charts: use service-account token secret for ServiceMonitor auth (#50)

Signed-off-by: Tamal Saha <tamal@appscode.com>

Author: tamalsaha

apis/installer/v1alpha1/aws_credential_manager_types.go

@@ -77,13 +77,14 @@ type AwsCredentialManagerSpec struct {
 	// +optional
 	LivenessProbe *core.Probe `json:"livenessProbe"`
 	// +optional
-	ReadinessProbe *core.Probe        `json:"readinessProbe"`
-	Service        ServiceSpec        `json:"service"`
-	ServiceAccount ServiceAccountSpec `json:"serviceAccount"`
-	Volumes        []core.Volume      `json:"volumes"`
-	VolumeMounts   []core.VolumeMount `json:"volumeMounts"`
+	ReadinessProbe *core.Probe              `json:"readinessProbe"`
+	Service        ServiceSpec              `json:"service"`
+	ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"`
+	Volumes        []core.Volume            `json:"volumes"`
+	VolumeMounts   []core.VolumeMount       `json:"volumeMounts"`
 	// +optional
-	Distro shared.DistroSpec `json:"distro"`
+	Distro     shared.DistroSpec `json:"distro"`
+	Monitoring Monitoring        `json:"monitoring"`
 	// +optional
 	Apiserver AwsCredentialManagerApiserver `json:"apiserver"`
 	// +optional

apis/installer/v1alpha1/gcp_credential_manager_types.go

@@ -77,13 +77,14 @@ type GcpCredentialManagerSpec struct {
 	// +optional
 	LivenessProbe *core.Probe `json:"livenessProbe"`
 	// +optional
-	ReadinessProbe *core.Probe        `json:"readinessProbe"`
-	Service        ServiceSpec        `json:"service"`
-	ServiceAccount ServiceAccountSpec `json:"serviceAccount"`
-	Volumes        []core.Volume      `json:"volumes"`
-	VolumeMounts   []core.VolumeMount `json:"volumeMounts"`
+	ReadinessProbe *core.Probe              `json:"readinessProbe"`
+	Service        ServiceSpec              `json:"service"`
+	ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"`
+	Volumes        []core.Volume            `json:"volumes"`
+	VolumeMounts   []core.VolumeMount       `json:"volumeMounts"`
 	// +optional
-	Distro shared.DistroSpec `json:"distro"`
+	Distro     shared.DistroSpec `json:"distro"`
+	Monitoring Monitoring        `json:"monitoring"`
 	// +optional
 	Apiserver GcpCredentialManagerApiserver `json:"apiserver"`
 	// +optional

apis/installer/v1alpha1/types.go

@@ -42,6 +42,12 @@ type ServiceAccountSpec struct {
 	Annotations map[string]string `json:"annotations"`
 }
 
+type StaticServiceAccountSpec struct {
+	Create bool `json:"create"`
+	//+optional
+	Annotations map[string]string `json:"annotations"`
+}
+
 // +kubebuilder:validation:Enum=prometheus.io;prometheus.io/operator;prometheus.io/builtin
 type MonitoringAgent string
 

apis/installer/v1alpha1/zz_generated.deepcopy.go

@@ -58,7 +58,6 @@ The following table lists the configurable parameters of the `aws-credential-man
 | fullnameOverride                      |                                                                                                                                                                                                                                                   | <code>""</code>                                                                                                                                                                                |
 | serviceAccount.create                 | Specifies whether a service account should be created                                                                                                                                                                                             | <code>true</code>                                                                                                                                                                              |
 | serviceAccount.annotations            | Annotations to add to the service account                                                                                                                                                                                                         | <code>{}</code>                                                                                                                                                                                |
-| serviceAccount.name                   | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                                                                                                            | <code>""</code>                                                                                                                                                                                |
 | podAnnotations                        |                                                                                                                                                                                                                                                   | <code>{}</code>                                                                                                                                                                                |
 | podLabels                             |                                                                                                                                                                                                                                                   | <code>{}</code>                                                                                                                                                                                |
 | podSecurityContext                    |                                                                                                                                                                                                                                                   | <code>{}</code>                                                                                                                                                                                |
@@ -97,6 +96,8 @@ The following table lists the configurable parameters of the `aws-credential-man
 | apiserver.servingCerts.caCrt          | CA certficate used by serving certificate of webhook server.                                                                                                                                                                                      | <code>""</code>                                                                                                                                                                                |
 | apiserver.servingCerts.serverCrt      | Serving certficate used by webhook server.                                                                                                                                                                                                        | <code>""</code>                                                                                                                                                                                |
 | apiserver.servingCerts.serverKey      | Private key for the serving certificate used by webhook server.                                                                                                                                                                                   | <code>""</code>                                                                                                                                                                                |
+| monitoring.agent                      | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")                                                                                                                                              | <code>""</code>                                                                                                                                                                                |
+| monitoring.serviceMonitor.labels      | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`.                                                                               | <code>{}</code>                                                                                                                                                                                |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:

charts/aws-credential-manager/README.md

@@ -54,11 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "aws-credential-manager.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "aws-credential-manager.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
+aws-credential-manager
 {{- end }}
 
 {{/*

charts/aws-credential-manager/templates/_helpers.tpl

@@ -0,0 +1,12 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ include "aws-credential-manager.serviceAccountName" . }}
+type: kubernetes.io/service-account-token
+{{- end }}

charts/aws-credential-manager/templates/metrics-token-secret.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: aws-credential-manager
+  name: {{ include "aws-credential-manager.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-credential-manager.labels" . | nindent 4 }}

charts/aws-credential-manager/templates/serviceaccount.yaml

@@ -0,0 +1,37 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- if .Values.monitoring.serviceMonitor.labels }}
+    {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- else }}
+    {{- include "aws-credential-manager.selectorLabels" . | nindent 4 }}
+  {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "aws-credential-manager.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - targetPort: 9443
+    authorization:
+      credentials:
+        key: token
+        name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
+      type: Bearer
+    path: /metrics
+    scheme: https
+    tlsConfig:
+      ca:
+        secret:
+          name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+          key: ca.crt
+      serverName: "{{ include "aws-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc"
+{{- end }}

charts/aws-credential-manager/templates/servicemonitor.yaml

@@ -610,6 +610,25 @@ properties:
         format: int32
         type: integer
     type: object
+  monitoring:
+    properties:
+      agent:
+        enum:
+        - prometheus.io
+        - prometheus.io/operator
+        - prometheus.io/builtin
+        type: string
+      serviceMonitor:
+        properties:
+          labels:
+            additionalProperties:
+              type: string
+            type: object
+        type: object
+    required:
+    - agent
+    - serviceMonitor
+    type: object
   nameOverride:
     type: string
   nodeSelector:
@@ -912,8 +931,6 @@ properties:
         type: object
       create:
         type: boolean
-      name:
-        type: string
     required:
     - create
     type: object
@@ -1774,6 +1791,7 @@ properties:
     type: array
 required:
 - image
+- monitoring
 - replicaCount
 - service
 - serviceAccount