From d1bf0425e1952e010e7914e7fdcb00c2bd15b834 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt <csibbitt@redhat.com>
Date: Thu, 25 Jul 2024 04:24:21 -0400
Subject: [PATCH] Create our own token for prometheus-stf SA (#623)

* In OCP 4.16, these are no long created by default

See https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html#ocp-4-16-deprecated-features_release-notes (Legacy service account API token secrets are no longer generated for each service account)
---
 .../tasks/component_scrapeconfig.yml          | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/roles/servicetelemetry/tasks/component_scrapeconfig.yml b/roles/servicetelemetry/tasks/component_scrapeconfig.yml
index b05a5ac0..27447226 100644
--- a/roles/servicetelemetry/tasks/component_scrapeconfig.yml
+++ b/roles/servicetelemetry/tasks/component_scrapeconfig.yml
@@ -1,18 +1,15 @@
-- name: Look up prometheus-stf SA to get auth secret name
-  k8s_info:
-    api_version: v1
-    kind: ServiceAccount
-    namespace: '{{ ansible_operator_meta.namespace }}'
-    name: prometheus-stf
-  register: service_account
-
-- name: Look up auth secret to get token secret name
-  k8s_info:
-    api_version: v1
-    kind: Secret
-    namespace: '{{ ansible_operator_meta.namespace }}'
-    name: '{{ service_account.resources[0].secrets[0].name }}'
-  register: auth_secret
+- name: Create an access token for prometheus-stf to use in scrapeconfigs
+  k8s:
+    state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}'
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: prometheus-stf-token
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        annotations:
+          kubernetes.io/service-account.name: prometheus-stf
+      type: kubernetes.io/service-account-token
 
 - name: Create SG-specific Scrape Config manifest
   set_fact:
@@ -28,7 +25,7 @@
         authorization:
           type: bearer
           credentials:
-            name: '{{ auth_secret.resources[0].metadata.annotations['openshift.io/token-secret.name'] }}'
+            name: prometheus-stf-token
             key: token
         metricRelabelings:
           - action: labeldrop