telemeter: start telemeter deprecation by removing all objects

In openshift-4.21 we can then remove the related artifacts and code from
the repo.

Signed-off-by: Jan Fajerski <[email protected]>

Author: jan--f

manifests/image-references

@@ -46,10 +46,6 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/openshift/origin-kube-rbac-proxy:latest
-  - name: telemeter
-    from:
-      kind: DockerImage
-      name: quay.io/openshift/origin-telemeter:latest
   - name: prom-label-proxy
     from:
       kind: DockerImage

pkg/operator/operator.go

@@ -161,7 +161,6 @@ const (
 	// see https://github.com/kubernetes/apiserver/blob/b571c70e6e823fd78910c3f5b9be895a756f4cbb/pkg/server/options/authentication.go#L239
 	apiAuthenticationConfigMap    = "kube-system/extension-apiserver-authentication"
 	kubeletServingCAConfigMap     = "openshift-config-managed/kubelet-serving-ca"
-	telemeterCABundleConfigMap    = "openshift-monitoring/telemeter-trusted-ca-bundle"
 	alertmanagerCABundleConfigMap = "openshift-monitoring/alertmanager-trusted-ca-bundle"
 	grpcTLS                       = "openshift-monitoring/grpc-tls"
 	metricsClientCerts            = "openshift-monitoring/metrics-client-certs"
@@ -480,30 +479,6 @@ func New(
 		return nil, fmt.Errorf("failed to create client certificate controller: %w", err)
 	}
 
-	// csrFederateController runs a controller that requests a client TLS
-	// certificate for the telemeter client. This certificate is used to
-	// authenticate against the Prometheus /federate API endpoint.
-	csrFederateController, err := csr.NewClientCertificateController(
-		csr.ClientCertOption{
-			SecretNamespace: "openshift-monitoring",
-			SecretName:      "federate-client-certs",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "Monitoring",
-			},
-		},
-		csrOption,
-		kubeInformersOperatorNS.Certificates().V1().CertificateSigningRequests(),
-		o.client.KubernetesInterface().CertificatesV1().CertificateSigningRequests(),
-		kubeInformersOperatorNS.Core().V1().Secrets(),
-		o.client.KubernetesInterface().CoreV1(),
-		o.client.EventRecorder(),
-		"OpenShiftMonitoringTelemeterClientCertRequester",
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create federate certificate controller: %w", err)
-	}
-
 	csrMetricsServerController, err := csr.NewClientCertificateController(
 		csr.ClientCertOption{
 			SecretNamespace: "openshift-monitoring",
@@ -527,7 +502,6 @@ func New(
 
 	o.controllersToRunFunc = append(
 		o.controllersToRunFunc,
-		csrFederateController.Run,
 		csrController.Run,
 		csrMetricsServerController.Run,
 		o.ruleController.Run,
@@ -664,7 +638,6 @@ func (o *Operator) handleEvent(obj interface{}) {
 	case apiAuthenticationConfigMap:
 	case kubeletServingCAConfigMap:
 	case metricsServerClientCerts:
-	case telemeterCABundleConfigMap:
 	case alertmanagerCABundleConfigMap:
 	case grpcTLS:
 	case metricsClientCerts:

pkg/tasks/telemeter.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"fmt"
 
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/cluster-monitoring-operator/pkg/client"
@@ -40,163 +39,8 @@ func NewTelemeterClientTask(client *client.Client, factory *manifests.Factory, c
 }
 
