static auth changes for node-exporter

assets/node-exporter/daemonset.yaml

@@ -65,6 +65,7 @@ spec:
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
         - --client-ca-file=/etc/tls/client/client-ca.crt
+        - --config-file=/etc/kube-rbac-policy/config.yaml
         env:
         - name: IP
           valueFrom:
@@ -92,6 +93,9 @@ spec:
         - mountPath: /etc/tls/client
           name: metrics-client-ca
           readOnly: false
+        - mountPath: /etc/kube-rbac-policy
+          name: node-exporter-kube-rbac-proxy-config
+          readOnly: true
       hostNetwork: true
       hostPID: true
       initContainers:
@@ -147,6 +151,9 @@ spec:
       - configMap:
           name: metrics-client-ca
         name: metrics-client-ca
+      - name: node-exporter-kube-rbac-proxy-config
+        secret:
+          secretName: node-exporter-kube-rbac-proxy-config
   updateStrategy:
     rollingUpdate:
       maxUnavailable: 10%

assets/node-exporter/kube-rbac-proxy-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: node-exporter-kube-rbac-proxy-config
+  namespace: openshift-monitoring
+stringData:
+  config.yaml: |-
+    "authorization":
+      "static":
+      - "path": "/metrics"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
+type: Opaque

jsonnet/components/node-exporter.libsonnet

@@ -5,6 +5,7 @@ local wtmpPath = '/var/log/wtmp';
 local wtmpVolumeName = 'node-exporter-wtmp';
 
 local nodeExporter = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/node-exporter.libsonnet';
+local generateSecret = import '../utils/generate-secret.libsonnet';
 
 function(params)
   local cfg = params;
@@ -126,6 +127,7 @@ function(params)
                         '--tls-cert-file=/etc/tls/private/tls.crt',
                         '--tls-private-key-file=/etc/tls/private/tls.key',
                         '--client-ca-file=/etc/tls/client/client-ca.crt',
+                        '--config-file=/etc/kube-rbac-policy/config.yaml',
                       ],
                       terminationMessagePolicy: 'FallbackToLogsOnError',
                       volumeMounts: [
@@ -139,6 +141,11 @@ function(params)
                           name: 'metrics-client-ca',
                           readOnly: false,
                         },
+                        {
+                          mountPath: '/etc/kube-rbac-policy',
+                          name: 'node-exporter-kube-rbac-proxy-config',
+                          readOnly: true,
+                        },
                       ],
                       resources: {
                         requests: {
@@ -206,6 +213,12 @@ function(params)
                   name: 'metrics-client-ca',
                 },
               },
+              {
+                name: 'node-exporter-kube-rbac-proxy-config',
+                secret: {
+                  secretName: 'node-exporter-kube-rbac-proxy-config',
+                },
+              },
             ],
             securityContext: {},
             priorityClassName: 'system-cluster-critical',
@@ -216,4 +229,5 @@ function(params)
         },
       },
     },
+    kubeRbacProxySecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'node-exporter-kube-rbac-proxy-config'),
   }

pkg/manifests/manifests.go

@@ -91,6 +91,7 @@ var (
 	NodeExporterSecurityContextConstraints = "node-exporter/security-context-constraints.yaml"
 	NodeExporterServiceMonitor             = "node-exporter/service-monitor.yaml"
 	NodeExporterPrometheusRule             = "node-exporter/prometheus-rule.yaml"
+	NodeExporterKubeRbacProxySecret        = "node-exporter/kube-rbac-proxy-secret.yaml"
 
 	PrometheusK8sClusterRoleBinding          = "prometheus-k8s/cluster-role-binding.yaml"
 	PrometheusK8sRoleBindingConfig           = "prometheus-k8s/role-binding-config.yaml"
@@ -774,6 +775,17 @@ func (f *Factory) NodeExporterPrometheusRule() (*monv1.PrometheusRule, error) {
 	return f.NewPrometheusRule(f.assets.MustNewAssetReader(NodeExporterPrometheusRule))
 }
 
+func (f *Factory) NodeExporterRBACProxySecret() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetReader(NodeExporterKubeRbacProxySecret))
+	if err != nil {
+		return nil, err
+	}
+
+	s.Namespace = f.namespace
+
+	return s, nil
+}
+
 func (f *Factory) PrometheusK8sClusterRoleBinding() (*rbacv1.ClusterRoleBinding, error) {
 	crb, err := f.NewClusterRoleBinding(f.assets.MustNewAssetReader(PrometheusK8sClusterRoleBinding))
 	if err != nil {

pkg/manifests/manifests_test.go

@@ -703,6 +703,11 @@ func TestUnconfiguredManifests(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	_, err = f.NodeExporterRBACProxySecret()
+	if err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestSharingConfig(t *testing.T) {

pkg/tasks/nodeexporter.go

@@ -74,6 +74,15 @@ func (t *NodeExporterTask) Run(ctx context.Context) error {
 		return errors.Wrap(err, "reconciling node-exporter ClusterRoleBinding failed")
 	}
 
+	nes, err := t.factory.NodeExporterRBACProxySecret()
+	if err != nil {
+		return errors.Wrap(err, "intializing node-exporter rbac proxy secret failed")
+	}
+
+	err = t.client.CreateIfNotExistSecret(ctx, nes)
+	if err != nil {
+		return errors.Wrap(err, "creating node-exporter rbac proxy secret failed")
+	}
 	svc, err := t.factory.NodeExporterService()
 	if err != nil {
 		return errors.Wrap(err, "initializing node-exporter Service failed")