Added operator metrics ssl and auth configuration

netobserv · Mar 9, 2023 · 5db2a1c · 5db2a1c
1 parent 7213a26
commit 5db2a1c
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 12 deletions.
diff --git a/bundle/manifests/netobserv-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/bundle/manifests/netobserv-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: netobserv-metrics-monitor
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
+      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      serverName: metrics.netobserv-metrics-service.svc
+  selector:
+    matchLabels:
+      control-plane: controller-manager
diff --git a/bundle/manifests/netobserv-metrics-service_v1_service.yaml b/bundle/manifests/netobserv-metrics-service_v1_service.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: manager-metrics-tls
   creationTimestamp: null
   labels:
     control-plane: controller-manager

diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -700,7 +700,6 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                - --ignore-paths=/metrics
                 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -23,7 +23,6 @@ spec:
           - "--secure-listen-address=0.0.0.0:8443"
           - "--upstream=http://127.0.0.1:8080/"
           - "--logtostderr=true"
-          - "--ignore-paths=/metrics"
           - "--v=10"
         ports:
           - containerPort: 8443

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -67,7 +67,6 @@ spec:
           - "--upstream=http://127.0.0.1:8080/"
           - "--logtostderr=true"
           - "--v=10"
-          - "--ignore-paths=/metrics"
         ports:
           - containerPort: 8443
             protocol: TCP

diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
@@ -8,16 +8,19 @@ namespace: netobserv
 # field above.
 namePrefix: netobserv-
 
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+resources:
+- monitor.yaml
 
+patches:
+  - path: ./monitoring-patch.yaml
+    target:
+      kind: Deployment
+      name: controller-manager
 bases:
 - ../crd
 - ../rbac
 - ../manager
 - ../webhook
-- ../prometheus
 - namespace.yaml
 patchesStrategicMerge:
 - patch.yaml
diff --git a/config/prometheus/monitor.yaml → config/openshift/monitor.yaml b/config/prometheus/monitor.yaml → config/openshift/monitor.yaml
@@ -1,4 +1,3 @@
-
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
@@ -9,11 +8,14 @@ metadata:
   namespace: system
 spec:
   endpoints:
-    - path: /metrics
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      path: /metrics
+      interval: 30s
       port: https
       scheme: https
       tlsConfig:
-        insecureSkipVerify: true
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: netobserv-metrics-service.netobserv.svc
   selector:
     matchLabels:
       control-plane: controller-manager
diff --git a/config/openshift/monitoring-patch.yaml b/config/openshift/monitoring-patch.yaml
@@ -0,0 +1,27 @@
+# Check that the 0 container is the expected one
+- op: test
+  path: /spec/template/spec/containers/1/name
+  value: kube-rbac-proxy
+
+- op: add
+  path: "/spec/template/spec/volumes/-"
+  value:
+    name: manager-metric-tls
+    secret:
+      secretName: manager-metrics-tls
+      defaultMode: 420
+
+- op: add
+  path: "/spec/template/spec/containers/1/volumeMounts"
+  value:
+    - name: manager-metric-tls
+      readOnly: true
+      mountPath: /etc/tls/private
+
+- op: add
+  path: "/spec/template/spec/containers/1/args/-"
+  value: '--tls-cert-file=/etc/tls/private/tls.crt'
+
+- op: add
+  path: "/spec/template/spec/containers/1/args/-"
+  value: '--tls-private-key-file=/etc/tls/private/tls.key'
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
@@ -3,6 +3,8 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
+  annotations:
+        service.beta.openshift.io/serving-cert-secret-name: manager-metrics-tls
   name: metrics-service
   namespace: system
 spec: