feat(metrics-server): use cert-manager certs #364

Draft
wants to merge 2 commits into
base: main
31 changes: 15 additions & 16 deletions charts/spin-operator/templates/deployment.yaml
Expand Up @@ -71,21 +71,9 @@ spec:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
| default .Chart.AppVersion }}
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
10 }}
securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
| nindent 10 }}
- mountPath: /tmp/k8s-metrics-server/metrics-certs
name: metrics-certs
readOnly: true
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "spin-operator.fullname" . }}-controller-manager
Expand All @@ -94,4 +82,15 @@ spec:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
secretName: webhook-server-cert
- name: metrics-certs
secret:
items:
- key: ca.crt
path: ca.crt
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
optional: false
secretName: metrics-server-cert
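Review bot: The removed kube-rbac-proxy container was the only place the pod declared `containerPort: 8443` with `name: https` (lines 52-54), and the new metrics-certs mount on lines 59-61 suggests the manager container itself now listens on that port, yet no port is added for it in this hunk; values.yaml has to switch the metrics Service from `targetPort: https` to the numeric `8443` to keep working. Declaring the listener on the manager container keeps the named port usable by the Service and NetworkPolicies and makes the new exposure visible in the manifest: under that container's `ports:` add `- containerPort: 8443` / `name: https` / `protocol: TCP`. The manager container's own `ports:` block, if any, lies outside this hunk, so this is inferred from the diff. Note also that `secretName: metrics-server-cert` on the last line is a literal that must stay in step with the `secretName` in metrics-certs.yaml; a shared helper or values key would make that coupling explicit.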
35 changes: 3 additions & 32 deletions charts/spin-operator/templates/manager-rbac.yaml
Expand Up @@ -8,18 +8,14 @@ rules:
- apiGroups:
- ""
resources:
- secrets
- events
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
- services
verbs:
- create
Expand Down Expand Up @@ -47,17 +43,11 @@ rules:
- deployments/status
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- core.spinkube.dev
resources:
- spinappexecutors
- spinapps
verbs:
- create
- delete
Expand All @@ -76,25 +66,6 @@ rules:
- core.spinkube.dev
resources:
- spinappexecutors/status
verbs:
- get
- patch
- update
- apiGroups:
- core.spinkube.dev
resources:
- spinapps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- core.spinkube.dev
resources:
- spinapps/status
verbs:
- get
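Review bot: The regenerated rules appear to fold `secrets` into the rule that also lists `services` (lines 101-102) and `spinapps` into the `spinappexecutors` rule (lines 119-120); every resource in a shared rule receives every verb in that rule, so this is a privilege widening unless the two resources already had identical verb sets, which the old file did not have (the removed standalone `secrets` rule on lines 88-97 carried create/delete/get/list/patch/update/watch). The verb lists of both merged rules continue past the end of their hunks, so the rendered ClusterRole should be checked against the controller's `//+kubebuilder:rbac` markers before merge; if the sets differ, keep the resources in separate rules rather than accept the union. The old/new side of each line here is inferred from the hunk counts on the rendered page rather than from explicit markers, so please read it as a question, not a finding.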
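--- a/charts/spin-operator/templates/metrics-auth-rbac.yaml
+++ b/charts/spin-operator/templates/metrics-auth-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "spin-operator.fullname" . }}-metrics-auth-role
+labels:
+{{- include "spin-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "spin-operator.fullname" . }}-metrics-auth-rolebinding
+labels:
+{{- include "spin-operator.labels" . | nindent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: '{{ include "spin-operator.fullname" . }}-metrics-auth-role'
+subjects:
+- kind: ServiceAccount
+name: '{{ include "spin-operator.fullname" . }}-controller-manager'
+namespace: '{{ .Release.Namespace }}'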
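Review bot: Nothing in the new file says why the controller-manager service account now needs to create TokenReviews and SubjectAccessReviews, and a future cleanup could easily trim the rule as unused; a header comment at the top of the ClusterRole would pin the intent, e.g. `# Lets the controller-manager authenticate (TokenReview) and authorize (SubjectAccessReview) clients of its TLS metrics endpoint; this replaces the kube-rbac-proxy sidecar that previously held these permissions.` The last clause should be confirmed against the deleted proxy role, which is not fully visible on this page. Separately, the templated names are quoted on lines 183, 186 and 187 but not on lines 157 and 177; either form renders, but one style per file reads better.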
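--- a/charts/spin-operator/templates/metrics-certs.yaml
+++ b/charts/spin-operator/templates/metrics-certs.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: {{ include "spin-operator.fullname" . }}-metrics-certs
+labels:
+{{- include "spin-operator.labels" . | nindent 4 }}
+spec:
+dnsNames:
+- '{{ include "{{ .Release.Namespace }}.fullname" . }}-metrics-service.{{ .Release.Namespace
+}}.svc'
+- '{{ include "{{ .Release.Namespace }}.fullname" . }}-metrics-service.{{ .Release.Namespace
+}}.svc.{{ .Values.kubernetesClusterDomain }}'
+issuerRef:
+kind: Issuer
+name: '{{ include "spin-operator.fullname" . }}-selfsigned-issuer'
+secretName: metrics-server-cert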
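Review bot: Both dnsNames entries (lines 199-202) nest a template action inside the include name, `{{ include "{{ .Release.Namespace }}.fullname" . }}`, which is not valid Go-template syntax and, even if it rendered, would not yield the `{{ include "spin-operator.fullname" . }}-metrics-service` name that metrics-service.yaml gives the Service; a SAN that does not match the Service DNS name makes every scraper that verifies the certificate fail. Replace them with `- '{{ include "spin-operator.fullname" . }}-metrics-service.{{ .Release.Namespace }}.svc'` and `- '{{ include "spin-operator.fullname" . }}-metrics-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}'`, and add a `helm template` run to CI so a broken action is caught before release. Note also that `secretName: metrics-server-cert` is not release-prefixed, so two releases in one namespace would share (and fight over) the same Secret; this mirrors the existing `webhook-server-cert`, so it is a chart-wide convention rather than a regression here.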
3 changes: 0 additions & 3 deletions charts/spin-operator/templates/metrics-reader-rbac.yaml
Expand Up @@ -3,9 +3,6 @@ kind: ClusterRole
metadata:
name: {{ include "spin-operator.fullname" . }}-metrics-reader
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: spin-operator
app.kubernetes.io/part-of: spin-operator
{{- include "spin-operator.labels" . | nindent 4 }}
rules:
- nonResourceURLs:
@@ -1,9 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "spin-operator.fullname" . }}-proxy-role
name: {{ include "spin-operator.fullname" . }}-metrics-role
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics-server
app.kubernetes.io/created-by: spin-operator
app.kubernetes.io/part-of: spin-operator
{{- include "spin-operator.labels" . | nindent 4 }}
Expand All @@ -24,16 +24,16 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "spin-operator.fullname" . }}-proxy-rolebinding
name: {{ include "spin-operator.fullname" . }}-metrics-rolebinding
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics-server
app.kubernetes.io/created-by: spin-operator
app.kubernetes.io/part-of: spin-operator
{{- include "spin-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "spin-operator.fullname" . }}-proxy-role'
name: '{{ include "spin-operator.fullname" . }}-metrics-role'
subjects:
- kind: ServiceAccount
name: '{{ include "spin-operator.fullname" . }}-controller-manager'
5 changes: 1 addition & 4 deletions charts/spin-operator/templates/metrics-service.yaml
@@ -1,11 +1,8 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "spin-operator.fullname" . }}-controller-manager-metrics-service
name: {{ include "spin-operator.fullname" . }}-metrics-service
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: spin-operator
app.kubernetes.io/part-of: spin-operator
control-plane: controller-manager
{{- include "spin-operator.labels" . | nindent 4 }}
spec:
39 changes: 4 additions & 35 deletions charts/spin-operator/values.yaml
Expand Up @@ -8,7 +8,8 @@ controllerManager:
## In general, these should be left as-is.
args:
- --health-probe-bind-address=:8082
- --metrics-bind-address=127.0.0.1:8080
- --metrics-bind-address=:8443
- --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
- --leader-elect
- --enable-webhooks
## containerSecurityContext defines privilege and access control for the
Expand Down Expand Up @@ -38,38 +39,6 @@ controllerManager:
cpu: 10m
memory: 64Mi

## kubeRbacProxy handles RBAC authorization with the Kubernetes API server.
kubeRbacProxy:
## args are the default arguments to supply to the RBAC proxy.
## In general, these should be left as-is.
args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
## containerSecurityContext defines privilege and access control for the
## container.
## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
## image indicates which repository and tag combination will be used for
## pulling the RBAC proxy image.
image:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.15.0
## resources represent default cpu/mem limits for the RBAC proxy container.
resources:
# TODO: update these per https://github.com/spinkube/spin-operator/issues/21
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi

# replicas represent how many pod replicas of the controllerManager to run.
replicas: 1

Expand All @@ -83,13 +52,13 @@ kubernetesClusterDomain: cluster.local

## metricsService configuration.
## This configuration should only be updated in tandem with corresponding
## controller and RBAC proxy configuration.
## controller configuration.
metricsService:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
targetPort: 8443
type: ClusterIP

## webhookService configuration.
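Review bot: Changing `--metrics-bind-address` from `127.0.0.1:8080` to `:8443` (lines 276-277) moves the metrics listener from loopback, where only the kube-rbac-proxy sidecar could reach it, to every interface of the pod, and the sidecar that enforced authentication and authorization is deleted in the second hunk; TLS from `--metrics-cert-path` encrypts the connection but does not by itself authenticate scrapers. Whether the endpoint stays protected now depends on the manager binary wiring an authn/authz filter on its metrics server (the new metrics-auth ClusterRole suggests that is the plan), which this chart change cannot show, so please confirm it in the controller before merging. Once confirmed, say so next to the args so operators do not assume the port is open, e.g. `## Metrics are served over TLS on :8443 and protected by the manager's own authn/authz filter (see metrics-auth-rbac.yaml); there is no kube-rbac-proxy sidecar any more.` The switch from `targetPort: https` to `targetPort: 8443` on lines 332-333 would be unnecessary if the manager container declared the named port, which would also keep existing NetworkPolicies that reference `https` working.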