Add federate to rbac proxy

Signed-off-by: Mario Fernandez <mariofer@redhat.com>

assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/alertmanager/kube-rbac-proxy-metric-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/kube-state-metrics/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/node-exporter/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/openshift-state-metrics/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/prometheus-k8s/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/prometheus-k8s/prometheus.yaml

@@ -82,13 +82,14 @@ spec:
   - args:
     - --secure-listen-address=0.0.0.0:9092
     - --upstream=http://127.0.0.1:9090
-    - --allow-paths=/metrics
+    - --allow-paths=/metrics,/federate
     - --config-file=/etc/kube-rbac-proxy/config.yaml
     - --tls-cert-file=/etc/tls/private/tls.crt
     - --tls-private-key-file=/etc/tls/private/tls.key
     - --client-ca-file=/etc/tls/client/client-ca.crt
     - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
     - --logtostderr=true
+    - --v=10
     image: quay.io/brancz/kube-rbac-proxy:v0.14.0
     name: kube-rbac-proxy
     ports:

assets/prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/prometheus-operator/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/telemeter-client/deployment.yaml

@@ -67,6 +67,12 @@ spec:
         - mountPath: /etc/telemeter
           name: secret-telemeter-client
           readOnly: false
+        - mountPath: /etc/tls/private
+          name: telemeter-client-tls
+          readOnly: false
+        - mountPath: /etc/tls/client
+          name: metrics-client-ca
+          readOnly: true
       - args:
         - --reload-url=http://localhost:8080/-/reload
         - --watched-dir=/etc/serving-certs-ca-bundle

assets/telemeter-client/kube-rbac-proxy-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/thanos-querier/kube-rbac-proxy-metric-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

assets/thanos-ruler/kube-rbac-proxy-metrics-secret.yaml

@@ -15,4 +15,9 @@ stringData:
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
         "verb": "get"
+      - "path": "/federate"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
 type: Opaque

jsonnet/components/prometheus.libsonnet

@@ -397,13 +397,14 @@ function(params)
             args: [
               '--secure-listen-address=0.0.0.0:9092',
               '--upstream=http://127.0.0.1:9090',
-              '--allow-paths=/metrics',
+              '--allow-paths=/metrics,/federate',
               '--config-file=/etc/kube-rbac-proxy/config.yaml',
               '--tls-cert-file=/etc/tls/private/tls.crt',
               '--tls-private-key-file=/etc/tls/private/tls.key',
               '--client-ca-file=/etc/tls/client/client-ca.crt',
               '--tls-cipher-suites=' + cfg.tlsCipherSuites,
               '--logtostderr=true',
+              '--v=10',
             ],
             terminationMessagePolicy: 'FallbackToLogsOnError',
             volumeMounts: [

jsonnet/components/telemeter-client.libsonnet

@@ -82,7 +82,7 @@ function(params) {
                       },
                       {
                         mountPath: '/etc/tls/client',
-                        name: 'metrics-client-ca',
+                        name: 'metrics-client-cafeo',
                         readOnly: true,
                       },
                     ],

jsonnet/utils/generate-secret.libsonnet

@@ -21,6 +21,14 @@
               path: '/metrics',
               resourceRequest: false,
             },
+            {
+              user: {
+                name: 'system:serviceaccount:openshift-monitoring:prometheus-k8s',
+              },
+              verb: 'get',
+              path: '/federate',
+              resourceRequest: false,
+            },
           ],
         },
       },),