From 17a2e879500ebb65a5ed5c56bff3c7ca4e0ea446 Mon Sep 17 00:00:00 2001 
From: ushabelgur Date: Tue, 4 Feb 2025 11:46:30 +0530 Subject: [PATCH 1/5] drop usage of kube-rbac-proxy and adapt to authn/authz --- cmd/apinetlet/main.go | 58 +++++++++++++++++-- cmd/controller-manager/main.go | 57 ++++++++++++++++-- cmd/metalnetlet/main.go | 55 ++++++++++++++++-- config/apinetlet/default/kustomization.yaml | 2 +- ..._patch.yaml => manager_metrics_patch.yaml} | 12 +--- config/apinetlet/rbac/kustomization.yaml | 17 +++--- .../rbac/metrics_auth_role.yaml} | 2 +- .../rbac/metrics_auth_role_binding.yaml} | 4 +- ...sterrole.yaml => metrics_reader_role.yaml} | 0 .../rbac/metrics_service.yaml} | 3 +- config/controller/default/kustomization.yaml | 2 +- ..._patch.yaml => manager_metrics_patch.yaml} | 12 +--- config/controller/rbac/kustomization.yaml | 17 +++--- .../rbac/metrics_auth_role.yaml} | 2 +- .../rbac/metrics_auth_role_binding.yaml} | 4 +- ...sterrole.yaml => metrics_reader_role.yaml} | 0 ...roxy_service.yaml => metrics_service.yaml} | 3 +- config/metalnetlet/default/kustomization.yaml | 2 +- ..._patch.yaml => manager_metrics_patch.yaml} | 12 +--- config/metalnetlet/rbac/kustomization.yaml | 17 +++--- ...proxy_role.yaml => metrics_auth_role.yaml} | 2 +- .../rbac/metrics_auth_role_binding.yaml} | 4 +- ...sterrole.yaml => metrics_reader_role.yaml} | 0 .../rbac/metrics_service.yaml} | 3 +- 24 files changed, 204 insertions(+), 86 deletions(-) rename config/apinetlet/default/{manager_auth_proxy_patch.yaml => manager_metrics_patch.yaml} (54%) rename config/{controller/rbac/auth_proxy_role.yaml => apinetlet/rbac/metrics_auth_role.yaml} (90%) rename config/{metalnetlet/rbac/auth_proxy_role_binding.yaml => apinetlet/rbac/metrics_auth_role_binding.yaml} (79%) rename config/apinetlet/rbac/{auth_proxy_client_clusterrole.yaml => metrics_reader_role.yaml} (100%) rename config/{metalnetlet/rbac/auth_proxy_service.yaml => apinetlet/rbac/metrics_service.yaml} (86%) rename config/controller/default/{manager_auth_proxy_patch.yaml => manager_metrics_patch.yaml} (54%) 
rename config/{apinetlet/rbac/auth_proxy_role.yaml => controller/rbac/metrics_auth_role.yaml} (90%) rename config/{apinetlet/rbac/auth_proxy_role_binding.yaml => controller/rbac/metrics_auth_role_binding.yaml} (79%) rename config/controller/rbac/{auth_proxy_client_clusterrole.yaml => metrics_reader_role.yaml} (100%) rename config/controller/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (86%) rename config/metalnetlet/default/{manager_auth_proxy_patch.yaml => manager_metrics_patch.yaml} (54%) rename config/metalnetlet/rbac/{auth_proxy_role.yaml => metrics_auth_role.yaml} (90%) rename config/{controller/rbac/auth_proxy_role_binding.yaml => metalnetlet/rbac/metrics_auth_role_binding.yaml} (79%) rename config/metalnetlet/rbac/{auth_proxy_client_clusterrole.yaml => metrics_reader_role.yaml} (100%) rename config/{apinetlet/rbac/auth_proxy_service.yaml => metalnetlet/rbac/metrics_service.yaml} (86%) diff --git a/cmd/apinetlet/main.go b/cmd/apinetlet/main.go index 62a637bf..348b3c9c 100644 --- a/cmd/apinetlet/main.go +++ b/cmd/apinetlet/main.go @@ -4,6 +4,7 @@ package main import ( + "crypto/tls" "errors" goflag "flag" "fmt" @@ -32,6 +33,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" //+kubebuilder:scaffold:imports ) @@ -57,6 +59,8 @@ func init() { func main() { var metricsAddr string + var secureMetrics bool + var enableHTTP2 bool var enableLeaderElection bool var probeAddr string 
@@ -67,8 +71,14 @@ func main() { var watchNamespace string var watchFilterValue string - - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + var tlsOpts []func(*tls.Config) + + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ 
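Review bot: The help for `--metrics-secure` should say what is lost when it is turned off: the authn/authz filter is only installed under `if secureMetrics` later in this file, so `--metrics-secure=false --metrics-bind-address=:8080` serves /metrics in plain text to anyone who can reach the pod. Suggested text: `"If set, the metrics endpoint is served over HTTPS and protected by Kubernetes authn/authz. Use --metrics-secure=false to serve plain HTTP with no authentication (not for production)."`. The `--enable-http2` help also promises coverage of the webhook server, but this hunk only declares `tlsOpts`; if a webhook server is configured outside the hunk it needs the same `TLSOpts`, otherwise the text overclaims.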
@@ -122,11 +132,47 @@ func main() { watchNamespace: {}, } } + + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. 
+ } + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - }, + Scheme: scheme, + Metrics: metricsServerOptions, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "fa89daf5.apinetlet.apinet.ironcore.dev", diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go index caf3b658..8901a31c 100644 --- a/cmd/controller-manager/main.go +++ b/cmd/controller-manager/main.go @@ -4,6 +4,7 @@ package main import ( + "crypto/tls" goflag "flag" "os" @@ -17,6 +18,7 @@ import ( "github.com/ironcore-dev/ironcore-net/utils/expectations" flag "github.com/spf13/pflag" "k8s.io/utils/lru" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) @@ -47,10 +49,18 @@ func init() { func main() { var metricsAddr string + var secureMetrics bool + var enableHTTP2 bool var enableLeaderElection bool var probeAddr string - - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + var tlsOpts []func(*tls.Config) + + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ 
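Review bot: The new comments in this apinetlet hunk point at another component's manifests — `config/default/kustomization.yaml` and `config/controller/rbac/kustomization.yaml` — while the RBAC that grants this binary its TokenReview/SubjectAccessReview rights lives under `config/apinetlet/rbac/kustomization.yaml` and the bind address is set in `config/apinetlet/default/manager_metrics_patch.yaml`; a maintainer following the comment would edit the controller's RBAC and leave apinetlet's metrics auth untouched. Replace both paths with the apinetlet ones. Note also that `disableHTTP2` only restricts ALPN on the TLS config, so with `--metrics-secure=false` it is a no-op, and the help string should not imply otherwise. The `ctrl.Options` literal continues past the end of this hunk.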
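Review bot: The `--enable-http2` help says HTTP/2 is controlled "for the metrics and webhook servers", but the only consumer of `tlsOpts` visible in this file is `metricsServerOptions.TLSOpts` in the following hunk. If this manager registers a webhook server outside these hunks, it should be built with `webhook.NewServer(webhook.Options{TLSOpts: tlsOpts})` so the Rapid Reset mitigation actually covers it; if it has no webhooks, drop "and webhook servers" from the help string so operators do not assume coverage that is not there.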
@@ -72,11 +82,46 @@ func main() { os.Exit(1) } + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. 
+ } + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - }, + Scheme: scheme, + Metrics: metricsServerOptions, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "ff142330.apinet.ironcore.dev", diff --git a/cmd/metalnetlet/main.go b/cmd/metalnetlet/main.go index 543aec99..a46a4757 100644 --- a/cmd/metalnetlet/main.go +++ b/cmd/metalnetlet/main.go @@ -4,6 +4,7 @@ package main import ( + "crypto/tls" goflag "flag" "fmt" "os" @@ -17,6 +18,7 @@ import ( flag "github.com/spf13/pflag" corev1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/cluster" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) @@ -51,6 +53,8 @@ func main() { var nodeLabels map[string]string var metricsAddr string + var secureMetrics bool + var enableHTTP2 bool var enableLeaderElection bool var probeAddr string 
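Review bot: When `--metrics-secure=false` is passed, `FilterProvider` is never set, so a non-zero `--metrics-bind-address` serves /metrics over plain HTTP with no authentication and nothing in the startup log records that. A one-line notice makes the degraded mode visible during incident review: `if !secureMetrics && metricsAddr != "0" { setupLog.Info("metrics endpoint is served over plain HTTP without authn/authz", "address", metricsAddr) }`. The `disableHTTP2` option is attached only to the TLS config, so it has no effect in that mode either. The `ctrl.Options` literal continues past the end of this hunk.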
@@ -58,10 +62,16 @@ func main() { var metalnetKubeconfig string var metalnetNamespace string var disableNetworkPeering bool + var tlsOpts []func(*tls.Config) flag.StringVar(&name, "name", "", "The name of the partition the metalnetlet represents (required).") flag.StringToStringVar(&nodeLabels, "node-label", nodeLabels, "Additional labels to add to the nodes.") - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ 
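Review bot: The `--metrics-secure` help presents `--metrics-secure=false` as merely "use HTTP instead", but in this file the authn/authz filter is only installed under `if secureMetrics`, so the flag also removes all access control from /metrics. Say so in the help, e.g. `"If set, the metrics endpoint is served over HTTPS and protected by Kubernetes authn/authz. Use --metrics-secure=false to serve plain HTTP with no authentication (not for production)."`.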
@@ -103,11 +113,46 @@ func main() { os.Exit(1) } + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. 
+ } + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - }, + Scheme: scheme, + Metrics: metricsServerOptions, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "bf12dae0.metalnetlet.apinet.ironcore.dev", diff --git a/config/apinetlet/default/kustomization.yaml b/config/apinetlet/default/kustomization.yaml index 89d784af..53253e5b 100644 --- a/config/apinetlet/default/kustomization.yaml +++ b/config/apinetlet/default/kustomization.yaml @@ -27,7 +27,7 @@ patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +- path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type diff --git a/config/apinetlet/default/manager_auth_proxy_patch.yaml b/config/apinetlet/default/manager_metrics_patch.yaml similarity index 54% rename from config/apinetlet/default/manager_auth_proxy_patch.yaml rename to config/apinetlet/default/manager_metrics_patch.yaml index a224be19..4d8d38d5 100644 --- a/config/apinetlet/default/manager_auth_proxy_patch.yaml +++ b/config/apinetlet/default/manager_metrics_patch.yaml @@ -9,18 +9,8 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https - name: manager args: - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" + - "--metrics-bind-address=:8443" - "--leader-elect" diff --git a/config/apinetlet/rbac/kustomization.yaml b/config/apinetlet/rbac/kustomization.yaml index 731832a6..7c492b46 100644 
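Review bot: The comments added in this metalnetlet hunk reference `config/default/kustomization.yaml` and `config/controller/rbac/kustomization.yaml`, but the RBAC that lets this binary perform TokenReview/SubjectAccessReview is `config/metalnetlet/rbac/kustomization.yaml` and its bind address comes from `config/metalnetlet/default/manager_metrics_patch.yaml`; pointing at the controller's files sends a maintainer to the wrong ClusterRole. Replace both paths with the metalnetlet ones. Since `FilterProvider` is only set under `if secureMetrics`, it would also help to log when the endpoint is served unauthenticated: `if !secureMetrics && metricsAddr != "0" { setupLog.Info("metrics endpoint is served over plain HTTP without authn/authz", "address", metricsAddr) }`. The `ctrl.Options` literal continues past the end of this hunk.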
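Review bot: The comment kept above the renamed patch line is now misleading: `manager_metrics_patch.yaml` only sets `--metrics-bind-address=:8443` and no longer carries the auth proxy, so commenting the line out leaves the flag at its default `0` and disables metrics entirely rather than exposing them "w/o any authn/z". Authn/authz is now enforced inside the manager and switched off only by `--metrics-secure=false`. Suggested wording: `# Expose the metrics endpoint on :8443. Authn/authz is enforced by the manager itself; add --metrics-secure=false to the patch to serve it unauthenticated.` — unless a later commit in this series rewrites this file, which the PATCH 2/5 diffstat suggests.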
--- a/config/apinetlet/rbac/kustomization.yaml +++ b/config/apinetlet/rbac/kustomization.yaml @@ -9,10 +9,13 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_service.yaml +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml diff --git a/config/controller/rbac/auth_proxy_role.yaml b/config/apinetlet/rbac/metrics_auth_role.yaml similarity index 90% rename from config/controller/rbac/auth_proxy_role.yaml rename to config/apinetlet/rbac/metrics_auth_role.yaml index 80e1857c..32d2e4ec 100644 --- a/config/controller/rbac/auth_proxy_role.yaml +++ b/config/apinetlet/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-auth-role rules: - apiGroups: - authentication.k8s.io diff --git a/config/metalnetlet/rbac/auth_proxy_role_binding.yaml b/config/apinetlet/rbac/metrics_auth_role_binding.yaml similarity index 79% rename from config/metalnetlet/rbac/auth_proxy_role_binding.yaml rename to config/apinetlet/rbac/metrics_auth_role_binding.yaml index ec7acc0a..e775d67f 100644 --- a/config/metalnetlet/rbac/auth_proxy_role_binding.yaml +++ b/config/apinetlet/rbac/metrics_auth_role_binding.yaml 
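Review bot: The new comment tells the reader to comment out these resources "to disable this protection", but that is not what happens: the manager keeps running `filters.WithAuthenticationAndAuthorization`, and without `metrics_auth_role`/`metrics_auth_role_binding` (its rules show `authentication.k8s.io`, presumably TokenReview/SubjectAccessReview create) its service account can no longer validate callers, so every scrape fails instead of becoming unauthenticated. Protection is disabled only via `--metrics-secure=false` on the manager, and `metrics_reader_role.yaml` is what a scraper's service account must be bound to. Suggested wording: `# Removing these does not disable the protection; it breaks it. Pass --metrics-secure=false to the manager to serve metrics unauthenticated.`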
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/config/apinetlet/rbac/auth_proxy_client_clusterrole.yaml b/config/apinetlet/rbac/metrics_reader_role.yaml similarity index 100% rename from config/apinetlet/rbac/auth_proxy_client_clusterrole.yaml rename to config/apinetlet/rbac/metrics_reader_role.yaml diff --git a/config/metalnetlet/rbac/auth_proxy_service.yaml b/config/apinetlet/rbac/metrics_service.yaml similarity index 86% rename from config/metalnetlet/rbac/auth_proxy_service.yaml rename to config/apinetlet/rbac/metrics_service.yaml index 6cf656be..a2514509 100644 --- a/config/metalnetlet/rbac/auth_proxy_service.yaml +++ b/config/apinetlet/rbac/metrics_service.yaml @@ -9,6 +9,7 @@ spec: ports: - name: https port: 8443 - targetPort: https + protocol: TCP + targetPort: 8443 selector: control-plane: controller-manager diff --git a/config/controller/default/kustomization.yaml b/config/controller/default/kustomization.yaml index 86795b69..a6951177 100644 --- a/config/controller/default/kustomization.yaml +++ b/config/controller/default/kustomization.yaml @@ -27,7 +27,7 @@ patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - - path: manager_auth_proxy_patch.yaml + - path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type 
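Review bot: The retained comment above `manager_metrics_patch.yaml` still claims that commenting the line out exposes /metrics without authn/z, but the patch now only sets `--metrics-bind-address=:8443`; removing it leaves the flag at its default `0`, which disables the endpoint entirely. The auth check now lives in the manager and is turned off only with `--metrics-secure=false`. Suggested wording: `# Expose the metrics endpoint on :8443; authn/authz is enforced by the manager (use --metrics-secure=false to serve it unauthenticated).`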
diff --git a/config/controller/default/manager_auth_proxy_patch.yaml b/config/controller/default/manager_metrics_patch.yaml similarity index 54% rename from config/controller/default/manager_auth_proxy_patch.yaml rename to config/controller/default/manager_metrics_patch.yaml index a224be19..4d8d38d5 100644 --- a/config/controller/default/manager_auth_proxy_patch.yaml +++ b/config/controller/default/manager_metrics_patch.yaml @@ -9,18 +9,8 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https - name: manager args: - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" + - "--metrics-bind-address=:8443" - "--leader-elect" diff --git a/config/controller/rbac/kustomization.yaml b/config/controller/rbac/kustomization.yaml index 731832a6..061d130d 100644 --- a/config/controller/rbac/kustomization.yaml +++ b/config/controller/rbac/kustomization.yaml 
@@ -9,10 +9,13 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_service.yaml +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml \ No newline at end of file diff --git a/config/apinetlet/rbac/auth_proxy_role.yaml b/config/controller/rbac/metrics_auth_role.yaml similarity index 90% rename from config/apinetlet/rbac/auth_proxy_role.yaml rename to config/controller/rbac/metrics_auth_role.yaml index 80e1857c..32d2e4ec 100644 --- a/config/apinetlet/rbac/auth_proxy_role.yaml +++ b/config/controller/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-auth-role rules: - apiGroups: - authentication.k8s.io diff --git a/config/apinetlet/rbac/auth_proxy_role_binding.yaml b/config/controller/rbac/metrics_auth_role_binding.yaml similarity index 79% rename from config/apinetlet/rbac/auth_proxy_role_binding.yaml rename to config/controller/rbac/metrics_auth_role_binding.yaml index ec7acc0a..e775d67f 100644 --- a/config/apinetlet/rbac/auth_proxy_role_binding.yaml +++ b/config/controller/rbac/metrics_auth_role_binding.yaml 
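Review bot: "Comment the following permissions if you want to disable this protection" is wrong in a way that bites at 3 a.m.: the manager still wraps /metrics with `filters.WithAuthenticationAndAuthorization`, so dropping `metrics_auth_role`/`metrics_auth_role_binding` removes the TokenReview/SubjectAccessReview rights it needs and every scrape fails with an authorization error rather than succeeding unauthenticated. The only switch that disables the protection is `--metrics-secure=false` on the manager. Suggested wording: `# Removing these does not disable the protection; it breaks it. Pass --metrics-secure=false to the manager to serve metrics unauthenticated.`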
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/config/controller/rbac/auth_proxy_client_clusterrole.yaml b/config/controller/rbac/metrics_reader_role.yaml similarity index 100% rename from config/controller/rbac/auth_proxy_client_clusterrole.yaml rename to config/controller/rbac/metrics_reader_role.yaml diff --git a/config/controller/rbac/auth_proxy_service.yaml b/config/controller/rbac/metrics_service.yaml similarity index 86% rename from config/controller/rbac/auth_proxy_service.yaml rename to config/controller/rbac/metrics_service.yaml index 6cf656be..a2514509 100644 --- a/config/controller/rbac/auth_proxy_service.yaml +++ b/config/controller/rbac/metrics_service.yaml @@ -9,6 +9,7 @@ spec: ports: - name: https port: 8443 - targetPort: https + protocol: TCP + targetPort: 8443 selector: control-plane: controller-manager diff --git a/config/metalnetlet/default/kustomization.yaml b/config/metalnetlet/default/kustomization.yaml index 4ddf2252..8e633f78 100644 --- a/config/metalnetlet/default/kustomization.yaml +++ b/config/metalnetlet/default/kustomization.yaml @@ -27,7 +27,7 @@ patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +- path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type 
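Review bot: The comment kept above the renamed patch line no longer matches the patch: `manager_metrics_patch.yaml` just sets `--metrics-bind-address=:8443`, so commenting it out disables metrics (default `0`) rather than serving them "w/o any authn/z". Authn/authz is now enforced in the manager and disabled only by `--metrics-secure=false`. Suggested wording: `# Expose the metrics endpoint on :8443; authn/authz is enforced by the manager (use --metrics-secure=false to serve it unauthenticated).`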
diff --git a/config/metalnetlet/default/manager_auth_proxy_patch.yaml b/config/metalnetlet/default/manager_metrics_patch.yaml similarity index 54% rename from config/metalnetlet/default/manager_auth_proxy_patch.yaml rename to config/metalnetlet/default/manager_metrics_patch.yaml index a224be19..4d8d38d5 100644 --- a/config/metalnetlet/default/manager_auth_proxy_patch.yaml +++ b/config/metalnetlet/default/manager_metrics_patch.yaml @@ -9,18 +9,8 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https - name: manager args: - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" + - "--metrics-bind-address=:8443" - "--leader-elect" diff --git a/config/metalnetlet/rbac/kustomization.yaml b/config/metalnetlet/rbac/kustomization.yaml index 731832a6..7c492b46 100644 --- a/config/metalnetlet/rbac/kustomization.yaml +++ b/config/metalnetlet/rbac/kustomization.yaml @@ -9,10 +9,13 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_service.yaml +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml 
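Review bot: The comment's advice to comment out these resources "to disable this protection" does the opposite: the manager keeps enforcing `filters.WithAuthenticationAndAuthorization`, and without `metrics_auth_role`/`metrics_auth_role_binding` its service account loses the rights to create TokenReviews/SubjectAccessReviews, so scrapes fail rather than becoming unauthenticated. The protection is disabled only with `--metrics-secure=false` on the manager. Suggested wording: `# Removing these does not disable the protection; it breaks it. Pass --metrics-secure=false to the manager to serve metrics unauthenticated.`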
diff --git a/config/metalnetlet/rbac/auth_proxy_role.yaml b/config/metalnetlet/rbac/metrics_auth_role.yaml similarity index 90% rename from config/metalnetlet/rbac/auth_proxy_role.yaml rename to config/metalnetlet/rbac/metrics_auth_role.yaml index 80e1857c..32d2e4ec 100644 --- a/config/metalnetlet/rbac/auth_proxy_role.yaml +++ b/config/metalnetlet/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-auth-role rules: - apiGroups: - authentication.k8s.io diff --git a/config/controller/rbac/auth_proxy_role_binding.yaml b/config/metalnetlet/rbac/metrics_auth_role_binding.yaml similarity index 79% rename from config/controller/rbac/auth_proxy_role_binding.yaml rename to config/metalnetlet/rbac/metrics_auth_role_binding.yaml index ec7acc0a..e775d67f 100644 --- a/config/controller/rbac/auth_proxy_role_binding.yaml +++ b/config/metalnetlet/rbac/metrics_auth_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/config/metalnetlet/rbac/auth_proxy_client_clusterrole.yaml b/config/metalnetlet/rbac/metrics_reader_role.yaml similarity index 100% rename from config/metalnetlet/rbac/auth_proxy_client_clusterrole.yaml rename to config/metalnetlet/rbac/metrics_reader_role.yaml diff --git a/config/apinetlet/rbac/auth_proxy_service.yaml b/config/metalnetlet/rbac/metrics_service.yaml similarity index 86% rename from config/apinetlet/rbac/auth_proxy_service.yaml rename to config/metalnetlet/rbac/metrics_service.yaml index 6cf656be..a2514509 100644 --- a/config/apinetlet/rbac/auth_proxy_service.yaml +++ b/config/metalnetlet/rbac/metrics_service.yaml 
@@ -9,6 +9,7 @@ spec: ports: - name: https port: 8443 - targetPort: https + protocol: TCP + targetPort: 8443 selector: control-plane: controller-manager From d75e10f50ecd005fbbda2739a7ae7d7f04944e86 Mon Sep 17 00:00:00 2001 
From: ushabelgur Date: Fri, 14 Feb 2025 12:07:35 +0530 Subject: [PATCH 2/5] add cert-manager integration for metrics endpoint --- cmd/apinetlet/main.go | 47 +++- cmd/controller-manager/main.go | 50 +++- cmd/metalnetlet/main.go | 49 +++- .../certmanager/certificate-metrics.yaml | 24 ++ .../apinetlet/certmanager/kustomization.yaml | 5 + .../certmanager/kustomizeconfig.yaml | 16 ++ .../default/cert_metrics_manager_patch.yaml | 30 +++ config/apinetlet/default/kustomization.yaml | 244 ++++++++++-------- .../default/manager_metrics_patch.yaml | 20 +- config/apinetlet/manager/manager.yaml | 3 + .../apinetlet/prometheus/kustomization.yaml | 9 + config/apinetlet/prometheus/monitor.yaml | 7 +- .../prometheus/monitor_tls_patch.yaml | 22 ++ .../certmanager/certificate-metrics.yaml | 24 ++ .../controller/certmanager/kustomization.yaml | 5 + .../certmanager/kustomizeconfig.yaml | 16 ++ .../default/cert_metrics_manager_patch.yaml | 30 +++ config/controller/default/kustomization.yaml | 242 +++++++++-------- .../default/manager_metrics_patch.yaml | 20 +- config/controller/manager/manager.yaml | 3 + .../controller/prometheus/kustomization.yaml | 9 + config/controller/prometheus/monitor.yaml | 7 +- .../prometheus/monitor_tls_patch.yaml | 22 ++ .../certmanager/certificate-metrics.yaml | 24 ++ .../certmanager/kustomization.yaml | 5 + .../certmanager/kustomizeconfig.yaml | 16 ++ .../default/cert_metrics_manager_patch.yaml | 30 +++ config/metalnetlet/default/kustomization.yaml | 242 +++++++++-------- .../default/manager_metrics_patch.yaml | 20 +- config/metalnetlet/manager/manager.yaml | 3 + .../metalnetlet/prometheus/kustomization.yaml | 9 + config/metalnetlet/prometheus/monitor.yaml | 7 +- .../prometheus/monitor_tls_patch.yaml | 22 ++ 33 files changed, 892 insertions(+), 390 deletions(-) create mode 100644 config/apinetlet/certmanager/certificate-metrics.yaml create mode 100644 config/apinetlet/certmanager/kustomization.yaml create mode 100644 
config/apinetlet/certmanager/kustomizeconfig.yaml create mode 100644 config/apinetlet/default/cert_metrics_manager_patch.yaml create mode 100644 config/apinetlet/prometheus/monitor_tls_patch.yaml create mode 100644 config/controller/certmanager/certificate-metrics.yaml create mode 100644 config/controller/certmanager/kustomization.yaml create mode 100644 config/controller/certmanager/kustomizeconfig.yaml create mode 100644 config/controller/default/cert_metrics_manager_patch.yaml create mode 100644 config/controller/prometheus/monitor_tls_patch.yaml create mode 100644 config/metalnetlet/certmanager/certificate-metrics.yaml create mode 100644 config/metalnetlet/certmanager/kustomization.yaml create mode 100644 config/metalnetlet/certmanager/kustomizeconfig.yaml create mode 100644 config/metalnetlet/default/cert_metrics_manager_patch.yaml create mode 100644 config/metalnetlet/prometheus/monitor_tls_patch.yaml diff --git a/cmd/apinetlet/main.go b/cmd/apinetlet/main.go index 348b3c9c..e5a4e1cb 100644 --- a/cmd/apinetlet/main.go +++ b/cmd/apinetlet/main.go @@ -9,6 +9,7 @@ import ( goflag "flag" "fmt" "os" + "path/filepath" ironcorenetv1alpha1 "github.com/ironcore-dev/ironcore-net/api/core/v1alpha1" apinetletclient "github.com/ironcore-dev/ironcore-net/apinetlet/client" @@ -30,6 +31,7 @@ import ( _ "k8s.io/client-go/plugin/pkg/client/auth" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/cache" + "sigs.k8s.io/controller-runtime/pkg/certwatcher" "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" @@ -60,6 +62,7 @@ func init() { func main() { var metricsAddr string var secureMetrics bool + var metricsCertPath, metricsCertName, metricsCertKey string var enableHTTP2 bool var enableLeaderElection bool var probeAddr string 
@@ -77,6 +80,10 @@ func main() { "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", + "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") 
@@ -164,10 +171,36 @@ func main() { // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + } + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/controller/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/controller/prometheus/kustomization.yaml for TLS certification. + + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + var err error + metricsCertWatcher, err = certwatcher.New( + filepath.Join(metricsCertPath, metricsCertName), + filepath.Join(metricsCertPath, metricsCertKey), + ) + if err != nil { + setupLog.Error(err, "to initialize metrics certificate watcher", "error", err) + os.Exit(1) + } - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. 
+ metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(cfg, ctrl.Options{ @@ -288,6 +321,14 @@ func main() { os.Exit(1) } + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go index 8901a31c..8aada562 100644 --- a/cmd/controller-manager/main.go +++ b/cmd/controller-manager/main.go @@ -7,6 +7,7 @@ import ( "crypto/tls" goflag "flag" "os" + "path/filepath" "github.com/ironcore-dev/controller-utils/configutils" ironcorenetv1alpha1 "github.com/ironcore-dev/ironcore-net/api/core/v1alpha1" @@ -18,6 +19,7 @@ import ( "github.com/ironcore-dev/ironcore-net/utils/expectations" flag "github.com/spf13/pflag" "k8s.io/utils/lru" + "sigs.k8s.io/controller-runtime/pkg/certwatcher" "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" @@ -50,6 +52,7 @@ func init() { func main() { var metricsAddr string var secureMetrics bool + var metricsCertPath, metricsCertName, metricsCertKey string var enableHTTP2 bool var enableLeaderElection bool var probeAddr string 
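Review bot: `setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)` in the certwatcher.New error branch drops the verb and records err twice — logr's Error already carries the error, so the trailing `"error", err` is redundant; `setupLog.Error(err, "unable to initialize metrics certificate watcher")` matches the wording of the `unable to add metrics certificate watcher to manager` message added a few hunks down. The same line is copied verbatim into the cmd/controller-manager/main.go and cmd/metalnetlet/main.go hunks. The new TODO comments in this file point at config/controller/default/kustomization.yaml and config/controller/prometheus/kustomization.yaml although this patch adds the cert-manager and prometheus overlays for this binary under config/apinetlet/ (the controller-manager hunk cites config/prometheus/kustomization.yaml, which is not in the diffstat); the same controller-relative paths recur in the metalnetlet hunk and in the config/apinetlet prometheus/kustomization.yaml and monitor.yaml hunks. As far as the hunk shows, the watcher and the GetCertificate TLS option are wired even when `--metrics-secure=false`, where the TLS options presumably never apply, so a line such as `setupLog.Info("metrics-cert-path is set but metrics are served over plain HTTP; certificate will not be used")` inside the `len(metricsCertPath) > 0` branch would surface that misconfiguration instead of leaving it silent. main's body continues outside the hunk.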
@@ -59,6 +62,10 @@ func main() { "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", + "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") @@ -97,7 +104,7 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } - // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // Metrics endpoint is enabled in 'config/controller/default/kustomization.yaml'. The Metrics options configure the server. // More info: // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server // - https://book.kubebuilder.io/reference/metrics.html 
@@ -113,10 +120,37 @@ func main() { // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + } - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/controller/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. 
+ + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + var err error + metricsCertWatcher, err = certwatcher.New( + filepath.Join(metricsCertPath, metricsCertName), + filepath.Join(metricsCertPath, metricsCertKey), + ) + if err != nil { + setupLog.Error(err, "to initialize metrics certificate watcher", "error", err) + os.Exit(1) + } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(cfg, ctrl.Options{ @@ -225,6 +259,14 @@ func main() { os.Exit(1) } + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) diff --git a/cmd/metalnetlet/main.go b/cmd/metalnetlet/main.go index a46a4757..6e7473b2 100644 --- a/cmd/metalnetlet/main.go +++ b/cmd/metalnetlet/main.go @@ -8,6 +8,7 @@ import ( goflag "flag" "fmt" "os" + "path/filepath" "github.com/ironcore-dev/controller-utils/configutils" "github.com/ironcore-dev/ironcore-net/api/core/v1alpha1" @@ -17,6 +18,7 @@ import ( metalnetv1alpha1 "github.com/ironcore-dev/metalnet/api/v1alpha1" flag "github.com/spf13/pflag" corev1 "k8s.io/api/core/v1" + "sigs.k8s.io/controller-runtime/pkg/certwatcher" "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" 
@@ -54,6 +56,7 @@ func main() { var metricsAddr string var secureMetrics bool + var metricsCertPath, metricsCertName, metricsCertKey string var enableHTTP2 bool var enableLeaderElection bool var probeAddr string @@ -70,6 +73,10 @@ func main() { "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", + "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") 
@@ -144,10 +151,36 @@ func main() { // can access the metrics endpoint. The RBAC are configured in 'config/controller/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + } + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/controller/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/controller/prometheus/kustomization.yaml for TLS certification. 
+ + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + var err error + metricsCertWatcher, err = certwatcher.New( + filepath.Join(metricsCertPath, metricsCertName), + filepath.Join(metricsCertPath, metricsCertKey), + ) + if err != nil { + setupLog.Error(err, "to initialize metrics certificate watcher", "error", err) + os.Exit(1) + } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(cfg, ctrl.Options{ @@ -221,6 +254,14 @@ func main() { os.Exit(1) } + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) diff --git a/config/apinetlet/certmanager/certificate-metrics.yaml b/config/apinetlet/certmanager/certificate-metrics.yaml new file mode 100644 index 00000000..935fc252 --- /dev/null +++ b/config/apinetlet/certmanager/certificate-metrics.yaml 
@@ -0,0 +1,24 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: { } +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/apinetlet/certmanager/kustomization.yaml b/config/apinetlet/certmanager/kustomization.yaml new file mode 100644 index 00000000..622d85da --- /dev/null +++ b/config/apinetlet/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate-metrics.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/apinetlet/certmanager/kustomizeconfig.yaml b/config/apinetlet/certmanager/kustomizeconfig.yaml new file mode 100644 index 00000000..90d7c313 --- /dev/null +++ b/config/apinetlet/certmanager/kustomizeconfig.yaml @@ -0,0 +1,16 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames 
diff --git a/config/apinetlet/default/cert_metrics_manager_patch.yaml b/config/apinetlet/default/cert_metrics_manager_patch.yaml new file mode 100644 index 00000000..676e78d4 --- /dev/null +++ b/config/apinetlet/default/cert_metrics_manager_patch.yaml @@ -0,0 +1,30 @@ +# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs. + +# Add the volumeMount for the metrics-server certs +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + +# Add the --metrics-cert-path argument for the metrics server +- op: add + path: /spec/template/spec/containers/0/args/- + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + +# Add the metrics-server certs volume configuration +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert + optional: false + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key \ No newline at end of file diff --git a/config/apinetlet/default/kustomization.yaml b/config/apinetlet/default/kustomization.yaml index 53253e5b..fb2bd198 100644 --- a/config/apinetlet/default/kustomization.yaml +++ b/config/apinetlet/default/kustomization.yaml 
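Review bot: The header comment says the patch "adds the args, volumes, and ports", but the three ops only add a volumeMount, an argument and a volume — no port is touched; `# This patch adds the args and volumes that let the manager use the metrics-server certs.` describes what is actually here. The volume projects `ca.crt` although nothing in the Go hunks reads it (only `tls.crt`/`tls.key` are joined onto `--metrics-cert-path`), and because the secret is `optional: false` with an explicit item list, an issuer that does not populate `ca.crt` would presumably fail the mount; either drop that item or add a one-line comment saying why it is mounted. The identical file is added under config/controller and config/metalnetlet.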
@@ -19,124 +19,148 @@ resources: # crd/kustomization.yaml #- ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager +# - ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics - path: manager_metrics_patch.yaml + target: + kind: Deployment + +# Uncomment the patches line if you enable Metrics and CertManager +# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. +# This patch will protect the metrics with certManager self-signed certs. +# - path: cert_metrics_manager_patch.yaml +# target: +# kind: Deployment # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml +# - manager_webhook_patch.yaml +# - webhookcainjection_patch.yaml -# replacement once webhooks are enabled -#replacements: -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' 
-# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-manager CA injection annotations +# replacements: +# - source: # Uncomment the following block to enable certificates for metrics +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' 
+# index: 1 +# create: true +# +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true diff --git a/config/apinetlet/default/manager_metrics_patch.yaml b/config/apinetlet/default/manager_metrics_patch.yaml index 4d8d38d5..187e2d2b 100644 --- a/config/apinetlet/default/manager_metrics_patch.yaml +++ b/config/apinetlet/default/manager_metrics_patch.yaml 
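Review bot: The commented METRICS-WITH-CERTS replacements select the source Service by `name: controller-manager-metrics-service`, but the apinetlet metrics Service (renamed to metrics_service.yaml in patch 1/5) is not visible here, so whether that name matches cannot be confirmed from this diff; if it does not, the `$(SERVICE_NAME).$(SERVICE_NAMESPACE).svc` dnsNames in certificate-metrics.yaml are never substituted and the cert-manager Certificate would be issued for the wrong names, or kustomize would presumably fail on the missing source. A comment such as `# name must match metadata.name in ../rbac/metrics_service.yaml` next to the source block would make the coupling explicit. The same replacements block is duplicated in the config/controller and config/metalnetlet kustomization hunks.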
@@ -1,16 +1,4 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=:8443" - - "--leader-elect" +# This patch adds an argument to the manager container to enable the metrics endpoint over HTTPS. +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/config/apinetlet/manager/manager.yaml b/config/apinetlet/manager/manager.yaml index 45c15733..d6242d4b 100644 --- a/config/apinetlet/manager/manager.yaml +++ b/config/apinetlet/manager/manager.yaml @@ -30,6 +30,7 @@ spec: - command: - /manager args: + - --health-probe-bind-address=:8081 - --leader-elect image: apinetlet:latest name: manager @@ -54,5 +55,7 @@ spec: requests: cpu: 100m memory: 20Mi + volumeMounts: [] + volumes: [] serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/apinetlet/prometheus/kustomization.yaml b/config/apinetlet/prometheus/kustomization.yaml index ed137168..0a8d2d6d 100644 --- a/config/apinetlet/prometheus/kustomization.yaml +++ b/config/apinetlet/prometheus/kustomization.yaml @@ -1,2 +1,11 @@ resources: - monitor.yaml + +# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus +# to securely reference certificates created and managed by cert-manager. +# Additionally, ensure that you uncomment the [METRICS-WITH-CERTS] patch under config/controller/default/kustomization.yaml +# to mount the "metrics-server-cert" secret in the Manager Deployment. +# patches: +# - path: monitor_tls_patch.yaml +# target: +# kind: ServiceMonitor 
diff --git a/config/apinetlet/prometheus/monitor.yaml b/config/apinetlet/prometheus/monitor.yaml index d19136ae..431f3e7c 100644 --- a/config/apinetlet/prometheus/monitor.yaml +++ b/config/apinetlet/prometheus/monitor.yaml @@ -10,10 +10,15 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/controller/prometheus/monitor_tls_patch.yaml, + # which securely references the certificate from the 'metrics-server-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/config/apinetlet/prometheus/monitor_tls_patch.yaml b/config/apinetlet/prometheus/monitor_tls_patch.yaml new file mode 100644 index 00000000..ad510d51 --- /dev/null +++ b/config/apinetlet/prometheus/monitor_tls_patch.yaml @@ -0,0 +1,22 @@ +# Patch for Prometheus ServiceMonitor to enable secure TLS configuration +# using certificates managed by cert-manager +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - tlsConfig: + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key \ No newline at end of file diff --git a/config/controller/certmanager/certificate-metrics.yaml b/config/controller/certmanager/certificate-metrics.yaml new file mode 100644 index 00000000..935fc252 
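Review bot: monitor_tls_patch.yaml hands Prometheus the metrics server's own serving private key as a client credential (`keySecret: name: metrics-server-cert, key: tls.key` plus the matching `cert` entry), although the endpoint authenticates scrapes with the `bearerTokenFile` already present in monitor.yaml and nothing in the Go hunks enables client-certificate verification. Only the `ca` reference is needed to turn `insecureSkipVerify` off; dropping `cert` and `keySecret` keeps the patch to what verification requires and avoids copying the serving key into a second workload. The ServiceMonitor and the Certificate's secret both sit in namespace `system`, so the Prometheus Operator presumably needs read access to that secret there — worth a comment in the patch. The same file is added under config/controller and config/metalnetlet.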
--- /dev/null +++ b/config/controller/certmanager/certificate-metrics.yaml @@ -0,0 +1,24 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: { } +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/controller/certmanager/kustomization.yaml b/config/controller/certmanager/kustomization.yaml new file mode 100644 index 00000000..622d85da --- /dev/null +++ b/config/controller/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate-metrics.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/controller/certmanager/kustomizeconfig.yaml b/config/controller/certmanager/kustomizeconfig.yaml new file mode 100644 index 00000000..90d7c313 --- /dev/null +++ b/config/controller/certmanager/kustomizeconfig.yaml @@ -0,0 +1,16 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames 
diff --git a/config/controller/default/cert_metrics_manager_patch.yaml b/config/controller/default/cert_metrics_manager_patch.yaml new file mode 100644 index 00000000..676e78d4 --- /dev/null +++ b/config/controller/default/cert_metrics_manager_patch.yaml @@ -0,0 +1,30 @@ +# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs. + +# Add the volumeMount for the metrics-server certs +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + +# Add the --metrics-cert-path argument for the metrics server +- op: add + path: /spec/template/spec/containers/0/args/- + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + +# Add the metrics-server certs volume configuration +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert + optional: false + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key \ No newline at end of file diff --git a/config/controller/default/kustomization.yaml b/config/controller/default/kustomization.yaml index a6951177..c3e9f349 100644 --- a/config/controller/default/kustomization.yaml +++ b/config/controller/default/kustomization.yaml 
@@ -19,124 +19,148 @@ resources: # crd/kustomization.yaml #- ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager +# - ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. - - path: manager_metrics_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment +# Uncomment the patches line if you enable Metrics and CertManager +# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. +# This patch will protect the metrics with certManager self-signed certs. +# - path: cert_metrics_manager_patch.yaml +# target: +# kind: Deployment # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml #- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml -# replacement once webhooks are enabled -#replacements: -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' 
-# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-manager CA injection annotations +# replacements: +# - source: # Uncomment the following block to enable certificates for metrics +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true + +# - source: +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' 
+# index: 1 +# create: true +# +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true \ No newline at end of file diff --git a/config/controller/default/manager_metrics_patch.yaml b/config/controller/default/manager_metrics_patch.yaml index 4d8d38d5..187e2d2b 100644 --- a/config/controller/default/manager_metrics_patch.yaml +++ b/config/controller/default/manager_metrics_patch.yaml 
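Review bot: The rewritten `replacements` scaffold drops the `CustomResourceDefinition` targets for `cert-manager.io/inject-ca-from` that the removed block carried under both the namespace and name sources; if any CRD in this project serves a conversion webhook, uncommenting the new block will leave its caBundle uninjected, and if the drop is intentional a comment such as `# CRD CA-injection targets removed: no conversion webhooks are served` would keep the next reader from re-adding them. The metrics-with-certs path is now spread over three independently commented blocks (`../certmanager` under resources, `cert_metrics_manager_patch.yaml` under patches, and the first two `replacements` sources) that only work together; the `[METRICS-WITH-CERTS]` comment should state that all three must be enabled at once, because enabling `../certmanager` alone issues a certificate with the unsubstituted placeholder dnsNames. The metalnetlet default/kustomization.yaml hunk later in the patch repeats the same rewrite and gets the same note.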
@@ -1,16 +1,4 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=:8443" - - "--leader-elect" +# This patch adds an argument to the manager container to enable the metrics endpoint over HTTPS. +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/config/controller/manager/manager.yaml b/config/controller/manager/manager.yaml index 4bac1db4..b77d17ee 100644 --- a/config/controller/manager/manager.yaml +++ b/config/controller/manager/manager.yaml @@ -30,6 +30,7 @@ spec: - command: - /manager args: + - --health-probe-bind-address=:8081 - --leader-elect image: controller:latest name: manager @@ -54,5 +55,7 @@ spec: requests: cpu: 100m memory: 20Mi + volumeMounts: [] + volumes: [] serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/controller/prometheus/kustomization.yaml b/config/controller/prometheus/kustomization.yaml index ed137168..0a8d2d6d 100644 --- a/config/controller/prometheus/kustomization.yaml +++ b/config/controller/prometheus/kustomization.yaml @@ -1,2 +1,11 @@ resources: - monitor.yaml + +# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus +# to securely reference certificates created and managed by cert-manager. +# Additionally, ensure that you uncomment the [METRICS-WITH-CERTS] patch under config/controller/default/kustomization.yaml +# to mount the "metrics-server-cert" secret in the Manager Deployment. +# patches: +# - path: monitor_tls_patch.yaml +# target: +# kind: ServiceMonitor 
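Review bot: The new `volumeMounts: []` and `volumes: []` in manager.yaml exist only so the JSON-pointer `/-` append paths in cert_metrics_manager_patch.yaml can resolve, and nothing says so; writing them as `volumeMounts: [] # must exist: cert_metrics_manager_patch.yaml appends with a "/-" path` (and the same on `volumes`) keeps a later cleanup from deleting them and silently breaking the optional patch. In manager_metrics_patch.yaml the strategic-merge Deployment that pinned `--health-probe-bind-address`, `--metrics-bind-address` and `--leader-elect` together is replaced by a single `add` at `args/0`, so the probe address now comes only from the base manager.yaml and the patch assumes `args` already exists — worth one line in its comment. The commit title says kube-rbac-proxy is replaced by in-process authn/authz, but none of the manifests in this section show that the `:8443` listener is protected; I assume that lives in the cmd/*/main.go changes outside this view, and the `[METRICS]` comment should say so explicitly so the YAML is not read as exposing unauthenticated metrics. The metalnetlet copies of these files later in the patch have the same shape.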
diff --git a/config/controller/prometheus/monitor.yaml b/config/controller/prometheus/monitor.yaml index d19136ae..431f3e7c 100644 --- a/config/controller/prometheus/monitor.yaml +++ b/config/controller/prometheus/monitor.yaml @@ -10,10 +10,15 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/controller/prometheus/monitor_tls_patch.yaml, + # which securely references the certificate from the 'metrics-server-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/config/controller/prometheus/monitor_tls_patch.yaml b/config/controller/prometheus/monitor_tls_patch.yaml new file mode 100644 index 00000000..ad510d51 --- /dev/null +++ b/config/controller/prometheus/monitor_tls_patch.yaml @@ -0,0 +1,22 @@ +# Patch for Prometheus ServiceMonitor to enable secure TLS configuration +# using certificates managed by cert-manager +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - tlsConfig: + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key \ No newline at end of file diff --git a/config/metalnetlet/certmanager/certificate-metrics.yaml b/config/metalnetlet/certmanager/certificate-metrics.yaml new file mode 100644 index 00000000..935fc252 
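Review bot: monitor_tls_patch.yaml turns on verification with `insecureSkipVerify: false` but sets no `serverName`, while the Certificate from the certmanager section only carries `<service>.<namespace>.svc[.cluster.local]` SANs; Prometheus scrapes the Endpoints addresses (pod IPs), so I would expect hostname verification to fail the moment someone enables this patch — add `serverName: <METRICS_SERVICE_NAME>.<NAMESPACE>.svc` (placeholder; use the prefixed service name) under tlsConfig. The patch also hands Prometheus the server's own `tls.key` as a client key, although the endpoint is already authenticated via `bearerTokenFile`; unless the manager requires mTLS (not visible here), the `cert` and `keySecret` entries only spread the serving private key to another workload and can be dropped, keeping `ca` alone. The metalnetlet monitor.yaml and monitor_tls_patch.yaml later in the patch are identical and get the same note.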
--- /dev/null +++ b/config/metalnetlet/certmanager/certificate-metrics.yaml @@ -0,0 +1,24 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: { } +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/metalnetlet/certmanager/kustomization.yaml b/config/metalnetlet/certmanager/kustomization.yaml new file mode 100644 index 00000000..622d85da --- /dev/null +++ b/config/metalnetlet/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate-metrics.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/metalnetlet/certmanager/kustomizeconfig.yaml b/config/metalnetlet/certmanager/kustomizeconfig.yaml new file mode 100644 index 00000000..90d7c313 --- /dev/null +++ b/config/metalnetlet/certmanager/kustomizeconfig.yaml @@ -0,0 +1,16 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames 
diff --git a/config/metalnetlet/default/cert_metrics_manager_patch.yaml b/config/metalnetlet/default/cert_metrics_manager_patch.yaml new file mode 100644 index 00000000..676e78d4 --- /dev/null +++ b/config/metalnetlet/default/cert_metrics_manager_patch.yaml @@ -0,0 +1,30 @@ +# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs. + +# Add the volumeMount for the metrics-server certs +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + +# Add the --metrics-cert-path argument for the metrics server +- op: add + path: /spec/template/spec/containers/0/args/- + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + +# Add the metrics-server certs volume configuration +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert + optional: false + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key \ No newline at end of file diff --git a/config/metalnetlet/default/kustomization.yaml b/config/metalnetlet/default/kustomization.yaml index 8e633f78..7fc69d9a 100644 --- a/config/metalnetlet/default/kustomization.yaml +++ b/config/metalnetlet/default/kustomization.yaml 
@@ -24,119 +24,143 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics - path: manager_metrics_patch.yaml + target: + kind: Deployment + +# Uncomment the patches line if you enable Metrics and CertManager +# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. +# This patch will protect the metrics with certManager self-signed certs. +# - path: cert_metrics_manager_patch.yaml +# target: +# kind: Deployment # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml +# - manager_webhook_patch.yaml +# - webhookcainjection_patch.yaml -# replacement once webhooks are enabled -#replacements: -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' 
-# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-manager CA injection annotations +# replacements: +# - source: # Uncomment the following block to enable certificates for metrics +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-cert +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' 
+# index: 1 +# create: true +# +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true diff --git a/config/metalnetlet/default/manager_metrics_patch.yaml b/config/metalnetlet/default/manager_metrics_patch.yaml index 4d8d38d5..daee1828 100644 --- a/config/metalnetlet/default/manager_metrics_patch.yaml +++ b/config/metalnetlet/default/manager_metrics_patch.yaml 
@@ -1,16 +1,4 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=:8443" - - "--leader-elect" +# This patch adds an argument to the manager container to enable the metrics endpoint over HTTPS. +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 \ No newline at end of file diff --git a/config/metalnetlet/manager/manager.yaml b/config/metalnetlet/manager/manager.yaml index dd0e15a2..e16a0a94 100644 --- a/config/metalnetlet/manager/manager.yaml +++ b/config/metalnetlet/manager/manager.yaml @@ -30,6 +30,7 @@ spec: - command: - /manager args: + - --health-probe-bind-address=:8081 - --leader-elect image: metalnetlet:latest name: manager @@ -54,5 +55,7 @@ spec: requests: cpu: 100m memory: 20Mi + volumeMounts: [] + volumes: [] serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/metalnetlet/prometheus/kustomization.yaml b/config/metalnetlet/prometheus/kustomization.yaml index ed137168..0a8d2d6d 100644 --- a/config/metalnetlet/prometheus/kustomization.yaml +++ b/config/metalnetlet/prometheus/kustomization.yaml @@ -1,2 +1,11 @@ resources: - monitor.yaml + +# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus +# to securely reference certificates created and managed by cert-manager. +# Additionally, ensure that you uncomment the [METRICS-WITH-CERTS] patch under config/controller/default/kustomization.yaml +# to mount the "metrics-server-cert" secret in the Manager Deployment. +# patches: +# - path: monitor_tls_patch.yaml +# target: +# kind: ServiceMonitor 
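Review bot: The `[PROMETHEUS-WITH-CERTS]` comment in config/metalnetlet/prometheus/kustomization.yaml tells the user to uncomment the `[METRICS-WITH-CERTS]` patch under `config/controller/default/kustomization.yaml`, which is the controller's overlay, not metalnetlet's; the path should read `config/metalnetlet/default/kustomization.yaml`, otherwise following the instructions mounts the secret into the wrong Deployment and leaves metalnetlet serving metrics without its certificate. This looks like a verbatim copy of the controller variant; the rest of the section matches it.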
diff --git a/config/metalnetlet/prometheus/monitor.yaml b/config/metalnetlet/prometheus/monitor.yaml index d19136ae..431f3e7c 100644 --- a/config/metalnetlet/prometheus/monitor.yaml +++ b/config/metalnetlet/prometheus/monitor.yaml @@ -10,10 +10,15 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/controller/prometheus/monitor_tls_patch.yaml, + # which securely references the certificate from the 'metrics-server-cert' secret. insecureSkipVerify: true selector: matchLabels: diff --git a/config/metalnetlet/prometheus/monitor_tls_patch.yaml b/config/metalnetlet/prometheus/monitor_tls_patch.yaml new file mode 100644 index 00000000..ad510d51 --- /dev/null +++ b/config/metalnetlet/prometheus/monitor_tls_patch.yaml @@ -0,0 +1,22 @@ +# Patch for Prometheus ServiceMonitor to enable secure TLS configuration +# using certificates managed by cert-manager +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - tlsConfig: + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key \ No newline at end of file From 5f417e2b3b26eca92048ab54d717a1493f7c9ab6 Mon Sep 17 00:00:00 2001 
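Review bot: The TODO in config/metalnetlet/prometheus/monitor.yaml points at `config/controller/prometheus/monitor_tls_patch.yaml`, but the patch for this ServiceMonitor is the one added in this same section, `config/metalnetlet/prometheus/monitor_tls_patch.yaml`; fix the path so the metalnetlet operator does not apply the controller's patch by mistake. The metalnetlet monitor_tls_patch.yaml also patches `name: controller-manager-metrics-monitor`, the same metadata.name as the controller variant, which is correct only if the metalnetlet ServiceMonitor base (not in this hunk) uses that name under its own namePrefix — worth confirming. The missing `serverName` and the shared server private key noted on the controller copy apply here unchanged.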
From: ushabelgur Date: Fri, 14 Feb 2025 13:40:24 +0530 Subject: [PATCH 3/5] refactoring --- config/apinetlet/certmanager/certificate-metrics.yaml | 6 +++--- config/apinetlet/default/kustomization.yaml | 6 ++++-- config/controller/certmanager/certificate-metrics.yaml | 6 +++--- config/controller/default/kustomization.yaml | 6 ++++-- config/metalnetlet/certmanager/certificate-metrics.yaml | 6 +++--- config/metalnetlet/default/kustomization.yaml | 6 ++++-- 6 files changed, 21 insertions(+), 15 deletions(-) diff --git a/config/apinetlet/certmanager/certificate-metrics.yaml b/config/apinetlet/certmanager/certificate-metrics.yaml index 935fc252..9fe7870c 100644 --- a/config/apinetlet/certmanager/certificate-metrics.yaml +++ b/config/apinetlet/certmanager/certificate-metrics.yaml @@ -14,10 +14,10 @@ kind: Certificate metadata: name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system -spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize +spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer diff --git a/config/apinetlet/default/kustomization.yaml b/config/apinetlet/default/kustomization.yaml index fb2bd198..fa8073e0 100644 --- a/config/apinetlet/default/kustomization.yaml +++ b/config/apinetlet/default/kustomization.yaml @@ -9,8 +9,10 @@ namespace: apinetlet-system namePrefix: apinetlet- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue resources: - ../rbac diff --git a/config/controller/certmanager/certificate-metrics.yaml b/config/controller/certmanager/certificate-metrics.yaml index 935fc252..9fe7870c 100644 
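Review bot: Changing the dnsNames to the bare `SERVICE_NAME.SERVICE_NAMESPACE.svc` form makes the placeholder a syntactically valid DNS name, so if `../certmanager` is enabled while the `replacements` in default/kustomization.yaml stay commented, cert-manager will presumably issue a certificate for the literal placeholder host and the misconfiguration only surfaces as a TLS name mismatch at scrape time, whereas the previous `$(SERVICE_NAME)` value would likely have been rejected as an invalid DNS name. I would extend the spec comment to `# SERVICE_NAME and SERVICE_NAMESPACE are placeholders filled by the replacements in ../default/kustomization.yaml; enable those together with this resource`. The controller and metalnetlet certificate-metrics.yaml hunks that follow make the same change and get the same note.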
--- a/config/controller/certmanager/certificate-metrics.yaml +++ b/config/controller/certmanager/certificate-metrics.yaml @@ -14,10 +14,10 @@ kind: Certificate metadata: name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system -spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize +spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer diff --git a/config/controller/default/kustomization.yaml b/config/controller/default/kustomization.yaml index c3e9f349..ac1b74ca 100644 --- a/config/controller/default/kustomization.yaml +++ b/config/controller/default/kustomization.yaml @@ -9,8 +9,10 @@ namespace: ironcore-net-system namePrefix: ironcore-net- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue resources: - ../rbac diff --git a/config/metalnetlet/certmanager/certificate-metrics.yaml b/config/metalnetlet/certmanager/certificate-metrics.yaml index 935fc252..9fe7870c 100644 --- a/config/metalnetlet/certmanager/certificate-metrics.yaml +++ b/config/metalnetlet/certmanager/certificate-metrics.yaml 
@@ -14,10 +14,10 @@ kind: Certificate metadata: name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system -spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize +spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer diff --git a/config/metalnetlet/default/kustomization.yaml b/config/metalnetlet/default/kustomization.yaml index 7fc69d9a..41e40870 100644 --- a/config/metalnetlet/default/kustomization.yaml +++ b/config/metalnetlet/default/kustomization.yaml @@ -9,8 +9,10 @@ namespace: metalnetlet-system namePrefix: metalnetlet- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue resources: - ../rbac From 8e72f2dab8a1858079c237b417e4b96a09b6f805 Mon Sep 17 00:00:00 2001 From: ushabelgur Date: Mon, 17 Feb 2025 15:12:30 +0530 Subject: [PATCH 4/5] refactoring --- config/apinetlet/certmanager/certificate-metrics.yaml | 2 +- config/apinetlet/default/kustomization.yaml | 4 ++-- config/controller/certmanager/certificate-metrics.yaml | 2 +- config/controller/default/kustomization.yaml | 4 ++-- config/metalnetlet/certmanager/certificate-metrics.yaml | 2 +- config/metalnetlet/default/kustomization.yaml | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config/apinetlet/certmanager/certificate-metrics.yaml b/config/apinetlet/certmanager/certificate-metrics.yaml index 9fe7870c..1348edfe 100644 --- a/config/apinetlet/certmanager/certificate-metrics.yaml +++ b/config/apinetlet/certmanager/certificate-metrics.yaml 
@@ -12,7 +12,7 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml + name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: diff --git a/config/apinetlet/default/kustomization.yaml b/config/apinetlet/default/kustomization.yaml index fa8073e0..26696d3f 100644 --- a/config/apinetlet/default/kustomization.yaml +++ b/config/apinetlet/default/kustomization.yaml @@ -59,7 +59,7 @@ patches: # kind: Certificate # group: cert-manager.io # version: v1 -# name: metrics-cert +# name: metrics-certs # fieldPaths: # - spec.dnsNames.0 # - spec.dnsNames.1 @@ -77,7 +77,7 @@ patches: # kind: Certificate # group: cert-manager.io # version: v1 -# name: metrics-cert +# name: metrics-certs # fieldPaths: # - spec.dnsNames.0 # - spec.dnsNames.1 diff --git a/config/controller/certmanager/certificate-metrics.yaml b/config/controller/certmanager/certificate-metrics.yaml index 9fe7870c..1348edfe 100644 --- a/config/controller/certmanager/certificate-metrics.yaml +++ b/config/controller/certmanager/certificate-metrics.yaml @@ -12,7 +12,7 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml + name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: diff --git a/config/controller/default/kustomization.yaml b/config/controller/default/kustomization.yaml index ac1b74ca..b0fa83ea 100644 --- a/config/controller/default/kustomization.yaml +++ b/config/controller/default/kustomization.yaml 
@@ -58,7 +58,7 @@ patches:
# kind: Certificate
# group: cert-manager.io
# version: v1
-# name: metrics-cert
+# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
@@ -77,7 +77,7 @@ patches:
# kind: Certificate
# group: cert-manager.io
# version: v1
-# name: metrics-cert
+# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
diff --git a/config/metalnetlet/certmanager/certificate-metrics.yaml b/config/metalnetlet/certmanager/certificate-metrics.yaml
index 9fe7870c..1348edfe 100644
--- a/config/metalnetlet/certmanager/certificate-metrics.yaml
+++ b/config/metalnetlet/certmanager/certificate-metrics.yaml
@@ -12,7 +12,7 @@ spec:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
- name: metrics-cert # this name should match the one appeared in kustomizeconfig.yaml
+ name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec: # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
dnsNames:
diff --git a/config/metalnetlet/default/kustomization.yaml b/config/metalnetlet/default/kustomization.yaml
index 41e40870..b0dc37d0 100644
--- a/config/metalnetlet/default/kustomization.yaml
+++ b/config/metalnetlet/default/kustomization.yaml
@@ -59,7 +59,7 @@ patches:
# kind: Certificate
# group: cert-manager.io
# version: v1
-# name: metrics-cert
+# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
@@ -77,7 +77,7 @@ patches:
# kind: Certificate
# group: cert-manager.io
# version: v1
-# name: metrics-cert
+# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
From e60970601ee76d2f428b2963fb95c70415ecb0ba Mon Sep 17 00:00:00 2001
From: ushabelgur
Date: Wed, 5 Mar 2025 10:44:15 +0530
Subject: [PATCH 5/5] correct help text for http2 flag
---
cmd/apinetlet/main.go | 3 +--
cmd/controller-manager/main.go | 3 +--
cmd/metalnetlet/main.go | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/cmd/apinetlet/main.go b/cmd/apinetlet/main.go
index e5a4e1cb..b29afde1 100644
--- a/cmd/apinetlet/main.go
+++ b/cmd/apinetlet/main.go
@@ -84,8 +84,7 @@ func main() {
"The directory that contains the metrics server certificate.")
flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
- flag.BoolVar(&enableHTTP2, "enable-http2", false,
- "If set, HTTP/2 will be enabled for the metrics and webhook servers")
+ flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+
diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go
index 8aada562..f98bd0bb 100644
--- a/cmd/controller-manager/main.go
+++ b/cmd/controller-manager/main.go
@@ -66,8 +66,7 @@ func main() {
"The directory that contains the metrics server certificate.")
flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
- flag.BoolVar(&enableHTTP2, "enable-http2", false,
- "If set, HTTP/2 will be enabled for the metrics and webhook servers")
+ flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+
diff --git a/cmd/metalnetlet/main.go b/cmd/metalnetlet/main.go
index 6e7473b2..302ba94d 100644
--- a/cmd/metalnetlet/main.go
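Review bot: The new help text `"If set, HTTP/2 will be enabled for the metrics."` is truncated mid-thought and drops the mention of the webhook server without the hunk showing whether `enableHTTP2` still feeds a webhook server's TLS options further down in main; if it does, the flag description now understates what the switch controls. I would write `"If set, HTTP/2 will be enabled for the metrics server (disabled by default as a hardening measure)."`, which names the server and records why the default is false, and confirm against the rest of main which TLS configurations actually read the flag. The identical change is repeated in cmd/controller-manager/main.go and cmd/metalnetlet/main.go (the metalnetlet hunk continues on the next chunk line); three hand-copied flag blocks are exactly how help text drifts, so a shared helper that registers the metrics flags for all three binaries would keep them in step. The enclosing main() starts and ends outside the hunk.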
+++ b/cmd/metalnetlet/main.go
@@ -77,8 +77,7 @@ func main() {
"The directory that contains the metrics server certificate.")
flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
- flag.BoolVar(&enableHTTP2, "enable-http2", false,
- "If set, HTTP/2 will be enabled for the metrics and webhook servers")
+ flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+