OCPBUGS-39417: Add service account and token for service monitoring

Adding service account and token needed for ServiceMonitoring, this will create a new service account compliance-operator-metrics and use create a metric token, and we will use that token for ServiceMonitoring.

bundle/manifests/compliance-operator-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -8,6 +8,9 @@ roleRef:
   kind: ClusterRole
   name: compliance-operator-metrics
 subjects:
+- kind: ServiceAccount
+  name: compliance-operator-metrics
+  namespace: openshift-compliance
 - kind: ServiceAccount
   name: prometheus-k8s
   namespace: openshift-monitoring

bundle/manifests/compliance-operator-metrics_v1_serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  creationTimestamp: null
+  name: compliance-operator-metrics

bundle/manifests/metrics-token_v1_secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: compliance-operator-metrics
+  name: metrics-token
+type: kubernetes.io/service-account-token

cmd/manager/operator.go

@@ -681,7 +681,7 @@ func getDefaultRoles(platform PlatformType) []string {
 	return defaultRolesPerPlatform[PlatformGeneric]
 }
 
-func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName string) *monitoring.ServiceMonitor {
+func generateOperatorServiceMonitor(service *v1.Service, namespace string) *monitoring.ServiceMonitor {
 	serviceMonitor := GenerateServiceMonitor(service)
 	for i := range serviceMonitor.Spec.Endpoints {
 		if serviceMonitor.Spec.Endpoints[i].Port == ctrlMetrics.ControllerMetricsServiceName {
@@ -691,7 +691,7 @@ func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName s
 				Type: "Bearer",
 				Credentials: &v1.SecretKeySelector{
 					LocalObjectReference: v1.LocalObjectReference{
-						Name: secretName,
+						Name: "metrics-token",
 					},
 					Key: "token",
 				},
@@ -707,25 +707,6 @@ func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName s
 	return serviceMonitor
 }
 
-func getSecretNameForServiceAccount(clientset *kubernetes.Clientset, namespace string, serviceAccountName string) (string, error) {
-	// List all secrets in the specified namespace
-	secrets, err := clientset.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{})
-	if err != nil {
-		return "", err
-	}
-
-	// Iterate through the secrets to find the one associated with the service account
-	for _, secret := range secrets.Items {
-		if secret.Annotations != nil {
-			if saName, exists := secret.Annotations["kubernetes.io/service-account.name"]; exists && saName == serviceAccountName {
-				return secret.Name, nil
-			}
-		}
-	}
-
-	return "", errors.New("secret for service account not found")
-}
-
 // createOrUpdateServiceMonitor creates or updates the ServiceMonitor if it already exists.
 func createOrUpdateServiceMonitor(ctx context.Context, mClient *monclientv1.MonitoringV1Client,
 	namespace string, serviceMonitor *monitoring.ServiceMonitor) error {
@@ -763,16 +744,7 @@ func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *moncli
 		return nil
 	}
 
-	serviceAccountName := "compliance-operator"
-	secretName, err := getSecretNameForServiceAccount(kubeClient, namespace, serviceAccountName)
-	if err != nil {
-		if kerr.IsNotFound(err) {
-			log.Infof("Unable to find secret associated with %s service account: %s", serviceAccountName, err)
-		} else {
-			log.Errorf("Failed to retrieve secret associated with %s service account for setting up metrics monitor: %s", serviceAccountName, err)
-		}
-	}
-	serviceMonitor := generateOperatorServiceMonitor(service, namespace, secretName)
+	serviceMonitor := generateOperatorServiceMonitor(service, namespace)
 
 	return createOrUpdateServiceMonitor(ctx, mClient, namespace, serviceMonitor)
 }

cmd/manager/operator_test.go

@@ -24,7 +24,7 @@ var _ = Describe("Operator Startup Function tests", func() {
 		When("Installing to non-controlled namespace", func() {
 			It("ServiceMonitor is generated with the proper TLSConfig ServerName", func() {
 				metricService := operatorMetricService("foobar")
-				sm := generateOperatorServiceMonitor(metricService, "foobar", "secret")
+				sm := generateOperatorServiceMonitor(metricService, "foobar")
 				controllerMetricServiceFound := false
 				for _, ep := range sm.Spec.Endpoints {
 					if ep.Port == metrics.ControllerMetricsServiceName && ep.TLSConfig != nil {

config/rbac/kustomization.yaml

@@ -46,4 +46,6 @@ resources:
 - tailoredprofile_editor_role.yaml
 - tailoredprofile_viewer_role.yaml
 - metrics_cluster_role.yaml
-- metrics_role_binding.yaml
+- metrics_role_binding.yaml
+- metrics_secret.yaml
+- metrics_service_account.yaml

config/rbac/metrics_role_binding.yaml

@@ -8,6 +8,9 @@ roleRef:
   kind: ClusterRole
   name: compliance-operator-metrics
 subjects:
+  - kind: ServiceAccount
+    name: compliance-operator-metrics
+    namespace: openshift-compliance
   - kind: ServiceAccount
     name: prometheus-k8s
-    namespace: openshift-monitoring
+    namespace: openshift-monitoring

config/rbac/metrics_secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: metrics-token
+  namespace: openshift-compliance
+  annotations:
+    kubernetes.io/service-account.name: compliance-operator-metrics
+type: kubernetes.io/service-account-token

config/rbac/metrics_service_account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: compliance-operator-metrics