Merge pull request #20 from 3scale-ops/clean/remove-rbac-proxy

clean: remove rbac proxy
3scale-ops · May 16, 2022 · 6febffd · 6febffd
2 parents f54def1 + b92570f
commit 6febffd
Show file tree

Hide file tree

Showing 18 changed files with 80 additions and 162 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,7 +6,7 @@ on:
       - main
 
 jobs:
-  build:
+  release:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
@@ -47,13 +47,17 @@ jobs:
         uses: docker/login-action@v1
         with:
           registry: quay.io
-          username: ${{ secrets.REGISTRY_USER }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - name: Push new operator image
         if: ${{ env.NEW_RELEASE != '' }}
         run: make container-push
 
+      - name: Push new operator image as latest
+        if: ${{ env.NEW_RELEASE != '' }}
+        run: make operator-push-latest
+
       - name: Publish new bundle image in saas-operator catalog
         if: ${{ env.NEW_RELEASE != '' }}
         run: make bundle-publish

diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.1.0
+VERSION ?= 0.1.1
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -50,6 +50,9 @@ IMG_TAG ?= v$(VERSION)
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(IMG_TAG)
 
+# Image URL to use latest building/pushing image targets
+IMG_LATEST ?= $(IMAGE_TAG_BASE):latest
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
 
@@ -128,7 +131,7 @@ container-push: ## Push container image with the manager.
 
 .PHONY: container-tag
 container-tag: ## Push container image with the manager.
-	$(CONTAINER_RUNTIME) tag ${IMG} ${IMG_LATEST}
+	$(CONTAINER_RUNTIME) tag ${IMG} ${IMG_RETAG}
 
 ##@ Deployment
 
@@ -229,7 +232,7 @@ BUNDLE_IMGS ?= $(BUNDLE_IMG)
 CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)
 
 # The latest image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
-CATALOG_IMG_LATEST ?= $(IMAGE_TAG_BASE)-catalog:latest
+CATALOG_BASE_IMG ?= $(IMAGE_TAG_BASE)-catalog:latest
 
 # Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
 ifneq ($(origin CATALOG_BASE_IMG), undefined)
@@ -282,12 +285,17 @@ bump-release: ## Write release name to "pkg/version" package
 bundle-publish: bundle-build bundle-push catalog-build catalog-push catalog-retag-latest ## Generates and pushes all required images for a release
 
 catalog-retag-latest:
-	$(MAKE) container-tag IMG=$(CATALOG_IMG) IMG_LATEST=$(CATALOG_IMG_LATEST)
-	$(MAKE) container-push IMG=$(CATALOG_IMG_LATEST)
+	$(MAKE) container-tag IMG=$(CATALOG_IMG) IMG_RETAG=$(CATALOG_BASE_IMG)
+	$(MAKE) container-push IMG=$(CATALOG_BASE_IMG)
 
 GH_REPO ?= 3scale-ops/aws-nlb-helper-operator
 GH_REPO_RELEASES_URL ?= https://api.github.com/repos/$(GH_REPO)/releases/tags
 
+.PHONY: operator-push-latest
+operator-push-latest: ## Push latest operator container image with the manager.
+	$(MAKE) container-tag IMG=$(IMG) IMG_RETAG=$(IMG_LATEST)
+	$(CONTAINER_RUNTIME) push ${IMG_LATEST}
+
 get-new-release:
 	@if [[ v$(VERSION) == *"-alpha"* ]]; then echo; \
 	elif curl -o /dev/null --fail --silent \

diff --git a/...-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/...-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -0,0 +1,13 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: aws-nlb-helper-operator-controller-manager-metrics-monitor
+spec:
+  endpoints:
+  - path: /metrics
+    port: metrics
+  selector:
+    matchLabels:
+      control-plane: controller-manager
diff --git a/bundle/manifests/aws-nlb-helper-operator-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/aws-nlb-helper-operator-controller-manager-metrics-service_v1_service.yaml
@@ -7,10 +7,10 @@ metadata:
   name: aws-nlb-helper-operator-controller-manager-metrics-service
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: metrics
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: metrics
   selector:
     control-plane: controller-manager
 status:

