Expose metric endpoint on https

[vikaschoudhary16]

This PR is adding changes to expose metrics endpoint on https and also changes at other objects for integration with openshift-monitoring at https.
This PR is also restricting http port access only on loopback ip.

Approach for https support:

kube-rbac-proxy container is being run alongside operator container which runs metrics server in the same pod. kube-rbac -proxy validates authz and authn on behalf of the metrics server and if success, proxies the incoming https request to the metrics server(which is listening on 127.0.0.1 and http port 8080).

How authn and authz is being validated by kube-rbac-proxy

It uses TokenReviews() and SubjectAccessReviews() apis internally for validation of token authentication and authorization respectively. These apis are used against a stub resource, namespace/metrics which is passed as config to the kube-rbac-proxy

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-rbac-proxy
  namespace: openshift-machine-api
data:
  config-file.yaml: |+
    authorization:
      resourceAttributes:
        apiVersion: v1
        resource: namespace
        subresource: metrics
        namespace: openshift-machine-api

RBAC permissions for this rule are defined same as that we expect for metrics endpoint.
So when a https request is received for metrics endpoint, token and rbac of the request user is validated against this stub resource. If it passes, proxied to the metrics endpoint.

How I tested it locally

• launch a cluster using installer
• make cluster-version deployment replica to 0
• change mao image with the one with the PR changes
• change/create all the api objects(like clusterrole, rbac-config etc) that are part of this PR
• I had to make a curl command on the metrics service with service account, prometheus-k8s. I got this token using following command:

kubectl -n openshift-monitoring get secret $(kubectl -n openshift-monitoring get sa prometheus-k8s -o 'jsonpath={.secrets[0].name}') -o 'jsonpath={.data.token}' | base64 -d

• Next, created a pod in the openshift-monitoring namespace to make curl call at service
• Then copy token obtained above in the curl container and make the curl call

curl -v -s -k -H "Authorization: Bearer cat ./token2" https://machine-api-operator.openshift-machine-api.svc:8443/metrics

This should return metrics

[vikaschoudhary16]

/test integration

[vikaschoudhary16]

/test e2e-aws

[vikaschoudhary16]

/test e2e-aws

[vikaschoudhary16]

/test e2e-aws

[vikaschoudhary16]

/test e2e-aws

[vikaschoudhary16]

/test integration

[vikaschoudhary16]

/test integration

[vikaschoudhary16]

/test e2e-aws

[vikaschoudhary16]

/test e2e-aws

[frobware]

This image refers to v4.0 whereas the kube-rbac-proxy refers to 4.2.0. Is this intentional?

[vikaschoudhary16]

mao image version is same as it is today in https://github.com/openshift/machine-api-operator/blob/master/install/0000_30_machine-api-operator_11_deployment.yaml#L22

kube-rbac-proxy image 4.2.0 is taken just to be latest. Not sure if these two should be same. I see both image streams 4.0.0 and 4.2.0 in the install/image-references, so chose to follow the same pattern and use 4.2.0

[frobware]

Do we care that we listen on IPv4 only? Why not explicitly use localhost which would cover IPv6 too?

[vikaschoudhary16]

/retest

[enxebre]

can you elaborate why we need this file?

[vikaschoudhary16]

This is required for the k8s-e2e ci job which runs test against the k8s. In the original deployment, we are mounting a secret into the pod. Based on the annotation in the mao metrics service object, this secret will get created automatically in the openshift cluster. With the minikube cluster, this secret will not be there and thus deployment will fail. To workaround this, in the k8s-e2e tests this deployment will be used which is not mounting secrets.

[vikaschoudhary16]

/test e2e-aws

[enxebre]

/approve
@openshift/openshift-team-monitoring could anyone have a quick look? cc @simonpasquier @s-urbaniak @paulfantom

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[brancz]

this should be an image stream no?

[brancz]

nevermind, it is

[brancz]

this will use an at startup generated self-signed cert, is that intended?

[vikaschoudhary16]

yes, and this is related, https://github.com/openshift/machine-api-operator/pull/368/files/5d2b38bc7a0e838f2032a29c6efb7c966c256912#diff-56c9657f199776b5f04119428ca26c17R8

[spangenberg]

/lgtm

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@vikaschoudhary16: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	5d2b38b	link	/test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.