LOG-8977: Secure the metrics endpoint to restrict scraping to autorized client

[jcantrill]

Description

This PR:

• Enhances to the CLO to restrict scraping of metrics to users with a valid token and certs
• Adds an operator e2e test for validating operator scraping with metrics and certs
• Adds a test helper class to execute 'oc run' commands
• Fixes 'oc get' helper to provide stderr when the command errors
• blocks LOG-8972: Enhance cluster-logging-operator to react to cluster TLS Profile updates #3228

Links

• https://redhat.atlassian.net/browse/LOG-8977

cc @kabirbhartiRH @anpingli

[openshift-ci-robot]

@jcantrill: This pull request references LOG-8977 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set.

Details

In response to this:

Description

This PR:

• Enhances to the CLO to restrict scraping of metrics to users with a valid token and certs
• Adds an operator e2e test for validating operator scraping with metrics and certs
• Adds a test helper class to execute 'oc run' commands
• Fixes 'oc get' helper to provide stderr when the command errors

Links

• https://redhat.atlassian.net/browse/LOG-8977

cc @kabirbhartiRH @anpingli

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcantrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@jcantrill: This pull request references LOG-8977 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set.

Details

In response to this:

Description

This PR:

• Enhances to the CLO to restrict scraping of metrics to users with a valid token and certs
• Adds an operator e2e test for validating operator scraping with metrics and certs
• Adds a test helper class to execute 'oc run' commands
• Fixes 'oc get' helper to provide stderr when the command errors
• blocks LOG-8972: Enhance cluster-logging-operator to react to cluster TLS Profile updates #3228

Links

• https://redhat.atlassian.net/browse/LOG-8977

cc @kabirbhartiRH @anpingli

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jcantrill]

/hold

[anpingli]

LGTM

1. Monitoring can scrape metrics using the Prometheus account token.
2. Access to the cluster-logging-operator-metrics:8686 service is restricted via TLS. A valid bearer token is required for authentication
3. tls-scanner passed.
   The configured tlsprofile is updated following the API server update.
   API Configured MinVersion is updated following the API server update.
   Ingress Configured MinVersion is VersionTLS12 when use old profile(>VersionTLS10).

Note: once tls-profile is updated. the cluster may take more than 30 minutes to Green status.

[jcantrill]

/tide merge-method squash

[jcantrill]

/label tide/merge-method-squash

[Clee2691]

/lgtm

[Clee2691]

I think this should actually continue to be a generic metrics-auth. The LFME PR #3247 will also need to use this ClusterRole.

[jcantrill]

This is likely true but the change was made here because the operator-sdk, when building the bundle has some logic where when it does not see 'cluster-logging-operator-metrics-auth' for this role, it creates separate bundle manifest files for the clusterrole and clusterrolebinding instead of adding them into the CSV and identifying the permissions the operator requires.

This is a side-affect of our config files which are a kustomize manifest and when you follow the normal artifact generation, you would normally set the 'namePrefix' field which applies to all created resources. We have variances and may be able to resolve them otherwise but this change is not that.

[Clee2691]

I can reconcile a clusterrolebinding with this clusterrole for the LFME

[jcantrill]

/retest

[jcantrill]

/hold cancel

[jcantrill]

/retest

[vparfonov]

/test e2e-target

[vparfonov]

/retest

[jcantrill]

/test functional-target

[jcantrill]

/override ci/prow/functional-target

[openshift-ci]

@jcantrill: Overrode contexts on behalf of jcantrill: ci/prow/functional-target

Details

In response to this:

/override ci/prow/functional-target

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Clee2691]

/lgtm

[jcantrill]

/retest

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e47fca0 and 2 for PR HEAD 964fe35 in total

[vparfonov]

/test functional-target

[jcantrill]

/test functional-target

[openshift-ci]

@jcantrill: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.