chore(RHTAPWATCH-568): Add authentication to Service and ServiceMonitor

Signed-off-by: Kousalya Lakshmanan <[email protected]>

config/exporters/monitoring/grafana/base/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- prometheus-exporter-service-monitor.yaml
 - prometheus-exporter-service.yaml
 images:
 - name: exporter

config/exporters/monitoring/grafana/base/prometheus-exporter-service-monitor.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-reader
+  namespace: appstudio-grafana-datasource-exporter
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: metrics-reader
+  namespace: appstudio-grafana-datasource-exporter
+  annotations:
+    kubernetes.io/service-account.name: metrics-reader
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: exporter-role-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: exporter-role-binding-metrics-reader
+  namespace: appstudio-grafana-datasource-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: exporter-role-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-reader
+  namespace: appstudio-grafana-datasource-exporter
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: o11y-servicemonitor
+  namespace: appstudio-grafana-datasource-exporter
+spec:
+  endpoints:
+  - path: /metrics
+    port: https
+    scheme: https
+    bearerTokenSecret:
+      name: "metrics-reader"
+      key: token
+    tlsConfig:
+      insecureSkipVerify: true
+  selector:
+    matchLabels:
+      app: grafana-datasource-exporter

config/exporters/monitoring/grafana/base/prometheus-exporter-service.yaml

@@ -32,18 +32,45 @@ roleRef:
   kind: ClusterRole
   name: exporter-cluster-role
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-rbac-proxy
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: exporter-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-rbac-proxy
+subjects:
+- kind: ServiceAccount
+  name: exporter-sa
+  namespace: appstudio-grafana-datasource-exporter
+---
 apiVersion: v1
 kind: Service
 metadata:
-  name: exporter-service
-  namespace: appstudio-grafana-datasource-exporter
   labels:
     app: grafana-datasource-exporter
+  name: exporter-service
+  namespace: appstudio-grafana-datasource-exporter
 spec:
   ports:
-  - name: http
-    port: 8090
-    targetPort: http
+  - name: https
+    port: 8443
+    targetPort: https
   selector:
     app: grafana-datasource-exporter
 ---
@@ -64,32 +91,36 @@ spec:
     spec:
       serviceAccountName: exporter-sa
       containers:
-      - name: grafana-datasource-exporter
-        image: exporter:latest
+      - name: kube-rbac-proxy
+        image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8090/"
+        - "--logtostderr=true"
+        - "--v=10"
         ports:
-        - containerPort: 8090
-          name: http
+        - containerPort: 8443
+          name: https
         resources:
           limits:
             cpu: 100m
-            memory: 100Mi
+            memory: 200Mi
           requests:
             cpu: 100m
-            memory: 10Mi
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      - name: exporters
+        image: exporter:latest
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
         securityContext:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: metrics-reader-test
-  namespace: appstudio-grafana-datasource-exporter
-spec:
-  endpoints:
-  - path: /metrics
-    port: http
-    scheme: http
-  selector:
-    matchLabels:
-      app: grafana-datasource-exporter

exporters/dsexporter/dsexporter.go

@@ -3,10 +3,10 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
-	"errors"
 
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -121,4 +121,4 @@ func main() {
 
 	fmt.Println("Server is listening on http://localhost:8090/metrics")
 	http.ListenAndServe(":8090", nil)
-}
+}

exporters/dsexporter/dsexporter_test.go

@@ -1,15 +1,15 @@
 package main
 
 import (
-	"testing"
-	"reflect"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
+	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/prometheus/client_golang/prometheus/testutil"
+	"github.com/stretchr/testify/assert"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 )
@@ -134,4 +134,4 @@ func TestMain(t *testing.T) {
 
 	allDataSources = MockGetDataSourcesExists
 	assert.Equal(t, float64(1), testutil.ToFloat64(exporter))
-}
+}