From 9a8aa821f75de141cb60f5279e6e10aca65cd468 Mon Sep 17 00:00:00 2001
From: Michael Nairn
Date: Fri, 16 Feb 2024 12:20:21 +0000
Subject: [PATCH] Remove metrics auth proxy

Removes the metrics auth proxy container form the default deployment to make it consistent with all other kuadrant components.
---
 ...er-manager-metrics-service_v1_service.yaml | 17 +++----
 .../dns-operator.clusterserviceversion.yaml | 45 +++----------------
 config/default/kustomization.yaml | 7 +--
 config/default/manager_metrics_patch.yaml | 16 +++++++
 config/manager/kustomization.yaml | 2 +
 config/manager/manager.yaml | 2 +-
 config/manager/metrics_service.yaml | 15 +++++++
 config/prometheus/monitor.yaml | 7 +--
 config/rbac/kustomization.yaml | 8 ++--
 9 files changed, 52 insertions(+), 67 deletions(-)
 create mode 100644 config/default/manager_metrics_patch.yaml
 create mode 100644 config/manager/metrics_service.yaml

diff --git a/bundle/manifests/dns-operator-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/dns-operator-controller-manager-metrics-service_v1_service.yaml
index 5a16efc9..71f93519 100644
--- a/bundle/manifests/dns-operator-controller-manager-metrics-service_v1_service.yaml
+++ b/bundle/manifests/dns-operator-controller-manager-metrics-service_v1_service.yaml
@@ -3,21 +3,14 @@ kind: Service metadata: creationTimestamp: null labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: dns-operator - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: dns-operator - control-plane: controller-manager + control-plane: dns-operator-controller-manager name: dns-operator-controller-manager-metrics-service spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https + - name: metrics + port: 8080 + targetPort: metrics selector: - control-plane: controller-manager + control-plane: dns-operator-controller-manager status: loadBalancer: {} diff --git a/bundle/manifests/dns-operator.clusterserviceversion.yaml b/bundle/manifests/dns-operator.clusterserviceversion.yaml index 51dab4bc..a33dc472 100644 --- a/bundle/manifests/dns-operator.clusterserviceversion.yaml +++ b/bundle/manifests/dns-operator.clusterserviceversion.yaml @@ -71,7 +71,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/dns-operator:latest - createdAt: "2024-02-13T21:19:36Z" + createdAt: "2024-02-16T12:20:36Z" description: A Kubernetes Operator to manage the lifecycle of DNS resources operators.operatorframework.io/builder: operator-sdk-v1.33.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 @@ -196,18 +196,6 @@ spec: - get - patch - update - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create serviceAccountName: dns-operator-controller-manager deployments: - label: 
@@ -234,31 +222,7 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8080 - --leader-elect command: - /manager @@ -270,6 +234,9 @@ spec: initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 8080 + name: metrics readinessProbe: httpGet: path: /readyz @@ -278,7 +245,7 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m + cpu: 200m memory: 128Mi requests: cpu: 10m diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index a7281728..d5488bd8 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -27,12 +27,7 @@ resources: #- ../prometheus patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - - +- manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000..2fea5d50 --- /dev/null +++ b/config/default/manager_metrics_patch.yaml 
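Review bot: Replacing `manager_auth_proxy_patch.yaml` with `manager_metrics_patch.yaml` in `config/default/kustomization.yaml` makes the default install serve `/metrics` over plain HTTP on `:8080` with no authentication or authorization, and the comment that explained this trade-off is deleted rather than updated. Any workload that can reach the pod or the new metrics Service can now read the operator's metrics, so confidentiality of that endpoint depends on network controls this commit does not add; a NetworkPolicy limiting ingress on port 8080 to the monitoring namespace would restore a boundary. At minimum keep a comment above the entry, for example `# Exposes /metrics on :8080 over HTTP without authn/z; restrict access with a NetworkPolicy.` The same exposure is carried by the `config/manager/metrics_service.yaml` and `config/prometheus/monitor.yaml` hunks.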
@@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=:8080" + - "--leader-elect" + ports: + - containerPort: 8080 + name: metrics diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index b0a91934..a2d3dac0 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,5 +1,7 @@ resources: - manager.yaml +- metrics_service.yaml + apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index c9d6052d..2e9c384a 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -64,7 +64,7 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m + cpu: 200m memory: 128Mi requests: cpu: 10m diff --git a/config/manager/metrics_service.yaml b/config/manager/metrics_service.yaml new file mode 100644 index 00000000..e3eb3658 --- /dev/null +++ b/config/manager/metrics_service.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: dns-operator-controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: metrics + port: 8080 + targetPort: metrics + selector: + control-plane: dns-operator-controller-manager diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index c075d71b..87108407 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -16,11 +16,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a6..40bc8c2a 100644 
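Review bot: The `args` list in `config/default/manager_metrics_patch.yaml` omits `--health-probe-bind-address=:8081`, which the regenerated CSV in this same commit shows being dropped from the manager container while its `/readyz` readiness probe remains. A strategic-merge patch replaces a list of plain strings instead of merging it, so whatever the previous auth-proxy patch supplied is no longer passed. If the flag's built-in default differs from the probe port (the Go source and the probe port are outside this diff), the probes will fail and the pod will never become ready. Adding `- "--health-probe-bind-address=:8081"` to the list keeps the probe address explicit.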
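Review bot: The unchanged `selector.matchLabels` in `config/prometheus/monitor.yaml` still reads `control-plane: controller-manager`, while the Service added in `config/manager/metrics_service.yaml` is labelled `control-plane: dns-operator-controller-manager`, so the ServiceMonitor appears to match no Service once `../prometheus` is enabled. Change the selector value to `control-plane: dns-operator-controller-manager` so the two agree. It is also worth confirming that the manager pod template carries that label, because the Service selector changed value and the labels in `manager.yaml` are outside this diff. A monitor that silently matches no target removes the visibility the metrics endpoint is meant to provide.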
--- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -12,7 +12,7 @@ resources: # Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +#- auth_proxy_service.yaml +#- auth_proxy_role.yaml +#- auth_proxy_role_binding.yaml +#- auth_proxy_client_clusterrole.yaml
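Review bot: The comment kept above these entries still tells the reader to comment the four lines out to disable the auth proxy, but this commit has already commented them out, so the instruction now reads backwards. Reword it to describe the current state, for example `# Uncomment the following 4 lines to put /metrics back behind the auth proxy`. It should also say that `manager_auth_proxy_patch.yaml` has to be restored in `config/default/kustomization.yaml` at the same time, otherwise the proxy's RBAC and Service are installed without the proxy container.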