diff --git a/...ests/aws-nlb-helper-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/...ests/aws-nlb-helper-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
diff --git a/bundle/manifests/aws-nlb-helper-operator.clusterserviceversion.yaml b/bundle/manifests/aws-nlb-helper-operator.clusterserviceversion.yaml
@@ -14,7 +14,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/3scale-ops/aws-nlb-helper-operator
     support: Red Hat
-  name: aws-nlb-helper-operator.v0.1.0
+  name: aws-nlb-helper-operator.v0.1.1
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -118,18 +118,6 @@ spec:
           - services/status
           verbs:
           - get
-        - apiGroups:
-          - authentication.k8s.io
-          resources:
-          - tokenreviews
-          verbs:
-          - create
-        - apiGroups:
-          - authorization.k8s.io
-          resources:
-          - subjectaccessreviews
-          verbs:
-          - create
         serviceAccountName: aws-nlb-helper-operator-controller-manager
       deployments:
       - label:
@@ -150,24 +138,26 @@ spec:
             spec:
               containers:
               - args:
-                - --health-probe-bind-address=:8081
-                - --metrics-bind-address=127.0.0.1:8080
                 - --leader-elect
+                - --metrics-bind-address=0.0.0.0:8080
                 command:
                 - /manager
                 env:
                 - name: WATCH_NAMESPACE
                   valueFrom:
                     fieldRef:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
-                image: quay.io/3scale/aws-nlb-helper-operator:v0.1.0
+                image: quay.io/3scale/aws-nlb-helper-operator:v0.1.1
                 livenessProbe:
                   httpGet:
                     path: /healthz
                     port: 8081
                   initialDelaySeconds: 15
                   periodSeconds: 20
                 name: manager
+                ports:
+                - containerPort: 8080
+                  name: metrics
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -183,24 +173,6 @@ spec:
                     memory: 64Mi
                 securityContext:
                   allowPrivilegeEscalation: false
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=0
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 5m
-                    memory: 64Mi
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: aws-nlb-helper-operator-controller-manager
@@ -265,4 +237,4 @@ spec:
   provider:
     name: Red Hat
     url: https://www.3scale.net/
-  version: 0.1.0
+  version: 0.1.1
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -15,12 +15,8 @@ namePrefix: aws-nlb-helper-operator-
 bases:
   - ../rbac
   - ../manager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
+  - ../prometheus
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-  - manager_auth_proxy_patch.yaml
+  - manager_metrics_patch.yaml
   - manager_env_olmtargetnamespaces_patch.yaml
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          args:
+            - --leader-elect
+            - --metrics-bind-address=0.0.0.0:8080
+          ports:
+            - containerPort: 8080
+              name: metrics
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/3scale/aws-nlb-helper-operator
-  newTag: v0.1.0
+  newTag: v0.1.1
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
-- monitor.yaml
+  - monitor.yaml
+  - service.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
@@ -9,11 +9,7 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: metrics
   selector:
     matchLabels:
       control-plane: controller-manager
diff --git a/config/rbac/auth_proxy_service.yaml → config/prometheus/service.yaml b/config/rbac/auth_proxy_service.yaml → config/prometheus/service.yaml
@@ -1,3 +1,4 @@
+# Service (Metrics)
 apiVersion: v1
 kind: Service
 metadata:
@@ -7,9 +8,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
+    - name: metrics
+      port: 8080
+      targetPort: metrics
+      protocol: TCP
   selector:
     control-plane: controller-manager
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -1,18 +1,11 @@
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+  # All RBAC will be applied under this service account in
+  # the deployment namespace. You may comment out this resource
+  # if your manager will use a service account that exists at
+  # runtime. Be sure to update RoleBinding and ClusterRoleBinding
+  # subjects if changing service account names.
+  - service_account.yaml
+  - role.yaml
+  - role_binding.yaml
+  - leader_election_role.yaml
+  - leader_election_role_binding.yaml