OCPNODE-2098: Add static pod for kube-rbac-proxy-crio

[rphillips]

This PR adds a static pod to the MCO to lay down a kube-rbac-proxy to secure crio's metrics port. The TLS endpoints supports cert based authentication for monitoring.

Merge information

• Allow static pod tolerations: 4.16/master : Backport to EUS 4.14
• MCO Kube-Rbac-Proxy Static pods 4.16/master : OCPNODE-2098: Add static pod for kube-rbac-proxy-crio #4175 : Backport to EUS 4.14
• Create an upgrade edge after all backports merge

After all the above backports are merged, then

• Change the Monitoring Operator to use port 9637 (with client certificates) : OCPNODE-2100: jsonnet: update crio port to TLS port 9637 cluster-monitoring-operator#2257 : This PR is only for 4.16

This PR will need to be backported to EUS 4.14.

[openshift-ci]

@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/820f5280-c6d5-11ee-97cb-3e05c7124d92-0

[openshift-ci]

@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/896bb770-c93d-11ee-8788-320a5f153a65-0

[openshift-ci]

@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0d734920-c9ca-11ee-824a-026157b75804-0

[openshift-ci]

@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/56f50e00-ca7c-11ee-974b-7cd8f62e7155-0

[openshift-ci]

@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/71d442f0-d03e-11ee-95a3-a9525782e9b1-0

[openshift-ci-robot]

@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rphillips]

/cherry-pick release-4.15

[openshift-cherrypick-robot]

@rphillips: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rphillips]

/hold until openshift/origin#28636 merges.

[openshift-ci-robot]

@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue.

In response to this:

description incoming...

This PR will need to be backported to EUS 4.14.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rphillips]

/test e2e-aws-ovn

[rphillips]

/hold cancel

openshift/origin#28636 merged

[openshift-ci-robot]

@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue.

In response to this:

This PR adds a static pod to the MCO to lay down a kube-rbac-proxy to secure crio's metrics port. The TLS endpoints supports cert based authentication for monitoring.

Merge information

• Allow static pod tolerations (this PR): 4.16/master : Backport to EUS 4.14
• MCO Kube-Rbac-Proxy Static pods 4.16/master : OCPNODE-2098: Add static pod for kube-rbac-proxy-crio #4175 : Backport to EUS 4.14
• Create an upgrade edge after all backports merge

After all the above backports are merged, then

• Change the Monitoring Operator to use port 9637 (with client certificates) : OCPNODE-2100: jsonnet: update crio port to TLS port 9637 cluster-monitoring-operator#2257 : This PR is only for 4.16

This PR will need to be backported to EUS 4.14.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue.

In response to this:

This PR adds a static pod to the MCO to lay down a kube-rbac-proxy to secure crio's metrics port. The TLS endpoints supports cert based authentication for monitoring.

Merge information

• Allow static pod tolerations: 4.16/master : Backport to EUS 4.14
• MCO Kube-Rbac-Proxy Static pods 4.16/master : OCPNODE-2098: Add static pod for kube-rbac-proxy-crio #4175 : Backport to EUS 4.14
• Create an upgrade edge after all backports merge

After all the above backports are merged, then

• Change the Monitoring Operator to use port 9637 (with client certificates) : OCPNODE-2100: jsonnet: update crio port to TLS port 9637 cluster-monitoring-operator#2257 : This PR is only for 4.16

This PR will need to be backported to EUS 4.14.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[harche]

/lgtm

[cdoern]

some service account and port questions. but looks good!

[cdoern]

any specific reason for this port?

[rphillips]

The usual port is 9537. To make it easier to identify the secure port I used 9637 (100 more than the insecure one). (9637 is not in use by the /etc/services file).

[cdoern]

our kube-rbac-proxy ctrs usually use a different port, I am forgetting which. Should we mimic that here?

[rphillips]

The kube-rbac-proxy is exposing a host network port (9637) and forwarding to the host's 9537 port. I slightly deviated from the usual construct due to host networking.

[cdoern]

is this using the openshift-monitoring SA?

In our other kube-rbac-proxy pods we specify which serviceAccountName: we want to use. Where is that happening in this PR?

[rphillips]

This new kube-rbac-proxy-crio service does not have access to service account secrets due to being a static pod. Instead, we are using client side certificate validation and only allowing the system:serviceaccount:openshift-monitoring:prometheus-k8s user.

[cdoern]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, harche, rphillips

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cdoern]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rphillips]

/cherry-pick release-4.15

[openshift-cherrypick-robot]

@rphillips: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 53bbe70 and 2 for PR HEAD 757befb in total

[openshift-ci]

@rphillips: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	757befb	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[rphillips]

/test e2e-gcp-op-single-node

[openshift-cherrypick-robot]

@rphillips: #4175 failed to apply on top of branch "release-4.15":

Applying: OCPNODE-2098: add static pods for rbacproxy
Using index info to reconstruct a base tree...
M	pkg/operator/sync.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/operator/sync.go
CONFLICT (content): Merge conflict in pkg/operator/sync.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 OCPNODE-2098: add static pods for rbacproxy
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-machine-config-operator-container-v4.16.0-202403081913.p0.ga073953.assembly.stream.el8 for distgit ose-machine-config-operator.
All builds following this will include this PR.