From 243d64052295a64a73c2f43854f62b4cbf5a4aa4 Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Sat, 7 Oct 2023 11:16:16 +0200
Subject: [PATCH 1/2] declaratively configure SA Token Secret for prometheus Pod
---
 .../kube-prometheus/components/prometheus.libsonnet | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/jsonnet/kube-prometheus/components/prometheus.libsonnet b/jsonnet/kube-prometheus/components/prometheus.libsonnet
index 5532f532c1..f13aa7fce8 100644
--- a/jsonnet/kube-prometheus/components/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet
@@ -164,6 +164,18 @@ function(params) {
 automountServiceAccountToken: true,
 },
+ serviceAccountToken: {
+ apiVersion: 'v1',
+ kind: 'Secret',
+ metadata: p._metadata {
+ name: p._metadata.name + '-token',
+ annotations: {
+ 'kubernetes.io/service-account.name': p.serviceAccount.metadata.name,
+ },
+ },
+ type: 'kubernetes.io/service-account-token',
+ },
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
From dbfa22eccb72d3467e1309403d1a84ddf4fdd6fd Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Sat, 7 Oct 2023 11:16:28 +0200
Subject: [PATCH 2/2] generate manifests
---
 kustomization.yaml | 1 +
 manifests/prometheus-serviceAccountToken.yaml | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 manifests/prometheus-serviceAccountToken.yaml
diff --git a/kustomization.yaml b/kustomization.yaml
index e0d8039ed7..b73e1675b4 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -62,6 +62,7 @@ resources:
 - ./manifests/prometheus-roleSpecificNamespaces.yaml
 - ./manifests/prometheus-service.yaml
 - ./manifests/prometheus-serviceAccount.yaml
+- ./manifests/prometheus-serviceAccountToken.yaml
 - ./manifests/prometheus-serviceMonitor.yaml
 - ./manifests/prometheusAdapter-apiService.yaml
 - ./manifests/prometheusAdapter-clusterRole.yaml
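Review bot: The `serviceAccountToken` object added after the ServiceAccount in prometheus.libsonnet creates a `kubernetes.io/service-account-token` Secret, which is a non-expiring credential for the Prometheus ServiceAccount, and nothing in the hunk says who consumes it or lets a user turn it off. The context line `automountServiceAccountToken: true` suggests the pod already has a token mounted (presumably the short-lived projected one on current clusters), so the Secret mainly widens exposure: anyone able to read Secrets in that namespace can act with the ServiceAccount's RBAC until the Secret is deleted. I would add a comment above the field such as `// Long-lived ServiceAccount token: does not expire or rotate. Only needed when a consumer cannot use the projected token.` and consider rendering it only behind an opt-in parameter. Separately, `annotations: {` replaces rather than merges; if `p._metadata` (defined outside this hunk) ever carries annotations, `annotations+: {` would keep them. The enclosing `function(params)` body starts and ends outside the hunk.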
diff --git a/manifests/prometheus-serviceAccountToken.yaml b/manifests/prometheus-serviceAccountToken.yaml
new file mode 100644
index 0000000000..e79e42fd21
--- /dev/null
+++ b/manifests/prometheus-serviceAccountToken.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: prometheus-k8s
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 2.47.0
+ name: prometheus-k8s-token
+ namespace: monitoring
+type: kubernetes.io/service-account-token