report token fallback: basicAuth for kubeVersion lt 1.20.0

reporter/v2/cmd/reporter/report/report.go

@@ -28,7 +28,7 @@ import (
 
 var log = logf.Log.WithName("reporter_report_cmd")
 
-var name, namespace, cafile, tokenFile, uploadTarget, localFilePath string
+var name, namespace, cafile, tokenFile, passwordFile, uploadTarget, localFilePath string
 var local, upload bool
 var retry int
 
@@ -61,6 +61,7 @@ var ReportCmd = &cobra.Command{
 			Retry:           ptr.Int(retry),
 			CaFile:          cafile,
 			TokenFile:       tokenFile,
+			PasswordFile:    passwordFile,
 			Local:           local,
 			Upload:          upload,
 			UploaderTarget:  uploadTarget,
@@ -93,6 +94,7 @@ func init() {
 	ReportCmd.Flags().StringVar(&namespace, "namespace", "", "namespace of the report")
 	ReportCmd.Flags().StringVar(&cafile, "cafile", "", "cafile for prometheus")
 	ReportCmd.Flags().StringVar(&tokenFile, "tokenfile", "", "token file for prometheus")
+	ReportCmd.Flags().StringVar(&passwordFile, "passwordfile", "", "password file for prometheus basicauth")
 	ReportCmd.Flags().StringVar(&uploadTarget, "uploadTarget", "redhat-insights", "target to upload to")
 	ReportCmd.Flags().StringVar(&localFilePath, "localFilePath", ".", "target to upload to")
 	ReportCmd.Flags().BoolVar(&local, "local", false, "run locally")

reporter/v2/pkg/reporter/config.go

@@ -33,6 +33,7 @@ type Config struct {
 	Retry           *int
 	CaFile          string
 	TokenFile       string
+	PasswordFile    string
 	Local           bool
 	Upload          bool
 	UploaderTarget

v2/assets/reporter/job.yaml

@@ -21,25 +21,13 @@ spec:
               'report',
               '--cafile',
               '/etc/configmaps/operator-cert-ca-bundle/service-ca.crt',
-              '--tokenfile',
-              '/etc/auth-service-account/token',
             ]
           runAsUser:
           volumeMounts:
             - mountPath: /etc/configmaps/operator-cert-ca-bundle
               name: operator-certs-ca-bundle
               readOnly: true
-            - mountPath: /etc/auth-service-account
-              name: token-vol
-              readOnly: true
       volumes:
         - configMap:
             name: operator-certs-ca-bundle
           name: operator-certs-ca-bundle
-        - name: token-vol
-          projected:
-            sources:
-              - serviceAccountToken:
-                  audience: rhm-prometheus-meterbase.openshift-redhat-marketplace.svc
-                  expirationSeconds: 3600
-                  path: token

v2/controllers/marketplace/meterbase_controller.go

@@ -36,6 +36,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	merrors "emperror.dev/errors"
+	"github.com/blang/semver"
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	prometheusv1 "github.com/prometheus/client_golang/api/prometheus/v1"
@@ -583,6 +584,17 @@ func (r *MeterBaseReconciler) generateExpectedDates(endTime time.Time, loc *time
 }
 
 func (r *MeterBaseReconciler) newMeterReport(namespace string, startTime time.Time, endTime time.Time, meterReportName string, instance *marketplacev1alpha1.MeterBase, prometheusServiceName string) *marketplacev1alpha1.MeterReport {
+	// If kubeVersion < 1.20 TokenRequest and TokenRequestProjection are beta and not assumed available, use basicAuth (https port). Logical default if unknown kubeVersion parse failure
+	// If kubeVersion >= 1.20  TokenRequest and TokenRequestProjection are GA and assumed available, use token (rbac port)
+	v1200, _ := semver.Make("1.20.0")
+	kubeVersion := r.cfg.Infrastructure.KubernetesVersion()
+	parsedKubeVersion, _ := semver.ParseTolerant(kubeVersion)
+
+	targetPort := intstr.FromString("rbac")
+	if parsedKubeVersion.LT(v1200) {
+		targetPort = intstr.FromString("https")
+	}
+
 	return &marketplacev1alpha1.MeterReport{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      meterReportName,
@@ -594,7 +606,7 @@ func (r *MeterBaseReconciler) newMeterReport(namespace string, startTime time.Ti
 			PrometheusService: &common.ServiceReference{
 				Name:       prometheusServiceName,
 				Namespace:  instance.Namespace,
-				TargetPort: intstr.FromString("rbac"),
+				TargetPort: targetPort,
 			},
 		},
 	}
@@ -1316,6 +1328,7 @@ func labelsForPrometheusOperator(name string) map[string]string {
 	return map[string]string{"prometheus": name}
 }
 
