
Commit 4d591de

Remove kube-rbac-proxy in favour of native metrics authentication (#170)
1 parent 3090b36 commit 4d591de

23 files changed

+356
-196
lines changed
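--- a/config/certmanager/certificate-metrics.yaml
+++ b/config/certmanager/certificate-metrics.yaml
@@ -0,0 +1,20 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: openshift-upgrade-controller
+    app.kubernetes.io/managed-by: kustomize
+  name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+  # replacements in the config/default/kustomization.yaml file.
+  dnsNames:
+    - SERVICE_NAME.SERVICE_NAMESPACE.svc
+    - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: metrics-server-cert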
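Review bot: The comment on the `name: metrics-certs` line points readers to the wrong file: kustomizeconfig.yaml only teaches kustomize that `spec/issuerRef/name` is a name reference to an Issuer, whereas `metrics-certs` is the name the `replacements` in config/default/kustomization.yaml select (`kind: Certificate`, `name: metrics-certs`) to fill in the two dnsNames. Suggest `name: metrics-certs # must match the Certificate selected by the replacements in config/default/kustomization.yaml`. The second header line also reads oddly; `# More documentation can be found at https://docs.cert-manager.io` would do.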

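--- a/config/certmanager/issuer.yaml
+++ b/config/certmanager/issuer.yaml
@@ -0,0 +1,13 @@
+# The following manifest contains a self-signed issuer CR.
+# More information can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/name: openshift-upgrade-controller
+    app.kubernetes.io/managed-by: kustomize
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}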

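--- a/config/certmanager/kustomization.yaml
+++ b/config/certmanager/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- issuer.yaml
+- certificate-metrics.yaml
+
+configurations:
+- kustomizeconfig.yaml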
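--- a/config/certmanager/kustomizeconfig.yaml
+++ b/config/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,8 @@
+# This configuration is for teaching kustomize how to update name ref substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name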
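--- a/config/default/cert_metrics_manager_patch.yaml
+++ b/config/default/cert_metrics_manager_patch.yaml
@@ -0,0 +1,30 @@
+# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs.
+
+# Add the volumeMount for the metrics-server certs
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    mountPath: /tmp/k8s-metrics-server/metrics-certs
+    name: metrics-certs
+    readOnly: true
+
+# Add the --metrics-cert-path argument for the metrics server
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
+
+# Add the metrics-server certs volume configuration
+- op: add
+  path: /spec/template/spec/volumes/-
+  value:
+    name: metrics-certs
+    secret:
+      secretName: metrics-server-cert
+      optional: false
+      items:
+        - key: ca.crt
+          path: ca.crt
+        - key: tls.crt
+          path: tls.crt
+        - key: tls.key
+          path: tls.key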
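Review bot: The header comment says the patch adds args, volumes, and ports, but no port entry is added anywhere in the file — the container gets the mount, the `--metrics-cert-path` flag and the Secret volume only, while the Service in config/default/metrics_service.yaml reaches the listener by the numeric `targetPort: 8443`. Either drop the word from the comment, `# This patch adds the args and volumes to allow the manager to use the metrics-server certs.`, or add a `containerPort: 8443` entry so the exposed port is declared on the Deployment. The `readOnly: true` mount and `optional: false` Secret are the right choices for key material: a missing certificate then blocks the Pod instead of letting the manager start without it.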

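--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -16,56 +16,75 @@ bases:
 # - ../crd
 - ../rbac
 - ../manager
+- ../certmanager
 - ../prometheus
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- metrics_service.yaml
 
-patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+patches:
+- path: cert_metrics_manager_patch.yaml
+  target:
+    kind: Deployment
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment
 
+replacements:
+  - source: # Uncomment the following block to enable certificates for metrics
+      kind: Service
+      version: v1
+      name: controller-manager-metrics-service
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: metrics-certs
+        fieldPaths:
+          - spec.dnsNames.0
+          - spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+      - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
 
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-# objref:
-# kind: Certificate
-# group: cert-manager.io
-# version: v1
-# name: serving-cert # this name should match the one in certificate.yaml
-# fieldref:
-# fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-# objref:
-# kind: Certificate
-# group: cert-manager.io
-# version: v1
-# name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-# objref:
-# kind: Service
-# version: v1
-# name: webhook-service
-# fieldref:
-# fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-# objref:
-# kind: Service
-# version: v1
-# name: webhook-service
+  - source:
+      kind: Service
+      version: v1
+      name: controller-manager-metrics-service
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: metrics-certs
+        fieldPaths:
+          - spec.dnsNames.0
+          - spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 1
+          create: true
+      - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 1
+          create: true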
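Review bot: The inline comments on the first `source:` and on both ServiceMonitor `select:` entries still say "Uncomment the following ..." although every block they annotate is already active; they read as scaffold leftovers and suggest an optional step that no longer exists. Suggest `- source: # Service name feeds the Certificate dnsNames and the ServiceMonitor serverName` for the first source, `- select: # sets the TLS serverName on the Prometheus ServiceMonitor` for the two ServiceMonitor targets, and a matching namespace wording on the second source. Worth noting in a comment as well that these replacements assume both `../certmanager` and `../prometheus` stay in `resources:` above, since the Certificate and ServiceMonitor they select come from those bases.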

config/default/manager_auth_proxy_patch.yaml

Lines changed: 0 additions & 55 deletions
This file was deleted.

config/default/manager_config_patch.yaml

Lines changed: 0 additions & 10 deletions
This file was deleted.
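--- a/config/default/manager_metrics_patch.yaml
+++ b/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443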
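Review bot: Moving the listener to `:8443` and (via the sibling cert patch) serving TLS gives confidentiality, but nothing in the manifests shown enforces authentication or authorization on the endpoint: the commit deletes config/rbac/auth_proxy_role.yaml and its binding, which presumably carried the TokenReview/SubjectAccessReview permissions the proxy relied on, and this chunk shows neither an equivalent grant for the controller-manager ServiceAccount nor the manager flag that turns the native authn/authz filter on. If those live in the files not shown here (main.go, config/rbac/kustomization.yaml), say so in the header: `# Requires the manager to enable the metrics authn/authz filter and RBAC allowing TokenReview/SubjectAccessReview creation`. As a style point, this patch inserts at `args/0` while cert_metrics_manager_patch.yaml appends with `args/-`; using `path: /spec/template/spec/containers/0/args/-` here too keeps the result independent of patch order and of other patches touching args.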

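--- a/config/rbac/auth_proxy_service.yaml
+++ b/config/default/metrics_service.yaml
@@ -3,11 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: service
-    app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: openshift-upgrade-controller
-    app.kubernetes.io/part-of: openshift-upgrade-controller
+    app.kubernetes.io/name: openshift-upgrade-controller
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
@@ -16,6 +12,6 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
     control-plane: controller-manager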

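--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -74,5 +74,7 @@ spec:
           requests:
             cpu: 10m
             memory: 32Mi
+        volumeMounts: []
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
+      volumes: []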
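Review bot: The two new empty arrays carry no comment saying why they exist; a reader or a later cleanup could drop `volumeMounts: []` and `volumes: []` as noise, after which the `add` operations on `/volumeMounts/-` and `/volumes/-` in config/default/cert_metrics_manager_patch.yaml fail, because a JSON patch append with `-` needs the array to already exist. Suggest `volumeMounts: [] # kept empty so config/default patches can append with /volumeMounts/-` and the matching comment on `volumes: []`. The enclosing container and Pod spec start outside the hunk.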

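--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
@@ -1,2 +1,7 @@
 resources:
 - monitor.yaml
+
+patches:
+- path: monitor_tls_patch.yaml
+  target:
+    kind: ServiceMonitor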
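--- a/config/prometheus/monitor_tls_patch.yaml
+++ b/config/prometheus/monitor_tls_patch.yaml
@@ -0,0 +1,19 @@
+# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
+# using certificates managed by cert-manager
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key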
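Review bot: The `cert` and `keySecret` entries hand the scraper the metrics server's own key pair — Prometheus loads `tls.key` from metrics-server-cert as its client key, so the serving private key ends up copied into the monitoring stack for no gain: with native metrics authentication the client is identified by its bearer token, not by a client certificate, and nothing shown configures the server to request one. Unless the manager is set up for mTLS, keep only `serverName`, `insecureSkipVerify: false` and the `ca` block and drop the `cert`/`keySecret` entries, which also removes the need to grant Prometheus read access to the private key. Two things cannot be verified from this chunk and deserve a comment: `op: replace` fails if monitor.yaml has no existing `tlsConfig` on endpoint 0, and prometheus-operator resolves `tlsConfig` Secret references in the ServiceMonitor's own namespace, so the Secret must be deployed alongside the ServiceMonitor and be readable by the Prometheus instance.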

config/rbac/auth_proxy_client_clusterrole.yaml

Lines changed: 0 additions & 16 deletions
This file was deleted.

config/rbac/auth_proxy_role.yaml

Lines changed: 0 additions & 24 deletions
This file was deleted.

config/rbac/auth_proxy_role_binding.yaml

Lines changed: 0 additions & 19 deletions
This file was deleted.
