OCPNODE-2098: Add static pod for kube-rbac-proxy-crio

pkg/controller/template/constants.go

@@ -21,4 +21,7 @@ const (
 
 	// BaremetalRuntimeCfgKey is the key that references the baremetal-runtimecfg image in the controller
 	BaremetalRuntimeCfgKey string = "baremetalRuntimeCfgImage"
+
+	// KubeRbacProxyKey the key that references the kubeRbacProxy image
+	KubeRbacProxyKey string = "kubeRbacProxyImage"
 )

pkg/operator/bootstrap.go

@@ -150,6 +150,7 @@ func RenderBootstrap(
 		templatectrl.CorednsKey:             imgs.Coredns,
 		templatectrl.HaproxyKey:             imgs.Haproxy,
 		templatectrl.BaremetalRuntimeCfgKey: imgs.BaremetalRuntimeCfg,
+		templatectrl.KubeRbacProxyKey:       imgs.KubeRbacProxy,
 	}
 
 	config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, nil)
@@ -176,7 +177,8 @@ func RenderBootstrap(
 		}, {
 			name:     "manifests/machineconfigserver/kube-apiserver-serving-ca-configmap.yaml",
 			filename: "manifests/kube-apiserver-serving-ca-configmap.yaml",
-		}}
+		},
+	}
 
 	manifests = appendManifestsByPlatform(manifests, *infra)
 

pkg/operator/sync.go

@@ -56,13 +56,11 @@ const (
 	requiredForUpgradeMachineConfigPoolLabelKey = "operator.machineconfiguration.openshift.io/required-for-upgrade"
 )
 
-var (
-	platformsRequiringCloudConf = sets.NewString(
-		string(configv1.AzurePlatformType),
-		string(configv1.GCPPlatformType),
-		string(configv1.OpenStackPlatformType),
-		string(configv1.VSpherePlatformType),
-	)
+var platformsRequiringCloudConf = sets.NewString(
+	string(configv1.AzurePlatformType),
+	string(configv1.GCPPlatformType),
+	string(configv1.OpenStackPlatformType),
+	string(configv1.VSpherePlatformType),
 )
 
 type manifestPaths struct {
@@ -568,6 +566,7 @@ func (optr *Operator) syncRenderConfig(_ *renderConfig) error {
 		templatectrl.CorednsKey:               imgs.Coredns,
 		templatectrl.HaproxyKey:               imgs.Haproxy,
 		templatectrl.BaremetalRuntimeCfgKey:   imgs.BaremetalRuntimeCfg,
+		templatectrl.KubeRbacProxyKey:         imgs.KubeRbacProxy,
 	}
 
 	ignitionHost, err := getIgnitionHost(&infra.Status)
@@ -1538,7 +1537,6 @@ func (optr *Operator) getCAsFromConfigMap(namespace, name, key string) ([]byte,
 // it updates boot images.
 
 func (optr *Operator) stampBootImagesCM(pool *mcfgv1.MachineConfigPool) error {
-
 	// Ensure the targeted MC for this pool was generated by the current MCO
 	renderedMC, err := optr.mcLister.Get(pool.Spec.Configuration.Name)
 	if err != nil {
@@ -1726,7 +1724,6 @@ func isPoolStatusConditionTrue(pool *mcfgv1.MachineConfigPool, conditionType mcf
 // global pull secret. It also adds a default route to the registry for the firstboot scenario.
 
 func (optr *Operator) getImageRegistryPullSecrets() ([]byte, error) {
-
 	// Check if image registry exists, if it doesn't we no-op
 	co, err := optr.mcoCOLister.Get("image-registry")
 

templates/master/01-master-kubelet/_base/files/criometricsproxy-config.yaml

@@ -0,0 +1,11 @@
+mode: 0644
+path: "/etc/kubernetes/crio-metrics-proxy.cfg"
+contents:
+  inline: |-
+    authorization:
+      static:
+        - resourceRequest: false
+          path: /metrics
+          verb: get
+          user:
+            name: system:serviceaccount:openshift-monitoring:prometheus-k8s

templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml

@@ -0,0 +1,75 @@
+mode: 0644
+path: "/etc/kubernetes/manifests/criometricsproxy.yaml"
+contents:
+  inline: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: kube-rbac-proxy-crio
+      namespace: openshift-machine-config-operator
+    spec:
+      volumes:
+      - name: etc-kube
+        hostPath:
+          path: "/etc/kubernetes"
+      - name: var-lib-kubelet
+        hostPath:
+          path: "/var/lib/kubelet"
+      hostNetwork: true
+      priorityClassName: system-cluster-critical
+      initContainers:
+      - name: setup
+        terminationMessagePolicy: FallbackToLogsOnError
+        image: {{.Images.kubeRbacProxyImage}}
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: var-lib-kubelet
+          mountPath: "/var"
+          mountPropagation: HostToContainer
+        command: ['/bin/bash', '-ec']
+        args:
+        - |
+          echo -n "Waiting for kubelet key and certificate to be available"
+          while [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do
+            echo -n "."
+            sleep 1
+            (( tries += 1 ))
+            if [[ "${tries}" -gt 10 ]]; then
+              echo "Timed out waiting for kubelet key and cert."
+              exit 1
+            fi
+          done
+        securityContext:
+          privileged: true
+      resources:
+        requests:
+          memory: 50Mi
+          cpu: 5m
+      containers:
+      - name: kube-rbac-proxy-crio
+        image: {{.Images.kubeRbacProxyImage}}
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 9637
+        args:
+        - --secure-listen-address=:9637
+        - --config-file=/etc/kubernetes/crio-metrics-proxy.cfg
+        - --client-ca-file=/etc/kubernetes/kubelet-ca.crt
+        - --logtostderr=true
+        - --kubeconfig=/var/lib/kubelet/kubeconfig
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:9537
+        - --tls-cert-file=/var/lib/kubelet/pki/kubelet-server-current.pem
+        - --tls-private-key-file=/var/lib/kubelet/pki/kubelet-server-current.pem
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        volumeMounts:
+        - name: etc-kube
+          mountPath: "/etc/kubernetes"
+          mountPropagation: HostToContainer
+        - name: var-lib-kubelet
+          mountPath: "/var/lib/kubelet"
+          mountPropagation: HostToContainer

templates/worker/01-worker-kubelet/_base/files/criometricsproxy-config.yaml

@@ -0,0 +1,12 @@
+mode: 0644
+mode: 0644
+path: "/etc/kubernetes/crio-metrics-proxy.cfg"
+contents:
+  inline: |-
+    authorization:
+      static:
+        - resourceRequest: false
+          path: /metrics
+          verb: get
+          user:
+            name: system:serviceaccount:openshift-monitoring:prometheus-k8s

templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml

@@ -0,0 +1,75 @@
+mode: 0644
+path: "/etc/kubernetes/manifests/criometricsproxy.yaml"
+contents:
+  inline: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: kube-rbac-proxy-crio
+      namespace: openshift-machine-config-operator
+    spec:
+      volumes:
+      - name: etc-kube
+        hostPath:
+          path: "/etc/kubernetes"
+      - name: var-lib-kubelet
+        hostPath:
+          path: "/var/lib/kubelet"
+      hostNetwork: true
+      priorityClassName: system-cluster-critical
+      initContainers:
+      - name: setup
+        terminationMessagePolicy: FallbackToLogsOnError
+        image: {{.Images.kubeRbacProxyImage}}
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: var-lib-kubelet
+          mountPath: "/var"
+          mountPropagation: HostToContainer
+        command: ['/bin/bash', '-ec']
+        args:
+        - |
+          echo -n "Waiting for kubelet key and certificate to be available"
+          while [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do
+            echo -n "."
+            sleep 1
+            (( tries += 1 ))
+            if [[ "${tries}" -gt 10 ]]; then
+              echo "Timed out waiting for kubelet key and cert."
+              exit 1
+            fi
+          done
+        securityContext:
+          privileged: true
+      resources:
+        requests:
+          memory: 50Mi
+          cpu: 5m
+      containers:
+      - name: kube-rbac-proxy-crio
+        image: {{.Images.kubeRbacProxyImage}}
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 9637
+        args:
+        - --secure-listen-address=:9637
+        - --config-file=/etc/kubernetes/crio-metrics-proxy.cfg
+        - --client-ca-file=/etc/kubernetes/kubelet-ca.crt
+        - --logtostderr=true
+        - --kubeconfig=/var/lib/kubelet/kubeconfig
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:9537
+        - --tls-cert-file=/var/lib/kubelet/pki/kubelet-server-current.pem
+        - --tls-private-key-file=/var/lib/kubelet/pki/kubelet-server-current.pem
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        volumeMounts:
+        - name: etc-kube
+          mountPath: "/etc/kubernetes"
+          mountPropagation: HostToContainer
+        - name: var-lib-kubelet
+          mountPath: "/var/lib/kubelet"
+          mountPropagation: HostToContainer