Skip to content

Commit fed54b4

Browse files
openshift-merge-bot[bot]openshift-merge-bot[bot]
authored
Merge pull request #613 from Vincent056/metric_token
OCPBUGS-39417: Add service account and token for service monitoring
2 parents 067ed66 + 53656f1 commit fed54b4

File tree

1,637 files changed

+458843
-657
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

1,637 files changed

+458843
-657
lines changed

bundle/manifests/compliance-operator-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ roleRef:
88
kind: ClusterRole
99
name: compliance-operator-metrics
1010
subjects:
11+
- kind: ServiceAccount
12+
name: compliance-operator-metrics
13+
namespace: openshift-compliance
1114
- kind: ServiceAccount
1215
name: prometheus-k8s
1316
namespace: openshift-monitoring

bundle/manifests/compliance-operator-metrics_v1_serviceaccount.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
apiVersion: v1
2+
kind: ServiceAccount
3+
metadata:
4+
creationTimestamp: null
5+
name: compliance-operator-metrics

cmd/manager/common.go

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,8 +26,10 @@ import (
2626
)
2727

2828
const (
29-
maxRetries = 15
30-
maxRetriesForTimestamp = 3
29+
maxRetries = 15
30+
maxRetriesForTimestamp = 3
31+
complianceOperatorMetricsSA = "compliance-operator-metrics"
32+
complianceOperatorMetricsSecretName = "compliance-operator-metrics-token"
3133
)
3234

3335
var cmdLog = logf.Log.WithName("cmd")

cmd/manager/operator.go

Lines changed: 27 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -439,7 +439,7 @@ func addMetrics(ctx context.Context, cfg *rest.Config, kClient *kubernetes.Clien
439439
os.Exit(1)
440440
}
441441

442-
if err := handleServiceMonitor(ctx, cfg, mClient, kClient, operatorNs, metricsService); err != nil {
442+
if err := handleServiceMonitor(ctx, cfg, mClient, operatorNs, metricsService); err != nil {
443443
log.Error(err, "Error creating ServiceMonitor")
444444
os.Exit(1)
445445
}
@@ -531,6 +531,28 @@ func ensureMetricsServiceAndSecret(ctx context.Context, kClient *kubernetes.Clie
531531
}
532532
}
533533

534+
// Check if the metrics service account token secret exists. If not, create it and trigger a restart.
535+
_, err = kClient.CoreV1().Secrets(ns).Get(ctx, complianceOperatorMetricsSecretName, metav1.GetOptions{})
536+
if err != nil {
537+
if kerr.IsNotFound(err) {
538+
secret := &v1.Secret{
539+
ObjectMeta: metav1.ObjectMeta{
540+
Name: complianceOperatorMetricsSecretName,
541+
Namespace: ns,
542+
Annotations: map[string]string{
543+
"kubernetes.io/service-account.name": complianceOperatorMetricsSA,
544+
},
545+
},
546+
Type: v1.SecretTypeServiceAccountToken,
547+
}
548+
if _, createErr := kClient.CoreV1().Secrets(ns).Create(context.TODO(), secret, metav1.CreateOptions{}); createErr != nil && !kerr.IsAlreadyExists(createErr) {
549+
return nil, createErr
550+
}
551+
return nil, errors.New("operator metrics token not found; restarting as the service may have just been created")
552+
}
553+
return nil, err
554+
}
555+
534556
return returnService, nil
535557
}
536558

@@ -681,7 +703,7 @@ func getDefaultRoles(platform PlatformType) []string {
681703
return defaultRolesPerPlatform[PlatformGeneric]
682704
}
683705

684-
func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName string) *monitoring.ServiceMonitor {
706+
func generateOperatorServiceMonitor(service *v1.Service, namespace string) *monitoring.ServiceMonitor {
685707
serviceMonitor := GenerateServiceMonitor(service)
686708
for i := range serviceMonitor.Spec.Endpoints {
687709
if serviceMonitor.Spec.Endpoints[i].Port == ctrlMetrics.ControllerMetricsServiceName {
@@ -691,7 +713,7 @@ func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName s
691713
Type: "Bearer",
692714
Credentials: &v1.SecretKeySelector{
693715
LocalObjectReference: v1.LocalObjectReference{
694-
Name: secretName,
716+
Name: complianceOperatorMetricsSecretName,
695717
},
696718
Key: "token",
697719
},
@@ -707,25 +729,6 @@ func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName s
707729
return serviceMonitor
708730
}
709731

710-
func getSecretNameForServiceAccount(clientset *kubernetes.Clientset, namespace string, serviceAccountName string) (string, error) {
711-
// List all secrets in the specified namespace
712-
secrets, err := clientset.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{})
713-
if err != nil {
714-
return "", err
715-
}
716-
717-
// Iterate through the secrets to find the one associated with the service account
718-
for _, secret := range secrets.Items {
719-
if secret.Annotations != nil {
720-
if saName, exists := secret.Annotations["kubernetes.io/service-account.name"]; exists && saName == serviceAccountName {
721-
return secret.Name, nil
722-
}
723-
}
724-
}
725-
726-
return "", errors.New("secret for service account not found")
727-
}
728-
729732
// createOrUpdateServiceMonitor creates or updates the ServiceMonitor if it already exists.
730733
func createOrUpdateServiceMonitor(ctx context.Context, mClient *monclientv1.MonitoringV1Client,
731734
namespace string, serviceMonitor *monitoring.ServiceMonitor) error {
@@ -751,7 +754,7 @@ func createOrUpdateServiceMonitor(ctx context.Context, mClient *monclientv1.Moni
751754

752755
// handleServiceMonitor attempts to create a ServiceMonitor out of service, and updates it to include the controller
753756
// metrics paths.
754-
func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *monclientv1.MonitoringV1Client, kubeClient *kubernetes.Clientset,
757+
func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *monclientv1.MonitoringV1Client,
755758
namespace string, service *v1.Service) error {
756759
ok, err := ResourceExists(discovery.NewDiscoveryClientForConfigOrDie(cfg),
757760
"monitoring.coreos.com/v1", "ServiceMonitor")
@@ -763,16 +766,7 @@ func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *moncli
763766
return nil
764767
}
765768

766-
serviceAccountName := "compliance-operator"
767-
secretName, err := getSecretNameForServiceAccount(kubeClient, namespace, serviceAccountName)
768-
if err != nil {
769-
if kerr.IsNotFound(err) {
770-
log.Infof("Unable to find secret associated with %s service account: %s", serviceAccountName, err)
771-
} else {
772-
log.Errorf("Failed to retrieve secret associated with %s service account for setting up metrics monitor: %s", serviceAccountName, err)
773-
}
774-
}
775-
serviceMonitor := generateOperatorServiceMonitor(service, namespace, secretName)
769+
serviceMonitor := generateOperatorServiceMonitor(service, namespace)
776770

777771
return createOrUpdateServiceMonitor(ctx, mClient, namespace, serviceMonitor)
778772
}

cmd/manager/operator_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ var _ = Describe("Operator Startup Function tests", func() {
2424
When("Installing to non-controlled namespace", func() {
2525
It("ServiceMonitor is generated with the proper TLSConfig ServerName", func() {
2626
metricService := operatorMetricService("foobar")
27-
sm := generateOperatorServiceMonitor(metricService, "foobar", "secret")
27+
sm := generateOperatorServiceMonitor(metricService, "foobar")
2828
controllerMetricServiceFound := false
2929
for _, ep := range sm.Spec.Endpoints {
3030
if ep.Port == metrics.ControllerMetricsServiceName && ep.TLSConfig != nil {

config/rbac/kustomization.yaml

Lines changed: 49 additions & 48 deletions
Original file line numberDiff line numberDiff line change
@@ -1,49 +1,50 @@
11
resources:
2-
# All RBAC will be applied under this service account in
3-
# the deployment namespace. You may comment out this resource
4-
# if your manager will use a service account that exists at
5-
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
6-
# subjects if changing service account names.
7-
- operator_service_account.yaml
8-
- operator_cluster_role.yaml
9-
- operator_cluster_role_binding.yaml
10-
- operator_role.yaml
11-
- operator_role_binding.yaml
12-
- api_resource_collector_service_account.yaml
13-
- api_resource_collector_role.yaml
14-
- api_resource_collector_role_binding.yaml
15-
- api_resource_collector_cluster_role.yaml
16-
- api_resource_collector_cluster_role_binding.yaml
17-
- profileparser_service_account.yaml
18-
- profileparser_role.yaml
19-
- profileparser_role_binding.yaml
20-
- remediation_aggregator_service_account.yaml
21-
- remediation_aggregator_role.yaml
22-
- remediation_aggregator_role_binding.yaml
23-
- remediation_aggregator_cluster_role.yaml
24-
- remediation_aggregator_cluster_role_binding.yaml
25-
- rerunner_service_account.yaml
26-
- rerunner_role.yaml
27-
- rerunner_role_binding.yaml
28-
- resultscollector_service_account.yaml
29-
- resultscollector_role.yaml
30-
- resultscollector_role_binding.yaml
31-
- resultserver_service_account.yaml
32-
- resultserver_role.yaml
33-
- resultserver_role_binding.yaml
34-
- leader_election_role.yaml
35-
- leader_election_role_binding.yaml
36-
- complianceremediation_editor_role.yaml
37-
- complianceremediation_viewer_role.yaml
38-
- compliancescan_editor_role.yaml
39-
- compliancescan_viewer_role.yaml
40-
- compliancesuite_editor_role.yaml
41-
- compliancesuite_viewer_role.yaml
42-
- profilebundle_editor_role.yaml
43-
- profilebundle_viewer_role.yaml
44-
- scansettingbinding_editor_role.yaml
45-
- scansettingbinding_viewer_role.yaml
46-
- tailoredprofile_editor_role.yaml
47-
- tailoredprofile_viewer_role.yaml
48-
- metrics_cluster_role.yaml
49-
- metrics_role_binding.yaml
2+
# All RBAC will be applied under this service account in
3+
# the deployment namespace. You may comment out this resource
4+
# if your manager will use a service account that exists at
5+
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
6+
# subjects if changing service account names.
7+
- operator_service_account.yaml
8+
- operator_cluster_role.yaml
9+
- operator_cluster_role_binding.yaml
10+
- operator_role.yaml
11+
- operator_role_binding.yaml
12+
- api_resource_collector_service_account.yaml
13+
- api_resource_collector_role.yaml
14+
- api_resource_collector_role_binding.yaml
15+
- api_resource_collector_cluster_role.yaml
16+
- api_resource_collector_cluster_role_binding.yaml
17+
- profileparser_service_account.yaml
18+
- profileparser_role.yaml
19+
- profileparser_role_binding.yaml
20+
- remediation_aggregator_service_account.yaml
21+
- remediation_aggregator_role.yaml
22+
- remediation_aggregator_role_binding.yaml
23+
- remediation_aggregator_cluster_role.yaml
24+
- remediation_aggregator_cluster_role_binding.yaml
25+
- rerunner_service_account.yaml
26+
- rerunner_role.yaml
27+
- rerunner_role_binding.yaml
28+
- resultscollector_service_account.yaml
29+
- resultscollector_role.yaml
30+
- resultscollector_role_binding.yaml
31+
- resultserver_service_account.yaml
32+
- resultserver_role.yaml
33+
- resultserver_role_binding.yaml
34+
- leader_election_role.yaml
35+
- leader_election_role_binding.yaml
36+
- complianceremediation_editor_role.yaml
37+
- complianceremediation_viewer_role.yaml
38+
- compliancescan_editor_role.yaml
39+
- compliancescan_viewer_role.yaml
40+
- compliancesuite_editor_role.yaml
41+
- compliancesuite_viewer_role.yaml
42+
- profilebundle_editor_role.yaml
43+
- profilebundle_viewer_role.yaml
44+
- scansettingbinding_editor_role.yaml
45+
- scansettingbinding_viewer_role.yaml
46+
- tailoredprofile_editor_role.yaml
47+
- tailoredprofile_viewer_role.yaml
48+
- metrics_cluster_role.yaml
49+
- metrics_role_binding.yaml
50+
- metrics_service_account.yaml

config/rbac/metrics_role_binding.yaml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ roleRef:
88
kind: ClusterRole
99
name: compliance-operator-metrics
1010
subjects:
11+
- kind: ServiceAccount
12+
name: compliance-operator-metrics
13+
namespace: openshift-compliance
1114
- kind: ServiceAccount
1215
name: prometheus-k8s
13-
namespace: openshift-monitoring
16+
namespace: openshift-monitoring

config/rbac/metrics_service_account.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
apiVersion: v1
2+
kind: ServiceAccount
3+
metadata:
4+
name: compliance-operator-metrics

go.mod

Lines changed: 55 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,55 @@ require (
1313
sigs.k8s.io/controller-runtime v0.19.0
1414
)
1515

