use k8s bearer token file instead actual token itself to handle key rotations

Author: movence

receiver/awscontainerinsightreceiver/internal/k8sapiserver/prometheus_scraper.go

@@ -29,7 +29,8 @@ const (
 	caFile             = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	collectionInterval = 60 * time.Second
 	// needs to start with "containerInsightsKubeAPIServerScraper" for histogram deltas in the emf exporter
-	jobName = "containerInsightsKubeAPIServerScraper"
+	jobName                        = "containerInsightsKubeAPIServerScraper"
+	serviceAccountTokenDefaultPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" // #nosec
 )
 
 var controlPlaneMetricAllowList = []string{
@@ -72,7 +73,6 @@ type PrometheusScraperOpts struct {
 	Host                component.Host
 	ClusterNameProvider clusterNameProvider
 	LeaderElection      *LeaderElection
-	BearerToken         string
 }
 
 func NewPrometheusScraper(opts PrometheusScraperOpts) (*PrometheusScraper, error) {
@@ -101,6 +101,10 @@ func NewPrometheusScraper(opts PrometheusScraperOpts) (*PrometheusScraper, error
 				CAFile:             caFile,
 				InsecureSkipVerify: false,
 			},
+			Authorization: &configutil.Authorization{
+				Type:            "Bearer",
+				CredentialsFile: serviceAccountTokenDefaultPath,
+			},
 		},
 		ScrapeInterval:  model.Duration(collectionInterval),
 		ScrapeTimeout:   model.Duration(collectionInterval),
@@ -145,12 +149,6 @@ func NewPrometheusScraper(opts PrometheusScraperOpts) (*PrometheusScraper, error
 		},
 	}
 
-	if opts.BearerToken != "" {
-		scrapeConfig.HTTPClientConfig.BearerToken = configutil.Secret(opts.BearerToken)
-	} else {
-		opts.TelemetrySettings.Logger.Warn("bearer token is not set, control plane metrics will not be published")
-	}
-
 	promConfig := prometheusreceiver.Config{
 		PrometheusConfig: &prometheusreceiver.PromConfig{
 			ScrapeConfigs: []*config.ScrapeConfig{scrapeConfig},

receiver/awscontainerinsightreceiver/internal/k8sapiserver/prometheus_scraper_test.go

@@ -101,7 +101,6 @@ func TestNewPrometheusScraperBadInputs(t *testing.T) {
 			Host:                componenttest.NewNopHost(),
 			ClusterNameProvider: mockClusterNameProvider{},
 			LeaderElection:      nil,
-			BearerToken:         "",
 		},
 		{
 			Ctx:                 context.TODO(),
@@ -111,7 +110,6 @@ func TestNewPrometheusScraperBadInputs(t *testing.T) {
 			Host:                componenttest.NewNopHost(),
 			ClusterNameProvider: mockClusterNameProvider{},
 			LeaderElection:      &leaderElection,
-			BearerToken:         "",
 		},
 		{
 			Ctx:                 context.TODO(),
@@ -121,7 +119,6 @@ func TestNewPrometheusScraperBadInputs(t *testing.T) {
 			Host:                nil,
 			ClusterNameProvider: mockClusterNameProvider{},
 			LeaderElection:      &leaderElection,
-			BearerToken:         "",
 		},
 		{
 			Ctx:                 context.TODO(),
@@ -131,7 +128,6 @@ func TestNewPrometheusScraperBadInputs(t *testing.T) {
 			Host:                componenttest.NewNopHost(),
 			ClusterNameProvider: nil,
 			LeaderElection:      &leaderElection,
-			BearerToken:         "",
 		},
 	}
 
@@ -172,7 +168,6 @@ func TestNewPrometheusScraperEndToEnd(t *testing.T) {
 		Host:                componenttest.NewNopHost(),
 		ClusterNameProvider: mockClusterNameProvider{},
 		LeaderElection:      &leaderElection,
-		BearerToken:         "",
 	})
 	assert.NoError(t, err)
 	assert.Equal(t, mockClusterNameProvider{}, scraper.clusterNameProvider)

receiver/awscontainerinsightreceiver/receiver.go

@@ -12,13 +12,6 @@ import (
 	"time"
 
 	"github.com/amazon-contributing/opentelemetry-collector-contrib/extension/awsmiddleware"
-	"go.opentelemetry.io/collector/component"
-	"go.opentelemetry.io/collector/consumer"
-	"go.opentelemetry.io/collector/pdata/pmetric"
-	"go.opentelemetry.io/collector/receiver"
-	"go.uber.org/zap"
-	"k8s.io/client-go/rest"
-
 	ci "github.com/open-telemetry/opentelemetry-collector-contrib/internal/aws/containerinsight"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/internal/aws/k8s/k8sclient"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver/internal/cadvisor"
@@ -33,6 +26,11 @@ import (
 	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver/internal/prometheusscraper/decoratorconsumer"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver/internal/stores"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver/internal/stores/kubeletutil"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/consumer"
+	"go.opentelemetry.io/collector/pdata/pmetric"
+	"go.opentelemetry.io/collector/receiver"
+	"go.uber.org/zap"
 )
 
 const (
@@ -270,16 +268,6 @@ func (acir *awsContainerInsightReceiver) initPrometheusScraper(ctx context.Conte
 	}
 
 	acir.settings.Logger.Debug("kube apiserver endpoint found", zap.String("endpoint", endpoint))
-	// use the same leader
-
-	restConfig, err := rest.InClusterConfig()
-	if err != nil {
-		return err
-	}
-	bearerToken := restConfig.BearerToken
-	if bearerToken == "" {
-		return errors.New("bearer token was empty")
-	}
 
 	acir.prometheusScraper, err = k8sapiserver.NewPrometheusScraper(k8sapiserver.PrometheusScraperOpts{
 		Ctx:                 ctx,
@@ -289,7 +277,6 @@ func (acir *awsContainerInsightReceiver) initPrometheusScraper(ctx context.Conte
 		Host:                host,
 		ClusterNameProvider: hostInfo,
 		LeaderElection:      leaderElection,
-		BearerToken:         bearerToken,
 	})
 	return err
 }