object | No |
| Display | Template to display the result in | Object | No |
| Path | Path to the object, needs to be prefixed with the protocol. See example below | string | Yes |
| SMBConnection | Object | No | |
| AWSConnection | Object | No | |
| GCPConnection | Object | No | |
| Filter | Used to filter the objects | Object | No |
| FolderTest | Parameters to test the folder against | Object | No |
This check will:
- search objects matching the provided object path pattern
- check that latest object is no older than provided
maxAgevalue in seconds - check that latest object size is not smaller than provided
minSizevalue in bytes
For working with folder check, the bucket name needs to be prefixed with s3://
folder:
# Check for any backup not older than 7 days and min size 25 bytes
- path: s3://refactoringtest-tarun
awsConnection:
accessKey:
valueFrom:
secretKeyRef:
key: access-key
name: aws
secretKey:
valueFrom:
secretKeyRef:
key: secret-key
name: aws
region: "ap-south-1"
maxAge: 7d
maxSize: 25bThis check will:
- search objects matching the provided object path pattern
- check that latest object is no older than provided
maxAgevalue in seconds - check that latest object size is not smaller than provided
minSizevalue in bytes
For working with folder check, the bucket name needs to be prefixed with gcs://
folder:
- description: gcs auth test
path: gcs://somegcsbucket
gcpConnection:
credentials:
valueFrom:
configMapKeyRef:
key: canary-checker-df017acc453c.json
name: sa
minAge: 1m
maxAge: 5h
minSize: 2M
maxCount: 2
minCount: 5This check connects to a samba server to check folder freshness. This check will:
- verify most recently modified file fulfills the
minAgeandmaxAgeconstraints (each an optional bound) - verify files present in the mount is more than
minCount
folder:
- server: smb://192.168.1.9
smbConnection:
auth:
username:
value: samba
password:
valueFrom:
secretKeyRef:
key: smb-password
name: smb
sharename: "Some Public Folder"
searchPath: a/b/c
minAge: 10h
maxAge: 20h
description: "Success SMB server"Or with server in path format:
folder:
- server: '\\192.168.1.5\Some Public Folder\somedir'
smbConnection:
auth:
username:
value: samba
password:
value: password
sharename: "sharename" #will be overwritten by 'Some Public Folder'
searchPath: a/b/c #will be overwritten by 'somedir'
minAge: 10h
maxAge: 100h
description: "Success SMB server"The user can define server in two formats:
- host:
192.168.1.9,www.server.com - path:
\\www.server.com\e$\a\b\c
For path format:
www.server.comis the hoste$is the sharename (overridessharenamefield)a/b/cthe sub-dir relative to mount representing the test root (overridessearchPathfield)
This check will:
- query a Restic Repository for contents
- check the integrity and consistency of repo and data-blobs
- check bakup freshness
restic:
- repository: s3:http://minio.infra/restic-repo
password:
value: S0M3p@sswd
maxAge: 5h30m
checkIntegrity: true
accessKey:
value: some-access-key
secretKey:
value: some-secret-key
description: The restic test| Field | Description | Scheme | Required |
|---|---|---|---|
| reposiory | the location of your restic repository | string | Yes |
| password | password value or valueFrom configMapKeyRef or SecretKeyRef to access your restic repository | string | Yes |
| maxAge | the max age for backup allowed..eg: 5h30m | string | Yes |
| accessKey | access key value or valueFrom configMapKeyRef or SecretKeyRef to access your s3/minio bucket | string | No |
| secretkey | secret key value or valueFrom configMapKeyRef or SecretKeyRef to access your s3/minio bucket | string | No |
| description | the description about the canary | string | Yes |
| checkIntegrity | whether to check integrity for the specified repo | bool | No |
| caCert | path to ca-root crt in case of self-signed certificates is used | string | No |
This check will execute the jmeter cli to execute the JMX test plan on the specified host.
Note: JMeter is a memory hungry Java application and you will likely need to increase the default memory limit from 512Mi to 1-2Gi or higher depending on the complexity, count, and frequency of jmeter tests
jmeter:
- jmx:
name: jmx-test-plan
valueFrom:
configMapKeyRef:
key: jmeter-test.xml
name: jmeter
host: "some-host"
port: 8080
properties:
- remote_hosts=127.0.0.1
systemProperties:
- user.dir=/home/mstover/jmeter_stuff
description: "The Jmeter test" | Field | Description | Scheme | Required |
|---|---|---|---|
| jmx | configmap or Secret reference to get the JMX test plan | Object | Yes |
| host | the server against which test plan needs to be executed | String | No |
| port | the port on which the server is running | Int | No |
| properties | defines the local Jmeter properties | []String | No |
| systemProperties | defines the java system property | []String | No |
| description | the description of the canary | String | Yes |
| responseDuration | the duration under which all the test should pass | String | No |
| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of check | string | Yes |
| endpoint | HTTP endpoint to crawl | string | Yes |
| maxSSLExpiry | maximum number of days until the SSL Certificate expires. | int | Yes |
| Field | Description | Scheme | Required |
|---|---|---|---|
| script | Inline commands or Absolute path to the script that needs to be executed | Yes | |
| description | description for the check | string | No |
| display | format on how the result is going to be displayed on the console | Template | No |
| test | test against which result needs to be verified | Template | No |
| Field | Description | Scheme | Required |
|---|---|---|---|
| description | Description of cGit heck | string | Yes |
| endpoint | Endpoint to establish a TCP connection with | string | Yes |
| thresholdMillis | Maximum time in ms to wait for connection to be established | int64 | Yes |
The check occurs on the specified container's completion and parses any junit test reports in the container (at the testResults path):
junit:
- testResults: "/tmp/junit-results/"
description: "junit demo test"
displayTemplate: 'Passed: [[.passed]]; Failed: [[.failed]]; Skipped: [[.skipped]]; Error: [[.error]]'
spec:
containers:
- name: jes
image: docker.io/tarun18/junit-test-pass
command: ["/start.sh"]| Field | Description | Scheme | Required |
|---|---|---|---|
| testResults | directory where the results will be published | string | Yes |
| description | description about the test | string | No |
| spec | pod specification | corev1.PodSpec | Yes |
| displayTemplate | template to display testResults results in text (default: Passed: [[.passed]], Failed: [[.failed]]) |
string | No |
Note: For this
corev1.PodSpecimplementation, only containers field is required.
The fields for displayTemplate (see Display Types) are:
.passed: number of tests passed.failed: number of tests failed.skipped: number of tests skipped.error: number of tests errored
The fields for displayTemplate (see Display Types) are:
.age: age of most recently modified file.count: number of files present in the mount
Most checks display a bar/historgram on the UI. Some checks display text data. Some depend on the fields specified in the check.
Where display is text, the displayTemplate field allows a user to configure the output format. The displayTemplate field accepts a template with delimiter [[ ]] and supports all the functions of gomplate.
Checks that currently have support for displayTemplate are:
This guide provides a step-by-step process for creating your local setup with the canary-checker: dev Guide.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent