move metrics-client-ca cm creation before prometheus-operator to be a…

…ble to progress The prometheus-operator itself is using an kube-rbac-proxy and therefore needs to have the client-ca for its deployment.
openshift · Jul 20, 2021 · 311b1ad · 311b1ad
1 parent 1ff88ef
commit 311b1ad
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 15 deletions.
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
@@ -512,6 +512,7 @@ func (o *Operator) sync(key string) error {
 		// update prometheus-operator before anything else because it is responsible for managing many other resources (e.g. Prometheus, Alertmanager, Thanos Ruler, ...).
 		tasks.NewTaskGroup(
 			[]*tasks.TaskSpec{
+				tasks.NewTaskSpec("Updating metrics scraping client CA", tasks.NewMetricsClientCATask(o.client, factory)),
 				tasks.NewTaskSpec("Updating Prometheus Operator", tasks.NewPrometheusOperatorTask(o.client, factory)),
 			}),
 		tasks.NewTaskGroup(

diff --git a/pkg/tasks/clustermonitoringoperator.go b/pkg/tasks/clustermonitoringoperator.go
@@ -120,20 +120,5 @@ func (t *ClusterMonitoringOperatorTask) Run() error {
 		return errors.Wrap(err, "error creating Cluster Monitoring Operator GRPC TLS secret")
 	}
 
-	apiAuthConfigmap, err := t.client.GetConfigmap("kube-system", "extension-apiserver-authentication")
-	if err != nil {
-		return errors.Wrap(err, "failed to load kube-system/extension-apiserver-authentication configmap")
-	}
-
-	cm, err := t.factory.MetricsClientCACM(apiAuthConfigmap)
-	if err != nil {
-		return errors.Wrap(err, "initializing Metrics Client CA failed")
-	}
-
-	err = t.client.CreateOrUpdateConfigMap(cm)
-	if err != nil {
-		return errors.Wrap(err, "reconciling Metrics Client CA ConfigMap failed")
-	}
-
 	return nil
 }
diff --git a/pkg/tasks/metrics_client_ca.go b/pkg/tasks/metrics_client_ca.go
@@ -0,0 +1,42 @@
+package tasks
+
+import (
+	"github.com/openshift/cluster-monitoring-operator/pkg/client"
+	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
+	"github.com/pkg/errors"
+)
+
+type MetricsClientCATask struct {
+	client  *client.Client
+	factory *manifests.Factory
+}
+
+// NewMetricsClientCATask returns and instance of MetricsClientCATask which creates
+// and updates the client-CA ConfigMap that is required by our deployments of the
+// kube-rbac-proxy in order to be able to authenticate client-cert authenticated
+// metrics requests
+func NewMetricsClientCATask(client *client.Client, factory *manifests.Factory) *MetricsClientCATask {
+	return &MetricsClientCATask{
+		client:  client,
+		factory: factory,
+	}
+}
+
+func (t *MetricsClientCATask) Run() error {
+	apiAuthConfigmap, err := t.client.GetConfigmap("kube-system", "extension-apiserver-authentication")
+	if err != nil {
+		return errors.Wrap(err, "failed to load kube-system/extension-apiserver-authentication configmap")
+	}
+
+	cm, err := t.factory.MetricsClientCACM(apiAuthConfigmap)
+	if err != nil {
+		return errors.Wrap(err, "initializing Metrics Client CA failed")
+	}
+
+	err = t.client.CreateOrUpdateConfigMap(cm)
+	if err != nil {
+		return errors.Wrap(err, "reconciling Metrics Client CA ConfigMap failed")
+	}
+
+	return nil
+}