Expose metric endpoint on https

cmd/machine-api-operator/start.go

@@ -145,7 +145,7 @@ func startMetricsCollectionAndServer(ctx *ControllerContext) {
 		metricsPort = v
 	}
 	glog.V(4).Info("Starting server to serve prometheus metrics")
-	go startHTTPMetricServer(fmt.Sprintf(":%d", metricsPort))
+	go startHTTPMetricServer(fmt.Sprintf("localhost:%d", metricsPort))
 }
 
 func startHTTPMetricServer(metricsPort string) {

config/machine-api-operator-deployment.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: machine-api-operator
+  namespace: openshift-machine-api
+  labels:
+    k8s-app: machine-api-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: machine-api-operator
+  template:
+    metadata:
+      labels:
+        k8s-app: machine-api-operator
+    spec:
+      priorityClassName: system-node-critical
+      serviceAccountName: machine-api-operator
+      containers:
+      - name: kube-rbac-proxy
+        image: quay.io/openshift/origin-kube-rbac-proxy:4.2.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://localhost:8080/"
+        - "--config-file=/etc/kube-rbac-proxy/config-file.yaml"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+        volumeMounts:
+        - name: config
+          mountPath: /etc/kube-rbac-proxy
+      - name: machine-api-operator
+        image: docker.io/openshift/origin-machine-api-operator:v4.0.0
+        command:
+        - "/machine-api-operator"
+        args:
+        - "start"
+        - "--images-json=/etc/machine-api-operator-config/images/images.json"
+        - "--alsologtostderr"
+        - "--v=3"
+        env:
+        - name: RELEASE_VERSION
+          value: "0.0.1-snapshot"
+        - name: COMPONENT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: METRICS_PORT
+          value: "8080"
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
+        volumeMounts:
+        - name: images
+          mountPath: /etc/machine-api-operator-config/images
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      volumes:
+      - name: config
+        configMap:
+          name: kube-rbac-proxy
+      - name: images
+        configMap:
+          name: machine-api-operator-images

install/0000_30_machine-api-operator_09_rbac.yaml

@@ -200,7 +200,14 @@ kind: ClusterRole
 metadata:
   name: machine-api-operator
 rules:
-
+  - apiGroups: ["authentication.k8s.io"]
+    resources:
+      - tokenreviews
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources:
+      - subjectaccessreviews
+    verbs: ["create"]
   - apiGroups:
       - config.openshift.io
     resources:
@@ -319,6 +326,12 @@ metadata:
   name: prometheus-k8s-machine-api-operator
   namespace: openshift-machine-api
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespace/metrics
+    verbs:
+      - get
   - apiGroups:
       - ""
     resources:

install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-rbac-proxy
+  namespace: openshift-machine-api
+data:
+  config-file.yaml: |+
+    authorization:
+      resourceAttributes:
+        apiVersion: v1
+        resource: namespace
+        subresource: metrics
+        namespace: openshift-machine-api
+

install/0000_30_machine-api-operator_10_service.yaml

@@ -4,15 +4,16 @@ kind: Service
 metadata:
   name: machine-api-operator
   namespace: openshift-machine-api
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: machine-api-operator-tls
   labels:
     k8s-app: machine-api-operator
 spec:
   type: ClusterIP
   ports:
-  - name: metrics
-    port: 8080
-    targetPort: metrics
-    protocol: TCP
+  - name: https
+    port: 8443
+    targetPort: https
   selector:
     k8s-app: machine-api-operator
   sessionAffinity: None

install/0000_30_machine-api-operator_11_deployment.yaml

@@ -18,6 +18,24 @@ spec:
       priorityClassName: system-node-critical
       serviceAccountName: machine-api-operator
       containers:
+      - name: kube-rbac-proxy
+        image: quay.io/openshift/origin-kube-rbac-proxy:4.2.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://localhost:8080/"
+        - "--tls-cert-file=/etc/tls/private/tls.crt"
+        - "--tls-private-key-file=/etc/tls/private/tls.key"
+        - "--config-file=/etc/kube-rbac-proxy/config-file.yaml"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+        volumeMounts:
+        - name: config
+          mountPath: /etc/kube-rbac-proxy
+        - mountPath: /etc/tls/private
+          name: machine-api-operator-tls
       - name: machine-api-operator
         image: docker.io/openshift/origin-machine-api-operator:v4.0.0
         command:
@@ -36,9 +54,6 @@ spec:
               fieldPath: metadata.namespace
         - name: METRICS_PORT
           value: "8080"
-        ports:
-        - name: metrics
-          containerPort: 8080
         resources:
           requests:
             cpu: 10m
@@ -65,6 +80,12 @@ spec:
         effect: "NoExecute"
         tolerationSeconds: 120
       volumes:
+      - name: config
+        configMap:
+          name: kube-rbac-proxy
       - name: images
         configMap:
                 name: machine-api-operator-images
+      - name: machine-api-operator-tls
+        secret:
+          secretName: machine-api-operator-tls

install/0000_90_machine-api-operator_03_servicemonitor.yaml

@@ -9,8 +9,11 @@ spec:
   endpoints:
     - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       interval: 30s
-      port: metrics
-      scheme: http
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: machine-api-operator.openshift-machine-api.svc
   namespaceSelector:
     matchNames:
       - openshift-machine-api

install/image-references

@@ -54,3 +54,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/openshift/origin-ironic-static-ip-manager:v4.2.0
+  - name: kube-rbac-proxy
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-kube-rbac-proxy:4.2.0

kustomization.yaml

@@ -26,8 +26,9 @@ resources:
 - install/0000_30_machine-api-operator_07_machinehealthcheck.crd.yaml
 - install/0000_30_machine-api-operator_08_machinedisruptionbudget.crd.yaml
 - install/0000_30_machine-api-operator_09_rbac.yaml
+- install/0000_30_machine-api-operator_10_kube-rbac-proxy-config.yaml
 - install/0000_30_machine-api-operator_10_service.yaml
-- install/0000_30_machine-api-operator_11_deployment.yaml
+- config/machine-api-operator-deployment.yaml
 - install/0000_30_machine-api-operator_12_clusteroperator.yaml