From 167e3cfac4300e0f9ee6902a73f2d4c1e76e546d Mon Sep 17 00:00:00 2001 From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Sun, 1 Dec 2024 16:10:28 +0000 Subject: [PATCH] Follow up of: #4243 - Ensure that production configuration to protect metrics server is configurable via flags --- .../testdata/project/cmd/main.go | 24 ++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 15 +++++++++++ .../config/default/manager_metrics_patch.yaml | 3 +++ .../testdata/project/dist/install.yaml | 1 + .../testdata/project/cmd/main.go | 26 ++++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 15 +++++++++++ .../config/default/manager_metrics_patch.yaml | 3 +++ .../testdata/project/dist/install.yaml | 1 + .../testdata/project/cmd/main.go | 24 ++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 15 +++++++++++ .../config/default/manager_metrics_patch.yaml | 3 +++ .../testdata/project/dist/install.yaml | 6 ++--- .../cronjob-tutorial/generate_cronjob.go | 9 ------- .../certmanager_metrics_manager_patch.go | 17 +++++++++++- .../config/kdefault/manager_metrics_patch.go | 3 +++ .../scaffolds/internal/templates/cmd/main.go | 24 ++++++++++++----- test/e2e/v4/generate_test.go | 10 ------- testdata/project-v4-multigroup/cmd/main.go | 24 ++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 17 +++++++++++- .../config/default/manager_metrics_patch.yaml | 3 +++ .../project-v4-multigroup/dist/install.yaml | 1 + testdata/project-v4-with-plugins/cmd/main.go | 24 ++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 17 +++++++++++- .../config/default/manager_metrics_patch.yaml | 3 +++ .../project-v4-with-plugins/dist/install.yaml | 1 + testdata/project-v4/cmd/main.go | 24 ++++++++++++----- .../certmanager_metrics_manager_patch.yaml | 17 +++++++++++- .../config/default/manager_metrics_patch.yaml | 3 +++ testdata/project-v4/dist/install.yaml | 1 + 29 files changed, 265 insertions(+), 69 deletions(-) 
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index 458a9f8c3e2..c22d335951b 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go @@ -74,6 +74,9 @@ func main() { /* */ var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -87,6 +90,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
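Review bot: The help strings of the three new flags in the second hunk describe controller-runtime's struct fields rather than the flags: `--cert-dir` says the directory is "for verifying HTTPS connections", while the hunk further down wires it into the metrics server's serving options, and `--cert-name`/`--cert-key` open with "CertName is"/"KeyName is" and never tell the user that the value is a file name presumably resolved inside `--cert-dir`. Suggested wording: `"The directory holding the TLS certificate and key served by the metrics server."`, `"Name of the server certificate file inside --cert-dir. Defaults to tls.crt"` and `"Name of the server key file inside --cert-dir. Defaults to tls.key"`. The same hunk is repeated in the getting-started and multiversion-tutorial copies, in the scaffold template pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go and in the three testdata projects; the template is the one to fix, the others are regenerated from it. main continues beyond this hunk.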
@@ -135,13 +142,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..0575afd5cc9 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
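Review bot: The gate `if certName != "" && certKey != ""` silently discards a lone `--cert-name` or `--cert-key`, although each flag's help text advertises its own default (tls.crt / tls.key), so the two can simply be applied independently: `if certName != "" { metricsServerOptions.CertName = certName }` and `if certKey != "" { metricsServerOptions.KeyName = certKey }`; if the intent is that they must be given together, reject the mismatch explicitly (log and exit) rather than keeping the defaults without a message. The rewritten comment also carries two typos, `Not that` for `Note that` and `CERTMANGER`, and it still speaks of "uncommenting [METRICS WITH CERTMANGER]" although nothing in the new code is commented out any more — the cert-manager setup now happens by passing these flags from config/default/certmanager_metrics_manager_patch.yaml, which is what the comment should say. The same hunk is repeated in the other main.go files and in the scaffold template pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go. main continues beyond this hunk.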
@@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index c20c83edbc5..b96d78addf4 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml @@ -4115,6 +4115,7 @@ spec: spec: containers: - args: + - --secure-metrics=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/docs/book/src/getting-started/testdata/project/cmd/main.go b/docs/book/src/getting-started/testdata/project/cmd/main.go index 7347d215463..27899cbb785 100644 --- a/docs/book/src/getting-started/testdata/project/cmd/main.go +++ b/docs/book/src/getting-started/testdata/project/cmd/main.go 
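Review bot: The appended Deployment document sets `args:` through a strategic merge patch, and a container's args list has no merge key, so it replaces the existing args instead of extending them: the regenerated docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml in this same commit shows `--metrics-bind-address`, `--leader-elect` and `--health-probe-bind-address` disappearing in favour of the three cert flags, which would leave the manager without leader election or health probes precisely when cert-manager is enabled. The values are also inconsistent with the flags they feed: `--cert-name` and `--cert-key` are documented as file names defaulting to tls.crt / tls.key, but here they are absolute paths, and the certificate is called `tls.cert` rather than the `tls.crt` the help text uses (and which the mounted metrics-server-cert secret presumably contains). Adding the args through a JSON patch, as manager_metrics_patch.yaml already does, keeps the existing list; the same document is appended in the getting-started and multiversion-tutorial copies, in the template pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go and in the three testdata projects. Whether the kustomize version in use accepts a second document inside a strategic-merge patch file at all should be checked as well.
```yaml
# Separate JSON-patch file, listed under patches: in kustomization.yaml next to
# certmanager_metrics_manager_patch.yaml, so the existing args are preserved.
- op: add
  path: /spec/template/spec/containers/0/args/-
  value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs
- op: add
  path: /spec/template/spec/containers/0/args/-
  value: --cert-name=tls.crt
- op: add
  path: /spec/template/spec/containers/0/args/-
  value: --cert-key=tls.key
```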
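Review bot: The added argument `--secure-metrics=true` does not correspond to any flag the manager defines: the main.go hunks in this commit register the option as `flag.BoolVar(&secureMetrics, "metrics-secure", true, ...)`, and the default flag set exits on an unknown flag, so a deployment built from this patch would fail at startup. The value should be `--metrics-secure=true` (it is already the default, so the line only documents the production setting explicitly). The same line is added in the getting-started and multiversion-tutorial copies, in the template pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go, in the three testdata projects and in every regenerated dist/install.yaml of this commit.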
@@ -54,6 +54,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -67,6 +70,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -115,13 +122,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] + + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..0575afd5cc9 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
@@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/docs/book/src/getting-started/testdata/project/dist/install.yaml b/docs/book/src/getting-started/testdata/project/dist/install.yaml index 6af37f625be..5a2a8bf21da 100644 --- a/docs/book/src/getting-started/testdata/project/dist/install.yaml +++ b/docs/book/src/getting-started/testdata/project/dist/install.yaml @@ -418,6 +418,7 @@ spec: spec: containers: - args: + - --secure-metrics=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go index a199eec734b..a0cd7078a4f 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go 
@@ -73,6 +73,9 @@ func main() { /* */ var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -86,6 +89,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -134,13 +141,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..0575afd5cc9 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
@@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 8a9b9c9f3ab..04b16d294bb 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -7926,9 +7926,9 @@ spec: spec: containers: - args: - - --metrics-bind-address=:8443 - - --leader-elect - - --health-probe-bind-address=:8081 + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key command: - /manager image: controller:latest diff --git a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go index a2b17b3b32a..2ff4c0cb35c 100644 
--- a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go +++ b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go @@ -355,15 +355,6 @@ CronJob controller's`+" `"+`SetupWithManager`+"`"+` method. }`, ` // +kubebuilder:docs-gen:collapse=old stuff`) hackutils.CheckError("fixing main.go", err) - - // Enabling metrics with certs - err = pluginutil.UncommentCode( - filepath.Join(sp.ctx.Dir, "cmd/main.go"), - `// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key"`, ` - // `) - hackutils.CheckError("enabling metrics service options into main.go", err) } func (sp *Sample) updateMakefile() { diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go index 31859c3fd89..17cc13f43d6 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go @@ -56,7 +56,7 @@ metadata: name: controller-manager namespace: system labels: - app.kubernetes.io/name: {{ .ProjectName }} + app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize spec: template: @@ -71,4 +71,19 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key ` 
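Review bot: The first hunk of certmanager_metrics_manager_patch.go replaces `app.kubernetes.io/name: {{ .ProjectName }}` with the literal `project`, so every scaffolded project now receives a patch whose label no longer matches its own name; the testdata diffs for project-v4, project-v4-multigroup and project-v4-with-plugins show exactly that regression, their labels changing from the project name to `project`. Unless the label is meant to be dropped from the patch entirely, the line should stay `app.kubernetes.io/name: {{ .ProjectName }}` and the testdata be regenerated. The template constant continues beyond the hunk.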
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go index ca822c79315..9e3b345f0fd 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go @@ -46,4 +46,7 @@ const kustomizeMetricsPatchTemplate = `# This patch adds the args to allow expos - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true ` diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go index 136be031810..2526e74bfa4 100644 --- a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go +++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go @@ -256,6 +256,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -269,6 +272,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -317,13 +324,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 19a751ef511..c72d0908615 100644 
--- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go @@ -72,9 +72,6 @@ func GenerateV4(kbc *utils.TestContext) { ExpectWithOffset(1, pluginutil.UncommentCode( filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), `#- path: certmanager_metrics_manager_patch.yaml`, "#")).To(Succeed()) - ExpectWithOffset(1, pluginutil.UncommentCode( - filepath.Join(kbc.Dir, "cmd", "main.go"), - tlsConfigManager, "// ")).To(Succeed()) } // GenerateV4WithoutMetrics implements a go/v4 plugin project defined by a TestContext. @@ -176,9 +173,6 @@ func GenerateV4WithNetworkPolicies(kbc *utils.TestContext) { ExpectWithOffset(1, pluginutil.UncommentCode( filepath.Join(kbc.Dir, "config", "prometheus", "kustomization.yaml"), monitorTlsPatch, "#")).To(Succeed()) - ExpectWithOffset(1, pluginutil.UncommentCode( - filepath.Join(kbc.Dir, "cmd", "main.go"), - tlsConfigManager, "// ")).To(Succeed()) By("uncomment kustomization.yaml to enable network policy") ExpectWithOffset(1, pluginutil.UncommentCode( filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), @@ -434,7 +428,3 @@ const monitorTlsPatch = `#patches: # - path: monitor_tls_patch.yaml # target: # kind: ServiceMonitor` - -const tlsConfigManager = `// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key"` diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go index 275bd9065c7..96f0a8df1bf 100644 --- a/testdata/project-v4-multigroup/cmd/main.go +++ b/testdata/project-v4-multigroup/cmd/main.go @@ -95,6 +95,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -108,6 +111,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -156,13 +163,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } 
diff --git a/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml index a6b8d9bc0de..0575afd5cc9 100644 --- a/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml +++ b/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml @@ -4,7 +4,7 @@ metadata: name: controller-manager namespace: system labels: - app.kubernetes.io/name: project-v4-multigroup + app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize spec: template: @@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml +++ b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml index 9e6adf59b9d..2aab0a760da 100644 --- a/testdata/project-v4-multigroup/dist/install.yaml +++ b/testdata/project-v4-multigroup/dist/install.yaml 
@@ -2112,6 +2112,7 @@ spec: spec: containers: - args: + - --secure-metrics=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/testdata/project-v4-with-plugins/cmd/main.go b/testdata/project-v4-with-plugins/cmd/main.go index f01870085dc..ce1c78057e9 100644 --- a/testdata/project-v4-with-plugins/cmd/main.go +++ b/testdata/project-v4-with-plugins/cmd/main.go @@ -60,6 +60,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -73,6 +76,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -121,13 +128,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml index ed2f033ddbb..0575afd5cc9 100644 --- a/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml +++ b/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml @@ -4,7 +4,7 @@ metadata: name: controller-manager namespace: system labels: - app.kubernetes.io/name: project-v4-with-plugins + app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize spec: template: 
@@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml +++ b/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/testdata/project-v4-with-plugins/dist/install.yaml b/testdata/project-v4-with-plugins/dist/install.yaml index 79528f60b21..4bb33f714a1 100644 --- a/testdata/project-v4-with-plugins/dist/install.yaml +++ b/testdata/project-v4-with-plugins/dist/install.yaml @@ -805,6 +805,7 @@ spec: spec: containers: - args: + - --secure-metrics=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go index 1a72e4c73c1..d261c70dff1 100644 --- a/testdata/project-v4/cmd/main.go +++ b/testdata/project-v4/cmd/main.go @@ -63,6 +63,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -76,6 +79,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -124,13 +131,18 @@ func main() { // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // this setup is not recommended for production. Not that, if cert-manager is enabled + // in config/default/kustomization.yaml, you can use the certificate managed by cert-manager by + // specifying the CertDir, CertName, and KeyName by uncommenting [METRICS WITH CERTMANGER] - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } 
diff --git a/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml index 862a49388f2..0575afd5cc9 100644 --- a/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml +++ b/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml @@ -4,7 +4,7 @@ metadata: name: controller-manager namespace: system labels: - app.kubernetes.io/name: project-v4 + app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize spec: template: @@ -19,3 +19,18 @@ spec: - name: metrics-certs secret: secretName: metrics-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key diff --git a/testdata/project-v4/config/default/manager_metrics_patch.yaml b/testdata/project-v4/config/default/manager_metrics_patch.yaml index 2aaef6536f4..ab9e84df5f6 100644 --- a/testdata/project-v4/config/default/manager_metrics_patch.yaml +++ b/testdata/project-v4/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --secure-metrics=true diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml index 33f1336fa30..89852e9c75f 100644 --- a/testdata/project-v4/dist/install.yaml +++ b/testdata/project-v4/dist/install.yaml @@ -675,6 +675,7 @@ spec: spec: containers: - args: + - --secure-metrics=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081