Add federate to rbac proxy

Signed-off-by: Mario Fernandez <mariofer@redhat.com>
openshift · Apr 20, 2023 · 440d643 · 440d643
1 parent e154bc6
commit 440d643
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 6 deletions.
diff --git a/assets/prometheus-k8s/kube-rbac-proxy-secret-federate.yaml b/assets/prometheus-k8s/kube-rbac-proxy-secret-federate.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: kube-rbac-proxy
+  namespace: openshift-monitoring
+stringData:
+  config.yaml: |-
+    "authorization":
+      "static":
+      - "path": "/metrics"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:telemeter-client"
+        "verb": "get"
+type: Opaque
diff --git a/assets/prometheus-k8s/prometheus.yaml b/assets/prometheus-k8s/prometheus.yaml
@@ -82,7 +82,7 @@ spec:
   - args:
     - --secure-listen-address=0.0.0.0:9092
     - --upstream=http://127.0.0.1:9090
-    - --allow-paths=/metrics
+    - --allow-paths=/metrics,/federate
     - --config-file=/etc/kube-rbac-proxy/config.yaml
     - --tls-cert-file=/etc/tls/private/tls.crt
     - --tls-private-key-file=/etc/tls/private/tls.key

diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
@@ -204,6 +204,7 @@ function(params)
     },
 
     kubeRbacProxySecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'kube-rbac-proxy'),
+    kubeRbacProxySecretFederate: generateSecret.staticAuthSecretFederate(cfg.namespace, cfg.commonLabels, 'kube-rbac-proxy'),
 
     // Secret holding the token to authenticate against the Telemetry server when using native remote-write.
     telemetrySecret: {
@@ -397,7 +398,7 @@ function(params)
             args: [
               '--secure-listen-address=0.0.0.0:9092',
               '--upstream=http://127.0.0.1:9090',
-              '--allow-paths=/metrics',
+              '--allow-paths=/metrics,/federate',
               '--config-file=/etc/kube-rbac-proxy/config.yaml',
               '--tls-cert-file=/etc/tls/private/tls.crt',
               '--tls-private-key-file=/etc/tls/private/tls.key',
@@ -418,7 +419,7 @@ function(params)
               },
               {
                 mountPath: '/etc/kube-rbac-proxy',
-                name: 'secret-' + $.kubeRbacProxySecret.metadata.name,
+                name: 'secret-' + $.kubeRbacProxySecretFederate.metadata.name,
               },
             ],
           },

diff --git a/jsonnet/utils/generate-secret.libsonnet b/jsonnet/utils/generate-secret.libsonnet
@@ -26,4 +26,39 @@
       },),
     },
   },
+  staticAuthSecretFederate(cfgNamespace, cfgCommonLabels, cfgName):: {
+    apiVersion: 'v1',
+    kind: 'Secret',
+    metadata: {
+      name: cfgName,
+      namespace: cfgNamespace,
+      labels: cfgCommonLabels,
+    },
+    type: 'Opaque',
+    data: {},
+    stringData: {
+      'config.yaml': std.manifestYamlDoc({
+        authorization: {
+          static: [
+            {
+              user: {
+                name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s',
+              },
+              verb: 'get',
+              path: '/metrics',
+              resourceRequest: false,
+            },
+            {
+              user: {
+                name: 'system:serviceaccount:openshift-monitoring:telemeter-client',
+              },
+              verb: 'get',
+              path: '/federate',
+              resourceRequest: false,
+            },
+          ],
+        },
+      },),
+    },
+  },
 }
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -140,6 +140,7 @@ var (
 	PrometheusK8sServiceThanosSidecar             = "prometheus-k8s/service-thanos-sidecar.yaml"
 	PrometheusK8sProxySecret                      = "prometheus-k8s/proxy-secret.yaml"
 	PrometheusRBACProxySecret                     = "prometheus-k8s/kube-rbac-proxy-secret.yaml"
+	PrometheusRBACProxySecretFederate             = "prometheus-k8s/kube-rbac-proxy-secret-federate.yaml"
 	PrometheusUserWorkloadRBACProxyMetricsSecret  = "prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml"
 	PrometheusUserWorkloadRBACProxyFederateSecret = "prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml"
 	PrometheusK8sAPIRoute                         = "prometheus-k8s/api-route.yaml"
@@ -1101,8 +1102,8 @@ func (f *Factory) ThanosRulerAlertmanagerConfigSecret() (*v1.Secret, error) {
 	return s, nil
 }
 
-func (f *Factory) PrometheusRBACProxySecret() (*v1.Secret, error) {
-	return f.NewSecret(f.assets.MustNewAssetReader(PrometheusRBACProxySecret))
+func (f *Factory) PrometheusRBACProxySecretFederate() (*v1.Secret, error) {
+	return f.NewSecret(f.assets.MustNewAssetReader(PrometheusRBACProxySecretFederate))
 }
 
 func (f *Factory) PrometheusUserWorkloadRBACProxyMetricsSecret() (*v1.Secret, error) {

diff --git a/pkg/tasks/prometheus.go b/pkg/tasks/prometheus.go
@@ -130,7 +130,7 @@ func (t *PrometheusTask) create(ctx context.Context) error {
 		return errors.Wrap(err, "creating Prometheus proxy Secret failed")
 	}
 
-	rs, err := t.factory.PrometheusRBACProxySecret()
+	rs, err := t.factory.PrometheusRBACProxySecretFederate()
 	if err != nil {
 		return errors.Wrap(err, "initializing Prometheus RBAC proxy Secret failed")
 	}