fixup! Add the trusted CA bundle in UWM Prometheus pods

openshift · May 29, 2023 · 6ea7a45 · 6ea7a45
1 parent e9a8c72
commit 6ea7a45
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 34 deletions.
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -1693,6 +1693,22 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret, trustedCABundleCM *
 		return nil, err
 	}
 
+	volumeName := "prometheus-user-workload-trusted-ca-bundle"
+	volume := trustedCABundleVolume(trustedCABundleCM.Name, volumeName)
+	volume.VolumeSource.ConfigMap.Items = append(volume.VolumeSource.ConfigMap.Items, v1.KeyToPath{
+		Key:  TrustedCABundleKey,
+		Path: "tls-ca-bundle.pem",
+	})
+	p.Spec.Volumes = append(p.Spec.Volumes, volume)
+	p.Spec.Volumes = append(p.Spec.Volumes, v1.Volume{
+		Name: "secret-grpc-tls",
+		VolumeSource: v1.VolumeSource{
+			Secret: &v1.SecretVolumeSource{
+				SecretName: grpcTLS.GetName(),
+			},
+		},
+	})
+
 	for i, container := range p.Spec.Containers {
 		switch container.Name {
 		case "prometheus":
@@ -1705,6 +1721,11 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret, trustedCABundleCM *
 				PeriodSeconds:    15,
 				FailureThreshold: 240,
 			}
+			// Support CA bundles for Prometheus UWM.
+			p.Spec.Containers[i].VolumeMounts = append(
+				p.Spec.Containers[i].VolumeMounts,
+				trustedCABundleVolumeMount(volumeName),
+			)
 		case "kube-rbac-proxy-metrics", "kube-rbac-proxy-federate", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)
@@ -1717,15 +1738,6 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret, trustedCABundleCM *
 		setupAlerting(p, platformAlertmanagerService, f.namespace)
 	}
 
-	p.Spec.Volumes = append(p.Spec.Volumes, v1.Volume{
-		Name: "secret-grpc-tls",
-		VolumeSource: v1.VolumeSource{
-			Secret: &v1.SecretVolumeSource{
-				SecretName: grpcTLS.GetName(),
-			},
-		},
-	})
-
 	alertManagerConfigs := f.config.AdditionalAlertmanagerConfigsForPrometheusUserWorkload()
 	if len(alertManagerConfigs) > 0 {
 		p.Spec.AdditionalAlertManagerConfigs = &v1.SecretKeySelector{
@@ -1737,27 +1749,6 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret, trustedCABundleCM *
 		p.Spec.Secrets = append(p.Spec.Secrets, getAdditionalAlertmanagerSecrets(alertManagerConfigs)...)
 	}
 
-	if trustedCABundleCM != nil {
-		volumeName := "prometheus-user-workload-trusted-ca-bundle"
-		volume := trustedCABundleVolume(trustedCABundleCM.Name, volumeName)
-		volume.VolumeSource.ConfigMap.Items = append(volume.VolumeSource.ConfigMap.Items, v1.KeyToPath{
-			Key:  TrustedCABundleKey,
-			Path: "tls-ca-bundle.pem",
-		})
-		p.Spec.Volumes = append(p.Spec.Volumes, volume)
-
-		// we only need the trusted CA bundle in:
-		// 1. Prometheus, because users might want to configure external remote write.
-		for i, container := range p.Spec.Containers {
-			if container.Name == "prometheus" {
-				p.Spec.Containers[i].VolumeMounts = append(
-					p.Spec.Containers[i].VolumeMounts,
-					trustedCABundleVolumeMount(volumeName),
-				)
-			}
-		}
-	}
-
 	return p, nil
 }
 

diff --git a/pkg/tasks/helpers.go b/pkg/tasks/helpers.go
@@ -18,11 +18,12 @@ import (
 	"context"
 	"time"
 
-	"github.com/openshift/cluster-monitoring-operator/pkg/client"
-	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 	"github.com/pkg/errors"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/openshift/cluster-monitoring-operator/pkg/client"
+	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 )
 
 type caBundleSyncer struct {
@@ -83,7 +84,7 @@ func (cbs *caBundleSyncer) syncTrustedCABundle(ctx context.Context, trustedCA *v
 		ctx,
 		trustedCA.GetNamespace(),
 		cbs.prefix,
-		string(hashedCM.Labels["monitoring.openshift.io/hash"]),
+		hashedCM.Labels["monitoring.openshift.io/hash"],
 	)
 	return hashedCM, errors.Wrap(err, "deleting old trusted CA bundle configmaps failed")
 }
diff --git a/pkg/tasks/prometheus_user_workload.go b/pkg/tasks/prometheus_user_workload.go
@@ -385,7 +385,7 @@ func (t *PrometheusUserWorkloadTask) destroy(ctx context.Context) error {
 		return errors.Wrap(err, "deleting UserWorkload trusted CA Bundle ConfigMap failed")
 	}
 
-	err = t.client.DeleteConfigMap(ctx, hashedTrustedCA)
+	err = t.client.DeleteHashedConfigMap(ctx, hashedTrustedCA.GetNamespace(), "prometheus-user-workload", hashedTrustedCA.Labels["monitoring.openshift.io/hash"])
 	if err != nil {
 		return errors.Wrap(err, "deleting UserWorkload trusted CA Bundle ConfigMap failed")
 	}