OpenShift: Copy mTLS metric certs from OCP monitoring stack (#33)

component/addons/openshift-certs.libsonnet

@@ -0,0 +1,55 @@
+local kube = import 'lib/kube.libjsonnet';
+local rl = import 'lib/resource-locker.libjsonnet';
+
+local sourceSecretNamespace = 'openshift-monitoring';
+local sourceSecretName = 'metrics-client-certs';
+
+{
+  local config = self,
+
+  local targetSecret = kube.Secret('ocp-metric-client-certs-' + config.values.prometheus.name),
+
+  local rlPatch = [
+    if o.kind == 'ResourceLocker' then
+      o {
+        spec+: {
+          patches: [
+            super.patches[0] {
+              targetObjectRef+: {
+                namespace: config.values.common.namespace,
+              },
+              sourceObjectRefs: [
+                {
+                  apiVersion: targetSecret.apiVersion,
+                  kind: targetSecret.kind,
+                  name: sourceSecretName,
+                  namespace: sourceSecretNamespace,
+                },
+              ],
+            },
+          ],
+        },
+      }
+    else o
+    for o in rl.Patch(targetSecret, {
+      data: {
+        'tls.crt': '{{ index (index . 0).data `tls.crt` }}',
+        'tls.key': '{{ index (index . 0).data `tls.key` }}',
+      },
+    })
+  ],
+
+  prometheus+: {
+    ocpMetricsClientCertSecret: targetSecret {
+      metadata+: {
+        namespace: config.values.common.namespace,
+      },
+      data:: {},
+    },
+    prometheus+: {
+      spec+: {
+        secrets+: [ targetSecret.metadata.name ],
+      },
+    },
+  } + std.foldl(function(p, x) p { [x.metadata.name + '_' + x.kind]: x }, rlPatch, {}),
+}

component/addons/openshift4.libsonnet

@@ -3,9 +3,12 @@
 // - patches the upstream ServiceMonitors to work with OpenShift.
 // - adds the `remove-securitycontext` addon to remove the security context from deployments.
 // - adds the `nodeexporter` addon to assign a sufficient SCC to the nodeexporter service account and change the default nodeexporter port.
+// - copies the metrics mTLS secrets to the stacks namespace using the `openshift-certs` addon.
 
 (import './remove-securitycontext.libsonnet')
 +
 (import './openshift4-nodeexporter.libsonnet')
 +
 (import './openshift4-control-plane.libsonnet')
++
+(import './openshift-certs.libsonnet')

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_ocp-metric-client-certs-default-instance-manager_ServiceAccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    source: https://github.com/projectsyn/component-prometheus
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+    name: ocp-metric-client-certs-default-instance-manager
+  name: ocp-metric-client-certs-default-instance-manager
+  namespace: syn-resource-locker

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_ocp-metric-client-certs-default-instance_ResourceLocker.yaml

@@ -0,0 +1,30 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: ResourceLocker
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    source: https://github.com/projectsyn/component-prometheus
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+    name: ocp-metric-client-certs-default-instance
+  name: ocp-metric-client-certs-default-instance
+  namespace: syn-resource-locker
+spec:
+  patches:
+    - id: patch1
+      patchTemplate: "\"data\":\n  \"tls.crt\": \"{{ index (index . 0).data `tls.crt`\
+        \ }}\"\n  \"tls.key\": \"{{ index (index . 0).data `tls.key` }}\""
+      patchType: application/strategic-merge-patch+json
+      sourceObjectRefs:
+        - apiVersion: v1
+          kind: Secret
+          name: metrics-client-certs
+          namespace: openshift-monitoring
+      targetObjectRef:
+        apiVersion: v1
+        kind: Secret
+        name: ocp-metric-client-certs-default-instance
+        namespace: syn-prometheus
+  serviceAccountRef:
+    name: ocp-metric-client-certs-default-instance-manager

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_ocpMetricsClientCertSecret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    source: https://github.com/projectsyn/component-prometheus
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+    name: ocp-metric-client-certs-default-instance
+  name: ocp-metric-client-certs-default-instance
+  namespace: syn-prometheus
+type: Opaque

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_prometheus.yaml

@@ -41,6 +41,8 @@ spec:
       memory: 400Mi
   ruleNamespaceSelector: {}
   ruleSelector: {}
+  secrets:
+    - ocp-metric-client-certs-default-instance
   serviceAccountName: prometheus-default-instance
   serviceMonitorNamespaceSelector: {}
   serviceMonitorSelector: {}

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_syn-resource-locker-etric-client-certs-default-instance-manager_ClusterRole.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    source: https://github.com/projectsyn/component-prometheus
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+    name: syn-resource-locker-etric-client-certs-default-instance-manager
+  name: syn-resource-locker-etric-client-certs-default-instance-manager
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - patch
+      - watch

tests/golden/openshift/prometheus/prometheus/20_default-instance_prometheus_syn-resource-locker-etric-client-certs-default-instance-manager_ClusterRoleBinding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    source: https://github.com/projectsyn/component-prometheus
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+    name: syn-resource-locker-etric-client-certs-default-instance-manager
+  name: syn-resource-locker-etric-client-certs-default-instance-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: syn-resource-locker-etric-client-certs-default-instance-manager
+subjects:
+  - kind: ServiceAccount
+    name: ocp-metric-client-certs-default-instance-manager
+    namespace: syn-resource-locker

tests/openshift.yml

@@ -1,5 +1,14 @@
 ---
 parameters:
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-resource-locker/v2.0.1/lib/resource-locker.libjsonnet
+        output_path: vendor/lib/resource-locker.libjsonnet
+
+  resource_locker:
+    namespace: syn-resource-locker
+
   prometheus:
     kubernetes_version: '1.22'
     instances: