Reload bearer token from disk to work with kubernetes bound-service-a…

…ccount-tokens
DataDog · Feb 11, 2022 · 0071d68 · 0071d68
1 parent 3616496
commit 0071d68
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 19 deletions.
diff --git a/datadog_checks_base/datadog_checks/base/checks/openmetrics/base_check.py b/datadog_checks_base/datadog_checks/base/checks/openmetrics/base_check.py
@@ -139,6 +139,8 @@ def check(self, instance):
                 "You have to collect at least one metric from the endpoint: {}".format(scraper_config['prometheus_url'])
             )
 
+        scraper_config['_bearer_token'] = self._get_bearer_token(scraper_config['bearer_token_auth'], scraper_config['bearer_token_path'])
+
         self.process(scraper_config)
 
     def get_scraper_config(self, instance):

diff --git a/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py b/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
@@ -398,32 +398,30 @@ def get_http_handler(self, scraper_config):
         The http handler is cached using `prometheus_url` as key.
         """
         prometheus_url = scraper_config['prometheus_url']
-        if prometheus_url in self._http_handlers:
-            return self._http_handlers[prometheus_url]
+        http_handler = self._http_handlers[prometheus_url]
+        if http_handler is None
+          # TODO: Deprecate this behavior in Agent 8
+          if scraper_config['ssl_ca_cert'] is False:
+              scraper_config['ssl_verify'] = False
 
-        # TODO: Deprecate this behavior in Agent 8
-        if scraper_config['ssl_ca_cert'] is False:
-            scraper_config['ssl_verify'] = False
+          # TODO: Deprecate this behavior in Agent 8
+          if scraper_config['ssl_verify'] is False:
+              scraper_config.setdefault('tls_ignore_warning', True)
 
-        # TODO: Deprecate this behavior in Agent 8
-        if scraper_config['ssl_verify'] is False:
-            scraper_config.setdefault('tls_ignore_warning', True)
+          http_handler = self._http_handlers[prometheus_url] = RequestsWrapper(
+              scraper_config, self.init_config, self.HTTP_CONFIG_REMAPPER, self.log
+          )
 
-        http_handler = self._http_handlers[prometheus_url] = RequestsWrapper(
-            scraper_config, self.init_config, self.HTTP_CONFIG_REMAPPER, self.log
-        )
+          # TODO: Determine if we really need this
+          http_handler.options['headers'].setdefault('accept-encoding', 'gzip')
 
-        headers = http_handler.options['headers']
+          # Explicitly set the content type we accept
+          http_handler.options['headers'].setdefault('accept', 'text/plain')
 
+        # even when using the cached handler we need to re-set this token since it could have changed
         bearer_token = scraper_config['_bearer_token']
         if bearer_token is not None:
-            headers['Authorization'] = 'Bearer {}'.format(bearer_token)
-
-        # TODO: Determine if we really need this
-        headers.setdefault('accept-encoding', 'gzip')
-
-        # Explicitly set the content type we accept
-        headers.setdefault('accept', 'text/plain')
+            http_handler.options['headers']['Authorization'] = 'Bearer {}'.format(bearer_token)
 
         return http_handler
 

diff --git a/kube_apiserver_metrics/datadog_checks/kube_apiserver_metrics/kube_apiserver_metrics.py b/kube_apiserver_metrics/datadog_checks/kube_apiserver_metrics/kube_apiserver_metrics.py
@@ -110,6 +110,12 @@ def check(self, instance):
         if not self.kube_apiserver_config['metrics_mapper']:
             url = self.kube_apiserver_config['prometheus_url']
             raise CheckException("You have to collect at least one metric from the endpoint: {}".format(url))
+
+        # reload from path in case the token was refreshed
+        # see https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md
+        # same as datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
+        self.kube_apiserver_config['_bearer_token'] = self._get_bearer_token(self.kube_apiserver_config['bearer_token_auth'], self.kube_apiserver_config['bearer_token_path'])
+
         self.process(self.kube_apiserver_config, metric_transformers=self.metric_transformers)
 
     def get_scraper_config(self, instance):

diff --git a/kube_controller_manager/datadog_checks/kube_controller_manager/kube_controller_manager.py b/kube_controller_manager/datadog_checks/kube_controller_manager/kube_controller_manager.py
@@ -142,6 +142,10 @@ def check(self, instance):
         # Get the configuration for this specific instance
         scraper_config = self.get_scraper_config(instance)
 
+        # TODO: load given token path when set
+        token = open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r').read().rstrip()
+        scraper_config['_bearer_token'] = token
+
         # Populate the metric transformers dict
         transformers = {}
         limiters = self.DEFAUT_RATE_LIMITERS + instance.get("extra_limiters", [])

diff --git a/kubelet/datadog_checks/kubelet/kubelet.py b/kubelet/datadog_checks/kubelet/kubelet.py
@@ -344,6 +344,10 @@ def check(self, instance):
         self.process_stats_summary(
             self.pod_list_utils, self.stats, self.instance_tags, self.use_stats_summary_as_source
         )
+        # TODO: load given token path when set
+        token = open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r').read().rstrip()
+        self.cadvisor_scraper_config['_bearer_token'] = token
+        self.kubelet_scraper_config['_bearer_token'] = token
 
         if self.cadvisor_legacy_url:  # Legacy cAdvisor
             self.log.debug('processing legacy cadvisor metrics')