Remove kube-rbac-proxy and open metrics endpoint

Author: ChristianZaccaria

config/default/kustomization.yaml

@@ -25,11 +25,15 @@ bases:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 # - ../prometheus
 
+resources:
+# Add metrics service
+- metrics_service.yaml
+
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+# - manager_auth_proxy_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

config/default/manager_auth_proxy_patch.yaml

@@ -5,10 +5,10 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: metrics
+    port: 8080
     protocol: TCP
-    targetPort: 8080
+    targetPort: metrics
   selector:
     app.kubernetes.io/name: codeflare-operator
     app.kubernetes.io/part-of: codeflare

config/rbac/auth_proxy_service.yaml renamed to config/default/metrics_service.yaml

@@ -3,7 +3,7 @@ kind: ControllerManagerConfig
 health:
   healthProbeBindAddress: :8081
 metrics:
-  bindAddress: 127.0.0.1:8080
+  bindAddress: 0.0.0.0:8080
 webhook:
   port: 9443
 leaderElection:

config/manager/controller_manager_config.yaml

@@ -35,7 +35,9 @@ spec:
       - command:
         - /manager
         args:
-        - --leader-elect
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--leader-elect"
         image: controller:latest
         imagePullPolicy: Always
         name: manager
@@ -44,6 +46,10 @@ spec:
           capabilities:
             drop:
               - "ALL"
+        ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: metrics
         livenessProbe:
           httpGet:
             path: /healthz

config/manager/manager.yaml

@@ -10,10 +10,3 @@ resources:
 - edit_role_binding.yaml  # We are using this binding as mcad requires this role
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -44,6 +44,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups:
   - codeflare.codeflare.dev
   resources:

config/rbac/auth_proxy_role.yaml

@@ -124,6 +124,8 @@ func (r *MCADReconciler) DeleteResource(params *MCADParams, template string, fns
 // +kubebuilder:rbac:groups=extensions,resources=replicasets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers;csinodes;csistoragecapacities,verbs=get;list;watch
+// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
 
 func (r *MCADReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("namespace", req.Namespace)