 func (t *TelemeterClientTask) Run(ctx context.Context) error {
-	if t.config.ClusterMonitoringConfiguration.TelemeterClientConfig.IsEnabled() && !t.config.RemoteWrite {
-		return t.create(ctx)
-	}
-
-	var reason string
-	switch {
-	case !t.config.ClusterMonitoringConfiguration.TelemeterClientConfig.IsEnabled():
-		reason = "telemetry is explicitly disabled"
-	case t.config.ClusterMonitoringConfiguration.TelemeterClientConfig.IsEnabled() && t.config.RemoteWrite:
-		reason = "remote-write is enabled instead"
-	}
-
-	if reason != "" {
-		klog.V(3).Infof("Telemeter client is disabled (because %s), existing related resources are to be destroyed.", reason)
-		return t.destroy(ctx)
-	}
-
-	return nil
-}
-
-func (t *TelemeterClientTask) create(ctx context.Context) error {
-	cacm, err := t.factory.TelemeterClientServingCertsCABundle()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter Client serving certs CA Bundle ConfigMap failed: %w", err)
-	}
-
-	_, err = t.client.CreateIfNotExistConfigMap(ctx, cacm)
-	if err != nil {
-		return fmt.Errorf("creating Telemeter Client serving certs CA Bundle ConfigMap failed: %w", err)
-	}
-
-	sa, err := t.factory.TelemeterClientServiceAccount()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client Service failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateServiceAccount(ctx, sa)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client ServiceAccount failed: %w", err)
-	}
-
-	cr, err := t.factory.TelemeterClientClusterRole()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client ClusterRole failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateClusterRole(ctx, cr)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client ClusterRole failed: %w", err)
-	}
-
-	crb, err := t.factory.TelemeterClientClusterRoleBinding()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client ClusterRoleBinding failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateClusterRoleBinding(ctx, crb)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client ClusterRoleBinding failed: %w", err)
-	}
-
-	crb, err = t.factory.TelemeterClientClusterRoleBindingView()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client cluster monitoring view ClusterRoleBinding failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateClusterRoleBinding(ctx, crb)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client cluster monitoring view ClusterRoleBinding failed: %w", err)
-	}
-
-	svc, err := t.factory.TelemeterClientService()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client Service failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateService(ctx, svc)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client Service failed: %w", err)
-	}
-
-	s, err := t.factory.TelemeterClientSecret()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client Secret failed: %w", err)
-	}
-
-	oldS, err := t.client.GetSecret(ctx, s.Namespace, s.Name)
-	if err != nil && !apierrors.IsNotFound(err) {
-		return fmt.Errorf("getting Telemeter Client Secret failed: %w", err)
-	}
-	if oldS != nil && string(oldS.Data["token"]) == t.config.ClusterMonitoringConfiguration.TelemeterClientConfig.Token {
-		s.Data = oldS.Data
-	}
-
-	err = t.client.CreateOrUpdateSecret(ctx, s)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client Secret failed: %w", err)
-	}
-
-	krs, err := t.factory.TelemeterClientKubeRbacProxySecret()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client kube rbac proxy secret failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateSecret(ctx, krs)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client kube rbac proxy secret failed: %w", err)
-	}
-
-	{
-		// Create trusted CA bundle ConfigMap.
-		trustedCA, err := t.factory.TelemeterTrustedCABundle()
-		if err != nil {
-			return fmt.Errorf("initializing Telemeter client trusted CA bundle ConfigMap failed: %w", err)
-		}
-
-		cbs := &caBundleSyncer{
-			client:  t.client,
-			factory: t.factory,
-			prefix:  "telemeter",
-		}
-		trustedCA, err = cbs.syncTrustedCABundle(ctx, trustedCA)
-		if err != nil {
-			return fmt.Errorf("syncing Telemeter client CA bundle ConfigMap failed: %w", err)
-		}
-
-		dep, err := t.factory.TelemeterClientDeployment(trustedCA, s)
-		if err != nil {
-			return fmt.Errorf("initializing Telemeter client Deployment failed: %w", err)
-		}
-
-		err = t.client.CreateOrUpdateDeployment(ctx, dep)
-		if err != nil {
-			return fmt.Errorf("reconciling Telemeter client Deployment failed: %w", err)
-		}
-	}
-
-	rule, err := t.factory.TelemeterClientPrometheusRule()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client Prometheus Rule failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdatePrometheusRule(ctx, rule)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client Prometheus Rule failed: %w", err)
-	}
-
-	sm, err := t.factory.TelemeterClientServiceMonitor()
-	if err != nil {
-		return fmt.Errorf("initializing Telemeter client ServiceMonitor failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateServiceMonitor(ctx, sm)
-	if err != nil {
-		return fmt.Errorf("reconciling Telemeter client ServiceMonitor failed: %w", err)
-	}
-	return nil
+	klog.V(3).Infof("Telemeter client is deprecated and no longer used, existing related resources are to be destroyed.")
+	return t.destroy(ctx)
 }
 