+
 // Return Prometheus ActiveTargets with HealthBad or Unknown status
 func (r *MeterBaseReconciler) healthBadActiveTargets(cc ClientCommandRunner, request reconcile.Request, reqLogger logr.Logger) ([]common.Target, error) {
 	targets := []common.Target{}

v2/pkg/manifests/factory.go

@@ -25,6 +25,7 @@ import (
 	"io"
 	"strings"
 
+	"github.com/blang/semver"
 	"github.com/gotidy/ptr"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	marketplacev1alpha1 "github.com/redhat-marketplace/redhat-marketplace-operator/v2/apis/marketplace/v1alpha1"
@@ -509,6 +510,39 @@ func (f *Factory) ReporterJob(
 		container.Args = append(container.Args, report.Spec.ExtraArgs...)
 	}
 
+	// If kubeVersion < 1.20 TokenRequest and TokenRequestProjection are beta and not assumed available, use basicAuth. Logical default if unknown kubeVersion parse failure
+	// If kubeVersion >= 1.20  TokenRequest and TokenRequestProjection are GA and assumed available, use token
+	v1200, _ := semver.Make("1.20.0")
+	kubeVersion := f.operatorConfig.Infrastructure.KubernetesVersion()
+
+	parsedKubeVersion, _ := semver.ParseTolerant(kubeVersion)
+
+	if parsedKubeVersion.LT(v1200) {
+		secretVolumeSource := corev1.SecretVolumeSource{SecretName: "rhm-meterbase-datasources"}
+		volumeSource := corev1.VolumeSource{Secret: &secretVolumeSource}
+		j.Spec.Template.Spec.Volumes = append(j.Spec.Template.Spec.Volumes, corev1.Volume{Name: "password-vol", VolumeSource: volumeSource})
+
+		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{Name: "password-vol", ReadOnly: true, MountPath: "/etc/auth-basic"})
+
+		container.Args = append(container.Args,
+			"--passwordfile",
+			"/etc/auth-basic/basicAuthSecret",
+		)
+	} else {
+		var expirationSeconds int64 = 3600
+		serviceAccountTokenProjection := corev1.ServiceAccountTokenProjection{Audience: "rhm-prometheus-meterbase.openshift-redhat-marketplace.svc", ExpirationSeconds: &expirationSeconds, Path: "token"}
+		projectedVolumeSource := corev1.ProjectedVolumeSource{Sources: []corev1.VolumeProjection{{ServiceAccountToken: &serviceAccountTokenProjection}}}
+		volumeSource := corev1.VolumeSource{Projected: &projectedVolumeSource}
+		j.Spec.Template.Spec.Volumes = append(j.Spec.Template.Spec.Volumes, corev1.Volume{Name: "token-vol", VolumeSource: volumeSource})
+
+		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{Name: "token-vol", ReadOnly: true, MountPath: "/etc/auth-service-account"})
+
+		container.Args = append(container.Args,
+			"--tokenfile",
+			"/etc/auth-service-account/token",
+		)
+	}
+
 	// Keep last 3 days of data
 	j.Spec.TTLSecondsAfterFinished = ptr.Int32(86400 * 3)
 	j.Spec.Template.Spec.Containers[0] = container