MON-2212: Expose the /federate endpoint of UWM Prometheus as a service

Signed-off-by: Arunprasad Rajkumar <[email protected]>

Author: arajkumar

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - [#1567](https://github.com/openshift/cluster-monitoring-operator/pull/1567) Enable validating webhook for AlertmanagerConfig customer resources
 - [#1557](https://github.com/openshift/cluster-monitoring-operator/pull/1557) Removing grafana from monitoring stack
+- [#1601](https://github.com/openshift/cluster-monitoring-operator/pull/1601) Expose the /federate endpoint of UWM Prometheus as a service
 
 ## 4.10
 

assets/prometheus-user-workload/cluster-role.yaml

@@ -19,6 +19,18 @@ rules:
   - /metrics
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups:
   - ""
   resources:

assets/prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: kube-rbac-proxy-federate
+  namespace: openshift-user-workload-monitoring
+stringData:
+  config.yaml: |-
+    "authorization":
+      "resourceAttributes":
+        "apiVersion": "v1"
+        "resource": "namespaces"
+        "verb": "get"
+type: Opaque

assets/prometheus-user-workload/kube-rbac-proxy-secret.yaml renamed to assets/prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml

@@ -4,7 +4,7 @@ kind: Secret
 metadata:
   labels:
     app.kubernetes.io/part-of: openshift-monitoring
-  name: kube-rbac-proxy
+  name: kube-rbac-proxy-metrics
   namespace: openshift-user-workload-monitoring
 stringData:
   config.yaml: |-

assets/prometheus-user-workload/prometheus.yaml

@@ -39,6 +39,33 @@ spec:
   - serving-certs-ca-bundle
   - metrics-client-ca
   containers:
+  - args:
+    - --secure-listen-address=0.0.0.0:9092
+    - --upstream=http://127.0.0.1:9090
+    - --allow-paths=/federate
+    - --config-file=/etc/kube-rbac-proxy/config.yaml
+    - --tls-cert-file=/etc/tls/private/tls.crt
+    - --tls-private-key-file=/etc/tls/private/tls.key
+    - --client-ca-file=/etc/tls/client/client-ca.crt
+    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+    image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+    name: kube-rbac-proxy-federate
+    ports:
+    - containerPort: 9092
+      name: federate
+    resources:
+      requests:
+        cpu: 1m
+        memory: 10Mi
+    terminationMessagePolicy: FallbackToLogsOnError
+    volumeMounts:
+    - mountPath: /etc/tls/private
+      name: secret-prometheus-user-workload-tls
+    - mountPath: /etc/tls/client
+      name: configmap-metrics-client-ca
+      readOnly: true
+    - mountPath: /etc/kube-rbac-proxy
+      name: secret-kube-rbac-proxy-federate
   - args:
     - --secure-listen-address=0.0.0.0:9091
     - --upstream=http://127.0.0.1:9090
@@ -49,7 +76,7 @@ spec:
     - --client-ca-file=/etc/tls/client/client-ca.crt
     - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
     image: quay.io/brancz/kube-rbac-proxy:v0.11.0
-    name: kube-rbac-proxy
+    name: kube-rbac-proxy-metrics
     ports:
     - containerPort: 9091
       name: metrics
@@ -65,7 +92,7 @@ spec:
       name: configmap-metrics-client-ca
       readOnly: true
     - mountPath: /etc/kube-rbac-proxy
-      name: secret-kube-rbac-proxy
+      name: secret-kube-rbac-proxy-metrics
   - args:
     - --secure-listen-address=[$(POD_IP)]:10902
     - --upstream=http://127.0.0.1:10902
@@ -98,7 +125,7 @@ spec:
       name: configmap-metrics-client-ca
       readOnly: true
     - mountPath: /etc/kube-rbac-proxy
-      name: secret-kube-rbac-proxy
+      name: secret-kube-rbac-proxy-metrics
   - args:
     - sidecar
     - --prometheus.url=http://localhost:9090/
@@ -178,7 +205,8 @@ spec:
   secrets:
   - prometheus-user-workload-tls
   - prometheus-user-workload-thanos-sidecar-tls
-  - kube-rbac-proxy
+  - kube-rbac-proxy-metrics
+  - kube-rbac-proxy-federate
   securityContext:
     fsGroup: 65534
     runAsNonRoot: true

assets/prometheus-user-workload/service.yaml

@@ -16,6 +16,9 @@ spec:
   - name: metrics
     port: 9091
     targetPort: metrics
+  - name: federate
+    port: 9092
+    targetPort: federate
   - name: thanos-proxy
     port: 10902
     targetPort: thanos-proxy

jsonnet/components/prometheus-user-workload.libsonnet

@@ -55,6 +55,11 @@ function(params)
             port: 9091,
             targetPort: 'metrics',
           },
+          {
+            name: 'federate',
+            port: 9092,
+            targetPort: 'federate',
+          },
           {
             name: 'thanos-proxy',
             port: 10902,
@@ -74,6 +79,16 @@ function(params)
     // SubjectAccessReview required by the Alertmanager instances.
     clusterRole+: {
       rules+: [
+        {
+          apiGroups: ['authentication.k8s.io'],
+          resources: ['tokenreviews'],
+          verbs: ['create'],
+        },
+        {
+          apiGroups: ['authorization.k8s.io'],
+          resources: ['subjectaccessreviews'],
+          verbs: ['create'],
+        },
         {
           apiGroups: [''],
           resources: ['namespaces'],
@@ -175,7 +190,30 @@ function(params)
       },
     },
 
-    kubeRbacProxySecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'kube-rbac-proxy'),
+    kubeRbacProxyMetricsSecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'kube-rbac-proxy-metrics'),
+
+    kubeRbacProxyFederateSecret: {
+      apiVersion: 'v1',
+      kind: 'Secret',
+      metadata: {
+        name: 'kube-rbac-proxy-federate',
+        namespace: cfg.namespace,
+        labels: cfg.commonLabels,
+      },
+      type: 'Opaque',
+      data: {},
+      stringData: {
+        'config.yaml': std.manifestYamlDoc({
+          authorization: {
+            resourceAttributes: {
+              apiVersion: 'v1',
+              resource: 'namespaces',
+              verb: 'get',
+            },
+          },
+        }),
+      },
+    },
 
     prometheus+: {
       spec+: {
@@ -225,7 +263,8 @@ function(params)
         secrets: [
           'prometheus-user-workload-tls',
           'prometheus-user-workload-thanos-sidecar-tls',
-          $.kubeRbacProxySecret.metadata.name,
+          $.kubeRbacProxyMetricsSecret.metadata.name,
+          $.kubeRbacProxyFederateSecret.metadata.name,
         ],
         configMaps: ['serving-certs-ca-bundle', 'metrics-client-ca'],
         probeNamespaceSelector: cfg.namespaceSelector,
@@ -237,7 +276,49 @@ function(params)
         priorityClassName: 'openshift-user-critical',
         containers: [
           {
-            name: 'kube-rbac-proxy',
+            name: 'kube-rbac-proxy-federate',
+            image: cfg.kubeRbacProxyImage,
+            resources: {
+              requests: {
+                memory: '10Mi',
+                cpu: '1m',
+              },
+            },
+            ports: [
+              {
+                containerPort: 9092,
+                name: 'federate',
+              },
+            ],
+            args: [
+              '--secure-listen-address=0.0.0.0:9092',
+              '--upstream=http://127.0.0.1:9090',
+              '--allow-paths=/federate',
+              '--config-file=/etc/kube-rbac-proxy/config.yaml',
+              '--tls-cert-file=/etc/tls/private/tls.crt',
+              '--tls-private-key-file=/etc/tls/private/tls.key',
+              '--client-ca-file=/etc/tls/client/client-ca.crt',
+              '--tls-cipher-suites=' + cfg.tlsCipherSuites,
+            ],
+            terminationMessagePolicy: 'FallbackToLogsOnError',
+            volumeMounts: [
+              {
+                mountPath: '/etc/tls/private',
+                name: 'secret-prometheus-user-workload-tls',
+              },
+              {
+                mountPath: '/etc/tls/client',
+                name: 'configmap-metrics-client-ca',
+                readOnly: true,
+              },
+              {
+                mountPath: '/etc/kube-rbac-proxy',
+                name: 'secret-' + $.kubeRbacProxyFederateSecret.metadata.name,
+              },
+            ],
+          },
+          {
+            name: 'kube-rbac-proxy-metrics',
             image: cfg.kubeRbacProxyImage,
             resources: {
               requests: {
@@ -274,7 +355,7 @@ function(params)
               },
               {
                 mountPath: '/etc/kube-rbac-proxy',
-                name: 'secret-' + $.kubeRbacProxySecret.metadata.name,
+                name: 'secret-' + $.kubeRbacProxyMetricsSecret.metadata.name,
               },
             ],
           },
@@ -325,7 +406,7 @@ function(params)
               },
               {
                 mountPath: '/etc/kube-rbac-proxy',
-                name: 'secret-' + $.kubeRbacProxySecret.metadata.name,
+                name: 'secret-' + $.kubeRbacProxyMetricsSecret.metadata.name,
               },
             ],
           },

