From 191cf783a276b0c31d745e6e1f9eda6ecc9e8630 Mon Sep 17 00:00:00 2001
From: Mario Fernandez
Date: Mon, 27 Feb 2023 10:53:49 +0100
Subject: [PATCH] Add federate to rbac proxy
Signed-off-by: Mario Fernandez
---
 .../kube-rbac-proxy-metric-secret.yaml | 5 +++++
 assets/alertmanager/kube-rbac-proxy-metric-secret.yaml | 5 +++++
 assets/kube-state-metrics/kube-rbac-proxy-secret.yaml | 5 +++++
 assets/node-exporter/kube-rbac-proxy-secret.yaml | 5 +++++
 .../openshift-state-metrics/kube-rbac-proxy-secret.yaml | 5 +++++
 assets/prometheus-k8s/kube-rbac-proxy-secret.yaml | 5 +++++
 assets/prometheus-k8s/prometheus.yaml | 3 ++-
 .../kube-rbac-proxy-secret.yaml | 5 +++++
 assets/prometheus-operator/kube-rbac-proxy-secret.yaml | 5 +++++
 .../kube-rbac-proxy-metrics-secret.yaml | 5 +++++
 assets/telemeter-client/deployment.yaml | 8 +++++++-
 assets/telemeter-client/kube-rbac-proxy-secret.yaml | 5 +++++
 assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml | 5 +++++
 assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml | 5 +++++
 jsonnet/components/prometheus.libsonnet | 3 ++-
 jsonnet/components/telemeter-client.libsonnet | 2 +-
 jsonnet/utils/generate-secret.libsonnet | 8 ++++++++
 17 files changed, 80 insertions(+), 4 deletions(-)
diff --git a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
index 54dd1ec3cd..3b0ca3e072 100644
--- a/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
+++ b/assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
index 2888e7df8c..967d07b426 100644
--- a/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
+++ b/assets/alertmanager/kube-rbac-proxy-metric-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/kube-state-metrics/kube-rbac-proxy-secret.yaml b/assets/kube-state-metrics/kube-rbac-proxy-secret.yaml
index d05b685d7e..b407719018 100644
--- a/assets/kube-state-metrics/kube-rbac-proxy-secret.yaml
+++ b/assets/kube-state-metrics/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/node-exporter/kube-rbac-proxy-secret.yaml b/assets/node-exporter/kube-rbac-proxy-secret.yaml
index 791a01ffe4..3f7325a991 100644
--- a/assets/node-exporter/kube-rbac-proxy-secret.yaml
+++ b/assets/node-exporter/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/openshift-state-metrics/kube-rbac-proxy-secret.yaml b/assets/openshift-state-metrics/kube-rbac-proxy-secret.yaml
index 8bf6c0709e..9927e626be 100644
--- a/assets/openshift-state-metrics/kube-rbac-proxy-secret.yaml
+++ b/assets/openshift-state-metrics/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/prometheus-k8s/kube-rbac-proxy-secret.yaml b/assets/prometheus-k8s/kube-rbac-proxy-secret.yaml
index d7af59587c..e18efbe4bc 100644
--- a/assets/prometheus-k8s/kube-rbac-proxy-secret.yaml
+++ b/assets/prometheus-k8s/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/prometheus-k8s/prometheus.yaml b/assets/prometheus-k8s/prometheus.yaml
index 2af7a76c32..b2bef131b4 100644
--- a/assets/prometheus-k8s/prometheus.yaml
+++ b/assets/prometheus-k8s/prometheus.yaml
@@ -82,13 +82,14 @@ spec:
 - args:
 - --secure-listen-address=0.0.0.0:9092
 - --upstream=http://127.0.0.1:9090
- - --allow-paths=/metrics
+ - --allow-paths=/metrics,/federate
 - --config-file=/etc/kube-rbac-proxy/config.yaml
 - --tls-cert-file=/etc/tls/private/tls.crt
 - --tls-private-key-file=/etc/tls/private/tls.key
 - --client-ca-file=/etc/tls/client/client-ca.crt
 - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 - --logtostderr=true
+ - --v=10
 image: quay.io/brancz/kube-rbac-proxy:v0.14.0
 name: kube-rbac-proxy
 ports:
diff --git a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
index 6f1d8326ae..6f61985d12 100644
--- a/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
+++ b/assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/prometheus-operator/kube-rbac-proxy-secret.yaml b/assets/prometheus-operator/kube-rbac-proxy-secret.yaml
index b6955d140c..97ce34ce7b 100644
--- a/assets/prometheus-operator/kube-rbac-proxy-secret.yaml
+++ b/assets/prometheus-operator/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml
index de5aa259dd..4becac9ded 100644
--- a/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml
+++ b/assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/telemeter-client/deployment.yaml b/assets/telemeter-client/deployment.yaml
index 8e3a28bdf1..d8d60053b8 100644
--- a/assets/telemeter-client/deployment.yaml
+++ b/assets/telemeter-client/deployment.yaml
@@ -67,6 +67,12 @@ spec:
 - mountPath: /etc/telemeter
 name: secret-telemeter-client
 readOnly: false
+ - mountPath: /etc/tls/private
+ name: telemeter-client-tls
+ readOnly: false
+ - mountPath: /etc/tls/client
+ name: metrics-client-ca
+ readOnly: true
 - args:
 - --reload-url=http://localhost:8080/-/reload
 - --watched-dir=/etc/serving-certs-ca-bundle
@@ -105,7 +111,7 @@ spec:
 name: secret-telemeter-client-kube-rbac-proxy-config
 readOnly: true
 - mountPath: /etc/tls/client
- name: metrics-client-ca
+ name: metrics-client-cafeo
 readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/assets/telemeter-client/kube-rbac-proxy-secret.yaml b/assets/telemeter-client/kube-rbac-proxy-secret.yaml
index 91924236f8..25e5f2f26e 100644
--- a/assets/telemeter-client/kube-rbac-proxy-secret.yaml
+++ b/assets/telemeter-client/kube-rbac-proxy-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml b/assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml
index b5152f3900..7706558f3d 100644
--- a/assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml
+++ b/assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
index d6f507f039..c6595f90d2 100644
--- a/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
+++ b/assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml
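Review bot: The second hunk renames the kube-rbac-proxy container's `/etc/tls/client` mount to `metrics-client-cafeo`, which no longer matches the `metrics-client-ca` volume that the first hunk's new mount still references, so the proxy loses its client-CA mount and the pod spec should fail API validation for a volumeMount with no matching volume; the same string is introduced in jsonnet/components/telemeter-client.libsonnet and looks like a typo or debugging leftover, so both should go back to `name: metrics-client-ca`. The six mount lines added in the first hunk have no counterpart in the telemeter-client.libsonnet hunk (the diffstat lists that file as a one-line change), so if this asset is regenerated from jsonnet they will disappear; the jsonnet is where that change belongs. Mounting the `telemeter-client-tls` key pair with `readOnly: false` is wider than a consumer of a serving certificate needs; `readOnly: true` keeps the private key immutable from inside the container, as already done for the CA mount. Why the telemeter-client container itself now needs the serving certificate and the client CA is not evident from the diff and is worth stating in the commit message.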
@@ -15,4 +15,9 @@ stringData:
 "user":
 "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
 "verb": "get"
+ - "path": "/federate"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
 type: Opaque
diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
index 399342698b..da04c9e1e4 100644
--- a/jsonnet/components/prometheus.libsonnet
+++ b/jsonnet/components/prometheus.libsonnet
@@ -397,13 +397,14 @@ function(params)
 args: [
 '--secure-listen-address=0.0.0.0:9092',
 '--upstream=http://127.0.0.1:9090',
- '--allow-paths=/metrics',
+ '--allow-paths=/metrics,/federate',
 '--config-file=/etc/kube-rbac-proxy/config.yaml',
 '--tls-cert-file=/etc/tls/private/tls.crt',
 '--tls-private-key-file=/etc/tls/private/tls.key',
 '--client-ca-file=/etc/tls/client/client-ca.crt',
 '--tls-cipher-suites=' + cfg.tlsCipherSuites,
 '--logtostderr=true',
+ '--v=10',
 ],
 terminationMessagePolicy: 'FallbackToLogsOnError',
 volumeMounts: [
diff --git a/jsonnet/components/telemeter-client.libsonnet b/jsonnet/components/telemeter-client.libsonnet
index 4829a6c8f3..b0e29bd079 100644
--- a/jsonnet/components/telemeter-client.libsonnet
+++ b/jsonnet/components/telemeter-client.libsonnet
@@ -82,7 +82,7 @@ function(params) {
 },
 {
 mountPath: '/etc/tls/client',
- name: 'metrics-client-ca',
+ name: 'metrics-client-cafeo',
 readOnly: true,
 },
 ],
diff --git a/jsonnet/utils/generate-secret.libsonnet b/jsonnet/utils/generate-secret.libsonnet
index acf1a0dced..e076ea3929 100644
--- a/jsonnet/utils/generate-secret.libsonnet
+++ b/jsonnet/utils/generate-secret.libsonnet
@@ -21,6 +21,14 @@
 path: '/metrics',
 resourceRequest: false,
 },
+ {
+ user: {
+ name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s',
+ },
+ verb: 'get',
+ path: '/federate',
+ resourceRequest: false,
+ },
 ],
 },
 },),
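Review bot: `'--v=10'` puts kube-rbac-proxy at its most verbose log level in the shipped Prometheus manifest, which reads as a debugging leftover rather than part of enabling `/federate`; the same flag is emitted into assets/prometheus-k8s/prometheus.yaml. Beyond log volume, debug-level output from an authenticating proxy is where request attributes (paths, subjects, possibly headers) are most likely to reach container logs, so unless that verbosity is intended it should be dropped, or at least driven from a config knob the way `cfg.tlsCipherSuites` is. The `--allow-paths=/metrics,/federate` change is the functional part and matches the new static authorizer entry. The enclosing function(params) body continues outside the hunk.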
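Review bot: The new static authorizer entry grants the prometheus-k8s service account GET on `/federate` unconditionally, and since this helper appears to feed every kube-rbac-proxy secret in the commit (alertmanager, node-exporter, kube-state-metrics, thanos-querier and the rest all gain the identical block), each component's proxy now carries an authorization rule for a path only Prometheus serves. Where those proxies keep `--allow-paths=/metrics` (nothing in this commit changes them) the rule is dead config today, but it widens what the static authorizer permits the moment an allow-path list is relaxed, so it is better scoped to the Prometheus secret only, e.g. by taking the paths as an argument and emitting the entries with `[{ user: { name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s' }, verb: 'get', path: p, resourceRequest: false } for p in paths]`. The two entries differ only in `path`, so the comprehension also removes the duplication. The enclosing definition begins before the hunk.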