Follow up of: kubernetes-sigs#4243 - Ensure that production configura…

…tion to protect metrics server is configurable via flags

docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go

@@ -74,6 +74,9 @@ func main() {
 	/*
 	 */
 	var metricsAddr string
+	var certDir string
+	var certName string
+	var certKey string
 	var enableLeaderElection bool
 	var probeAddr string
 	var secureMetrics bool
@@ -87,6 +90,10 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&certDir, "cert-dir", "",
+		"The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+	flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+	flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
@@ -135,13 +142,18 @@ func main() {
 
 		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
 		// generate self-signed certificates for the metrics server. While convenient for development and testing,
-		// this setup is not recommended for production.
+		// this setup is not recommended for production. Not that, if cert-manager is enabled
+		// in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by
+		// specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER]
 
-		// TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
-		// you can uncomment the following lines to use the certificate managed by cert-manager.
-		// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"
+		if certDir != "" {
+			metricsServerOptions.CertDir = certDir
+		}
+
+		if certName != "" && certKey != "" {
+			metricsServerOptions.CertName = certName
+			metricsServerOptions.KeyName = certKey
+		}
 
 	}
 

docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml

@@ -19,3 +19,18 @@ spec:
       - name: metrics-certs
         secret:
           secretName: metrics-server-cert
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+        - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+        - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key

docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -2,3 +2,6 @@
 - op: add
   path: /spec/template/spec/containers/0/args/0
   value: --metrics-bind-address=:8443
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --secure-metrics=true

docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml

@@ -4115,6 +4115,7 @@ spec:
     spec:
       containers:
       - args:
+        - --secure-metrics=true
         - --metrics-bind-address=:8443
         - --leader-elect
         - --health-probe-bind-address=:8081

docs/book/src/getting-started/testdata/project/cmd/main.go

@@ -54,6 +54,9 @@ func init() {
 
 func main() {
 	var metricsAddr string
+	var certDir string
+	var certName string
+	var certKey string
 	var enableLeaderElection bool
 	var probeAddr string
 	var secureMetrics bool
@@ -67,6 +70,10 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&certDir, "cert-dir", "",
+		"The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+	flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+	flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
@@ -115,13 +122,18 @@ func main() {
 
 		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
 		// generate self-signed certificates for the metrics server. While convenient for development and testing,
-		// this setup is not recommended for production.
-
-		// TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
-		// you can uncomment the following lines to use the certificate managed by cert-manager.
-		// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"
+		// this setup is not recommended for production. Not that, if cert-manager is enabled
+		// in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by
+		// specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER]
+
+		if certDir != "" {
+			metricsServerOptions.CertDir = certDir
+		}
+
+		if certName != "" && certKey != "" {
+			metricsServerOptions.CertName = certName
+			metricsServerOptions.KeyName = certKey
+		}
 
 	}
 

docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml

@@ -19,3 +19,18 @@ spec:
       - name: metrics-certs
         secret:
           secretName: metrics-server-cert
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+        - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+        - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key

docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml

@@ -2,3 +2,6 @@
 - op: add
   path: /spec/template/spec/containers/0/args/0
   value: --metrics-bind-address=:8443
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --secure-metrics=true

docs/book/src/getting-started/testdata/project/dist/install.yaml

@@ -418,6 +418,7 @@ spec:
     spec:
       containers:
       - args:
+        - --secure-metrics=true
         - --metrics-bind-address=:8443
         - --leader-elect
         - --health-probe-bind-address=:8081

docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go

@@ -73,6 +73,9 @@ func main() {
 	/*
 	 */
 	var metricsAddr string
+	var certDir string
+	var certName string
+	var certKey string
 	var enableLeaderElection bool
 	var probeAddr string
 	var secureMetrics bool
@@ -86,6 +89,10 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&certDir, "cert-dir", "",
+		"The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+	flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+	flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
@@ -134,13 +141,18 @@ func main() {
 
 		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
 		// generate self-signed certificates for the metrics server. While convenient for development and testing,
-		// this setup is not recommended for production.
+		// this setup is not recommended for production. Not that, if cert-manager is enabled
+		// in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by
+		// specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER]
 
-		// TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
-		// you can uncomment the following lines to use the certificate managed by cert-manager.
-		// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"
+		if certDir != "" {
+			metricsServerOptions.CertDir = certDir
+		}
+
+		if certName != "" && certKey != "" {
+			metricsServerOptions.CertName = certName
+			metricsServerOptions.KeyName = certKey
+		}
 
