diff --git a/internal/cmd/helm-operator/run/cmd.go b/internal/cmd/helm-operator/run/cmd.go index 0ae71a1ab5..a30f0b49e1 100644 --- a/internal/cmd/helm-operator/run/cmd.go +++ b/internal/cmd/helm-operator/run/cmd.go @@ -75,6 +75,12 @@ func NewCmd() *cobra.Command { cmd := &cobra.Command{ Use: "run", Short: "Run the operator", + Args: func(cmd *cobra.Command, args []string) error { + if cmd.Flag("metrics-require-rbac").Changed && !cmd.Flag("metrics-secure").Changed { + return fmt.Errorf("--metrics-secure flag is required when --metrics-require-rbac is present") + } + return nil + }, Run: func(cmd *cobra.Command, _ []string) { logf.SetLogger(zapf.New(zapf.UseFlagOptions(opts))) run(cmd, f) @@ -83,7 +89,6 @@ func NewCmd() *cobra.Command { f.AddTo(cmd.Flags()) cmd.Flags().AddGoFlagSet(zapfs) - cmd.MarkFlagsRequiredTogether("metrics-secure", "metrics-authn-authz") return cmd } diff --git a/internal/helm/flags/flag.go b/internal/helm/flags/flag.go index 3ef7c0142a..1b0a7e4272 100644 --- a/internal/helm/flags/flag.go +++ b/internal/helm/flags/flag.go @@ -39,7 +39,7 @@ type Flags struct { SuppressOverrideValues bool EnableHTTP2 bool SecureMetrics bool - MetricsAuthNAuthZ bool + MetricsRequireRBAC bool // If not nil, used to deduce which flags were set in the CLI. flagSet *pflag.FlagSet 
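Review bot: The new Args hook checks whether the two flags were passed (`.Changed`), not their parsed values, so `--metrics-secure=false --metrics-require-rbac` passes validation and the manager starts with the RBAC filter in front of a plaintext metrics endpoint, while `--metrics-require-rbac=false` on its own is rejected. Since `f` is bound with `f.AddTo(cmd.Flags())` and then handed to `run(cmd, f)` in this same function, the check can read the bound fields instead: `if f.MetricsRequireRBAC && !f.SecureMetrics {` (assuming `f` is the `*flags.Flags` whose fields appear in the flag.go hunk). `PreRunE` is the conventional cobra hook for cross-flag validation; `Args` is meant for positional-argument checks, and the `args` parameter here is unused (`_` would make that explicit). Nothing in this diff tests the new validation path. NewCmd's body continues outside the hunk.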
@@ -78,16 +78,14 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in // TODO(2.0.0): remove flagSet.StringVar(&f.MetricsBindAddress, "metrics-addr", - "0", - "The address the metrics endpoint binds to. "+ - "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.", + ":8080", + "The address the metric endpoint binds to", ) _ = flagSet.MarkDeprecated("metrics-addr", "use --metrics-bind-address instead") flagSet.StringVar(&f.MetricsBindAddress, "metrics-bind-address", - "0", - "The address the metrics endpoint binds to. "+ - "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.", + ":8080", + "The address the metric endpoint binds to", ) // TODO(2.0.0): for Go/Helm the port used is: 8081 // update it to keep the project aligned to the other @@ -137,10 +135,11 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in false, "enables secure serving of the metrics endpoint", ) - flagSet.BoolVar(&f.MetricsAuthNAuthZ, - "metrics-authn-authz", + flagSet.BoolVar(&f.MetricsRequireRBAC, + "metrics-require-rbac", false, - "enables protection of the metrics endpoint with authn/authz") + "enables protection of the metrics endpoint with RBAC-based authn/authz."+ + "see https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization for more info") } // ToManagerOptions uses the flag set in f to configure options. @@ -187,7 +186,7 @@ func (f *Flags) ToManagerOptions(options manager.Options) manager.Options { } options.Metrics.SecureServing = f.SecureMetrics - if f.MetricsAuthNAuthZ { + if f.MetricsRequireRBAC { // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: 
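Review bot: Changing the default of --metrics-bind-address (and the deprecated --metrics-addr) from "0" to ":8080" means a helm-operator started without --metrics-secure now serves metrics over plaintext HTTP by default instead of not serving them at all, and the shortened help text no longer tells users that 0 disables the endpoint or that :8443 is the HTTPS convention. The scaffolded manifests elsewhere in this diff pass --metrics-secure and --metrics-bind-address=:8443 explicitly, so only direct invocations are affected, but the looser default deserves a sentence in the commit description. I would keep the guidance on both flags and fix "metric endpoint": `"The address the metrics endpoint binds to. Use :8443 for HTTPS or :8080 for HTTP, or set to 0 to disable the metrics service."`. The enclosing function (presumably AddTo) starts and ends outside the hunk.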
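Review bot: The concatenated help string for --metrics-require-rbac has no separator between `authn/authz.` and `see https://`, so `--help` renders "…RBAC-based authn/authz.see https://pkg.go.dev/…". The link also pins controller-runtime@v0.18.4, which will drift from whatever version go.mod actually requires; the unversioned module path resolves to the current release. Suggested lines: `"enables protection of the metrics endpoint with RBAC-based authn/authz. "+` and `"See https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/filters#WithAuthenticationAndAuthorization for more info")`.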
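Review bot: ToManagerOptions returns only manager.Options, so the rule that RBAC filtering is combined with secure serving is enforced solely by the run command's flag validation in cmd.go; a caller that sets MetricsRequireRBAC without SecureMetrics through this method gets, per the branch's own comment, a FilterProvider on a non-secure server with no diagnostic (whether controller-runtime then rejects or ignores the filter is not visible here). Record the precondition next to the branch: `// Precondition: f.SecureMetrics must be true when f.MetricsRequireRBAC is set; the run command validates this, ToManagerOptions does not.` The if-body and the method continue beyond the hunk.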
diff --git a/internal/helm/flags/flag_test.go b/internal/helm/flags/flag_test.go
index e2e3db6d65..aa6d2392af 100644
--- a/internal/helm/flags/flag_test.go
+++ b/internal/helm/flags/flag_test.go
@@ -52,7 +52,7 @@ var _ = Describe("Flags", func() {
 })
 When("the flag is not set", func() {
 It("uses the default flag value when corresponding option value is empty", func() {
- expOptionValue := "0"
+ expOptionValue := ":8080"
 options.Metrics.BindAddress = ""
 parseArgs(flagSet)
 Expect(f.ToManagerOptions(options).Metrics.BindAddress).To(Equal(expOptionValue))
diff --git a/internal/plugins/helm/v1/init.go b/internal/plugins/helm/v1/init.go
index 546b72be43..733b10614a 100644
--- a/internal/plugins/helm/v1/init.go
+++ b/internal/plugins/helm/v1/init.go
@@ -214,10 +214,10 @@ func addInitCustomizations(projectName string) error {
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-secure
-# This patch adds the args to allow authn/authz the metrics endpoint
+# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint
 - op: add
 path: /spec/template/spec/containers/0/args/0
- value: --metrics-authn-authz`)
+ value: --metrics-require-rbac`)
 if err != nil {
 return err
 }
diff --git a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
index 1920679af7..3fb6db52f2 100644
--- a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
+++ b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -267,7 +267,7 @@ spec:
 spec:
 containers:
 - args:
- - --metrics-authn-authz
+ - --metrics-require-rbac
 - --metrics-secure
 - --metrics-bind-address=:8443
 - --leader-elect
diff --git a/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml b/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
index f41cdc5e0c..a3cb2f1865 100644
--- a/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
+++ b/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
@@ -6,7 +6,7 @@
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-secure
-# This patch adds the args to allow authn/authz the metrics endpoint
+# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint
 - op: add
 path: /spec/template/spec/containers/0/args/0
- value: --metrics-authn-authz
+ value: --metrics-require-rbac