Goal:

Deploy kube-rbac-proxy container inside the metric-storage's Prometheus pod. Configure the kube-rbac-proxy correctly, so that Prometheus is accessible through the proxy. This epic is about modifications to telemetry-operator only. An image will need to be propagated from openstack-operator, but that's a part of another epic.

Acceptance Criteria:

• kube-rbac-proxy runs inside the Prometheus pod
• Prometheus is reachable through the kube-rbac-proxy when a correct token is used
• Prometheus isn't reachable through the kube-rbac-proxy when using an incorrect token (or when not using a token at all)
• Original way of reaching Prometheus is still working (we can still use the current service to reach Prometheus directly and bypass kube-rbac-proxy)

Additional info

• Look at how the Prometheus object is patched to configure TLS. We can add additional containers to the pod in a similar way

• • https://github.com/openstack-k8s-operators/telemetry-operator/blob/main/pkg/metricstorage/prometheus_tls_patch.go
  • https://github.com/openstack-k8s-operators/telemetry-operator/blob/main/controllers/metricstorage_controller.go#L373
• Looking at STF may also be beneficial as STF uses oauth-proxy to secure Prometheus, which should be pretty similar.
• We already ship kube-rbac-proxy together with RHOSO, the default could be quay.io/openstack-k8s-operators/kube-rbac-proxy:v0.16.0