 	}
 

docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml

@@ -19,3 +19,18 @@ spec:
       - name: metrics-certs
         secret:
           secretName: metrics-server-cert
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+        - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+        - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key

docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -2,3 +2,6 @@
 - op: add
   path: /spec/template/spec/containers/0/args/0
   value: --metrics-bind-address=:8443
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --secure-metrics=true

docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml

@@ -7926,9 +7926,9 @@ spec:
     spec:
       containers:
       - args:
-        - --metrics-bind-address=:8443
-        - --leader-elect
-        - --health-probe-bind-address=:8081
+        - --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+        - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+        - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key
         command:
         - /manager
         image: controller:latest

hack/docs/internal/cronjob-tutorial/generate_cronjob.go

@@ -355,15 +355,6 @@ CronJob controller's`+" `"+`SetupWithManager`+"`"+` method.
 	}`, `
 	// +kubebuilder:docs-gen:collapse=old stuff`)
 	hackutils.CheckError("fixing main.go", err)
-
-	// Enabling metrics with certs
-	err = pluginutil.UncommentCode(
-		filepath.Join(sp.ctx.Dir, "cmd/main.go"),
-		`// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"`, `
-	// `)
-	hackutils.CheckError("enabling metrics service options into main.go", err)
 }
 
 func (sp *Sample) updateMakefile() {

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go

@@ -56,7 +56,7 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    app.kubernetes.io/name: {{ .ProjectName }}
+    app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
 spec:
   template:
@@ -71,4 +71,19 @@ spec:
       - name: metrics-certs
         secret:
           secretName: metrics-server-cert
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+        - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+        - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key
 `

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go

@@ -46,4 +46,7 @@ const kustomizeMetricsPatchTemplate = `# This patch adds the args to allow expos
 - op: add
   path: /spec/template/spec/containers/0/args/0
   value: --metrics-bind-address=:8443
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --secure-metrics=true
 `

pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go

@@ -256,6 +256,9 @@ func init() {
 
 func main() {
 	var metricsAddr string
+	var certDir string
+	var certName string
+	var certKey string
 	var enableLeaderElection bool
 	var probeAddr string
 	var secureMetrics bool
@@ -269,6 +272,10 @@ func main() {
 		"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&certDir, "cert-dir", "", 
+		"The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+	flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+	flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
@@ -317,13 +324,18 @@ func main() {
 
 		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
 		// generate self-signed certificates for the metrics server. While convenient for development and testing,
-		// this setup is not recommended for production.
+		// this setup is not recommended for production. Not that, if cert-manager is enabled 
+		// in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by
+		// specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER]
 
-		// TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
-		// you can uncomment the following lines to use the certificate managed by cert-manager.
-		// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"
+		if certDir != "" {
+			metricsServerOptions.CertDir = certDir
+		}
+	
+		if certName != "" && certKey != "" {
+			metricsServerOptions.CertName = certName
+			metricsServerOptions.KeyName = certKey
+		}
 
 	}
 

test/e2e/v4/generate_test.go

@@ -72,9 +72,6 @@ func GenerateV4(kbc *utils.TestContext) {
 	ExpectWithOffset(1, pluginutil.UncommentCode(
 		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
 		`#- path: certmanager_metrics_manager_patch.yaml`, "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "cmd", "main.go"),
-		tlsConfigManager, "// ")).To(Succeed())
 }
 
 // GenerateV4WithoutMetrics implements a go/v4 plugin project defined by a TestContext.
@@ -176,9 +173,6 @@ func GenerateV4WithNetworkPolicies(kbc *utils.TestContext) {
 	ExpectWithOffset(1, pluginutil.UncommentCode(
 		filepath.Join(kbc.Dir, "config", "prometheus", "kustomization.yaml"),
 		monitorTlsPatch, "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "cmd", "main.go"),
-		tlsConfigManager, "// ")).To(Succeed())
 	By("uncomment kustomization.yaml to enable network policy")
 	ExpectWithOffset(1, pluginutil.UncommentCode(
 		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
@@ -434,7 +428,3 @@ const monitorTlsPatch = `#patches:
 #  - path: monitor_tls_patch.yaml
 #    target:
 #      kind: ServiceMonitor`
-
-const tlsConfigManager = `// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
-		// metricsServerOptions.CertName = "tls.crt"
-		// metricsServerOptions.KeyName = "tls.key"`