CNF-11234: Enable RTE metrics to be scraped securely by Prometheus

[rbaturov]

This is a follow-up PR for Enable NROP metrics to be to scraped securely by Prometheus .

This PR encompasses and integrates all the needed infrastructure to enable secured communication for scraping metrics by Prometheus, now for RTE.

A follow-up PR will be posted for e2e tests later.

To validate that this PR is functioning correctly, please follow these steps:

1. build image of the operator (make docker-build docker-push)
2. run: make deploy
3. Attach to one of the prometheus pods oc exec -it prometheus-k8s-0 -n openshift-monitoring /bin/bash
4. run:

curl -v \
--cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
https://numaresources-rte-metrics-service.numaresources.svc:2112/metrics

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[ffromani]

/retest

[ffromani]

I'm not sure we need a separate manifest set. I'. mot saying I'm against it but I'd like to see if/how we can merge it with the existing manifest set

[ffromani]

ok, this is a role, hence it is ONLY granted in the NROP namespace, right? Stll this is very broad, we need to narrow down AND document in the commit message why do we need these permissions

[rbaturov]

I agree, you are right. we want in only in the NROP namespace.

[rbaturov]

@ffromani
I've tried to create a separate role (not clusterRole) and a RoleBinding.
But adding the label
//+kubebuilder:rbac:groups="",resources=services,verbs=*
followed by make manifests appends its in the clusterRole.
Not sure how we can avoide this and append this in the dedicated role.

[ffromani]

why do we need the cast here?

[rbaturov]

If I'll remove the casting:
I'll get this error when using r.Client.Get:
cannot use existingObj (variable of type runtime.Object) as client.Object value in argument to r.Client.Get: runtime.Object does not implement client.Object (missing method GetAnnotations)

[ffromani]

and why do we use DeepCopyObject() and not DeepCopy() ?

[rbaturov]

@ffromani This because the client.Object implements DeepCopyObject() and not DeepCopy()

[rbaturov]

I'm not sure we need a separate manifest set. I'. mot saying I'm against it but I'd like to see if/how we can merge it with the existing manifest set

I agree on this one.
But I coudln't figure out a more appropriate place to put this manifest.

[ffromani]

/approve
/lgtm

good starting point for 4.19 and onwards

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ffromani, rbaturov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ffromani]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ffromani]

/hold

need to check RBAC rules again

[ffromani]

/lgtm cancel

[rbaturov]

/hold

need to check RBAC rules again

Regarding this, it is correct that now I have granted permission to the operator to manage service objects across the entire cluster and not narrowed it down to NROP namespace.
As I said before, I'm not sure how we can create a role not a clusterrole for this matter.

[rbaturov]

/retest-required

[rbaturov]

/retest-required

[rbaturov]

/retest-required

[ffromani]

/retest-required

the first retest it's a freebie, but past that we need to check why tests are failing and only when we are confident it's actually an infra issue we should retest

[rbaturov]

/retest-required

the first retest it's a freebie, but past that we need to check why tests are failing and only when we are confident it's actually an infra issue we should retest

I saw there was a timeout. I'm not sure this is the infra indeed, I wanted to give it a try before deep diving into that
Edit: actually I forgot this is the second retest. will take a look now

[openshift-ci-robot]

@rbaturov: This pull request references CNF-11234 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

This is a follow-up PR for Enable NROP metrics to be to scraped securely by Prometheus .

This PR encompasses and integrates all the needed infrastructure to enable secured communication for scraping metrics by Prometheus, now for RTE.

A follow-up PR will be posted for e2e tests later.

To validate that this PR is functioning correctly, please follow these steps:

1. build image of the operator (make docker-build docker-push)
2. run: make deploy
3. Attach to one of the prometheus pods oc exec -it prometheus-k8s-0 -n openshift-monitoring /bin/bash
4. run:

curl -v \
--cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
https://numaresources-rte-metrics-service.numaresources.svc:2112/metrics

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ffromani]

/lgtm

we can narrow down permissions later on

[ffromani]

/hold cancel

[Tal-or]

/lgtm
Good enough for now. Thanks!