pkg/manifests/manifests.go

@@ -118,7 +118,8 @@ var (
 	PrometheusK8sServiceThanosSidecar                 = "prometheus-k8s/service-thanos-sidecar.yaml"
 	PrometheusK8sProxySecret                          = "prometheus-k8s/proxy-secret.yaml"
 	PrometheusRBACProxySecret                         = "prometheus-k8s/kube-rbac-proxy-secret.yaml"
-	PrometheusUserWorkloadRBACProxySecret             = "prometheus-user-workload/kube-rbac-proxy-secret.yaml"
+	PrometheusUserWorkloadRBACProxyMetricsSecret      = "prometheus-user-workload/kube-rbac-proxy-metrics-secret.yaml"
+	PrometheusUserWorkloadRBACProxyFederateSecret     = "prometheus-user-workload/kube-rbac-proxy-federate-secret.yaml"
 	PrometheusK8sAPIRoute                             = "prometheus-k8s/api-route.yaml"
 	PrometheusK8sFederateRoute                        = "prometheus-k8s/federate-route.yaml"
 	PrometheusK8sHtpasswd                             = "prometheus-k8s/htpasswd-secret.yaml"
@@ -1243,8 +1244,19 @@ func (f *Factory) PrometheusRBACProxySecret() (*v1.Secret, error) {
 	return s, nil
 }
 
-func (f *Factory) PrometheusUserWorkloadRBACProxySecret() (*v1.Secret, error) {
-	s, err := f.NewSecret(f.assets.MustNewAssetReader(PrometheusUserWorkloadRBACProxySecret))
+func (f *Factory) PrometheusUserWorkloadRBACProxyMetricsSecret() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetReader(PrometheusUserWorkloadRBACProxyMetricsSecret))
+	if err != nil {
+		return nil, err
+	}
+
+	s.Namespace = f.namespaceUserWorkload
+
+	return s, nil
+}
+
+func (f *Factory) PrometheusUserWorkloadRBACProxyFederateSecret() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetReader(PrometheusUserWorkloadRBACProxyFederateSecret))
 	if err != nil {
 		return nil, err
 	}
@@ -1783,7 +1795,8 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus,
 	}
 
 	for i, container := range p.Spec.Containers {
-		if container.Name == "kube-rbac-proxy" || container.Name == "kube-rbac-proxy-thanos" {
+		switch container.Name {
+		case "kube-rbac-proxy-metrics", "kube-rbac-proxy-federate", "kube-rbac-proxy-thanos":
 			p.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 			p.Spec.Containers[i].Args = f.setTLSSecurityConfiguration(container.Args, KubeRbacProxyTLSCipherSuitesFlag, KubeRbacProxyMinTLSVersionFlag)
 		}

pkg/tasks/prometheus_user_workload.go

@@ -16,6 +16,7 @@ package tasks
 
 import (
 	"context"
+
 	"github.com/openshift/cluster-monitoring-operator/pkg/client"
 	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 	"github.com/pkg/errors"
@@ -188,7 +189,7 @@ func (t *PrometheusUserWorkloadTask) create(ctx context.Context) error {
 		return errors.Wrap(err, "error creating UserWorkload Prometheus Client GRPC TLS secret")
 	}
 
-	rs, err := t.factory.PrometheusUserWorkloadRBACProxySecret()
+	rs, err := t.factory.PrometheusUserWorkloadRBACProxyMetricsSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing UserWorkload Prometheus RBAC proxy Secret failed")
 	}
@@ -198,6 +199,16 @@ func (t *PrometheusUserWorkloadTask) create(ctx context.Context) error {
 		return errors.Wrap(err, "creating or updating UserWorkload Prometheus RBAC proxy Secret failed")
 	}
 
+	fs, err := t.factory.PrometheusUserWorkloadRBACProxyFederateSecret()
+	if err != nil {
+		return errors.Wrap(err, "initializing UserWorkload Prometheus RBAC federate endpoint Secret failed")
+	}
+
+	err = t.client.CreateOrUpdateSecret(ctx, fs)
+	if err != nil {
+		return errors.Wrap(err, "creating or updating UserWorkload Prometheus RBAC federate endpoint Secret failed")
+	}
+
 	secret, err := t.factory.PrometheusUserWorkloadAdditionalAlertManagerConfigsSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing UserWorkload Prometheus additionalAlertmanagerConfigs secret failed")
@@ -429,7 +440,7 @@ func (t *PrometheusUserWorkloadTask) destroy(ctx context.Context) error {
 		return errors.Wrap(err, "initializing UserWorkload serving certs CA Bundle ConfigMap failed")
 	}
 
-	rs, err := t.factory.PrometheusUserWorkloadRBACProxySecret()
+	rs, err := t.factory.PrometheusUserWorkloadRBACProxyMetricsSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing UserWorkload Prometheus RBAC proxy Secret failed")
 	}