Authentication for metrics and version endpoint

Signed-off-by: naveenpaul1 <[email protected]>

Author: naveenpaul1

pkg/system/phase4_configuring.go

@@ -135,6 +135,32 @@ func (r *Reconciler) ReconcileSystemSecrets() error {
 	if err := r.ReconcileObject(r.SecretEndpoints, r.SetDesiredSecretEndpoints); err != nil {
 		return err
 	}
+
+	if err := r.ReconcileObject(r.SecretMetricsAuth, r.SetDesiredMetricsAuth); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// SetDesiredMetricsAuth updates the ServiceAccount as desired for reconciling
+func (r *Reconciler) SetDesiredMetricsAuth() error {
+
+	// Load string data from data
+	util.SecretResetStringDataFromData(r.SecretMetricsAuth)
+	// SecretMetricsAuth exists means the system already created and we can skip
+	if r.SecretMetricsAuth.StringData["metrics_token"] != "" {
+		return nil
+	}
+	res, err := r.NBClient.CreateAuthAPI(nb.CreateAuthParams{
+		System: r.Request.Name,
+		Role:   "metrics-auth",
+		Email:  options.OperatorAccountEmail,
+	})
+	if err != nil {
+		return fmt.Errorf("cannot create an auth token for metrics, error: %v", err)
+	}
+	r.SecretMetricsAuth.StringData["metrics_token"] = res.Token
 	return nil
 }
 
@@ -619,11 +645,11 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 			//this is a way to let containers explicitly know
 			//that an nsr should be mounted on them
 			envVar := corev1.EnvVar{
-				Name: "NSFS_NSR_" + nsStore.Name,
+				Name:  "NSFS_NSR_" + nsStore.Name,
 				Value: "mounted",
 			}
 
-			util.MergeEnvArrays(&container.Env, &[]corev1.EnvVar{envVar});
+			util.MergeEnvArrays(&container.Env, &[]corev1.EnvVar{envVar})
 		}
 	}
 
@@ -1583,15 +1609,42 @@ func (r *Reconciler) ReconcileServiceMonitors() error {
 
 	r.ApplyMonitoringLabels(r.ServiceMonitorMgmt)
 
-	if err := r.ReconcileObjectOptional(r.ServiceMonitorMgmt, nil); err != nil {
+	if err := r.ReconcileObjectOptional(r.ServiceMonitorMgmt, r.setDesiredServiceMonitorMgmt); err != nil {
 		return err
 	}
-	if err := r.ReconcileObjectOptional(r.ServiceMonitorS3, nil); err != nil {
+	if err := r.ReconcileObjectOptional(r.ServiceMonitorS3, r.setDesiredServiceMonitorS3); err != nil {
 		return err
 	}
 	return nil
 }
 
+// setDesiredServiceMonitorMgmt set authorization to managemnt ServiceMonitor
+func (r *Reconciler) setDesiredServiceMonitorMgmt() error {
+	r.setServiceMonitorAuthorization(r.ServiceMonitorMgmt.Spec.Endpoints)
+	return nil
+}
+
+// setDesiredServiceMonitorS3 set authorization to s3 ServiceMonitor
+func (r *Reconciler) setDesiredServiceMonitorS3() error {
+	r.setServiceMonitorAuthorization(r.ServiceMonitorS3.Spec.Endpoints)
+	return nil
+}
+
+// setServiceMonitorAuthorization set authorization to both managemnt and s3 ServiceMonitor
+func (r *Reconciler) setServiceMonitorAuthorization(endpoints []monitoringv1.Endpoint) {
+	for i := range endpoints {
+		endpoints[i].Authorization = &monitoringv1.SafeAuthorization{
+			Type: "Bearer",
+			Credentials: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: r.SecretMetricsAuth.Name,
+				},
+				Key: "metrics_token",
+			},
+		}
+	}
+}
+
 // ReconcileReadSystem calls read_system on noobaa server and stores the result
 func (r *Reconciler) ReconcileReadSystem() error {
 	// Skip if joining another NooBaa

pkg/system/reconciler.go

@@ -125,6 +125,7 @@ type Reconciler struct {
 	ExternalPgSecret          *corev1.Secret
 	ExternalPgSSLSecret       *corev1.Secret
 	BucketNotificationsPVC    *corev1.PersistentVolumeClaim
+	SecretMetricsAuth         *corev1.Secret
 
 	// CNPG resources
 	CNPGImageCatalog *cnpgv1.ImageCatalog
@@ -194,6 +195,8 @@ func NewReconciler(
 
 		CNPGImageCatalog: cnpg.GetCnpgImageCatalogObj(req.Namespace, req.Name+pgImageCatalogSuffix),
 		CNPGCluster:      cnpg.GetCnpgClusterObj(req.Namespace, req.Name+pgClusterSuffix),
+
+		SecretMetricsAuth: util.KubeObject(bundle.File_deploy_internal_secret_empty_yaml).(*corev1.Secret),
 	}
 
 	// Set Namespace
@@ -242,6 +245,7 @@ func NewReconciler(
 	r.AdapterHPA.Namespace = r.Request.Namespace
 	r.BucketLoggingPVC.Namespace = r.Request.Namespace
 	r.BucketNotificationsPVC.Namespace = r.Request.Namespace
+	r.SecretMetricsAuth.Namespace = r.Request.Namespace
 
 	// Set Names
 	r.NooBaa.Name = r.Request.Name
@@ -287,6 +291,7 @@ func NewReconciler(
 	r.AdapterHPA.Name = r.Request.Name + "-hpav2"
 	r.BucketLoggingPVC.Name = r.Request.Name + "-bucket-logging-pvc"
 	r.BucketNotificationsPVC.Name = r.Request.Name + "-bucket-notifications-pvc"
+	r.SecretMetricsAuth.Name = "metrics-auth-secret"
 
 	// Set the target service for routes.
 	r.RouteMgmt.Spec.To.Name = r.ServiceMgmt.Name