16+
require (
17+
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 // indirect
18+
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
19+
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
20+
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
21+
github.com/alecthomas/units v0.0.0-20240626203959-61d1e3462e30 // indirect
22+
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
23+
github.com/bboreham/go-loser v0.0.0-20230920113527-fcc2c21820a3 // indirect
24+
github.com/dennwc/varint v1.0.0 // indirect
25+
github.com/edsrzf/mmap-go v1.1.0 // indirect
26+
github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb // indirect
27+
github.com/felixge/httpsnoop v1.0.4 // indirect
28+
github.com/go-kit/log v0.2.1 // indirect
29+
github.com/go-logfmt/logfmt v0.6.0 // indirect
30+
github.com/go-logr/stdr v1.2.2 // indirect
31+
github.com/go-openapi/analysis v0.22.2 // indirect
32+
github.com/go-openapi/errors v0.22.0 // indirect
33+
github.com/go-openapi/loads v0.21.5 // indirect
34+
github.com/go-openapi/spec v0.20.14 // indirect
35+
github.com/go-openapi/strfmt v0.23.0 // indirect
36+
github.com/go-openapi/validate v0.23.0 // indirect
37+
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
38+
github.com/golang/snappy v0.0.4 // indirect
39+
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
40+
github.com/jmespath/go-jmespath v0.4.0 // indirect
41+
github.com/jpillora/backoff v1.0.0 // indirect
42+
github.com/julienschmidt/httprouter v1.3.0 // indirect
43+
github.com/klauspost/compress v1.17.9 // indirect
44+
github.com/kylelemons/godebug v1.1.0 // indirect
45+
github.com/mitchellh/mapstructure v1.5.0 // indirect
46+
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
47+
github.com/oklog/ulid v1.3.1 // indirect
48+
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
49+
github.com/prometheus/alertmanager v0.27.0 // indirect
50+
github.com/prometheus/common/sigv4 v0.1.0 // indirect
51+
go.mongodb.org/mongo-driver v1.14.0 // indirect
52+
go.opentelemetry.io/collector/pdata v1.12.0 // indirect
53+
go.opentelemetry.io/collector/semconv v0.105.0 // indirect
54+
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
55+
go.opentelemetry.io/otel v1.28.0 // indirect
56+
go.opentelemetry.io/otel/metric v1.28.0 // indirect
57+
go.opentelemetry.io/otel/trace v1.28.0 // indirect
58+
go.uber.org/atomic v1.11.0 // indirect
59+
go.uber.org/goleak v1.3.0 // indirect
60+
golang.org/x/crypto v0.26.0 // indirect
61+
google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
62+
google.golang.org/grpc v1.65.0 // indirect
63+
)
64+
1665
require (
1766
github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559 // indirect
1867
github.com/antchfx/xmlquery v1.4.1
@@ -34,7 +83,7 @@ require (
3483
github.com/google/go-cmp v0.6.0
3584
github.com/google/gofuzz v1.2.0 // indirect
3685
github.com/google/uuid v1.6.0
37-
github.com/imdario/mergo v0.3.13 // indirect
86+
github.com/imdario/mergo v0.3.16 // indirect
3887
github.com/itchyny/gojq v0.12.16
3988
github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056
4089
github.com/json-iterator/go v1.1.12 // indirect
@@ -90,7 +139,7 @@ require (
90139

91140
require (
92141
github.com/antchfx/xpath v1.3.1 // indirect
93-
github.com/aws/aws-sdk-go v1.53.5 // indirect
142+
github.com/aws/aws-sdk-go v1.54.19 // indirect
94143
github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
95144
github.com/coreos/fcct v0.5.0 // indirect
96145
github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb // indirect
@@ -105,9 +154,9 @@ require (
105154
github.com/fatih/color v1.17.0 // indirect
106155
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
107156
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
108-
github.com/go-openapi/jsonpointer v0.20.0 // indirect
109-
github.com/go-openapi/jsonreference v0.20.2 // indirect
110-
github.com/go-openapi/swag v0.22.4 // indirect
157+
github.com/go-openapi/jsonpointer v0.20.2 // indirect
158+
github.com/go-openapi/jsonreference v0.20.4 // indirect
159+
github.com/go-openapi/swag v0.22.9 // indirect
111160
github.com/gobuffalo/flect v1.0.2 // indirect
112161
github.com/google/gnostic-models v0.6.8 // indirect
113162
github.com/gookit/color v1.5.4 // indirect
@@ -123,6 +172,7 @@ require (
123172
github.com/onsi/ginkgo/v2 v2.20.0 // indirect
124173
github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87 // indirect
125174
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
175+
github.com/prometheus/prometheus v0.54.1
126176
github.com/rivo/uniseg v0.4.7 // indirect
127177
github.com/robfig/cron v1.2.0 // indirect
128178
github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect

0 commit comments

Comments
 (0)