diff --git a/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
index bb0f0019343e1b..5e6a60b9736448 100644
--- a/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
+++ b/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
@@ -28,7 +28,7 @@ spec:
 # Allow prometheus scraping from proxy /metrics endpoint
 - ports:
 - protocol: TCP
- port: 9145
+ port: 9500
 from:
 - namespaceSelector:
 matchLabels:
diff --git a/chart/templates/proxy-deployment.yaml b/chart/templates/proxy-deployment.yaml
index a9b28701e02661..b6c975566ef5fb 100644
--- a/chart/templates/proxy-deployment.yaml
+++ b/chart/templates/proxy-deployment.yaml
@@ -51,7 +51,33 @@ spec:
 - -c
 - "sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range='1024 65000'"
 containers:
-{{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
+ # TODO: remove once Caddy can listen only in localhost
+ - name: kube-rbac-proxy
+ args:
+ - --v=10
+ - --logtostderr
+ - --insecure-listen-address=[$(IP)]:9500
+ - --upstream=http://127.0.0.1:9545/
+ env:
+ - name: IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9500
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 1m
+ memory: 30Mi
+ securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 - name: proxy
 image: {{ template "gitpod.comp.imageFull" $this }}
 {{ include "gitpod.container.imagePullPolicy" $this | indent 8 }}
diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile
index ff90675ad1e6f5..2c1bddd4844bfd 100644
--- a/components/proxy/conf/Caddyfile
+++ b/components/proxy/conf/Caddyfile
@@ -131,7 +131,8 @@ respond /ready 200
 }

-localhost:9500 {
+# TODO: refactor once we can listen only in localhost
+:9545 {
 metrics /metrics {
 disable_openmetrics
 }
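Review bot: The comment above the changed `port:` line still says `# Allow prometheus scraping from proxy /metrics endpoint`, but after this commit 9500 is the port of the kube-rbac-proxy sidecar (defined in proxy-deployment.yaml in the same commit), and Caddy's own unauthenticated `/metrics` listener on 9545 is deliberately left out of this allow list; neither fact is visible from the policy file itself. Suggest `# Allow prometheus scraping of /metrics through the kube-rbac-proxy sidecar (9500); Caddy's raw 9545 listener must stay unlisted so scrapes cannot bypass the auth proxy`. The rule's `namespaceSelector` continues past the hunk, so the source namespace restriction could not be checked here.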
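Review bot: `--v=10` in the inlined kube-rbac-proxy args is the maximum klog verbosity and reads like a debugging leftover; at that level klog-based binaries typically emit per-request detail to stderr, so it should come down to a low level such as `--v=2` before this ships to every pod's logs. The listener is plain HTTP (`--insecure-listen-address=[$(IP)]:9500`), so the bearer token Prometheus presents crosses the pod network unencrypted; whether that matches what the removed `gitpod.kube-rbac-proxy` helper did cannot be seen from this hunk, and `--secure-listen-address` with a mounted certificate is the alternative if it did not. The inlined container also pins `quay.io/brancz/kube-rbac-proxy:v0.11.0` with a hard-coded `imagePullPolicy: IfNotPresent` while the proxy container below keeps using the `gitpod.container.imagePullPolicy` include, so the two containers will drift on pull policy. The securityContext is a good start; adding `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` would close the remaining defaults for a sidecar that only needs to open one socket.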
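Review bot: `:9545` with no host part binds Caddy's unauthenticated `/metrics` listener on every interface, so within the pod network the endpoint is reachable on the pod IP directly, bypassing the kube-rbac-proxy sidecar that fronts it via `--upstream=http://127.0.0.1:9545/` in proxy-deployment.yaml; the only thing keeping scrapes on 9500 is the deny-all NetworkPolicy, which holds only where the CNI enforces it. If the constraint behind the TODO is that a `localhost` site address makes Caddy serve the block over its internally issued TLS rather than plain HTTP, a loopback-only plain listener is still available by keeping `:9545` and adding `bind 127.0.0.1` as the first directive of the block, which also matches the upstream address the sidecar already uses. The site block continues past the end of the hunk.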