From 0ea320bc322c80f1a4886305af22fc11cb1c6a0c Mon Sep 17 00:00:00 2001 
From: Grace Do Date: Tue, 17 Sep 2024 09:55:42 -0700 Subject: [PATCH] fix(kps): Secure access to node-exporter metrics (2.8) (#2624) * fix(kps): Secure access to node-exporter metrics * feat(licenses): Add new kube-rbac-proxy image * feat(kps): Bump app version * fix(licenses): Fix registry/version * feat(kps): Missed a version bump --- licenses.d2iq.yaml | 5 +++++ .../{48.3.2 => 48.3.3}/defaults/cm.yaml | 8 +++++++- .../{48.3.2 => 48.3.3}/defaults/kustomization.yaml | 0 .../{48.3.2 => 48.3.3}/etcd-metrics-proxy.yaml | 2 +- .../{48.3.2 => 48.3.3}/etcd-metrics-proxy/cert.yaml | 0 .../etcd-metrics-proxy/client-rbac.yaml | 0 .../etcd-metrics-proxy/kube-rbac-proxy.yaml | 0 .../{48.3.2 => 48.3.3}/grafana-dashboards/calico.json | 0 .../grafana-dashboards/controller-runtime.json | 0 .../grafana-dashboards/flux-cluster-stats.json | 0 .../grafana-dashboards/flux-control-plane.json | 0 .../grafana-dashboards/kustomization.yaml | 0 .../{48.3.2 => 48.3.3}/grafana-dashboards/pv-stats.json | 0 .../{48.3.2 => 48.3.3}/helmrelease.yaml | 2 +- .../{48.3.2 => 48.3.3}/helmrelease/extra-images.txt | 0 .../helmrelease/kube-prometheus-stack.yaml | 2 +- .../{48.3.2 => 48.3.3}/helmrelease/kustomization.yaml | 0 .../{48.3.2 => 48.3.3}/kustomization.yaml | 0 18 files changed, 15 insertions(+), 4 deletions(-) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/defaults/cm.yaml (98%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/defaults/kustomization.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/etcd-metrics-proxy.yaml (92%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/etcd-metrics-proxy/cert.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/etcd-metrics-proxy/client-rbac.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/etcd-metrics-proxy/kube-rbac-proxy.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/grafana-dashboards/calico.json (100%) rename services/kube-prometheus-stack/{48.3.2 
=> 48.3.3}/grafana-dashboards/controller-runtime.json (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/grafana-dashboards/flux-cluster-stats.json (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/grafana-dashboards/flux-control-plane.json (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/grafana-dashboards/kustomization.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/grafana-dashboards/pv-stats.json (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/helmrelease.yaml (93%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/helmrelease/extra-images.txt (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/helmrelease/kube-prometheus-stack.yaml (97%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/helmrelease/kustomization.yaml (100%) rename services/kube-prometheus-stack/{48.3.2 => 48.3.3}/kustomization.yaml (100%) diff --git a/licenses.d2iq.yaml b/licenses.d2iq.yaml index d7940b4105..54cde45e80 100644 --- a/licenses.d2iq.yaml +++ b/licenses.d2iq.yaml @@ -355,6 +355,11 @@ resources: - license_path: LICENSE ref: ${image_tag} url: https://github.com/brancz/kube-rbac-proxy + - container_image: quay.io/brancz/kube-rbac-proxy:v0.14.0 + sources: + - license_path: LICENSE + ref: ${image_tag} + url: https://github.com/brancz/kube-rbac-proxy - container_image: ghcr.io/fluxcd/helm-controller:v0.37.4 sources: - license_path: LICENSE diff --git a/services/kube-prometheus-stack/48.3.2/defaults/cm.yaml b/services/kube-prometheus-stack/48.3.3/defaults/cm.yaml similarity index 98% rename from services/kube-prometheus-stack/48.3.2/defaults/cm.yaml rename to services/kube-prometheus-stack/48.3.3/defaults/cm.yaml index 8fc64d8e38..bb5983795b 100644 --- a/services/kube-prometheus-stack/48.3.2/defaults/cm.yaml +++ b/services/kube-prometheus-stack/48.3.3/defaults/cm.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: kube-prometheus-stack-48.3.2-d2iq-defaults + name: kube-prometheus-stack-48.3.3-d2iq-defaults namespace: ${releaseNamespace} data: values.yaml: | @@ -457,8 +457,14 @@ data: prometheus.kommander.d2iq.io/select: "true" prometheus-node-exporter: priorityClassName: "dkp-critical-priority" + kubeRBACProxy: + enabled: true prometheus: monitor: + scheme: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + tlsConfig: + insecureSkipVerify: true additionalLabels: prometheus.kommander.d2iq.io/select: "true" relabelings: diff --git a/services/kube-prometheus-stack/48.3.2/defaults/kustomization.yaml b/services/kube-prometheus-stack/48.3.3/defaults/kustomization.yaml similarity index 100% rename from services/kube-prometheus-stack/48.3.2/defaults/kustomization.yaml rename to services/kube-prometheus-stack/48.3.3/defaults/kustomization.yaml diff --git a/services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy.yaml b/services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy.yaml similarity index 92% rename from services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy.yaml rename to services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy.yaml index e7e4e26d14..ed32ecf52c 100644 --- a/services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy.yaml +++ b/services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy.yaml @@ -9,7 +9,7 @@ spec: wait: true interval: 6h retryInterval: 1m - path: ./services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy + path: ./services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy sourceRef: kind: GitRepository name: management diff --git a/services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/cert.yaml b/services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/cert.yaml similarity index 100% rename from services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/cert.yaml rename to services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/cert.yaml 
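Review bot: In the second `defaults/cm.yaml` hunk, `tlsConfig.insecureSkipVerify: true` under `prometheus-node-exporter.prometheus.monitor` makes Prometheus present its service-account token from `bearerTokenFile` without verifying the server certificate, so the scrape is encrypted but the peer is not authenticated. If kube-rbac-proxy serves a self-signed certificate here (not visible in this hunk), consider giving it a serving certificate from a cluster CA and replacing the flag with a CA reference and `serverName` in `tlsConfig`. If the skip has to stay, a comment above it such as `# kube-rbac-proxy cert is self-signed; server identity is NOT verified on this scrape` would record the accepted risk. It is also worth confirming that the Prometheus service account holds whatever permission kube-rbac-proxy authorizes against, otherwise the node-exporter targets would start returning 401/403 after the upgrade; the values block continues outside the hunk.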
diff --git a/services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/client-rbac.yaml b/services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/client-rbac.yaml
similarity index 100%
rename from services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/client-rbac.yaml
rename to services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/client-rbac.yaml
diff --git a/services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/kube-rbac-proxy.yaml b/services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/kube-rbac-proxy.yaml
similarity index 100%
rename from services/kube-prometheus-stack/48.3.2/etcd-metrics-proxy/kube-rbac-proxy.yaml
rename to services/kube-prometheus-stack/48.3.3/etcd-metrics-proxy/kube-rbac-proxy.yaml
diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/calico.json b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/calico.json
similarity index 100%
rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/calico.json
rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/calico.json
diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/controller-runtime.json b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/controller-runtime.json
similarity index 100%
rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/controller-runtime.json
rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/controller-runtime.json
diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/flux-cluster-stats.json b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/flux-cluster-stats.json
similarity index 100%
rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/flux-cluster-stats.json
rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/flux-cluster-stats.json
diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/flux-control-plane.json b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/flux-control-plane.json similarity index 100% rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/flux-control-plane.json rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/flux-control-plane.json diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/kustomization.yaml b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/kustomization.yaml similarity index 100% rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/kustomization.yaml rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/kustomization.yaml diff --git a/services/kube-prometheus-stack/48.3.2/grafana-dashboards/pv-stats.json b/services/kube-prometheus-stack/48.3.3/grafana-dashboards/pv-stats.json similarity index 100% rename from services/kube-prometheus-stack/48.3.2/grafana-dashboards/pv-stats.json rename to services/kube-prometheus-stack/48.3.3/grafana-dashboards/pv-stats.json diff --git a/services/kube-prometheus-stack/48.3.2/helmrelease.yaml b/services/kube-prometheus-stack/48.3.3/helmrelease.yaml similarity index 93% rename from services/kube-prometheus-stack/48.3.2/helmrelease.yaml rename to services/kube-prometheus-stack/48.3.3/helmrelease.yaml index 3f4f18df70..db625d1610 100644 --- a/services/kube-prometheus-stack/48.3.2/helmrelease.yaml +++ b/services/kube-prometheus-stack/48.3.3/helmrelease.yaml @@ -9,7 +9,7 @@ spec: wait: true interval: 6h retryInterval: 1m - path: ./services/kube-prometheus-stack/48.3.2/helmrelease + path: ./services/kube-prometheus-stack/48.3.3/helmrelease sourceRef: kind: GitRepository name: management 
diff --git a/services/kube-prometheus-stack/48.3.2/helmrelease/extra-images.txt b/services/kube-prometheus-stack/48.3.3/helmrelease/extra-images.txt similarity index 100% rename from services/kube-prometheus-stack/48.3.2/helmrelease/extra-images.txt rename to services/kube-prometheus-stack/48.3.3/helmrelease/extra-images.txt diff --git a/services/kube-prometheus-stack/48.3.2/helmrelease/kube-prometheus-stack.yaml b/services/kube-prometheus-stack/48.3.3/helmrelease/kube-prometheus-stack.yaml similarity index 97% rename from services/kube-prometheus-stack/48.3.2/helmrelease/kube-prometheus-stack.yaml rename to services/kube-prometheus-stack/48.3.3/helmrelease/kube-prometheus-stack.yaml index b0b6a0fca4..94084b47f7 100644 --- a/services/kube-prometheus-stack/48.3.2/helmrelease/kube-prometheus-stack.yaml +++ b/services/kube-prometheus-stack/48.3.3/helmrelease/kube-prometheus-stack.yaml @@ -27,7 +27,7 @@ spec: releaseName: kube-prometheus-stack valuesFrom: - kind: ConfigMap - name: kube-prometheus-stack-48.3.2-d2iq-defaults + name: kube-prometheus-stack-48.3.3-d2iq-defaults - kind: ConfigMap name: kube-prometheus-stack-mgmt-overrides optional: true diff --git a/services/kube-prometheus-stack/48.3.2/helmrelease/kustomization.yaml b/services/kube-prometheus-stack/48.3.3/helmrelease/kustomization.yaml similarity index 100% rename from services/kube-prometheus-stack/48.3.2/helmrelease/kustomization.yaml rename to services/kube-prometheus-stack/48.3.3/helmrelease/kustomization.yaml diff --git a/services/kube-prometheus-stack/48.3.2/kustomization.yaml b/services/kube-prometheus-stack/48.3.3/kustomization.yaml similarity index 100% rename from services/kube-prometheus-stack/48.3.2/kustomization.yaml rename to services/kube-prometheus-stack/48.3.3/kustomization.yaml