Merge pull request #45 from Gregory-Pereira/ocp-use-authorization-credentials-for-metrics

anishasthana · web-flow · commit 71ddcbad4d06 · 2026-03-27T17:26:48.000-04:00
use authorization.credentials instead of bearerToekn
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -41,21 +41,6 @@ patches:
   target:
     kind: Deployment
 
-
-replacements:
-- source:
-    kind: Deployment
-    name: controller-manager
-    fieldPath: metadata.namespace
-  targets:
-  - select:
-      kind: ServiceMonitor
-      group: monitoring.coreos.com
-      version: v1
-      name: controller-manager-metrics-monitor
-    fieldPaths:
-    - spec.namespaceSelector.matchNames.0
-
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.
 # This patch will protect the metrics with certManager self-signed certs.
diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
 - ../default
 - cluster-monitoring-view-binding.yaml
+- metrics-reader-token.yaml
+- prometheus-metrics-auth-binding.yaml
 
 patches:
 - path: configmap-patch.yaml
@@ -22,5 +24,9 @@ patches:
   target:
     kind: Deployment
     name: controller-manager
+- path: monitor-auth-patch.yaml
+  target:
+    kind: ServiceMonitor
+    name: controller-manager-metrics-monitor
 
 namespace: workload-variant-autoscaler-system
diff --git a/config/openshift/metrics-reader-token.yaml b/config/openshift/metrics-reader-token.yaml
@@ -0,0 +1,11 @@
+# Long-lived SA token for Prometheus to authenticate to the WVA metrics endpoint.
+# Required on OpenShift because user-workload-monitoring Prometheus rejects
+# bearerTokenFile for security. The ServiceMonitor is patched (via
+# monitor-auth-patch.yaml) to reference this Secret instead.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: workload-variant-autoscaler-metrics-reader-token
+  annotations:
+    kubernetes.io/service-account.name: workload-variant-autoscaler-controller-manager
+type: kubernetes.io/service-account-token
diff --git a/config/openshift/monitor-auth-patch.yaml b/config/openshift/monitor-auth-patch.yaml
@@ -0,0 +1,20 @@
+# Replace bearerTokenFile with authorization.credentials for OpenShift
+# user-workload-monitoring compatibility. The user-workload Prometheus Operator
+# rejects bearerTokenFile ("it accesses file system via bearer token file which
+# Prometheus specification prohibits").
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: controller-manager-metrics-monitor
+spec:
+  endpoints:
+  - port: https
+    path: /metrics
+    interval: 10s
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+    authorization:
+      credentials:
+        name: workload-variant-autoscaler-metrics-reader-token
+        key: token
diff --git a/config/openshift/prometheus-metrics-auth-binding.yaml b/config/openshift/prometheus-metrics-auth-binding.yaml
@@ -0,0 +1,14 @@
+# Grant the OpenShift user-workload-monitoring Prometheus SA permission to
+# authenticate to the WVA metrics endpoint (tokenreviews + subjectaccessreviews).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: workload-variant-autoscaler-ocp-prometheus-metrics-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: workload-variant-autoscaler-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: openshift-user-workload-monitoring
