Integrate with openshift-monitoring at secure(https) metrics endpoint

vikaschoudhary16 · vikaschoudhary16 · commit 188be585418c · 2019-08-06T15:03:54.000+05:30
diff --git a/install/0000_30_machine-api-operator_09_rbac.yaml b/install/0000_30_machine-api-operator_09_rbac.yaml
@@ -200,7 +200,14 @@ kind: ClusterRole
 metadata:
   name: machine-api-operator
 rules:
-
+  - apiGroups: ["authentication.k8s.io"]
+    resources:
+      - tokenreviews
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources:
+      - subjectaccessreviews
+    verbs: ["create"]
   - apiGroups:
       - config.openshift.io
     resources:
@@ -319,6 +326,12 @@ metadata:
   name: prometheus-k8s-machine-api-operator
   namespace: openshift-machine-api
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespace/metrics
+    verbs:
+      - get
   - apiGroups:
       - ""
     resources:
diff --git a/install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml b/install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-rbac-proxy
+  namespace: openshift-machine-api
+data:
+  config-file.yaml: |+
+    authorization:
+      resourceAttributes:
+        apiVersion: v1
+        resource: namespace
+        subresource: metrics
+        namespace: openshift-machine-api
+
diff --git a/install/0000_30_machine-api-operator_10_service.yaml b/install/0000_30_machine-api-operator_10_service.yaml
@@ -4,15 +4,16 @@ kind: Service
 metadata:
   name: machine-api-operator
   namespace: openshift-machine-api
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: machine-api-operator-tls
   labels:
     k8s-app: machine-api-operator
 spec:
   type: ClusterIP
   ports:
-  - name: metrics
-    port: 8080
-    targetPort: metrics
-    protocol: TCP
+  - name: https
+    port: 8443
+    targetPort: https
   selector:
     k8s-app: machine-api-operator
   sessionAffinity: None
diff --git a/install/0000_30_machine-api-operator_11_deployment.yaml b/install/0000_30_machine-api-operator_11_deployment.yaml
@@ -18,6 +18,24 @@ spec:
       priorityClassName: system-node-critical
       serviceAccountName: machine-api-operator
       containers:
+      - name: kube-rbac-proxy
+        image: quay.io/openshift/origin-kube-rbac-proxy:4.2.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--tls-cert-file=/etc/tls/private/tls.crt"
+        - "--tls-private-key-file=/etc/tls/private/tls.key"
+        - "--config-file=/etc/kube-rbac-proxy/config-file.yaml"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+        volumeMounts:
+        - name: config
+          mountPath: /etc/kube-rbac-proxy
+        - mountPath: /etc/tls/private
+          name: machine-api-operator-tls
       - name: machine-api-operator
         image: docker.io/openshift/origin-machine-api-operator:v4.0.0
         command:
@@ -36,9 +54,6 @@ spec:
               fieldPath: metadata.namespace
         - name: METRICS_PORT
           value: "8080"
-        ports:
-        - name: metrics
-          containerPort: 8080
         resources:
           requests:
             cpu: 10m
@@ -65,6 +80,12 @@ spec:
         effect: "NoExecute"
         tolerationSeconds: 120
       volumes:
+      - name: config
+        configMap:
+          name: kube-rbac-proxy
       - name: images
         configMap:
                 name: machine-api-operator-images
+      - name: machine-api-operator-tls
+        secret:
+          secretName: machine-api-operator-tls
diff --git a/install/0000_30_machine-api-operator_13_servicemonitor.yaml b/install/0000_30_machine-api-operator_13_servicemonitor.yaml
@@ -9,8 +9,11 @@ spec:
   endpoints:
     - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       interval: 30s
-      port: metrics
-      scheme: http
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: machine-api-operator.openshift-machine-api.svc
   namespaceSelector:
     matchNames:
       - openshift-machine-api
diff --git a/install/image-references b/install/image-references
@@ -54,3 +54,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/openshift/origin-ironic-static-ip-manager:v4.2.0
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:4.2.0
diff --git a/kustomization.yaml b/kustomization.yaml
@@ -26,6 +26,7 @@ resources:
 - install/0000_30_machine-api-operator_07_machinehealthcheck.crd.yaml
 - install/0000_30_machine-api-operator_08_machinedisruptionbudget.crd.yaml
 - install/0000_30_machine-api-operator_09_rbac.yaml
+- install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml
 - install/0000_30_machine-api-operator_10_service.yaml
 - install/0000_30_machine-api-operator_11_deployment.yaml
 - install/0000_30_machine-api-operator_12_clusteroperator.yaml
