Merge pull request #1030 from grafana-operator/remove-rbac-proxy

Remove rbac proxy
grafana · May 4, 2023 · 0f0239f · 0f0239f
2 parents 8ec3fa0 + 54a8fc1
commit 0f0239f
Show file tree

Hide file tree

Showing 20 changed files with 116 additions and 220 deletions.
diff --git a/bundle/manifests/grafana-operator-operator-metrics-service_v1_service.yaml b/bundle/manifests/grafana-operator-operator-metrics-service_v1_service.yaml
@@ -7,10 +7,10 @@ metadata:
   name: grafana-operator-operator-metrics-service
 spec:
   ports:
-  - name: https
+  - name: metrics
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: metrics
   selector:
     control-plane: controller-manager
 status:

diff --git a/bundle/manifests/grafana-operator.clusterserviceversion.yaml b/bundle/manifests/grafana-operator.clusterserviceversion.yaml
@@ -295,18 +295,6 @@ spec:
           - list
           - update
           - watch
-        - apiGroups:
-          - authentication.k8s.io
-          resources:
-          - tokenreviews
-          verbs:
-          - create
-        - apiGroups:
-          - authorization.k8s.io
-          resources:
-          - subjectaccessreviews
-          verbs:
-          - create
         serviceAccountName: grafana-operator-controller-manager
       deployments:
       - label:
@@ -325,6 +313,8 @@ spec:
             spec:
               containers:
               - args:
+                - --health-probe-bind-address=:8081
+                - --metrics-bind-address=0.0.0.0:9090
                 - --leader-elect
                 env:
                 - name: WATCH_NAMESPACE
@@ -340,6 +330,10 @@ spec:
                   initialDelaySeconds: 15
                   periodSeconds: 20
                 name: manager
+                ports:
+                - containerPort: 9090
+                  name: metrics
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz

diff --git a/bundle/manifests/grafana.integreatly.org_grafanadashboards.yaml b/bundle/manifests/grafana.integreatly.org_grafanadashboards.yaml
@@ -44,6 +44,15 @@ spec:
                 type: array
               folder:
                 type: string
+              grafanaCom:
+                properties:
+                  id:
+                    type: integer
+                  revision:
+                    type: integer
+                required:
+                - id
+                type: object
               gzipJson:
                 format: byte
                 type: string
@@ -108,6 +117,11 @@ spec:
                 type: string
               hash:
                 type: string
+              lastResync:
+                format: date-time
+                type: string
+              uid:
+                type: string
             type: object
         type: object
     served: true

diff --git a/bundle/manifests/grafana.integreatly.org_grafanas.yaml b/bundle/manifests/grafana.integreatly.org_grafanas.yaml
@@ -116,6 +116,15 @@ spec:
                       template:
                         properties:
                           metadata:
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
                             type: object
                           spec:
                             properties:

