From ef65ff05a91bc49d0bc8474cefe3f5b0c880c4cb Mon Sep 17 00:00:00 2001 From: Gerard de Leeuw Date: Tue, 6 Sep 2022 09:50:14 +0200 Subject: [PATCH] chore: add v0.6.x to metadata, fix metrics service Part of #1070 Signed-off-by: Gerard de Leeuw Signed-off-by: Andrey Smirnov --- .../config/default/kustomization.yaml | 1 + .../default/manager_auth_proxy_patch.yaml | 21 +++++++++++++++++++ .../config/prometheus/monitor.yaml | 1 - .../config/rbac/auth_proxy_service.yaml | 6 +++--- .../config/rbac/kustomization.yaml | 6 +++--- .../config/kustomization.yaml | 14 ++++++------- .../config/manager_auth_proxy_patch.yaml | 21 +++++++++++++++++++ .../config/prometheus/monitor.yaml | 4 ++-- .../config/rbac/auth_proxy_service.yaml | 4 ++-- config/metadata/metadata.yaml | 3 +++ 10 files changed, 63 insertions(+), 18 deletions(-) create mode 100644 app/caps-controller-manager/config/default/manager_auth_proxy_patch.yaml create mode 100644 app/sidero-controller-manager/config/manager_auth_proxy_patch.yaml diff --git a/app/caps-controller-manager/config/default/kustomization.yaml b/app/caps-controller-manager/config/default/kustomization.yaml index 78b9d944f..cd904c0a0 100644 --- a/app/caps-controller-manager/config/default/kustomization.yaml +++ b/app/caps-controller-manager/config/default/kustomization.yaml @@ -14,6 +14,7 @@ bases: - ../manager patchesStrategicMerge: + - manager_auth_proxy_patch.yaml - manager_webhook_patch.yaml - webhookcainjection_patch.yaml diff --git a/app/caps-controller-manager/config/default/manager_auth_proxy_patch.yaml b/app/caps-controller-manager/config/default/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..a49c0574f --- /dev/null +++ b/app/caps-controller-manager/config/default/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,21 @@ +# This patch inject a sidecar container which is an HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https diff --git a/app/caps-controller-manager/config/prometheus/monitor.yaml b/app/caps-controller-manager/config/prometheus/monitor.yaml index 32500acc6..f7a243f53 100644 --- a/app/caps-controller-manager/config/prometheus/monitor.yaml +++ b/app/caps-controller-manager/config/prometheus/monitor.yaml @@ -1,4 +1,3 @@ - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor diff --git a/app/caps-controller-manager/config/rbac/auth_proxy_service.yaml b/app/caps-controller-manager/config/rbac/auth_proxy_service.yaml index 700a86cc9..7b290b306 100644 --- a/app/caps-controller-manager/config/rbac/auth_proxy_service.yaml +++ b/app/caps-controller-manager/config/rbac/auth_proxy_service.yaml @@ -7,8 +7,8 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 - targetPort: https + - name: https + port: 8443 + targetPort: https selector: control-plane: caps-controller-manager diff --git a/app/caps-controller-manager/config/rbac/kustomization.yaml b/app/caps-controller-manager/config/rbac/kustomization.yaml index 290256d13..ec5355864 100644 --- a/app/caps-controller-manager/config/rbac/kustomization.yaml +++ b/app/caps-controller-manager/config/rbac/kustomization.yaml 
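Review bot: `--v=10` in the kube-rbac-proxy args of the new manager_auth_proxy_patch.yaml is debug-level verbosity on a sidecar that handles callers' bearer tokens. At that level the Kubernetes client libraries generally log API request and response bodies, which for the proxy's authentication calls can put token material into the container log. I would lower it to `- "--v=0"` (or another small value) here and in the identical app/sidero-controller-manager/config/manager_auth_proxy_patch.yaml. The image is also referenced by the mutable tag `v0.4.1` rather than a digest; `image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:<digest>` would pin what actually runs next to the controller.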
@@ -6,6 +6,6 @@ resources: # Comment the following 3 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. - # - auth_proxy_service.yaml - # - auth_proxy_role.yaml - # - auth_proxy_role_binding.yaml + - auth_proxy_service.yaml + - auth_proxy_role.yaml + - auth_proxy_role_binding.yaml diff --git a/app/sidero-controller-manager/config/kustomization.yaml b/app/sidero-controller-manager/config/kustomization.yaml index 1875fd3f8..0327245b3 100644 --- a/app/sidero-controller-manager/config/kustomization.yaml +++ b/app/sidero-controller-manager/config/kustomization.yaml @@ -16,13 +16,13 @@ patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # Only one of manager_auth_proxy_patch.yaml and # manager_prometheus_metrics_patch.yaml should be enabled. - #- manager_auth_proxy_patch.yaml - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, uncomment the following line and - # comment manager_auth_proxy_patch.yaml. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. -#- manager_prometheus_metrics_patch.yaml + - manager_auth_proxy_patch.yaml + # If you want your controller-manager to expose the /metrics + # endpoint w/o any authn/z, uncomment the following line and + # comment manager_auth_proxy_patch.yaml. + # Only one of manager_auth_proxy_patch.yaml and + # manager_prometheus_metrics_patch.yaml should be enabled. + #- manager_prometheus_metrics_patch.yaml - manager_webhook_patch.yaml - webhookcainjection_patch.yaml vars: diff --git a/app/sidero-controller-manager/config/manager_auth_proxy_patch.yaml b/app/sidero-controller-manager/config/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..a49c0574f --- /dev/null +++ b/app/sidero-controller-manager/config/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,21 @@ +# This patch inject a sidecar container which is an HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https diff --git a/app/sidero-controller-manager/config/prometheus/monitor.yaml b/app/sidero-controller-manager/config/prometheus/monitor.yaml index 77aff0521..028ccd47e 100644 --- a/app/sidero-controller-manager/config/prometheus/monitor.yaml +++ b/app/sidero-controller-manager/config/prometheus/monitor.yaml @@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: caps-controller-manager + control-plane: sidero-controller-manager name: metrics-monitor namespace: system spec: @@ -11,4 +11,4 @@ spec: - path: /metrics port: https selector: - control-plane: caps-controller-manager + control-plane: sidero-controller-manager diff --git a/app/sidero-controller-manager/config/rbac/auth_proxy_service.yaml b/app/sidero-controller-manager/config/rbac/auth_proxy_service.yaml index 7b290b306..41dcd3c90 100644 --- a/app/sidero-controller-manager/config/rbac/auth_proxy_service.yaml +++ b/app/sidero-controller-manager/config/rbac/auth_proxy_service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: labels: - control-plane: caps-controller-manager + control-plane: sidero-controller-manager name: controller-manager-metrics-service namespace: system spec: @@ -11,4 +11,4 @@ spec: port: 8443 targetPort: https selector: - control-plane: caps-controller-manager + control-plane: sidero-controller-manager 
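Review bot: The new sidero manager_auth_proxy_patch.yaml adds only the proxy container, so `--upstream=http://127.0.0.1:8080/` protects /metrics only if the manager itself binds its metrics listener to loopback. The manager's args are outside this diff; if it listens on all interfaces, port 8080 stays reachable from the pod network without passing the RBAC check. I would add a `manager` container entry to this patch that sets the metrics bind address to `127.0.0.1:8080`, using whatever flag the manager binary defines, and do the same in the caps copy under config/default. The sidecar also has no `securityContext` or `resources` set.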
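Review bot: The ServiceMonitor endpoint in the second hunk of the sidero prometheus/monitor.yaml still consists only of `path: /metrics` and `port: https`, while that port now fronts kube-rbac-proxy, which serves TLS and expects an authenticated caller. Without `scheme: https`, a `bearerTokenFile` (or equivalent authorization setting) and a `tlsConfig`, Prometheus would likely scrape over plain HTTP with no credentials and collect nothing. `selector:` also carries `control-plane: sidero-controller-manager` directly, whereas a ServiceMonitor label selector normally nests it under `matchLabels:`, so it is worth checking that the selector does not end up empty. The caps monitor.yaml probably needs the same treatment, although only its first lines appear in this diff.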
diff --git a/config/metadata/metadata.yaml b/config/metadata/metadata.yaml index 2b919a530..be8a059fe 100644 --- a/config/metadata/metadata.yaml +++ b/config/metadata/metadata.yaml @@ -16,3 +16,6 @@ releaseSeries: - major: 0 minor: 5 contract: v1beta1 + - major: 0 + minor: 6 + contract: v1beta1