MON-3866: create separate metrics client cert for metrics server

Signed-off-by: Ayoub Mrini <[email protected]>
Co-authored-by: Jayapriya Pai <[email protected]>

Author: machine424

assets/cluster-monitoring-operator/metrics-server-client-certs.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server-client-certs
+  namespace: openshift-monitoring
+type: Opaque

assets/metrics-server/deployment.yaml

@@ -46,8 +46,8 @@ spec:
         - --kubelet-use-node-status-port
         - --metric-resolution=15s
         - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
-        - --kubelet-client-certificate=/etc/tls/metrics-client-certs/tls.crt
-        - --kubelet-client-key=/etc/tls/metrics-client-certs/tls.key
+        - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt
+        - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -88,8 +88,8 @@ spec:
         volumeMounts:
         - mountPath: /etc/tls/private
           name: secret-metrics-server-tls
-        - mountPath: /etc/tls/metrics-client-certs
-          name: secret-metrics-client-certs
+        - mountPath: /etc/tls/metrics-server-client-certs
+          name: secret-metrics-server-client-certs
         - mountPath: /etc/tls/kubelet-serving-ca-bundle
           name: configmap-kubelet-serving-ca-bundle
         - mountPath: /etc/audit
@@ -104,9 +104,9 @@ spec:
       serviceAccountName: metrics-server
       terminationGracePeriodSeconds: 170
       volumes:
-      - name: secret-metrics-client-certs
+      - name: secret-metrics-server-client-certs
         secret:
-          secretName: metrics-client-certs
+          secretName: metrics-server-client-certs
       - name: secret-metrics-server-tls
         secret:
           secretName: metrics-server-tls

jsonnet/components/cluster-monitoring-operator.libsonnet

@@ -80,6 +80,17 @@ function(params) {
     },
   },
 
+  metricsServerClientCerts: {
+    apiVersion: 'v1',
+    kind: 'Secret',
+    metadata: {
+      name: 'metrics-server-client-certs',
+      namespace: cfg.namespace,
+    },
+    type: 'Opaque',
+    data: {},
+  },
+
   metricsClientCerts: {
     apiVersion: 'v1',
     kind: 'Secret',

jsonnet/components/metrics-server.libsonnet

@@ -197,8 +197,8 @@ function(params) {
                 '--kubelet-use-node-status-port',
                 '--metric-resolution=15s',
                 '--kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt',
-                '--kubelet-client-certificate=/etc/tls/metrics-client-certs/tls.crt',
-                '--kubelet-client-key=/etc/tls/metrics-client-certs/tls.key',
+                '--kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt',
+                '--kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key',
                 '--tls-cert-file=/etc/tls/private/tls.crt',
                 '--tls-private-key-file=/etc/tls/private/tls.key',
                 '--tls-cipher-suites=' + cfg.tlsCipherSuites,
@@ -260,8 +260,8 @@ function(params) {
                   name: 'secret-metrics-server-tls',
                 },
                 {
-                  mountPath: '/etc/tls/metrics-client-certs',
-                  name: 'secret-metrics-client-certs',
+                  mountPath: '/etc/tls/metrics-server-client-certs',
+                  name: 'secret-metrics-server-client-certs',
                 },
                 {
                   mountPath: '/etc/tls/kubelet-serving-ca-bundle',
@@ -278,9 +278,9 @@ function(params) {
           terminationGracePeriodSeconds: 170,
           volumes: [
             {
-              name: 'secret-metrics-client-certs',
+              name: 'secret-metrics-server-client-certs',
               secret: {
-                secretName: 'metrics-client-certs',
+                secretName: 'metrics-server-client-certs',
               },
             },
             {

pkg/manifests/manifests.go

@@ -242,6 +242,7 @@ var (
 	ClusterMonitoringGrpcTLSSecret                         = "cluster-monitoring-operator/grpc-tls-secret.yaml"
 	ClusterMonitoringOperatorPrometheusRule                = "cluster-monitoring-operator/prometheus-rule.yaml"
 	ClusterMonitoringMetricsClientCertsSecret              = "cluster-monitoring-operator/metrics-client-certs.yaml"
+	ClusterMonitoringMetricsServerClientCertsSecret        = "cluster-monitoring-operator/metrics-server-client-certs.yaml"
 	ClusterMonitoringFederateClientCertsSecret             = "cluster-monitoring-operator/federate-client-certs.yaml"
 	ClusterMonitoringMetricsClientCACM                     = "cluster-monitoring-operator/metrics-client-ca.yaml"
 
@@ -1889,7 +1890,7 @@ func (f *Factory) MetricsServerRoleBindingAuthReader() (*rbacv1.RoleBinding, err
 	return f.NewRoleBinding(f.assets.MustNewAssetSlice(MetricsServerRoleBindingAuthReader))
 }
 
-func (f *Factory) MetricsServerDeployment(apiAuthSecretName string, kubeletCABundle *v1.ConfigMap, servingCASecret, metricsClientCert *v1.Secret, requestheader map[string]string) (*appsv1.Deployment, error) {
+func (f *Factory) MetricsServerDeployment(apiAuthSecretName string, kubeletCABundle *v1.ConfigMap, servingCASecret, metricsServerClientCerts *v1.Secret, requestheader map[string]string) (*appsv1.Deployment, error) {
 	dep, err := f.NewDeployment(f.assets.MustNewAssetSlice(MetricsServerDeployment))
 	if err != nil {
 		return nil, err
@@ -1934,10 +1935,10 @@ func (f *Factory) MetricsServerDeployment(apiAuthSecretName string, kubeletCABun
 	// are rotated.
 	dep.Spec.Template.Annotations["monitoring.openshift.io/serving-ca-secret-hash"] = hashByteMap(servingCASecret.Data)
 
-	// Hash the metrics client cert and propagate it as an annotation to the
-	// deployment's pods to trigger a new rollout when the metrics client cert
+	// Hash the metrics server client cert and propagate it as an annotation to the
+	// deployment's pods to trigger a new rollout when the metrics server client cert
 	// is rotated.
-	dep.Spec.Template.Annotations["monitoring.openshift.io/metrics-client-cert-hash"] = hashByteMap(metricsClientCert.Data)
+	dep.Spec.Template.Annotations["monitoring.openshift.io/metrics-server-client-certs-hash"] = hashByteMap(metricsServerClientCerts.Data)
 
 	config := f.config.ClusterMonitoringConfiguration.MetricsServerConfig
 	if config == nil {
@@ -2017,13 +2018,9 @@ func (f *Factory) MetricsServerDeployment(apiAuthSecretName string, kubeletCABun
 	return dep, nil
 }
 
-func (f *Factory) MetricsServerSecret(tlsSecret *v1.Secret, apiAuthConfigmap *v1.ConfigMap) (*v1.Secret, error) {
+func (f *Factory) MetricsServerClientCASecret(apiAuthConfigmap *v1.ConfigMap) (*v1.Secret, error) {
 	data := make(map[string]string)
 
-	for k, v := range tlsSecret.Data {
-		data[k] = string(v)
-	}
-
 	for k, v := range apiAuthConfigmap.Data {
 		data[k] = v
 	}
@@ -2033,16 +2030,14 @@ func (f *Factory) MetricsServerSecret(tlsSecret *v1.Secret, apiAuthConfigmap *v1
 	var (
 		clientCA              = r.value("client-ca-file")
 		requestheaderClientCA = r.value("requestheader-client-ca-file")
-		tlsCA                 = r.value("tls.crt")
-		tlsKey                = r.value("tls.key")
 	)
 
 	if r.Error() != nil {
 		return nil, fmt.Errorf("value not found in extension api server authentication configmap: %w", r.err)
 	}
 
 	h := fnv.New64()
-	h.Write([]byte(clientCA + requestheaderClientCA + tlsCA + tlsKey))
+	h.Write([]byte(clientCA + requestheaderClientCA))
 	hash := strconv.FormatUint(h.Sum64(), 32)
 
 	return &v1.Secret{
@@ -2057,8 +2052,6 @@ func (f *Factory) MetricsServerSecret(tlsSecret *v1.Secret, apiAuthConfigmap *v1
 		Data: map[string][]byte{
 			"client-ca-file":               []byte(clientCA),
 			"requestheader-client-ca-file": []byte(requestheaderClientCA),
-			"tls.crt":                      []byte(tlsCA),
-			"tls.key":                      []byte(tlsKey),
 		},
 	}, nil
 }

pkg/manifests/manifests_test.go

@@ -2577,7 +2577,7 @@ metricsServer:
 	}
 	metricsClientSecret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "metrics-client-cert",
+			Name:      "metrics-server-client-certs",
 			Namespace: "openshift-monitoring",
 		},
 		Data: map[string][]byte{
@@ -2637,7 +2637,7 @@ metricsServer:
 
 	podAnnotations := d.Spec.Template.Annotations
 	require.Equal(t, "eplue2a9srfkb", podAnnotations["monitoring.openshift.io/kubelet-serving-ca-bundle-hash"])
-	require.Equal(t, "arprfan3mk728", podAnnotations["monitoring.openshift.io/metrics-client-cert-hash"])
+	require.Equal(t, "arprfan3mk728", podAnnotations["monitoring.openshift.io/metrics-server-client-certs-hash"])
 	require.Equal(t, "383c7cmidrae2", podAnnotations["monitoring.openshift.io/serving-ca-secret-hash"])
 }
 

pkg/manifests/tls.go

@@ -66,6 +66,19 @@ func (f *Factory) MetricsClientCerts() (*v1.Secret, error) {
 	return s, nil
 }
 
+func (f *Factory) MetricsServerClientCerts() (*v1.Secret, error) {
+	s, err := f.NewSecret(f.assets.MustNewAssetSlice(ClusterMonitoringMetricsServerClientCertsSecret))
+	if err != nil {
+		return nil, err
+	}
+
+	s.Namespace = f.namespace
+	s.Data = make(map[string][]byte)
+	s.Annotations = make(map[string]string)
+
+	return s, nil
+}
+
 func (f *Factory) FederateClientCerts() (*v1.Secret, error) {
 	s, err := f.NewSecret(f.assets.MustNewAssetSlice(ClusterMonitoringFederateClientCertsSecret))
 	if err != nil {

pkg/operator/operator.go

@@ -62,8 +62,8 @@ type InfrastructureConfig struct {
 
 var (
 	// The cluster-policy-controller will automatically approve the
-	// CertificateSigningRequest resources issued for the prometheus-k8s
-	// service account.
+	// CertificateSigningRequest resources issued for the prometheus and metrics-server
+	// service accounts.
 	// See https://github.com/openshift/cluster-policy-controller/blob/cc787e1b1e177696817b66689a03471914083a67/pkg/cmd/controller/csr.go#L21-L46.
 	csrOption = csr.CSROption{
 		ObjectMeta: metav1.ObjectMeta{
@@ -76,6 +76,17 @@ var (
 		SignerName: certapiv1.KubeAPIServerClientSignerName,
 	}
 
+	csrMetricsServerOption = csr.CSROption{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "system:openshift:openshift-monitoring-",
+			Labels: map[string]string{
+				"metrics.openshift.io/csr.subject": "metrics-server",
+			},
+		},
+		Subject:    &pkix.Name{CommonName: "system:serviceaccount:openshift-monitoring:metrics-server"},
+		SignerName: certapiv1.KubeAPIServerClientSignerName,
+	}
+
 	// To identify "invalid UWM config only" failures
 	ErrUserWorkloadInvalidConfiguration = fmt.Errorf("invalid UWM configuration")
 )
@@ -154,6 +165,7 @@ const (
 	alertmanagerCABundleConfigMap = "openshift-monitoring/alertmanager-trusted-ca-bundle"
 	grpcTLS                       = "openshift-monitoring/grpc-tls"
 	metricsClientCerts            = "openshift-monitoring/metrics-client-certs"
+	metricsServerClientCerts      = "openshift-monitoring/metrics-server-client-certs"
 	federateClientCerts           = "openshift-monitoring/federate-client-certs"
 
 	// Canonical name of the cluster-wide infrastructure resource.
@@ -527,9 +539,35 @@ func New(
 		return nil, fmt.Errorf("failed to create federate certificate controller: %w", err)
 	}
 
-	o.controllersToRunFunc = append(o.controllersToRunFunc, csrFederateController.Run, csrController.Run)
+	csrMetricsServerController, err := csr.NewClientCertificateController(
+		csr.ClientCertOption{
+			SecretNamespace: "openshift-monitoring",
+			SecretName:      "metrics-server-client-certs",
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "Monitoring",
+			},
+		},
+		csrMetricsServerOption,
+		kubeInformersOperatorNS.Certificates().V1().CertificateSigningRequests(),
+		o.client.KubernetesInterface().CertificatesV1().CertificateSigningRequests(),
+		kubeInformersOperatorNS.Core().V1().Secrets(),
+		o.client.KubernetesInterface().CoreV1(),
+		o.client.EventRecorder(),
+		"OpenShiftMonitoringMetricsServerClientCertRequester",
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client certificate controller: %w", err)
+	}
 
