

adding in new flag to helm operator to support metrics authn/authz
Signed-off-by: Adam D. Cornett <[email protected]>
acornett21 committed Nov 4, 2024
1 parent 7a3d5ad commit 51433e8
Showing 6 changed files with 51 additions and 5 deletions.
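--- a/internal/cmd/helm-operator/run/cmd.go
+++ b/internal/cmd/helm-operator/run/cmd.go
@@ -83,6 +83,7 @@ func NewCmd() *cobra.Command {
 
 f.AddTo(cmd.Flags())
 cmd.Flags().AddGoFlagSet(zapfs)
+cmd.MarkFlagsRequiredTogether("metrics-secure", "metrics-authn-authz")
 return cmd
 }
 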
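Review bot: MarkFlagsRequiredTogether on the added line checks only that both flags were passed on the command line, not their values, so `--metrics-secure=false --metrics-authn-authz=true` satisfies the group while `--metrics-authn-authz` alone is rejected; if the intent is that authn/authz always implies secure serving, a value check on the parsed flags (for example in flags.ToManagerOptions) is the stronger guard. The two names are string literals duplicated from the flag registrations in internal/helm/flags, and cobra panics at startup if a name in a flag group is not registered, so exporting the names as constants from that package, e.g. `cmd.MarkFlagsRequiredTogether(flags.SecureMetricsFlag, flags.MetricsAuthNAuthZFlag)`, would keep the two sites from drifting apart. NewCmd starts before this hunk.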
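--- a/internal/helm/flags/flag.go
+++ b/internal/helm/flags/flag.go
@@ -22,6 +22,7 @@ import (
 "github.com/spf13/pflag"
 "k8s.io/client-go/tools/leaderelection/resourcelock"
 "sigs.k8s.io/controller-runtime/pkg/manager"
+"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
@@ -38,6 +39,7 @@ type Flags struct {
 SuppressOverrideValues bool
 EnableHTTP2 bool
 SecureMetrics bool
+MetricsAuthNAuthZ bool
 
 // If not nil, used to deduce which flags were set in the CLI.
 flagSet *pflag.FlagSet
@@ -76,14 +78,16 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in
 // TODO(2.0.0): remove
 flagSet.StringVar(&f.MetricsBindAddress,
 "metrics-addr",
-":8080",
-"The address the metric endpoint binds to",
+"0",
+"The address the metrics endpoint binds to. "+
+"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.",
 )
 _ = flagSet.MarkDeprecated("metrics-addr", "use --metrics-bind-address instead")
 flagSet.StringVar(&f.MetricsBindAddress,
 "metrics-bind-address",
-":8080",
-"The address the metric endpoint binds to",
+"0",
+"The address the metrics endpoint binds to. "+
+"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.",
 )
 // TODO(2.0.0): for Go/Helm the port used is: 8081
 // update it to keep the project aligned to the other
@@ -133,6 +137,10 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in
 false,
 "enables secure serving of the metrics endpoint",
 )
+flagSet.BoolVar(&f.MetricsAuthNAuthZ,
+"metrics-authn-authz",
+false,
+"enables protection of the metrics endpoint with authn/authz")
 }
 
 // ToManagerOptions uses the flag set in f to configure options.
@@ -179,5 +187,13 @@ func (f *Flags) ToManagerOptions(options manager.Options) manager.Options {
 }
 options.Metrics.SecureServing = f.SecureMetrics
 
+if f.MetricsAuthNAuthZ {
+// FilterProvider is used to protect the metrics endpoint with authn/authz.
+// These configurations ensure that only authorized users and service accounts
+// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization
+options.Metrics.FilterProvider = filters.WithAuthenticationAndAuthorization
+}
+
 return options
 }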
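Review bot: The `if f.MetricsAuthNAuthZ` branch in ToManagerOptions installs filters.WithAuthenticationAndAuthorization without looking at f.SecureMetrics, and the help string registered for `metrics-authn-authz` does not mention that the flag is only meaningful together with `--metrics-secure`, which the operator command enforces elsewhere; suggest `"enables protection of the metrics endpoint with authn/authz (requires --metrics-secure)"` so the dependency is visible in `--help` and not only as a group error. The new comment points to config/rbac/kustomization.yaml for the RBAC this filter needs (the operator's ServiceAccount must be allowed to create TokenReviews and SubjectAccessReviews), but this commit does not touch any RBAC file, so presumably that comes from the scaffold — worth confirming, since without it every scrape is rejected. flag_test.go in this commit only updates the default bind address; a case asserting that `--metrics-authn-authz` sets Metrics.FilterProvider (and that it stays nil otherwise) would pin the new behaviour.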
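--- a/internal/helm/flags/flag_test.go
+++ b/internal/helm/flags/flag_test.go
@@ -52,7 +52,7 @@ var _ = Describe("Flags", func() {
 })
 When("the flag is not set", func() {
 It("uses the default flag value when corresponding option value is empty", func() {
-expOptionValue := ":8080"
+expOptionValue := "0"
 options.Metrics.BindAddress = ""
 parseArgs(flagSet)
 Expect(f.ToManagerOptions(options).Metrics.BindAddress).To(Equal(expOptionValue))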
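--- a/internal/plugins/helm/v1/init.go
+++ b/internal/plugins/helm/v1/init.go
@@ -179,6 +179,7 @@ func (p *initSubcommand) PostScaffold() error {
 // addInitCustomizations will perform the required customizations for this plugin on the common base
 func addInitCustomizations(projectName string) error {
 managerFile := filepath.Join("config", "manager", "manager.yaml")
+managerMetricsPatch := filepath.Join("config", "default", "manager_metrics_patch.yaml")
 
 // todo: we ought to use afero instead. Replace this methods to insert/update
 // by https://github.com/kubernetes-sigs/kubebuilder/pull/2119
@@ -200,6 +201,24 @@ func addInitCustomizations(projectName string) error {
 return err
 }
 
+// Enable the proper auth/metrics flags for helm
+err = util.ReplaceInFile(managerMetricsPatch,
+`# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+path: /spec/template/spec/containers/0/args/0
+value: --metrics-bind-address=:8443`, `# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+path: /spec/template/spec/containers/0/args/0
+value: --metrics-bind-address=:8443
+# This patch adds the args to allow securing the metrics endpoint
+- op: add
+path: /spec/template/spec/containers/0/args/0
+value: --metrics-secure
+# This patch adds the args to allow authn/authz the metrics endpoint
+- op: add
+path: /spec/template/spec/containers/0/args/0
+value: --metrics-authn-authz`)
+
 if err := sdkpluginutil.UpdateKustomizationsInit(); err != nil {
 return fmt.Errorf("error updating kustomization.yaml files: %v", err)
 }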
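Review bot: The error returned by `util.ReplaceInFile(managerMetricsPatch, ...)` is assigned to `err` and then never examined — nothing in the hunk reads it, and the next statement re-declares `err` with `:=` — so a failed replacement is silent unless something past the hunk happens to return the stale value. ReplaceInFile matches an exact multi-line literal copied from the kubebuilder scaffold, so any drift in that file's text or indentation would leave the generated project with `--metrics-bind-address=:8443` but without `--metrics-secure` and `--metrics-authn-authz`, i.e. metrics served over plain HTTP with no authn/authz (SecureMetrics defaults to false), and no error to point at it. Check the result in the same style as the surrounding calls: `if err != nil { return fmt.Errorf("error updating %s: %v", managerMetricsPatch, err) }`. addInitCustomizations continues past the end of this hunk.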
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,8 @@ spec:
spec:
containers:
- args:
- --metrics-authn-authz
- --metrics-secure
- --metrics-bind-address=:8443
- --leader-elect
- --leader-election-id=memcached-operator
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,11 @@
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-bind-address=:8443
# This patch adds the args to allow securing the metrics endpoint
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-secure
# This patch adds the args to allow authn/authz the metrics endpoint
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-authn-authz

