Add tls config for the service monitor (#5282)

This is identical to how the API server handles configuring its service
monitor and it also is using service serving certs.

Also remove some complication from the `newServiceMonitor` function and
remove the http port from the config as metrics are only served over
https.

Resolves https://issues.redhat.com/browse/MGMT-14756

internal/controller/controllers/agentserviceconfig_controller.go

@@ -656,44 +656,31 @@ func newImageServiceService(ctx context.Context, log logrus.FieldLogger, asc ASC
 }
 
 func newServiceMonitor(ctx context.Context, log logrus.FieldLogger, asc ASC) (client.Object, controllerutil.MutateFn, error) {
-	service := &corev1.Service{}
-	if err := asc.Client.Get(ctx, types.NamespacedName{Name: serviceName, Namespace: asc.namespace}, service); err != nil {
-		return nil, nil, err
-	}
-
-	endpoints := make([]monitoringv1.Endpoint, len(service.Spec.Ports))
-	for i := range service.Spec.Ports {
-		endpoints[i].Port = service.Spec.Ports[i].Name
-	}
-
-	labels := make(map[string]string)
-	for k, v := range service.ObjectMeta.Labels {
-		labels[k] = v
-	}
-
-	smSpec := monitoringv1.ServiceMonitorSpec{
-		Selector: metav1.LabelSelector{
-			MatchLabels: labels,
-		},
-		Endpoints: endpoints,
-	}
-
 	sm := &monitoringv1.ServiceMonitor{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      service.ObjectMeta.Name,
+			Name:      serviceName,
 			Namespace: asc.namespace,
-			Labels:    labels,
 		},
-		Spec: smSpec,
 	}
 
 	mutateFn := func() error {
 		if err := controllerutil.SetControllerReference(asc.Object, sm, asc.rec.Scheme); err != nil {
 			return err
 		}
 
-		sm.Spec = smSpec
-		sm.ObjectMeta.Labels = labels
+		addAppLabel(serviceName, &sm.ObjectMeta)
+		sm.Spec.Endpoints = []monitoringv1.Endpoint{{
+			Port: serviceName,
+			TLSConfig: &monitoringv1.TLSConfig{
+				CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
+				SafeTLSConfig: monitoringv1.SafeTLSConfig{
+					ServerName: fmt.Sprintf("%s.%s.svc", serviceName, asc.namespace),
+				},
+			},
+		}}
+		sm.Spec.Selector = metav1.LabelSelector{
+			MatchLabels: map[string]string{"app": serviceName},
+		}
 		return nil
 	}
 

internal/controller/controllers/agentserviceconfig_controller_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/openshift/assisted-service/internal/versions"
 	"github.com/openshift/assisted-service/models"
 	conditionsv1 "github.com/openshift/custom-resource-status/conditions/v1"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"github.com/sirupsen/logrus"
 	"github.com/thoas/go-funk"
 	appsv1 "k8s.io/api/apps/v1"
@@ -1089,6 +1090,24 @@ var _ = Describe("ensurePostgresSecret", func() {
 	})
 })
 
+var _ = Describe("newServiceMonitor", func() {
+	It("sets tls config correctly", func() {
+		ctx := context.Background()
+		asc := newASCDefault()
+		ascr := newTestReconciler(asc)
+		ascc := initASC(ascr, asc)
+
+		AssertReconcileSuccess(ctx, common.GetTestLog(), ascc, newServiceMonitor)
+
+		found := &monitoringv1.ServiceMonitor{}
+		Expect(ascr.Client.Get(ctx, types.NamespacedName{Name: serviceName, Namespace: testNamespace}, found)).To(Succeed())
+		Expect(len(found.Spec.Endpoints)).To(Equal(1))
+		endpoint := found.Spec.Endpoints[0]
+		Expect(endpoint.TLSConfig.CAFile).To(Equal("/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt"))
+		Expect(endpoint.TLSConfig.ServerName).To(Equal("assisted-service.test-namespace.svc"))
+	})
+})
+
 var _ = Describe("ensureAssistedServiceDeployment", func() {
 	var (
 		asc   *aiv1beta1.AgentServiceConfig