ROX-17083: Make PagerDuty the default receiver

[kylape]

Description

This is part of a larger effort to stop treating stage alerts as critical alerts in PagerDuty. The specific changes being made in this PR:

• Pass the severity parameter in the PagerDuty receiver configuration. This will be used in production to capture non-critical production events in PagerDuty without triggering a critical notification to on-call engineers. (These events are currently dropped in Alertmanager)
• Switch to the PagerDuty v2 Events API. This is required for PD to recognize the severity parameter. This is done by switching from service_key to routing_key.
• Updated the key in terraform_cluster.sh (and thus AWS Secrets Manager) to reflect the routing key change.
• Made PagerDuty the default receiver in the Alertmanager config. This will send non-critical alerts to PagerDuty, treating it as a hub for all events across all data plane clusters.

It's implied that the PagerDuty routing key for the stage environment will be different from the one in production. This is so the stage service can be configured to force all incidents to be considered low priority to avoid paging on-call engineers.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources

Test manual

• get the routing_key
• set the template string in the PD severity {{ or .GroupLabels.severity 'info' }}
• render helm chart and get alertmanager.yaml
• fire up test flask app (prometheus exporter)
• configure alert to be a non-critical severity
• fire up alertmanager and prometheus locally
• trigger alert with curl command
• this should create an incident in PD and send to slack, but NOT notify me personally
• let it resolve
• configure the alert to be a critical severity
• trigger alert with curl command
• this should page me as well as create a slack message (won't normally happen
  after updating notifcation config in stage PD service)
• let it resolve

[kylape]

/retest

[kylape]

I went ahead and added the routing key to the Secret Manager for stage (but not for prod).

[stehessel]

Is this even correct yaml? Looks like some " are not correctly escaped here? Can you maybe explain what this is supposed to do? How are info alerts handled? I guess this is what you get when you have merge yaml, Helm and PagerDuty templating... 😅

[kylape]

I guess this is what you get when you have merge yaml, Helm and PagerDuty templating
Exactly :)

Honestly I thought the quotes inside the quotes wouldn't work, but it worked when I tested it. Let me try to explain this line in plain english.

I want the severity to be based on the severity label coming from the alert itself. If there is no severity label common to the group of alerts, then default to info. That looks like or .GroupLabels.severity "info" in Go templating. To properly escape for Helm templating, I needed to have the Helm templating engine output the literal string {{, since Alertmanager templating syntax is the same as Helm. To do that, I use the expression "{{" inside the double bracket syntax for evaluating Go template expressions. Thus {{ "{{" }}.

[stehessel]

Alright thanks for the explanation. Can you please put this explanation as a comment above this line?

[stehessel]

I think we have to notify on-call engineers + SRE to set up their high/low urgency notification settings correctly. Otherwise it might have the opposite effect of more pages over the weekend, when someone has low urgency linked to their phone and we now sent alerts for warning/info.

[kylape]

That's true for the production environment. For stage, the schedule is just me, so no one will get paged for those. For this weekend, I can contact the on-call engineer to have them set up the notifications correctly before the weekend starts.

[stehessel]

I guess it'll only be rolled out for stage anyway, as we would need a new release to rollout the prod changes.

[stehessel]

LGTM modulo putting the severity template explanation as a comment.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kylape, stehessel
Once this PR has been reviewed and has the lgtm label, please assign kurlov for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.