Integrate with openshift-monitoring at secure(https) metrics endpoint

Author: vikaschoudhary16

install/0000_30_machine-api-operator_09_rbac.yaml

@@ -200,7 +200,14 @@ kind: ClusterRole
 metadata:
   name: machine-api-operator
 rules:
-
+  - apiGroups: ["authentication.k8s.io"]
+    resources:
+      - tokenreviews
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources:
+      - subjectaccessreviews
+    verbs: ["create"]
   - apiGroups:
       - config.openshift.io
     resources:
@@ -319,6 +326,12 @@ metadata:
   name: prometheus-k8s-machine-api-operator
   namespace: openshift-machine-api
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespace/metrics
+    verbs:
+      - get
   - apiGroups:
       - ""
     resources:

install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-rbac-proxy
+  namespace: openshift-machine-api
+data:
+  config-file.yaml: |+
+    authorization:
+      resourceAttributes:
+        apiVersion: v1
+        resource: namespace
+        subresource: metrics
+        namespace: openshift-machine-api
+

install/0000_30_machine-api-operator_10_service.yaml

@@ -4,15 +4,16 @@ kind: Service
 metadata:
   name: machine-api-operator
   namespace: openshift-machine-api
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: machine-api-operator-tls
   labels:
     k8s-app: machine-api-operator
 spec:
   type: ClusterIP
   ports:
-  - name: metrics
-    port: 8080
-    targetPort: metrics
-    protocol: TCP
+  - name: https
+    port: 8443
+    targetPort: https
   selector:
     k8s-app: machine-api-operator
   sessionAffinity: None

install/0000_30_machine-api-operator_11_deployment.yaml

@@ -18,6 +18,20 @@ spec:
       priorityClassName: system-node-critical
       serviceAccountName: machine-api-operator
       containers:
+      - name: kube-rbac-proxy
+        image: quay.io/openshift/origin-kube-rbac-proxy:4.2
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--config-file=/etc/kube-rbac-proxy/config-file.yaml"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+        volumeMounts:
+        - name: config
+          mountPath: /etc/kube-rbac-proxy
       - name: machine-api-operator
         image: docker.io/openshift/origin-machine-api-operator:v4.0.0
         command:
@@ -36,9 +50,6 @@ spec:
               fieldPath: metadata.namespace
         - name: METRICS_PORT
           value: "8080"
-        ports:
-        - name: metrics
-          containerPort: 8080
         resources:
           requests:
             cpu: 10m
@@ -65,6 +76,9 @@ spec:
         effect: "NoExecute"
         tolerationSeconds: 120
       volumes:
+      - name: config
+        configMap:
+          name: kube-rbac-proxy
       - name: images
         configMap:
                 name: machine-api-operator-images

install/0000_30_machine-api-operator_13_servicemonitor.yaml

@@ -9,8 +9,11 @@ spec:
   endpoints:
     - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       interval: 30s
-      port: metrics
-      scheme: http
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: machine-api-operator.openshift-machine-api.svc
   namespaceSelector:
     matchNames:
       - openshift-machine-api

kustomization.yaml

@@ -26,6 +26,7 @@ resources:
 - install/0000_30_machine-api-operator_07_machinehealthcheck.crd.yaml
 - install/0000_30_machine-api-operator_08_machinedisruptionbudget.crd.yaml
 - install/0000_30_machine-api-operator_09_rbac.yaml
+- install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml
 - install/0000_30_machine-api-operator_10_service.yaml
 - install/0000_30_machine-api-operator_11_deployment.yaml
 - install/0000_30_machine-api-operator_12_clusteroperator.yaml