Prepare release 1.7.0 - Add token to Blackbox Exporter ConfigMap

deploy/cluster-roles/blackbox-exporter-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: blackbox-exporter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get

deploy/cluster-roles/blackbox-exporter-clusterrole_binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: blackbox-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: blackbox-exporter
+subjects:
+  - kind: ServiceAccount
+    name: blackbox-exporter-service-account
+    namespace: redhat-rhoam-middleware-monitoring-operator
+userNames:
+  - system:serviceaccount:application-monitoring:blackbox-exporter-service-account

pkg/controller/applicationmonitoring/applicationmonitoring_controller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/md5"
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -362,6 +363,36 @@ func (r *ReconcileApplicationMonitoring) reconcileBlackboxExporterConfig(cr *app
 	if r.extraParams == nil {
 		r.extraParams = map[string]string{}
 	}
+
+	// Add bearer_token to ConfigMap to allow Blackbox exporter requests to get through proxy in front of Grafana service
+	blackboxServiceAccount := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "blackbox-exporter-service-account",
+			Namespace: "redhat-rhoam-middleware-monitoring-operator",
+		},
+	}
+	if err := r.client.Get(ctx, client.ObjectKey{Name: blackboxServiceAccount.Name, Namespace: blackboxServiceAccount.Namespace}, blackboxServiceAccount); err != nil {
+		log.Error(err, "client.Get")
+		return fmt.Errorf("error getting blackbox exporter service account: %s", err.Error())
+	}
+	var secretName string
+	for _, secret := range blackboxServiceAccount.Secrets {
+		if res, _ := regexp.MatchString("blackbox-exporter-service-account-token", secret.Name); res {
+			secretName = secret.Name
+		}
+	}
+	blackboxServiceAccountSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secretName,
+			Namespace: "redhat-rhoam-middleware-monitoring-operator",
+		},
+	}
+	if err := r.client.Get(ctx, client.ObjectKey{Name: blackboxServiceAccountSecret.Name, Namespace: blackboxServiceAccountSecret.Namespace}, blackboxServiceAccountSecret); err != nil {
+		log.Error(err, "client.Get")
+		return fmt.Errorf("error getting blackbox exporter secret: %s", err.Error())
+	}
+	blackboxServiceAccountToken := blackboxServiceAccountSecret.Data["token"]
+	r.extraParams["bearerToken"] = string(blackboxServiceAccountToken)
 	r.extraParams["selfSignedCerts"] = strconv.FormatBool(cr.Spec.SelfSignedCerts)
 	templateHelper := newTemplateHelper(cr, r.extraParams)
 	blackboxExporterConfig, err := templateHelper.loadTemplate("blackbox/blackbox-exporter-config")

pkg/controller/blackboxtarget/blackboxtarget_controller.go

@@ -3,13 +3,16 @@ package blackboxtarget
 import (
 	"context"
 	"fmt"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	applicationmonitoringv1alpha1 "github.com/integr8ly/application-monitoring-operator/pkg/apis/applicationmonitoring/v1alpha1"
 	"github.com/integr8ly/application-monitoring-operator/pkg/controller/common"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -116,6 +119,20 @@ func (r *ReconcileBlackboxTarget) Reconcile(request reconcile.Request) (reconcil
 func (r *ReconcileBlackboxTarget) reconcileConfig(cr *applicationmonitoringv1alpha1.BlackboxTarget) (reconcile.Result, error) {
 	log.Info(fmt.Sprintf("BlackboxTarget reconcileConfig CR:%s Phase: %v", cr.ObjectMeta.Name, cr.Status.Phase))
 
+	// Create blackbox-exporter-service-account
+	blackBoxExporterServiceAccount := &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "blackbox-exporter-service-account",
+			Namespace: cr.GetNamespace(),
+		},
+	}
+	_, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, blackBoxExporterServiceAccount, func() error {
+		return nil
+	})
+	if err != nil {
+		log.Error(err, "Unable to create: blackbox-exporter-service-account")
+	}
+
 	bbtList := common.GetBTConfig()
 	crName := cr.ObjectMeta.Name
 	// Remove the finalizer so the CR can be deleted

templates/blackbox/blackbox-exporter-config.yaml

@@ -11,6 +11,7 @@ modules:
         ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
         cert_file: /etc/tls/private/tls.crt
         key_file: /etc/tls/private/tls.key{{end}}
+      bearer_token: {{ index .ExtraParams "bearerToken" }}
   http_post_2xx:
     prober: http
     http: