diff --git a/bundle/manifests/numaresources-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/numaresources-controller-manager-metrics-service_v1_service.yaml
new file mode 100644
index 000000000..1b5a7f1a0
--- /dev/null
+++ b/bundle/manifests/numaresources-controller-manager-metrics-service_v1_service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: secret-kube-rbac-proxy-tls
+ creationTimestamp: null
+ labels:
+ control-plane: controller-manager
+ name: numaresources-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
diff --git a/bundle/manifests/numaresources-controller-manager_monitoring.coreos.com_v1_servicemonitor.yaml b/bundle/manifests/numaresources-controller-manager_monitoring.coreos.com_v1_servicemonitor.yaml
new file mode 100644
index 000000000..e872dd8f0
--- /dev/null
+++ b/bundle/manifests/numaresources-controller-manager_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: numaresources-controller-manager
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ path: /metrics
+ scheme: https
+ targetPort: 8443
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ insecureSkipVerify: false
+ serverName: numaresources-controller-manager-metrics-service.numaresources.svc
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/bundle/manifests/numaresources-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/numaresources-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..34ef96620
--- /dev/null
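Review bot: In the ServiceMonitor hunk, `serverName: numaresources-controller-manager-metrics-service.numaresources.svc` hard-codes the `numaresources` namespace into the TLS name check while every other object in this bundle is namespace-relative; if the operator is installed into a different namespace, the service-ca certificate (issued for the service in its actual namespace) will not match and the scrape fails closed. Keeping `insecureSkipVerify: false` is right, but the mismatch then surfaces only as a down target in Prometheus, so either document the namespace assumption alongside the CSV's install-mode settings or derive `serverName` from the install namespace at bundle-generation time. The Service hunk and the ServiceMonitor hunk are complete within this line; the ClusterRole file header that follows continues on the next line.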
+++ b/bundle/manifests/numaresources-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: numaresources-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
index 28ae1e271..16bcc7532 100644
--- a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
@@ -503,6 +503,18 @@ spec:
 - get
 - list
 - update
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 serviceAccountName: numaresources-controller-manager
 deployments:
 - label:
@@ -566,6 +578,35 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --config-file=/etc/kube-rbac-proxy/config.yaml
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --allow-paths=/metrics
+ - --logtostderr=true
+ - -v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/kube-rbac-proxy
+ name: secret-kube-rbac-proxy-metric
+ readOnly: true
+ - mountPath: /etc/tls/private
+ name: secret-kube-rbac-proxy-tls
+ readOnly: true
 securityContext:
 runAsNonRoot: true
 serviceAccountName: numaresources-controller-manager
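Review bot: `numaresources-metrics-reader` grants `get` on `/metrics`, but no ClusterRoleBinding for it appears anywhere in this diff, and the kube-rbac-proxy config added in the Secret hunk authorizes `prometheus-k8s` through a static rule rather than a SubjectAccessReview, so as committed this role binds nobody and authorizes nothing. Either add the binding for the principal that is meant to take the SAR path, or drop the role so the bundle does not ship an unused cluster-scoped grant. If it is intentionally left for administrators to bind out of band, say so in the repository documentation, since comments do not survive bundle generation.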
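Review bot: In the `@@ -566,6 +578,35 @@` hunk the kube-rbac-proxy sidecar runs with `- -v=10`, a debug-level verbosity that is expected to log per-request detail and is far too chatty for a shipped bundle; use a low level such as `- -v=0` unless a specific debugging build needs more. `resources: {}` also leaves the sidecar with no requests or limits while the manager container in the surrounding context declares `memory: 20Mi`, so the sidecar has no scheduling guarantee; give it a matching small request/limit set. `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0` is referenced by mutable tag, whereas an OLM bundle should pin by digest and list it under `relatedImages` for disconnected installs, and upstream kubebuilder has announced the retirement of that image location, so the distribution's own kube-rbac-proxy image is the safer choice. Finally, `--upstream=http://127.0.0.1:8080/` only protects the metrics endpoint if the manager binds its metrics listener to loopback; the manager's args are outside this hunk, so confirm it does not bind `0.0.0.0:8080`, otherwise the proxy is bypassable over the pod IP. The containers list continues outside the hunk.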
@@ -575,6 +616,13 @@ spec:
 key: node-role.kubernetes.io/control-plane
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
+ volumes:
+ - name: secret-kube-rbac-proxy-tls
+ secret:
+ secretName: secret-kube-rbac-proxy-tls
+ - name: secret-kube-rbac-proxy-metric
+ secret:
+ secretName: numaresources-secret-kube-rbac-proxy-metric
 permissions:
 - rules:
 - apiGroups:
diff --git a/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml b/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000..460999b0d
--- /dev/null
+++ b/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: numaresources-prometheus-k8s
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml b/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml
new file mode 100644
index 000000000..656bb2679
--- /dev/null
+++ b/bundle/manifests/numaresources-prometheus-k8s_rbac.authorization.k8s.io_v1_rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: numaresources-prometheus-k8s
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: numaresources-prometheus-k8s
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-monitoring
diff --git a/bundle/manifests/numaresources-secret-kube-rbac-proxy-metric_v1_secret.yaml b/bundle/manifests/numaresources-secret-kube-rbac-proxy-metric_v1_secret.yaml
new file mode 100644
index 000000000..b9b6df677
--- /dev/null
+++ b/bundle/manifests/numaresources-secret-kube-rbac-proxy-metric_v1_secret.yaml
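Review bot: The two secret volumes in the `@@ -575,6 +616,13 @@` hunk are named inconsistently: `secret-kube-rbac-proxy-tls` carries no operator prefix while the other is `numaresources-secret-kube-rbac-proxy-metric`, so a second operator built from the same scaffolding in the same namespace would collide on the TLS secret; prefix it consistently, together with the matching `serving-cert-secret-name` annotation on the Service in this commit. Note also that `secret-kube-rbac-proxy-tls` is created only by the OpenShift service-ca operator in response to that annotation, so on a cluster without service-ca the pod never leaves ContainerCreating; that is the safe failure mode (there is no plaintext fallback), but it should be stated in the CSV description or install docs. The enclosing deployment spec starts outside the hunk.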
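Review bot: The RoleBinding subject (`prometheus-k8s` in `openshift-monitoring`), like the static authorizer rule in the Secret hunk, admits only the platform Prometheus; the user-workload-monitoring Prometheus service account is not covered, so the ServiceMonitor is honoured only when the operator namespace is enabled for platform monitoring, which this diff does not show. Whichever Prometheus is intended, document it next to these manifests so a future move to user-workload monitoring updates the binding, the ServiceMonitor and the proxy config together rather than leaving a silently unscraped target.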
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: numaresources-secret-kube-rbac-proxy-metric
+stringData:
+ config.yaml: "\"authorization\":\n \"static\":\n - \"path\": \"/metrics\"\n \"resourceRequest\":
+ false\n \"user\":\n \"name\": \"system:serviceaccount:openshift-monitoring:prometheus-k8s\"\n
+ \ \"verb\": \"get\" "
+type: Opaque
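Review bot: `config.yaml` is written as one escaped double-quoted scalar wrapped across three physical lines (the `\ ` escape on the last continuation exists only to preserve leading spaces), which makes the authorizer policy nearly impossible to review or to edit safely. Write it as a literal block scalar so the static rule reads as plain YAML; once parsed by kube-rbac-proxy it yields the same mapping. If this bundle file is generated from a kustomize source, make the change there so regeneration does not reintroduce the escaped form. Note too that this static rule admits `prometheus-k8s` unconditionally, so the `numaresources-metrics-reader` ClusterRole added earlier in this commit is not what authorizes the scrape.
```yaml
# … unchanged: apiVersion, kind, metadata …
stringData:
  config.yaml: |
    authorization:
      static:
      - path: /metrics
        resourceRequest: false
        user:
          name: system:serviceaccount:openshift-monitoring:prometheus-k8s
        verb: get
# … unchanged: type: Opaque …
```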