Merge pull request #1990 from marioferh/generate_federate_cert

OCPBUGS-14772: Add federate-client-certs
openshift · Jun 8, 2023 · 076da3b · 076da3b
2 parents b92687c + 5209b29
commit 076da3b
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 1 deletion.
diff --git a/assets/cluster-monitoring-operator/federate-client-certs.yaml b/assets/cluster-monitoring-operator/federate-client-certs.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  name: federate-client-certs
+  namespace: openshift-monitoring
+type: Opaque
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -67,6 +67,17 @@ function(params) {
     data: {},
   },
 
+  federateClientCerts: {
+    apiVersion: 'v1',
+    kind: 'Secret',
+    metadata: {
+      name: 'federate-client-certs',
+      namespace: cfg.namespace,
+    },
+    type: 'Opaque',
+    data: {},
+  },
+
   metricsClientCa: {
     apiVersion: 'v1',
     kind: 'ConfigMap',

diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -227,6 +227,7 @@ var (
 	ClusterMonitoringGrpcTLSSecret              = "cluster-monitoring-operator/grpc-tls-secret.yaml"
 	ClusterMonitoringOperatorPrometheusRule     = "cluster-monitoring-operator/prometheus-rule.yaml"
 	ClusterMonitoringMetricsClientCertsSecret   = "cluster-monitoring-operator/metrics-client-certs.yaml"
+	ClusterMonitoringFederateClientCertsSecret  = "cluster-monitoring-operator/federate-client-certs.yaml"
 	ClusterMonitoringMetricsClientCACM          = "cluster-monitoring-operator/metrics-client-ca.yaml"
 
 	TelemeterClientClusterRole            = "telemeter-client/cluster-role.yaml"

diff --git a/pkg/manifests/tls.go b/pkg/manifests/tls.go
@@ -67,6 +67,19 @@ func (f *Factory) MetricsClientCerts() (*v1.Secret, error) {
 	return s, nil
 }
 
+func (f *Factory) FederateClientCerts() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetReader(ClusterMonitoringFederateClientCertsSecret))
+	if err != nil {
+		return nil, err
+	}
+
+	s.Namespace = f.namespace
+	s.Data = make(map[string][]byte)
+	s.Annotations = make(map[string]string)
+
+	return s, nil
+}
+
 func (f *Factory) MetricsClientCACM(apiAuthConfigmap *v1.ConfigMap) (*v1.ConfigMap, error) {
 	cm, err := f.NewConfigMap(f.assets.MustNewAssetReader(ClusterMonitoringMetricsClientCACM))
 	if err != nil {

diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
@@ -135,6 +135,7 @@ const (
 	alertmanagerCABundleConfigMap = "openshift-monitoring/alertmanager-trusted-ca-bundle"
 	grpcTLS                       = "openshift-monitoring/grpc-tls"
 	metricsClientCerts            = "openshift-monitoring/metrics-client-certs"
+	federateClientCerts           = "openshift-monitoring/federate-client-certs"
 
 	// Canonical name of the cluster-wide infrastructure resource.
 	clusterResourceName = "cluster"
@@ -436,7 +437,38 @@ func New(
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create client certificate controller")
 	}
-	o.controllersToRunFunc = append(o.controllersToRunFunc, csrController.Run, o.ruleController.Run, o.relabelController.Run)
+
+	// csrFederateController runs a controller that requests a client TLS certificate for the telemeter client. This certificate is used to authenticate against the Prometheus /federate API endpoint.
+	csrFederateController, err := csr.NewClientCertificateController(
+		csr.ClientCertOption{
+			SecretNamespace: "openshift-monitoring",
+			SecretName:      "federate-client-certs",
+		},
+		csr.CSROption{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "system:openshift:openshift-monitoring-",
+				Labels: map[string]string{
+					"metrics.openshift.io/csr.subject": "prometheus",
+				},
+			},
+			Subject:    &pkix.Name{CommonName: "system:serviceaccount:openshift-monitoring:prometheus-k8s"},
+			SignerName: certapiv1.KubeAPIServerClientSignerName,
+		},
+		kubeInformersOperatorNS.Certificates().V1().CertificateSigningRequests(),
+		o.client.KubernetesInterface().CertificatesV1().CertificateSigningRequests(),
+		kubeInformersOperatorNS.Core().V1().Secrets(),
+		o.client.KubernetesInterface().CoreV1(),
+		o.client.EventRecorder(),
+		"OpenShiftMonitoringTelemeterClientCertRequester",
+	)
+
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create federate certificate controller")
+	}
+
+	o.controllersToRunFunc = append(o.controllersToRunFunc, csrFederateController.Run, csrController.Run)
+
+	o.controllersToRunFunc = append(o.controllersToRunFunc, o.ruleController.Run, o.relabelController.Run)
 
 	return o, nil
 }
@@ -578,6 +610,7 @@ func (o *Operator) handleEvent(obj interface{}) {
 	case alertmanagerCABundleConfigMap:
 	case grpcTLS:
 	case metricsClientCerts:
+	case federateClientCerts:
 	case uwmConfigMap:
 	default:
 		klog.V(5).Infof("ConfigMap or Secret (%s) not triggering an update.", key)

diff --git a/pkg/tasks/prometheus.go b/pkg/tasks/prometheus.go
@@ -279,6 +279,16 @@ func (t *PrometheusTask) create(ctx context.Context) error {
 		return errors.Wrap(err, "waiting for Metrics Client Certs secret failed")
 	}
 
+	federateCerts, err := t.factory.FederateClientCerts()
+	if err != nil {
+		return errors.Wrap(err, "initializing Federate Client Certs secret failed")
+	}
+
+	_, err = t.client.WaitForSecret(ctx, federateCerts)
+	if err != nil {
+		return errors.Wrap(err, "waiting for Federate Client Certs secret failed")
+	}
+
 	grpcTLS, err := t.factory.GRPCSecret()
 	if err != nil {
 		return errors.Wrap(err, "initializing Prometheus GRPC secret failed")