[release-5.7] LOG-5243: Use safe bearer token auth to scrape operator metrics #1008
Conversation
@periklis: This pull request references LOG-5243 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

/approve

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: periklis. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/test e2e-upgrade

/test e2e-upgrade

/lgtm

/override ci/prow/e2e-upgrade

@periklis: Overrode contexts on behalf of periklis: ci/prow/e2e-upgrade. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@periklis: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
e7f8e28 into openshift:release-5.7
Description

In OpenShift clusters we have the option to scrape operator metrics either via cluster-monitoring (default case) or user-workload-monitoring (managed clusters, where users track operator metrics themselves). Until now the service monitor for scraping operator metrics was only compatible with cluster-monitoring, which allows using `bearerTokenFile` and `tlsConfig.caFile`. Both are not allowed when scraping with user-workload-monitoring. The Prometheus Operator in user-workload-monitoring is configured with `ArbitraryFSAccessThroughSMsConfig.Deny: true`, which in turn disallows the prometheus binary to access its own serviceaccount token to scrape metrics.

The serviceaccount `elasticsearch-operator-metrics-reader` is introduced along with a secret that holds a long-lived API token and the service CA certificate. The token is referenced in the `ServiceMonitor` in `authorization.credentials`, replacing `bearerTokenFile`. The certificate is referenced in the `ServiceMonitor` in `tlsConfig.ca`, replacing `tlsConfig.caFile`. Also it is used by Prometheus to scrape metrics from the Elasticsearch Operator `manager` container only through the `kube-rbac-proxy` sidecar. This serviceaccount is assigned in a `ClusterRoleBinding`, namely `elasticsearch-operator-read-metrics`, to get access to the Non-Resource-URL `get /metrics`. In addition the `ClusterRole` named `metrics-reader` is removed from the bundle and re-introduced as `elasticsearch-operator-metrics-reader` to omit naming collisions.

/cc @xperimental @JoaoBraveCoding
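The manifests below are an added illustration of the scheme the description outlines (a dedicated scraper ServiceAccount, a long-lived token secret, a ClusterRole limited to `get /metrics`, and a ServiceMonitor that references secret keys instead of files); they are not the bundle files from this PR. The namespace `openshift-operators-redhat`, the Service name and label `elasticsearch-operator-metrics`, the port name `https`, the secret name and the key names `token` and `service-ca.crt` are assumptions for the example. The commented-out "before" endpoint shows the file-based form that `arbitraryFSAccessThroughSMs.deny` rejects.

```yaml
# Added example, not the PR's own manifests. Names and key names are assumed.

# 1. Dedicated scraper identity, separate from the operator's own ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elasticsearch-operator-metrics-reader
  namespace: openshift-operators-redhat
---
# 2. Long-lived token bound to that identity. The API server fills in "token"
# and "ca.crt"; on OpenShift the secret also carries "service-ca.crt" (key name
# assumed), the CA that signs the kube-rbac-proxy serving certificate.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-operator-metrics-reader-token
  namespace: openshift-operators-redhat
  annotations:
    kubernetes.io/service-account.name: elasticsearch-operator-metrics-reader
type: kubernetes.io/service-account-token
---
# 3. Least privilege: only the non-resource URL /metrics, only the "get" verb.
# kube-rbac-proxy runs a SubjectAccessReview for this verb/path before it
# forwards the request to the manager container.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-operator-metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elasticsearch-operator-read-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-operator-metrics-reader
subjects:
  - kind: ServiceAccount
    name: elasticsearch-operator-metrics-reader
    namespace: openshift-operators-redhat
---
# 4. ServiceMonitor. The form that only cluster-monitoring accepts reads files
# out of the Prometheus pod (paths as an assumption):
#
#   endpoints:
#     - port: https
#       scheme: https
#       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
#       tlsConfig:
#         caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
#
# A Prometheus configured with arbitraryFSAccessThroughSMs.deny=true rejects
# those fields, so the token and CA are referenced as secret keys instead.
# Both references must point at a secret in the ServiceMonitor's namespace.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: elasticsearch-operator-metrics-monitor
  namespace: openshift-operators-redhat
spec:
  selector:
    matchLabels:
      name: elasticsearch-operator-metrics   # assumed Service label
  endpoints:
    - port: https
      scheme: https
      path: /metrics
      authorization:
        type: Bearer
        credentials:
          name: elasticsearch-operator-metrics-reader-token
          key: token
      tlsConfig:
        serverName: elasticsearch-operator-metrics.openshift-operators-redhat.svc
        ca:
          secret:
            name: elasticsearch-operator-metrics-reader-token
            key: service-ca.crt
```

Two checks are worth running after applying something like this: `oc auth can-i get /metrics --as=system:serviceaccount:openshift-operators-redhat:elasticsearch-operator-metrics-reader` should answer `yes`, and the same command with `--as` set to an unrelated ServiceAccount should answer `no`, which confirms that kube-rbac-proxy will only admit the scraper identity. Because the token is long-lived, anyone who can read secrets in that namespace can scrape `/metrics` with it; the ClusterRole above grants nothing beyond that single path and verb, so that is the full blast radius of the credential.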