results metrics exposed over https using kube-rbac-proxy

Signed-off-by: Satyam Bhardwaj <[email protected]>

Author: Satyam Bhardwaj

developer/config.yaml

@@ -6,10 +6,10 @@
 cluster_type: openshift
 
 # git_url refers to a git repo to be considered as the source of truth for Argo CD applications.
-git_url: https://github.com/openshift-pipelines/pipeline-service.git
+git_url: https://github.com/ramessesii2/pipeline-service.git
 
 # git_ref refers to the git repo's ref to be considered as the source of truth for Argo CD applications.
-git_ref: main
+git_ref: RAMESSESII2/results-kube-rbac-proxy-test
 
 # Applications to be deployed on the cluster
 apps:

developer/openshift/gitops/argocd/pipeline-service-o11y.yaml

@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service-o11y
-    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
-    targetRevision: main
+    repoURL: https://github.com/ramessesii2/pipeline-service.git
+    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the

developer/openshift/gitops/argocd/pipeline-service-storage.yaml

@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service-storage
-    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
-    targetRevision: main
+    repoURL: https://github.com/ramessesii2/pipeline-service.git
+    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the

developer/openshift/gitops/argocd/pipeline-service.yaml

@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service
-    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
-    targetRevision: main
+    repoURL: https://github.com/ramessesii2/pipeline-service.git
+    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the

operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tekton-results-api
+  namespace: tekton-pipelines
+spec:
+  template:
+    spec:
+      containers:
+        - name: kube-rbac-proxy
+          image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12
+          args:
+            - "--secure-listen-address=0.0.0.0:9443"
+            - "--upstream=http://127.0.0.1:9090/"
+            - "--logtostderr=true"
+            - "--v=10"
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - containerPort: 9443
+              protocol: TCP
+              name: metrics
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+            requests:
+              cpu: 5m
+              memory: 64Mi

operator/gitops/argocd/pipeline-service/tekton-results/api-service-patch.yaml

@@ -0,0 +1,10 @@
+---
+- op: replace
+  path: /spec/ports/1/name
+  value: metrics
+- op: replace
+  path: /spec/ports/1/port
+  value: 9443
+- op: replace
+  path: /spec/ports/1/targetPort
+  value: metrics

operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml

@@ -41,3 +41,18 @@ patches:
   - path: watcher-logging.yaml
   - path: watcher-sync.yaml
   - path: watcher-service-sync.yaml
+  - path: api-kube-rbac-proxy.yaml
+  - path: watcher-kube-rbac-proxy.yaml
+  - path: watcher-cr-patch.yaml
+  - path: watcher-service-patch.yaml
+    target:
+      version: v1
+      kind: Service
+      name: tekton-results-watcher
+      labelSelector: "app.kubernetes.io/name=tekton-results-watcher"
+  - path: api-service-patch.yaml
+    target:
+      version: v1
+      kind: Service
+      name: tekton-results-api-service
+      labelSelector: "app.kubernetes.io/name=tekton-results-api"

operator/gitops/argocd/pipeline-service/tekton-results/service-monitor.yaml

@@ -54,8 +54,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: prometheus
-      scheme: http
+      port: metrics
+      scheme: https
       bearerTokenSecret:
         name: "metrics-reader"
         key: token
@@ -75,8 +75,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: metrics
-      scheme: http
+      port: watchermetrics
+      scheme: https
       bearerTokenSecret:
         name: "metrics-reader"
         key: token

operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: watcher
+rules:
+  # Watcher needs to be able to create new and update existing results.
+  - apiGroups: ["results.tekton.dev"]
+    resources: ["logs", "results", "records"]
+    verbs: ["create", "get", "update"]
+  # Needed to read results and update annotations with Result ID.
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelineruns", "taskruns"]
+    verbs: ["get", "list", "patch", "update", "watch", "delete"]
+  # Watcher currently get config from APISever, so will
+  # fail to start if it does not have this permission.
+  - apiGroups: [""]
+    resources: ["configmaps", "pods"]
+    verbs: ["get", "list", "watch"]
+  # Required to read logs, when logs API is enabled
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelines"]
+    verbs: ["get"]
+  # Required for enabling leader election.
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  # Watcher needs to be able to verify incoming auth tokens.
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  # Watcher needs to be able to use RBAC to verify user authorization.
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]

operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tekton-results-watcher
+  namespace: tekton-pipelines
+spec:
+  template:
+    spec:
+      containers:
+        - name: kube-rbac-proxy
+          image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12
+          args:
+            - "--secure-listen-address=0.0.0.0:8443"
+            - "--upstream=http://127.0.0.1:9090/"
+            - "--logtostderr=true"
+            - "--v=10"
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+              name: watchermetrics
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+            requests:
+              cpu: 5m
+              memory: 64Mi