use TLS certificates for metrics scraping from telemeter client

assets/telemeter-client/deployment.yaml

@@ -97,6 +97,36 @@ spec:
         - mountPath: /etc/tls/private
           name: telemeter-client-tls
           readOnly: false
+      - args:
+        - --secure-listen-address=0.0.0.0:9097
+        - --upstream=http://127.0.0.1:8080
+        - --config-file=/etc/kube-rbac-proxy/config.yaml
+        - --tls-cert-file=/etc/tls/private/tls.crt
+        - --tls-private-key-file=/etc/tls/private/tls.key
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --client-ca-file=/etc/serving-certs-ca-bundle/service-ca.crt
+        - --logtostderr=true
+        - --v=10
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+        name: kube-rbac-proxy-metric
+        ports:
+        - containerPort: 9097
+          name: metric
+        resources:
+          requests:
+            cpu: 1m
+            memory: 15Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /etc/kube-rbac-proxy
+          name: secret-telemeter-kube-rbac-proxy-metric
+          readOnly: true
+        - mountPath: /etc/tls/private
+          name: telemeter-client-tls
+          readOnly: true
+        - mountPath: /etc/serving-certs-ca-bundle
+          name: serving-certs-ca-bundle
+          readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
       priorityClassName: system-cluster-critical
@@ -111,3 +141,6 @@ spec:
       - name: telemeter-client-tls
         secret:
           secretName: telemeter-client-tls
+      - name: secret-telemeter-kube-rbac-proxy-metric
+        secret:
+          secretName: telemeter-kube-rbac-proxy-metric

assets/telemeter-client/kube-rbac-proxy-metric-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/name: telemeter-client
+  name: telemeter-kube-rbac-proxy-metric
+  namespace: openshift-monitoring
+stringData:
+  config.yaml: |-
+    "authorization":
+      "static":
+      - "path": "/metrics"
+        "resourceRequest": false
+        "user":
+          "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+        "verb": "get"
+type: Opaque

assets/telemeter-client/service-monitor.yaml

@@ -7,12 +7,13 @@ metadata:
   namespace: openshift-monitoring
 spec:
   endpoints:
-  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-    interval: 30s
-    port: https
+  - interval: 30s
+    port: metric
     scheme: https
     tlsConfig:
       caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      certFile: /etc/tls/private/tls.crt
+      keyFile: /etc/tls/private/tls.key
       serverName: server-name-replaced-at-runtime
   jobLabel: k8s-app
   selector:

jsonnet/components/telemeter-client.libsonnet

@@ -1,4 +1,5 @@
 // I didn't invest much time into this file since telemeter-client is scheduled for deprecation when we enable remote-write in prometheus
+local generateSecret = import '../utils/generate-secret.libsonnet';
 
 function(params) {
   local cfg = params,
@@ -24,7 +25,23 @@ function(params) {
   clusterRole: tc.telemeterClient.clusterRole,
   serviceAccount: tc.telemeterClient.serviceAccount,
   service: tc.telemeterClient.service,
-  serviceMonitor: tc.telemeterClient.serviceMonitor,
+  serviceMonitor: tc.telemeterClient.serviceMonitor {
+    spec+: {
+      endpoints: [
+        {
+          port: 'metric',
+          interval: '30s',
+          scheme: 'https',
+          tlsConfig: {
+            caFile: '/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt',
+            serverName: 'server-name-replaced-at-runtime',
+            certFile: '/etc/tls/private/tls.crt',
+            keyFile: '/etc/tls/private/tls.key',
+          },
+        },
+      ],
+    },
+  },
   secret: tc.telemeterClient.secret,
   servingCertsCABundle: tc.telemeterClient.servingCertsCABundle,
   deployment: tc.telemeterClient.deployment {
@@ -55,7 +72,61 @@ function(params) {
                 else
                   c,
               super.containers,
-            ),
+            ) + [
+              {
+                name: 'kube-rbac-proxy-metric',
+                image: cfg.kubeRbacProxyImage,
+                resources: {
+                  requests: {
+                    cpu: '1m',
+                    memory: '15Mi',
+                  },
+                },
+                ports: [
+                  {
+                    containerPort: 9097,
+                    name: 'metric',
+                  },
+                ],
+                args: [
+                  '--secure-listen-address=0.0.0.0:9097',
+                  '--upstream=http://127.0.0.1:8080',
+                  '--config-file=/etc/kube-rbac-proxy/config.yaml',
+                  '--tls-cert-file=/etc/tls/private/tls.crt',
+                  '--tls-private-key-file=/etc/tls/private/tls.key',
+                  '--tls-cipher-suites=' + cfg.tlsCipherSuites,
+                  '--client-ca-file=/etc/serving-certs-ca-bundle/service-ca.crt',
+                  '--logtostderr=true',
+                  '--v=10',
+                ],
+                terminationMessagePolicy: 'FallbackToLogsOnError',
+                volumeMounts: [
+                  {
+                    mountPath: '/etc/kube-rbac-proxy',
+                    name: 'secret-' + $.kubeRbacProxyMetricSecret.metadata.name,
+                    readOnly: true,
+                  },
+                  {
+                    mountPath: '/etc/tls/private',
+                    name: 'telemeter-client-tls',
+                    readOnly: true,
+                  },
+                  {
+                    mountPath: '/etc/serving-certs-ca-bundle',
+                    name: 'serving-certs-ca-bundle',
+                    readOnly: true,
+                  },
+                ],
+              },
+            ],
+          volumes+: [
+            {
+              name: 'secret-' + $.kubeRbacProxyMetricSecret.metadata.name,
+              secret: {
+                secretName: $.kubeRbacProxyMetricSecret.metadata.name,
+              },
+            },
+          ],
         },
       },
     },
@@ -75,4 +146,10 @@ function(params) {
       'ca-bundle.crt': '',
     },
   },
+
+  kubeRbacProxyMetricSecret: generateSecret.staticAuthSecret(cfg.namespace, cfg.commonLabels, 'telemeter-kube-rbac-proxy-metric') + {
+    metadata+: {
+      labels: { 'app.kubernetes.io/name': 'telemeter-client' },
+    },
+  },
 }