-	o.controllersToRunFunc = append(o.controllersToRunFunc, o.ruleController.Run, o.relabelController.Run)
+	o.controllersToRunFunc = append(
+		o.controllersToRunFunc,
+		csrFederateController.Run,
+		csrController.Run,
+		csrMetricsServerController.Run,
+		o.ruleController.Run,
+		o.relabelController.Run,
+	)
 
 	return o, nil
 }
@@ -663,6 +701,7 @@ func (o *Operator) handleEvent(obj interface{}) {
 	case cmoConfigMap:
 	case apiAuthenticationConfigMap:
 	case kubeletServingCAConfigMap:
+	case metricsServerClientCerts:
 	case telemeterCABundleConfigMap:
 	case alertmanagerCABundleConfigMap:
 	case grpcTLS:

pkg/tasks/metricsserver.go

@@ -122,20 +122,20 @@ func (t *MetricsServerTask) Run(ctx context.Context) error {
 			return fmt.Errorf("reconciling MetricsServer Service failed: %w", err)
 		}
 
-		cacm, err := t.factory.PrometheusK8sKubeletServingCABundle(map[string]string{})
+		kubeletServingCA, err := t.factory.PrometheusK8sKubeletServingCABundle(map[string]string{})
 		if err != nil {
 			return fmt.Errorf("initializing kubelet serving CA Bundle ConfigMap failed: %w", err)
 		}
 
-		cacm, err = t.client.WaitForConfigMap(
+		kubeletServingCA, err = t.client.WaitForConfigMap(
 			ctx,
-			cacm,
+			kubeletServingCA,
 		)
 		if err != nil {
 			return err
 		}
 
-		scas, err := t.client.WaitForSecretByNsName(
+		servingCASecret, err := t.client.WaitForSecretByNsName(
 			ctx,
 			types.NamespacedName{
 				Namespace: s.Namespace,
@@ -146,17 +146,17 @@ func (t *MetricsServerTask) Run(ctx context.Context) error {
 			return err
 		}
 
-		mcs, err := t.factory.MetricsClientCerts()
+		metricsServerClientCerts, err := t.factory.MetricsServerClientCerts()
 		if err != nil {
 			return fmt.Errorf("initializing metrics-client-cert failed: %w", err)
 		}
 
-		mcs, err = t.client.WaitForSecret(
+		metricsServerClientCerts, err = t.client.WaitForSecret(
 			ctx,
-			mcs,
+			metricsServerClientCerts,
 		)
 		if err != nil {
-			return err
+			return fmt.Errorf("waiting for metrics-server-client-certs secret failed: %w", err)
 		}
 
 		{
@@ -171,19 +171,14 @@ func (t *MetricsServerTask) Run(ctx context.Context) error {
 			}
 		}
 
-		tlsSecret, err := t.client.WaitForSecretByNsName(ctx, types.NamespacedName{Namespace: t.namespace, Name: "metrics-server-tls"})
-		if err != nil {
-			return fmt.Errorf("failed to wait for metrics-server-tls secret: %w", err)
-		}
-
 		apiAuthConfigmap, err := t.client.WaitForConfigMapByNsName(ctx, types.NamespacedName{Namespace: "kube-system", Name: "extension-apiserver-authentication"})
 		if err != nil {
 			return fmt.Errorf("failed to wait for kube-system/extension-apiserver-authentication configmap: %w", err)
 		}
 
-		secret, err := t.factory.MetricsServerSecret(tlsSecret, apiAuthConfigmap)
+		secret, err := t.factory.MetricsServerClientCASecret(apiAuthConfigmap)
 		if err != nil {
-			return fmt.Errorf("failed to create metrics-server secret: %w", err)
+			return fmt.Errorf("failed to create metrics-server client-ca secret: %w", err)
 		}
 
 		err = t.deleteOldMetricsServerSecrets(secret.Labels["monitoring.openshift.io/hash"])
@@ -193,10 +188,10 @@ func (t *MetricsServerTask) Run(ctx context.Context) error {
 
 		err = t.client.CreateOrUpdateSecret(ctx, secret)
 		if err != nil {
-			return fmt.Errorf("reconciling MetricsServer Secret failed: %w", err)
+			return fmt.Errorf("reconciling metrics-server client-ca secret failed: %w", err)
 		}
 
-		dep, err := t.factory.MetricsServerDeployment(secret.Name, cacm, scas, mcs, apiAuthConfigmap.Data)
+		dep, err := t.factory.MetricsServerDeployment(secret.Name, kubeletServingCA, servingCASecret, metricsServerClientCerts, apiAuthConfigmap.Data)
 		if err != nil {
 			return fmt.Errorf("initializing MetricsServer Deployment failed: %w", err)
 		}