diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md index 08c2a5a1c8f8..b4aca5f3c444 100644 --- a/operator/CHANGELOG.md +++ b/operator/CHANGELOG.md @@ -1,5 +1,6 @@ ## Main +- [12164](https://github.com/grafana/loki/pull/12164) **periklis**: Use safe bearer token authentication to scrape operator metrics - [12216](https://github.com/grafana/loki/pull/12216) **xperimental**: Fix duplicate operator metrics due to ServiceMonitor selector - [12212](https://github.com/grafana/loki/pull/12212) **xperimental**: Keep credentialMode in status when updating schemas - [12165](https://github.com/grafana/loki/pull/12165) **JoaoBraveCoding**: Change attribute value used for CCO-based credential mode diff --git a/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml new file mode 100644 index 000000000000..9c9303fdc710 --- /dev/null +++ b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-v0.5.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: loki-operator + app.kubernetes.io/version: 0.5.0 + name: loki-operator-controller-manager-metrics-reader diff --git a/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml new file mode 100644 index 000000000000..9cae4a32e437 --- /dev/null +++ b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml 
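Review bot: The new `loki-operator-controller-manager-metrics-reader` ServiceAccount exists only so that its token Secret can be handed to the Prometheus scrape config; no pod is meant to run as it, so its source manifest should set `automountServiceAccountToken: false` as a top-level field, which keeps a pod in the operator namespace from mounting a cluster-wide metrics-reader token by accident. This file looks generated (`creationTimestamp: null`, managed by OLM), so the change belongs in `operator/config/rbac/auth_proxy_client_serviceaccount.yaml`, from which this copy and the ones in the community and openshift bundles presumably derive. A comment there, `# Token-only identity for Prometheus metrics scraping; never assigned to a pod`, would record why the account has no workload.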
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: loki-operator-controller-manager-metrics-reader + labels: + app.kubernetes.io/instance: loki-operator-v0.5.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: loki-operator + app.kubernetes.io/version: 0.5.0 + name: loki-operator-controller-manager-metrics-token +type: kubernetes.io/service-account-token diff --git a/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml new file mode 100644 index 000000000000..b966e0657909 --- /dev/null +++ b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-v0.5.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: loki-operator + app.kubernetes.io/version: 0.5.0 + name: loki-operator-controller-manager-read-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: loki-operator-metrics-reader +subjects: +- kind: ServiceAccount + name: loki-operator-controller-manager-metrics-reader + namespace: kubernetes-operators diff --git a/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml index 3f698d26b476..eeebada3645f 100644 
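Review bot: The `kubernetes.io/service-account-token` Secret is a static, non-expiring credential, unlike the projected pod token the old `bearerTokenFile` read, which is time-bound and rotated by the kubelet. That is the cost of the Prometheus Operator's `authorization.credentials` selector, and the only binding this commit gives the identity is the `loki-operator-metrics-reader` ClusterRole, which is what keeps the exposure small: anyone who can read Secrets in the operator namespace obtains that role's access and nothing more. The same manifest appears in the openshift bundle; since both look generated, the explanation belongs as a comment in `operator/config/overlays/openshift/manager_metrics_secret_token.yaml`, e.g. `# Long-lived token consumed by the metrics ServiceMonitor; keep the bound SA limited to the metrics-reader ClusterRole`.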
--- a/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml +++ b/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml @@ -11,14 +11,21 @@ metadata: name: loki-operator-metrics-monitor spec: endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + - authorization: + credentials: + key: token + name: loki-operator-controller-manager-metrics-token + type: bearer interval: 30s path: /metrics scheme: https scrapeTimeout: 10s targetPort: 8443 tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + ca: + secret: + key: service-ca.crt + name: loki-operator-controller-manager-metrics-token serverName: loki-operator-controller-manager-metrics-service.kubernetes-operators.svc selector: matchLabels: diff --git a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml index 282c59b85c8d..b4e86a8a4742 100644 --- a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml +++ b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml @@ -1678,7 +1678,7 @@ spec: - subjectaccessreviews verbs: - create - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager deployments: - label: app.kubernetes.io/instance: loki-operator-v0.5.0 @@ -1779,6 +1779,7 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + serviceAccountName: loki-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: - configMap: @@ -1812,7 +1813,7 @@ spec: verbs: - create - patch - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager strategy: deployment installModes: - supported: false 
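Review bot: `tlsConfig.ca.secret.key: service-ca.crt` relies on a key that a `kubernetes.io/service-account-token` Secret does not carry by itself (the token controller populates `token`, `ca.crt` and `namespace`); it is present because OpenShift's service CA injects `service-ca.crt` into service-account token Secrets, so this line cannot be copied into a non-OpenShift overlay. Both new Secret references are also resolved by the Prometheus Operator in the ServiceMonitor's namespace when it renders the scrape config, so if that operator lacks `get` on Secrets there the ServiceMonitor is rejected and the metrics simply stop appearing; `prometheus_role.yaml` is listed in `config/rbac/kustomization.yaml` but its rules are outside this diff. The same hunk appears in the openshift bundle ServiceMonitor and in both `prometheus_service_monitor_patch.yaml` overlays; a comment in the overlay patches, `# service-ca.crt is injected into SA token Secrets by the OpenShift service CA; not present on vanilla Kubernetes`, would record the dependency.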
diff --git a/operator/bundle/community/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml b/operator/bundle/community/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml new file mode 100644 index 000000000000..9c9303fdc710 --- /dev/null +++ b/operator/bundle/community/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-v0.5.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: loki-operator + app.kubernetes.io/version: 0.5.0 + name: loki-operator-controller-manager-metrics-reader diff --git a/operator/bundle/community/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/operator/bundle/community/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml new file mode 100644 index 000000000000..5566aa328069 --- /dev/null +++ b/operator/bundle/community/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-v0.5.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: loki-operator + app.kubernetes.io/version: 0.5.0 + name: loki-operator-controller-manager-read-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: loki-operator-metrics-reader +subjects: +- kind: ServiceAccount + name: loki-operator-controller-manager-metrics-reader + namespace: loki-operator 
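Review bot: In the community bundle the new `loki-operator-controller-manager-read-metrics` ClusterRoleBinding and the `metrics-reader` ServiceAccount have no visible consumer: unlike the two OpenShift bundles, this bundle receives neither the token Secret nor a ServiceMonitor change in this commit, so a cluster-scoped role is bound to an identity nothing uses. If the community overlay has no scrape that needs a bearer token, it should exclude these two resources rather than ship unused RBAC; if something outside this diff does consume them, a comment in `operator/config/rbac/auth_proxy_client_serviceaccount.yaml` naming that consumer would make it clear.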
diff --git a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml index 70e8484817b1..b2797ebaf8a6 100644 --- a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml +++ b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml @@ -1658,7 +1658,7 @@ spec: - subjectaccessreviews verbs: - create - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager deployments: - label: app.kubernetes.io/instance: loki-operator-v0.5.0 @@ -1748,6 +1748,7 @@ spec: kubernetes.io/os: linux securityContext: runAsNonRoot: true + serviceAccountName: loki-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: - name: webhook-cert @@ -1780,7 +1781,7 @@ spec: verbs: - create - patch - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager strategy: deployment installModes: - supported: false diff --git a/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml b/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml new file mode 100644 index 000000000000..7a2ab31a78a4 --- /dev/null +++ b/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-reader_v1_serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-0.1.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: cluster-logging + app.kubernetes.io/version: 0.1.0 + name: loki-operator-controller-manager-metrics-reader 
diff --git a/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml b/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml new file mode 100644 index 000000000000..8abb584b4ea2 --- /dev/null +++ b/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: loki-operator-controller-manager-metrics-reader + labels: + app.kubernetes.io/instance: loki-operator-0.1.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: cluster-logging + app.kubernetes.io/version: 0.1.0 + name: loki-operator-controller-manager-metrics-token +type: kubernetes.io/service-account-token diff --git a/operator/bundle/openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/operator/bundle/openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml new file mode 100644 index 000000000000..040591c9f7bb --- /dev/null +++ b/operator/bundle/openshift/manifests/loki-operator-controller-manager-read-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: loki-operator-0.1.0 + app.kubernetes.io/managed-by: operator-lifecycle-manager + app.kubernetes.io/name: loki-operator + app.kubernetes.io/part-of: cluster-logging + app.kubernetes.io/version: 0.1.0 + name: loki-operator-controller-manager-read-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: loki-operator-metrics-reader +subjects: +- kind: ServiceAccount + name: loki-operator-controller-manager-metrics-reader + namespace: openshift-operators-redhat diff --git a/operator/bundle/openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/operator/bundle/openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml index 7c62cf058519..bdb0ee3344d2 100644 --- a/operator/bundle/openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml +++ b/operator/bundle/openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml @@ -11,14 +11,21 @@ metadata: name: loki-operator-metrics-monitor spec: endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + - authorization: + credentials: + key: token + name: loki-operator-controller-manager-metrics-token + type: bearer interval: 30s path: /metrics scheme: https scrapeTimeout: 10s targetPort: 8443 tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + ca: + secret: + key: service-ca.crt + name: loki-operator-controller-manager-metrics-token serverName: loki-operator-controller-manager-metrics-service.openshift-operators-redhat.svc selector: matchLabels: 
diff --git a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml index ee2dcb513fe3..aa3871373e30 100644 --- a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml +++ b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml @@ -1663,7 +1663,7 @@ spec: - subjectaccessreviews verbs: - create - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager deployments: - label: app.kubernetes.io/instance: loki-operator-0.1.0 @@ -1764,6 +1764,7 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + serviceAccountName: loki-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: - configMap: @@ -1797,7 +1798,7 @@ spec: verbs: - create - patch - serviceAccountName: default + serviceAccountName: loki-operator-controller-manager strategy: deployment installModes: - supported: false diff --git a/operator/config/manager/manager.yaml b/operator/config/manager/manager.yaml index 3b617b00b1c4..fe6a940c3885 100644 --- a/operator/config/manager/manager.yaml +++ b/operator/config/manager/manager.yaml @@ -39,4 +39,5 @@ spec: periodSeconds: 10 nodeSelector: kubernetes.io/os: linux + serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/operator/config/overlays/community-openshift/prometheus_service_monitor_patch.yaml b/operator/config/overlays/community-openshift/prometheus_service_monitor_patch.yaml index 82f75710f84f..7ece571465a0 100644 --- a/operator/config/overlays/community-openshift/prometheus_service_monitor_patch.yaml +++ b/operator/config/overlays/community-openshift/prometheus_service_monitor_patch.yaml 
@@ -6,12 +6,19 @@ metadata: name: metrics-monitor spec: endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - path: /metrics + - path: /metrics targetPort: 8443 scheme: https interval: 30s scrapeTimeout: 10s + authorization: + type: bearer + credentials: + key: token + name: loki-operator-controller-manager-metrics-token tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + ca: + secret: + key: service-ca.crt + name: loki-operator-controller-manager-metrics-token serverName: loki-operator-controller-manager-metrics-service.kubernetes-operators.svc diff --git a/operator/config/overlays/openshift/kustomization.yaml b/operator/config/overlays/openshift/kustomization.yaml index 9a74cbddba34..cdd65f1cbeaf 100644 --- a/operator/config/overlays/openshift/kustomization.yaml +++ b/operator/config/overlays/openshift/kustomization.yaml @@ -4,6 +4,7 @@ resources: - ../../manager - ../../webhook - ../../prometheus +- manager_metrics_secret_token.yaml # Adds namespace to all resources. namespace: openshift-operators-redhat diff --git a/operator/config/overlays/openshift/manager_metrics_secret_token.yaml b/operator/config/overlays/openshift/manager_metrics_secret_token.yaml new file mode 100644 index 000000000000..b4847d3a3e48 --- /dev/null +++ b/operator/config/overlays/openshift/manager_metrics_secret_token.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: controller-manager-metrics-token + annotations: + kubernetes.io/service-account.name: loki-operator-controller-manager-metrics-reader +type: kubernetes.io/service-account-token diff --git a/operator/config/overlays/openshift/prometheus_service_monitor_patch.yaml b/operator/config/overlays/openshift/prometheus_service_monitor_patch.yaml index 35c522749b6d..35d6b0362cd7 100644 --- a/operator/config/overlays/openshift/prometheus_service_monitor_patch.yaml +++ b/operator/config/overlays/openshift/prometheus_service_monitor_patch.yaml 
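Review bot: The `kubernetes.io/service-account.name` annotation hard-codes the fully prefixed name `loki-operator-controller-manager-metrics-reader`, while the ServiceAccount is declared as `controller-manager-metrics-reader` and receives its prefix from the overlay, as does this Secret's own `controller-manager-metrics-token` name. If the prefix changes, or an overlay with a different prefix reuses this file, the token controller finds no matching ServiceAccount, never populates `token`, and the scrape fails with no error at the manifest level. Unless kustomize name-reference rewriting is relied on for this annotation (I cannot tell from here), a comment on the annotation line, `# must match the prefixed name of auth_proxy_client_serviceaccount.yaml`, is the minimum; the `name: loki-operator-controller-manager-metrics-token` references in both ServiceMonitor patches carry the same coupling.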
@@ -6,12 +6,19 @@ metadata: name: metrics-monitor spec: endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - path: /metrics + - path: /metrics targetPort: 8443 scheme: https interval: 30s scrapeTimeout: 10s + authorization: + type: bearer + credentials: + key: token + name: loki-operator-controller-manager-metrics-token tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + ca: + secret: + key: service-ca.crt + name: loki-operator-controller-manager-metrics-token serverName: loki-operator-controller-manager-metrics-service.openshift-operators-redhat.svc diff --git a/operator/config/rbac/auth_proxy_client_clusterrolebinding.yaml b/operator/config/rbac/auth_proxy_client_clusterrolebinding.yaml new file mode 100644 index 000000000000..7228087e23ed --- /dev/null +++ b/operator/config/rbac/auth_proxy_client_clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: controller-manager-read-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-reader +subjects: +- kind: ServiceAccount + name: controller-manager-metrics-reader + namespace: system diff --git a/operator/config/rbac/auth_proxy_client_serviceaccount.yaml b/operator/config/rbac/auth_proxy_client_serviceaccount.yaml new file mode 100644 index 000000000000..041ac56b630c --- /dev/null +++ b/operator/config/rbac/auth_proxy_client_serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-manager-metrics-reader + namespace: system diff --git a/operator/config/rbac/auth_proxy_role_binding.yaml b/operator/config/rbac/auth_proxy_role_binding.yaml index 48ed1e4b85c4..ec7acc0a1b79 100644 --- a/operator/config/rbac/auth_proxy_role_binding.yaml +++ b/operator/config/rbac/auth_proxy_role_binding.yaml 
@@ -8,5 +8,5 @@ roleRef: name: proxy-role subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/operator/config/rbac/kustomization.yaml b/operator/config/rbac/kustomization.yaml index b48c43c1690b..c8b43e2fe40f 100644 --- a/operator/config/rbac/kustomization.yaml +++ b/operator/config/rbac/kustomization.yaml @@ -7,5 +7,8 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml +- auth_proxy_client_clusterrolebinding.yaml +- auth_proxy_client_serviceaccount.yaml - prometheus_role.yaml - prometheus_role_binding.yaml +- serviceaccount.yaml diff --git a/operator/config/rbac/leader_election_role_binding.yaml b/operator/config/rbac/leader_election_role_binding.yaml index eed16906f4dc..1d1321ed4f02 100644 --- a/operator/config/rbac/leader_election_role_binding.yaml +++ b/operator/config/rbac/leader_election_role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/operator/config/rbac/role_binding.yaml b/operator/config/rbac/role_binding.yaml index e97e9b5e1e83..93d27e99a43e 100644 --- a/operator/config/rbac/role_binding.yaml +++ b/operator/config/rbac/role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: lokistack-manager subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/operator/config/rbac/serviceaccount.yaml b/operator/config/rbac/serviceaccount.yaml new file mode 100644 index 000000000000..7cd6025bfc4a --- /dev/null +++ b/operator/config/rbac/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-manager + namespace: system