Switch from mTLS to bearer token authentication

operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: loki-operator-controller-manager
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.5.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.5.0
+  name: loki-operator-controller-manager-metrics-token
+type: kubernetes.io/service-account-token

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-03-11T09:15:46Z"
+    createdAt: "2024-03-11T10:13:36Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     features.operators.openshift.io/disconnected: "true"
@@ -1678,7 +1678,7 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
       deployments:
       - label:
           app.kubernetes.io/instance: loki-operator-v0.5.0
@@ -1779,6 +1779,7 @@ spec:
                 runAsNonRoot: true
                 seccompProfile:
                   type: RuntimeDefault
+              serviceAccountName: loki-operator-controller-manager
               terminationGracePeriodSeconds: 10
               volumes:
               - configMap:
@@ -1812,7 +1813,7 @@ spec:
           verbs:
           - create
           - patch
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
     strategy: deployment
   installModes:
   - supported: false

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-03-11T09:15:44Z"
+    createdAt: "2024-03-11T10:13:34Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1658,7 +1658,7 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
       deployments:
       - label:
           app.kubernetes.io/instance: loki-operator-v0.5.0
@@ -1748,6 +1748,7 @@ spec:
                 kubernetes.io/os: linux
               securityContext:
                 runAsNonRoot: true
+              serviceAccountName: loki-operator-controller-manager
               terminationGracePeriodSeconds: 10
               volumes:
               - name: webhook-cert
@@ -1780,7 +1781,7 @@ spec:
           verbs:
           - create
           - patch
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
     strategy: deployment
   installModes:
   - supported: false

operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-token_v1_secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: loki-operator-controller-manager
+  labels:
+    app.kubernetes.io/instance: loki-operator-0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: cluster-logging
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-controller-manager-metrics-token
+type: kubernetes.io/service-account-token

operator/bundle/openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -11,7 +11,12 @@ metadata:
   name: loki-operator-metrics-monitor
 spec:
   endpoints:
-  - interval: 30s
+  - authorization:
+      credentials:
+        key: token
+        name: loki-operator-controller-manager-metrics-token
+      type: bearer
+    interval: 30s
     path: /metrics
     scheme: https
     scrapeTimeout: 10s
@@ -21,13 +26,6 @@ spec:
         configMap:
           key: service-ca.crt
           name: loki-operator-controller-manager-metrics-ca
-      cert:
-        secret:
-          key: tls.crt
-          name: loki-operator-metrics
-      keySecret:
-        key: tls.key
-        name: loki-operator-metrics
       serverName: loki-operator-controller-manager-metrics-service.openshift-operators-redhat.svc
   selector:
     matchLabels:

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:0.1.0
-    createdAt: "2024-03-11T09:15:47Z"
+    createdAt: "2024-03-11T10:13:39Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements
@@ -1663,7 +1663,7 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
       deployments:
       - label:
           app.kubernetes.io/instance: loki-operator-0.1.0
@@ -1764,6 +1764,7 @@ spec:
                 runAsNonRoot: true
                 seccompProfile:
                   type: RuntimeDefault
+              serviceAccountName: loki-operator-controller-manager
               terminationGracePeriodSeconds: 10
               volumes:
               - configMap:
@@ -1797,7 +1798,7 @@ spec:
           verbs:
           - create
           - patch
-        serviceAccountName: default
+        serviceAccountName: loki-operator-controller-manager
     strategy: deployment
   installModes:
   - supported: false

operator/config/manager/manager.yaml

@@ -39,4 +39,5 @@ spec:
           periodSeconds: 10
       nodeSelector:
         kubernetes.io/os: linux
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

operator/config/overlays/openshift/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
 - ../../manager
 - ../../webhook
 - ../../prometheus
+- manager_metrics_secret_token.yaml
 - manager_metrics_configmap_ca.yaml
 
 # Adds namespace to all resources.

operator/config/overlays/openshift/manager_metrics_secret_token.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: controller-manager-metrics-token
+  annotations:
+    kubernetes.io/service-account.name: loki-operator-controller-manager
+type: kubernetes.io/service-account-token

operator/config/overlays/openshift/prometheus_service_monitor_patch.yaml

@@ -11,16 +11,14 @@ spec:
       scheme: https
       interval: 30s
       scrapeTimeout: 10s
+      authorization:
+        type: bearer
+        credentials:
+          key: token
+          name: loki-operator-controller-manager-metrics-token
       tlsConfig:
         ca:
           configMap:
             key: service-ca.crt
             name: loki-operator-controller-manager-metrics-ca
-        cert:
-          secret:
-            key: tls.crt
-            name: loki-operator-metrics
-        keySecret:
-          key: tls.key
-          name: loki-operator-metrics
         serverName: loki-operator-controller-manager-metrics-service.openshift-operators-redhat.svc

operator/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

operator/config/rbac/kustomization.yaml

@@ -9,3 +9,4 @@ resources:
 - auth_proxy_client_clusterrole.yaml
 - prometheus_role.yaml
 - prometheus_role_binding.yaml
+- serviceaccount.yaml

operator/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

operator/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: lokistack-manager
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

operator/config/rbac/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system