 func (t *TelemeterClientTask) destroy(ctx context.Context) error {

test/e2e/config_test.go

@@ -427,83 +427,6 @@ func TestClusterMonitorOSMConfig(t *testing.T) {
 	}
 }
 
-func TestClusterMonitorTelemeterClientConfig(t *testing.T) {
-	const (
-		deploymentName = "telemeter-client"
-	)
-
-	data := `telemeterClient:
-  tolerations:
-    - operator: "Exists"
-`
-	f.MustCreateOrUpdateConfigMap(t, f.BuildCMOConfigMap(t, data))
-
-	for _, tc := range []scenario{
-		{
-			name:      "test the telemeter-client deployment is rolled out",
-			assertion: f.AssertDeploymentExistsAndRollout(deploymentName, f.Ns),
-		},
-		{
-			name: "assert pod configuration is as expected",
-			assertion: f.AssertPodConfiguration(
-				f.Ns,
-				"app.kubernetes.io/name=telemeter-client",
-				[]framework.PodAssertion{
-					expectCatchAllToleration(),
-				},
-			),
-		},
-	} {
-		if ok := t.Run(tc.name, tc.assertion); !ok {
-			t.Fatalf("scenario %q failed", tc.name)
-		}
-	}
-}
-
-func TestTelemeterClientSecret(t *testing.T) {
-	for _, tc := range []struct {
-		name         string
-		oldC         string
-		newC         string
-		tokenChanged bool
-	}{
-		{
-			name: "Existing Secret",
-			oldC: `telemeterClient:
-  token: mySecretToken
-`,
-			newC: `telemeterClient:
-  token: mySecretToken
-`,
-			tokenChanged: false,
-		},
-		{
-			name: "Existing Secret, new token",
-			oldC: `telemeterClient:
-  token: mySecretToken
-`,
-			newC: `telemeterClient:
-  token: myNewSecretToken
-`,
-			tokenChanged: true,
-		},
-	} {
-
-		t.Run(tc.name, func(t *testing.T) {
-			f.MustCreateOrUpdateConfigMap(t, f.BuildCMOConfigMap(t, tc.oldC))
-			oldS := f.MustGetSecret(t, "telemeter-client", f.Ns)
-			f.MustCreateOrUpdateConfigMap(t, f.BuildCMOConfigMap(t, tc.newC))
-			if tc.tokenChanged {
-				f.AssertValueInSecretNotEquals(oldS.GetName(), oldS.GetNamespace(), "token", string(oldS.Data["token"]))
-				f.AssertValueInSecretNotEquals(oldS.GetName(), oldS.GetNamespace(), "salt", string(oldS.Data["salt"]))
-				return
-			}
-			f.AssertValueInSecretEquals(oldS.GetName(), oldS.GetNamespace(), "token", string(oldS.Data["token"]))
-			f.AssertValueInSecretEquals(oldS.GetName(), oldS.GetNamespace(), "salt", string(oldS.Data["salt"]))
-		})
-	}
-}
-
 func TestClusterMonitorThanosQuerierConfig(t *testing.T) {
 	const (
 		deploymentName = "thanos-querier"

test/e2e/main_test.go

@@ -165,7 +165,6 @@ func testTargetsUp(t *testing.T) {
 		"alertmanager-main",
 		"cluster-monitoring-operator",
 		"openshift-state-metrics",
-		"telemeter-client",
 		"thanos-querier",
 	}
 

test/e2e/prometheus_test.go

@@ -39,7 +39,7 @@ func TestPrometheusMetrics(t *testing.T) {
 		"alertmanager-main":             2,
 		"kube-state-metrics":            2, // one for the kube metrics + one for the metrics of the process itself.
 		"openshift-state-metrics":       2, // ditto.
-		"telemeter-client":              1,
+		"telemeter-client":              0,
 	}
 
 	for service, metric := range expected {