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -24,6 +24,10 @@ bases:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
+resources:
+# Add metrics service
+  - metrics_service.yaml
+
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/rbac/auth_proxy_service.yaml → config/default/metrics_service.yaml b/config/rbac/auth_proxy_service.yaml → config/default/metrics_service.yaml
@@ -7,9 +7,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
+    - name: metrics
+      port: 8443
+      protocol: TCP
+      targetPort: metrics
   selector:
     control-plane: controller-manager
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -25,36 +25,42 @@ spec:
       securityContext:
         runAsNonRoot: true
       containers:
-      - args:
-        - --leader-elect
-        image: controller:latest
-        name: manager
-        imagePullPolicy: Always
-        securityContext:
-          allowPrivilegeEscalation: false
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8081
-          initialDelaySeconds: 15
-          periodSeconds: 20
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8081
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        resources:
-          limits:
-            cpu: 200m
-            memory: 100Mi
-          requests:
-            cpu: 100m
-            memory: 20Mi
-        env:
-          - name: WATCH_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.annotations['olm.targetNamespaces']
+        - args:
+            - --health-probe-bind-address=:8081
+            - --metrics-bind-address=0.0.0.0:9090
+            - --leader-elect
+          image: controller:latest
+          name: manager
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+          ports:
+            - containerPort: 9090
+              protocol: TCP
+              name: metrics
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 200m
+              memory: 100Mi
+            requests:
+              cpu: 100m
+              memory: 20Mi
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.annotations['olm.targetNamespaces']
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -9,10 +9,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
diff --git a/deploy/helm/grafana-operator/README.md b/deploy/helm/grafana-operator/README.md
@@ -41,18 +41,9 @@ It's easier to just manage this configuration outside of the operator.
 | image.repository | string | `"ghcr.io/grafana-operator/grafana-operator"` | grafana operator image repository |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | image pull secrets |
-| kubeRbacProxy.args | list | `["--secure-listen-address=0.0.0.0:8443","--upstream=http://127.0.0.1:8080/","--logtostderr=true","--v=10"]` | kubeRbacProxy container args |
-| kubeRbacProxy.enabled | bool | `true` | enable kuberRbacProxy |
-| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use in kubeRbacProxy container |
-| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | The image repository to use in kubeRbacProxy container |
-| kubeRbacProxy.image.tag | string | `"v0.8.0"` | The image tag to use in kubeRbacProxy container |
-| kubeRbacProxy.livenessProbe | object | `{}` | kubeRbacProxy liveness probe |
-| kubeRbacProxy.readinessProbe | object | `{}` | kubeRbacProxy readyness probe |
-| kubeRbacProxy.resources | object | `{}` | kubeRbacProxy resources |
-| kubeRbacProxy.securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | kubeRbacProxy securityContext |
-| kubeRbacProxy.service.port | int | `8443` | kubeRbacProxy service port |
-| kubeRbacProxy.service.type | string | `"ClusterIP"` | kubeRbacProxy service type |
 | leaderElect | bool | `false` | If you want to run multiple replicas of the grafana-operator, this is not recommended. |
+| metricsService.metricsPort | int | `9090` | metrics service port |
+| metricsService.type | string | `"ClusterIP"` | metrics service type |
 | nameOverride | string | `""` |  |
 | namespaceScope | bool | `false` | If the operator should run in namespace-scope or not, if true the operator will only be able to manage instances in the same namespace |
 | nodeSelector | object | `{}` | pod node selector |

diff --git a/deploy/helm/grafana-operator/templates/deployment.yaml b/deploy/helm/grafana-operator/templates/deployment.yaml
@@ -44,10 +44,14 @@ spec:
               {{- end }}
           args:
             - --health-probe-bind-address=:8081
-            - --metrics-bind-address=127.0.0.1:8080
+            - --metrics-bind-address=0.0.0.0:{{ .Values.metricsService.metricsPort }}
             {{- if .Values.leaderElect }}
             - --leader-elect
             {{- end }}
+          ports:
+            - containerPort: {{ .Values.metricsService.metricsPort }}
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
@@ -60,35 +64,6 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-        {{- if .Values.kubeRbacProxy.enabled }}
-        - name: kube-rbac-proxy
-          {{- with .Values.kubeRbacProxy.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag }}"
-          imagePullPolicy: {{ .Values.kubeRbacProxy.imagePullPolicy }}
-          {{- with .Values.kubeRbacProxy.args }}
-          args:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          ports:
-            - containerPort: {{ .Values.kubeRbacProxy.service.port }}
-              name: metrics
-              protocol: TCP
-          {{- with .Values.kubeRbacProxy.livenessProbe }}
-          livenessProbe:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.kubeRbacProxy.readinessProbe }}
-          readinessProbe:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.kubeRbacProxy.resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/deploy/helm/grafana-operator/templates/service.yaml b/deploy/helm/grafana-operator/templates/service.yaml
@@ -5,11 +5,11 @@ metadata:
   labels:
     {{- include "grafana-operator.labels" . | nindent 4 }}
 spec:
-  type: {{ .Values.kubeRbacProxy.service.type }}
+  type: {{ .Values.metricsService.type }}
   ports:
-    - port: {{ .Values.kubeRbacProxy.service.port }}
+    - port: {{ .Values.metricsService.metricsPort }}
       targetPort: metrics
       protocol: TCP
-      name: https
+      name: metrics
   selector:
     {{- include "grafana-operator.selectorLabels" . | nindent 4 }}