Add federate to rbac proxy

Signed-off-by: Mario Fernandez <mariofer@redhat.com>

assets/prometheus-k8s/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/prometheus-k8s/prometheus.yaml

@@ -82,7 +82,7 @@ spec:
   - args:
     - --secure-listen-address=0.0.0.0:9092
     - --upstream=http://127.0.0.1:9090
-    - --allow-paths=/metrics
+    - --allow-paths=/metrics,/federate
     - --config-file=/etc/kube-rbac-proxy/config.yaml
     - --tls-cert-file=/etc/tls/private/tls.crt
     - --tls-private-key-file=/etc/tls/private/tls.key

jsonnet/components/prometheus.libsonnet

@@ -203,7 +203,25 @@ function(params)
       data: {},
     },
 
-    kubeRbacProxySecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'kube-rbac-proxy'),
+    kubeRbacProxySecret: generateSecret.staticAuthSecret(
+      cfg.namespace,
+      cfg.commonLabels,
+      'kube-rbac-proxy',
+      {
+        authorization+: {
+          static+: [
+            {
+              user: {
+                name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s',
+              },
+              verb: 'get',
+              path: '/federate',
+              resourceRequest: false,
+            },
+          ],
+        },
+      },
+    ),
 
     // Secret holding the token to authenticate against the Telemetry server when using native remote-write.
     telemetrySecret: {
@@ -397,7 +415,7 @@ function(params)
             args: [
               '--secure-listen-address=0.0.0.0:9092',
               '--upstream=http://127.0.0.1:9090',
-              '--allow-paths=/metrics',
+              '--allow-paths=/metrics,/federate',
               '--config-file=/etc/kube-rbac-proxy/config.yaml',
               '--tls-cert-file=/etc/tls/private/tls.crt',
               '--tls-private-key-file=/etc/tls/private/tls.key',

jsonnet/utils/generate-secret.libsonnet

@@ -1,5 +1,5 @@
 {
-  staticAuthSecret(cfgNamespace, cfgCommonLabels, cfgName):: {
+  staticAuthSecret(cfgNamespace, cfgCommonLabels, cfgName, additionalConfig={}):: {
     apiVersion: 'v1',
     kind: 'Secret',
     metadata: {
@@ -23,7 +23,7 @@
             },
           ],
         },
-      },),
+      } + additionalConfig),
     },
   },
 }

test/e2e/telemeter_test.go

@@ -17,6 +17,7 @@ package e2e
 import (
 	"context"
 	"errors"
+	"fmt"
 	"testing"
 	"time"
 
@@ -98,3 +99,32 @@ func TestTelemeterRemoteWrite(t *testing.T) {
 		},
 	)
 }
+
+// TestTelemeterClient verifies that the telemeter client can collect metrics from the monitoring stack and forward them to the telemeter server.
+func TestTelemeterClient(t *testing.T) {
+	{
+		f.PrometheusK8sClient.WaitForQueryReturn(
+			t,
+			5*time.Minute,
+			`metricsclient_request_send{client="federate_to",job="telemeter-client",status_code="200"}`,
+			func(v float64) error {
+				if v == 0 {
+					return fmt.Errorf("expecting metricsclient request send more than 0 but got none")
+				}
+				return nil
+			},
+		)
+
+		f.PrometheusK8sClient.WaitForQueryReturn(
+			t,
+			5*time.Minute,
+			`federate_samples{job="telemeter-client"}`,
+			func(v float64) error {
+				if v < 10 {
+					return fmt.Errorf("expecting federate samples from telemeter client more than 10 but got %f", v)
+				}
+				return nil
+			},
+		)
+	}
+}