jsonnet/main.jsonnet

@@ -310,6 +310,7 @@ local inCluster =
         namespace: $.values.common.namespace,
         kubeRbacProxyImage: $.values.common.images.kubeRbacProxy,
         commonLabels+: $.values.common.commonLabels,
+        tlsCipherSuites: $.values.common.tlsCipherSuites,
       },
       controlPlane: {
         namespace: $.values.common.namespace,

pkg/manifests/manifests.go

@@ -197,6 +197,7 @@ var (
 	TelemeterClientClusterRoleBinding     = "telemeter-client/cluster-role-binding.yaml"
 	TelemeterClientClusterRoleBindingView = "telemeter-client/cluster-role-binding-view.yaml"
 	TelemeterClientDeployment             = "telemeter-client/deployment.yaml"
+	TelemeterClientRBACProxyMetricSecret  = "telemeter-client/kube-rbac-proxy-metric-secret.yaml"
 	TelemeterClientSecret                 = "telemeter-client/secret.yaml"
 	TelemeterClientService                = "telemeter-client/service.yaml"
 	TelemeterClientServiceAccount         = "telemeter-client/service-account.yaml"
@@ -3219,6 +3220,8 @@ func (f *Factory) TelemeterClientDeployment(proxyCABundleCM *v1.ConfigMap) (*app
 			d.Spec.Template.Spec.Containers[i].Image = f.config.Images.PrometheusConfigReloader
 		case "kube-rbac-proxy":
 			d.Spec.Template.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
+		case "kube-rbac-proxy-metric":
+			d.Spec.Template.Spec.Containers[i].Image = f.config.Images.KubeRbacProxy
 		}
 	}
 
@@ -3256,6 +3259,18 @@ func (f *Factory) TelemeterClientServiceAccount() (*v1.ServiceAccount, error) {
 	return s, nil
 }
 
+// TelemeterClientRBACProxyMetricSecret generates a new Secret for metric endpoint proxy of Telemeter client .
+func (f *Factory) TelemeterClientRBACProxyMetricSecret() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetReader(TelemeterClientRBACProxyMetricSecret))
+	if err != nil {
+		return nil, err
+	}
+
+	s.Namespace = f.namespace
+
+	return s, nil
+}
+
 // TelemeterClientSecret generates a new Secret for Telemeter client.
 func (f *Factory) TelemeterClientSecret() (*v1.Secret, error) {
 	s, err := f.NewSecret(f.assets.MustNewAssetReader(TelemeterClientSecret))

pkg/tasks/telemeter.go

@@ -112,6 +112,16 @@ func (t *TelemeterClientTask) create(ctx context.Context) error {
 		return errors.Wrap(err, "reconciling Telemeter client Service failed")
 	}
 
+	rs, err := t.factory.TelemeterClientRBACProxyMetricSecret()
+	if err != nil {
+		return errors.Wrap(err, "initializing Telemeter client Metric proxy Secret failed")
+	}
+
+	err = t.client.CreateOrUpdateSecret(ctx, rs)
+	if err != nil {
+		return errors.Wrap(err, "reconciling Telemeter client Metric proxy Secret failed")
+	}
+
 	s, err := t.factory.TelemeterClientSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing Telemeter client Secret failed")
@@ -185,6 +195,16 @@ func (t *TelemeterClientTask) destroy(ctx context.Context) error {
 		return errors.Wrap(err, "deleting Telemeter client Deployment failed")
 	}
 
+	rs, err := t.factory.TelemeterClientRBACProxyMetricSecret()
+	if err != nil {
+		return errors.Wrap(err, "initializing Telemeter client Metric proxy Secret failed")
+	}
+
+	err = t.client.DeleteSecret(ctx, rs)
+	if err != nil {
+		return errors.Wrap(err, "deleting Telemeter client Metric proxy Secret failed")
+	}
+
 	s, err := t.factory.TelemeterClientSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing Telemeter client Secret failed")