Merge pull request #86 from appuio/native-metrics-auth

Remove `kube-rbac-proxy` in favour of native metrics authentication

Author: bastjan

class/defaults.yml

@@ -13,11 +13,7 @@ parameters:
       openshift_upgrade_controller:
         registry: ghcr.io
         image: appuio/openshift-upgrade-controller
-        tag: v0.13.0
-      kube_rbac_proxy:
-        registry: quay.io
-        image: brancz/kube-rbac-proxy
-        tag: v0.18.2
+        tag: v0.14.0
       oc:
         registry: quay.io
         image: appuio/oc

component/openshift-upgrade-controller.jsonnet

@@ -42,13 +42,98 @@ com.Kustomization(
       newTag: image.tag,
       newName: '%(registry)s/%(image)s' % image,
     },
-    'quay.io/brancz/kube-rbac-proxy': {
-      local image = params.images.kube_rbac_proxy,
-      newTag: image.tag,
-      newName: '%(registry)s/%(image)s' % image,
-    },
   },
   params.kustomize_input {
+    // Inner kustomization layers are immutable, so we need to re-replace the namespace after changing it in an outer layer
+    replacements: [
+      {
+        source: {
+          kind: 'Service',
+          version: 'v1',
+          name: 'controller-manager-metrics-service',
+          fieldPath: 'metadata.name',
+        },
+        targets: [
+          {
+            select: {
+              kind: 'Certificate',
+              group: 'cert-manager.io',
+              version: 'v1',
+              name: 'metrics-certs',
+            },
+            fieldPaths: [
+              'spec.dnsNames.0',
+              'spec.dnsNames.1',
+            ],
+            options: {
+              delimiter: '.',
+              index: 0,
+              create: true,
+            },
+          },
+          {
+            select: {
+              kind: 'ServiceMonitor',
+              group: 'monitoring.coreos.com',
+              version: 'v1',
+              name: 'controller-manager-metrics-monitor',
+            },
+            fieldPaths: [
+              'spec.endpoints.0.tlsConfig.serverName',
+            ],
+            options: {
+              delimiter: '.',
+              index: 0,
+              create: true,
+            },
+          },
+        ],
+      },
+      {
+        source: {
+          kind: 'Service',
+          version: 'v1',
+          name: 'controller-manager-metrics-service',
+          fieldPath: 'metadata.namespace',
+        },
+        targets: [
+          {
+            select: {
+              kind: 'Certificate',
+              group: 'cert-manager.io',
+              version: 'v1',
+              name: 'metrics-certs',
+            },
+            fieldPaths: [
+              'spec.dnsNames.0',
+              'spec.dnsNames.1',
+            ],
+            options: {
+              delimiter: '.',
+              index: 1,
+              create: true,
+            },
+          },
+          {
+            select: {
+              kind: 'ServiceMonitor',
+              group: 'monitoring.coreos.com',
+              version: 'v1',
+              name: 'controller-manager-metrics-monitor',
+            },
+            fieldPaths: [
+              'spec.endpoints.0.tlsConfig.serverName',
+            ],
+            options: {
+              delimiter: '.',
+              index: 1,
+              create: true,
+            },
+          },
+        ],
+      },
+    ],
+
     patches+: [
       patch(removeUpstreamNamespace),
       setPriorityClass,

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/apps_v1_deployment_openshift-upgrade-controller-controller-manager.yaml

@@ -23,56 +23,17 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: kubernetes.io/arch
-                operator: In
-                values:
-                - amd64
-                - arm64
-                - ppc64le
-                - s390x
-              - key: kubernetes.io/os
-                operator: In
-                values:
-                - linux
       containers:
       - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
-        image: quay.io/brancz/kube-rbac-proxy:v0.18.2
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-      - args:
-        - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
+        - --metrics-bind-address=:8443
         - --leader-elect
+        - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
         env:
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/appuio/openshift-upgrade-controller:v0.13.0
+        image: ghcr.io/appuio/openshift-upgrade-controller:v0.14.0
         livenessProbe:
           httpGet:
             path: /healthz
@@ -98,10 +59,26 @@ spec:
           capabilities:
             drop:
             - ALL
+        volumeMounts:
+        - mountPath: /tmp/k8s-metrics-server/metrics-certs
+          name: metrics-certs
+          readOnly: true
       priorityClassName: system-cluster-critical
       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: openshift-upgrade-controller-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - name: metrics-certs
+        secret:
+          items:
+          - key: ca.crt
+            path: ca.crt
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          optional: false
+          secretName: metrics-server-cert

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/cert-manager.io_v1_certificate_openshift-upgrade-controller-metrics-certs.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: openshift-upgrade-controller
+  name: openshift-upgrade-controller-metrics-certs
+  namespace: appuio-openshift-upgrade-controller
+spec:
+  dnsNames:
+  - openshift-upgrade-controller-controller-manager-metrics-service.appuio-openshift-upgrade-controller.svc
+  - openshift-upgrade-controller-controller-manager-metrics-service.appuio-openshift-upgrade-controller.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: openshift-upgrade-controller-selfsigned-issuer
+  secretName: metrics-server-cert

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/cert-manager.io_v1_issuer_openshift-upgrade-controller-selfsigned-issuer.yaml

@@ -0,0 +1,10 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: openshift-upgrade-controller
+  name: openshift-upgrade-controller-selfsigned-issuer
+  namespace: appuio-openshift-upgrade-controller
+spec:
+  selfSigned: {}

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/monitoring.coreos.com_v1_servicemonitor_openshift-upgrade-controller-controller-manager-metrics-monitor.yaml

@@ -23,7 +23,19 @@ spec:
     port: https
     scheme: https
     tlsConfig:
-      insecureSkipVerify: true
+      ca:
+        secret:
+          key: ca.crt
+          name: metrics-server-cert
+      cert:
+        secret:
+          key: tls.crt
+          name: metrics-server-cert
+      insecureSkipVerify: false
+      keySecret:
+        key: tls.key
+        name: metrics-server-cert
+      serverName: openshift-upgrade-controller-controller-manager-metrics-service.appuio-openshift-upgrade-controller.svc
   selector:
     matchLabels:
       control-plane: controller-manager

…shift-upgrade-controller-proxy-role.yaml …pgrade-controller-metrics-auth-role.yamltests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrole_openshift-upgrade-controller-proxy-role.yaml renamed to tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrole_openshift-upgrade-controller-metrics-auth-role.yaml tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrole_openshift-upgrade-controller-proxy-role.yaml renamed to tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrole_openshift-upgrade-controller-metrics-auth-role.yaml

@@ -2,13 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: openshift-upgrade-controller
-    app.kubernetes.io/instance: proxy-role
     app.kubernetes.io/managed-by: commodore
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/part-of: openshift-upgrade-controller
-  name: openshift-upgrade-controller-proxy-role
+  name: openshift-upgrade-controller-metrics-auth-role
 rules:
 - apiGroups:
   - authentication.k8s.io

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrole_openshift-upgrade-controller-metrics-reader.yaml

@@ -2,12 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: openshift-upgrade-controller
-    app.kubernetes.io/instance: metrics-reader
     app.kubernetes.io/managed-by: commodore
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/part-of: openshift-upgrade-controller
   name: openshift-upgrade-controller-metrics-reader
 rules:
 - nonResourceURLs:

tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_openshift-upgrade-controller-metrics-auth-rolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+  name: openshift-upgrade-controller-metrics-auth-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openshift-upgrade-controller-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+  name: openshift-upgrade-controller-controller-manager
+  namespace: appuio-openshift-upgrade-controller