From 2f012e831d5f1d96e698ad85487d5cda46dcd8e9 Mon Sep 17 00:00:00 2001 
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Sun, 1 Dec 2024 16:10:28 +0000 Subject: [PATCH] feat/fix: enhance cert-manager integration for metrics endpoints (follow-up to PR #4243) This commit is a follow-up to PR #4243, which introduced support for using cert-manager certificates for securing the metrics endpoint and ServiceMonitor. Key enhancements: - Added support for configuring certificate integration via a Kustomize patch. - Introduced configurable flags for greater flexibility in customization. - (fix)Updated the patch logic to append volumes and arguments without overwriting existing configurations, ensuring seamless integration. These improvements enhance usability and adaptability while maintaining compatibility with the initial implementation. As the feature has not yet been released, this update ensures a polished and user-friendly integration for upcoming releases. --- .github/workflows/test-e2e-samples.yml | 8 +-- .../testdata/project/cmd/main.go | 26 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../project/config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + .../testdata/project/dist/install.yaml | 1 + .../testdata/project/cmd/main.go | 28 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../project/config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + .../testdata/project/dist/install.yaml | 1 + .../testdata/project/cmd/main.go | 26 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../project/config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + .../testdata/project/dist/install.yaml | 11 ++-- .../cronjob-tutorial/generate_cronjob.go | 13 +---- .../certmanager_metrics_manager_patch.go | 57 ++++++++++++------- .../config/kdefault/kustomization.go | 10 ++-- .../config/kdefault/manager_metrics_patch.go | 3 + 
.../scaffolds/internal/templates/cmd/main.go | 28 ++++++--- test/e2e/v4/generate_test.go | 18 ++---- testdata/project-v4-multigroup/cmd/main.go | 26 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + .../project-v4-multigroup/dist/install.yaml | 1 + testdata/project-v4-with-plugins/cmd/main.go | 26 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + .../project-v4-with-plugins/dist/install.yaml | 1 + testdata/project-v4/cmd/main.go | 26 ++++++--- .../certmanager_metrics_manager_patch.yaml | 56 +++++++++++------- .../config/default/kustomization.yaml | 10 ++-- .../config/default/manager_metrics_patch.yaml | 3 + testdata/project-v4/dist/install.yaml | 1 + 37 files changed, 459 insertions(+), 266 deletions(-) diff --git a/.github/workflows/test-e2e-samples.yml b/.github/workflows/test-e2e-samples.yml index 1a73e9f6890..67f2b3cf4f2 100644 --- a/.github/workflows/test-e2e-samples.yml +++ b/.github/workflows/test-e2e-samples.yml @@ -41,7 +41,7 @@ jobs: run: | KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '55,182s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '57,184s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4/ go mod tidy @@ -82,8 +82,8 @@ jobs: sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment only ValidatingWebhookConfiguration # from cert-manager replaces - sed -i '55,121s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '153,182s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '57,123s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '155,184s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-with-plugins/ go mod tidy 
@@ -122,7 +122,7 @@ jobs: run: | KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '55,182s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '57,185s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-multigroup go mod tidy diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index 458a9f8c3e2..7b40c67f2fd 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go @@ -74,6 +74,9 @@ func main() { /* */ var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -87,6 +90,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
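Review bot: The `--cert-dir` help text says the directory holds a certificate "for verifying HTTPS connections", but `CertDir` is where the metrics server reads its own serving certificate and key, so the wording points operators at the wrong trust direction; suggested: `"The directory containing the TLS certificate and key used to serve the metrics endpoint over HTTPS."`. The `--cert-name`/`--cert-key` strings read as struct field docs (`CertName is ...`, `KeyName is ...`) and the flag name `cert-key` does not match the option it populates (`KeyName`); since these apply only to the metrics server and not to the webhook server's certificates, names such as `--metrics-cert-dir`/`--metrics-cert-name`/`--metrics-cert-key` would make that scope explicit (the kustomize patch that passes them would need the same rename). The same flag block is added in the getting-started, multiversion-tutorial and scaffold-template main.go hunks of this commit; main's body continues outside the hunk.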
@@ -133,15 +140,18 @@ func main() { // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates + // for the metrics server, suitable for development but not recommended for production. + // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in + // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly. + if certDir != "" { + metricsServerOptions.CertDir = certDir + } - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..21f02ba0fba 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
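Review bot: With `if certName != "" && certKey != ""`, supplying only one of the two flags silently discards both and the server falls back to the default file names, so a typo in one flag surfaces later as a certificate-load failure (or, with `--cert-dir` also unset, a self-signed fallback) with no hint of the cause; validate the pair and fail fast, e.g. `if (certName == "") != (certKey == "") { setupLog.Error(nil, "--cert-name and --cert-key must be set together"); os.Exit(1) }`, assuming `setupLog` and `os` are in scope outside the hunk. The new comment directs users to `[METRICS WITH CERTMANAGER]`, while the marker in config/default/kustomization.yaml (and the kustomization.go template) is spelled `[METRICS WITH CERTMANGER]`, so searching for the comment's text finds nothing; align the two spellings. The same block recurs in the getting-started, multiversion-tutorial and scaffold-template main.go hunks; the enclosing `if secureMetrics` block and main's body continue outside the hunk.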
@@ -1,21 +1,35 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize -spec: - template: - spec: - containers: - - name: manager - volumeMounts: - - mountPath: /tmp/k8s-metrics-server/metrics-certs - name: metrics-certs - readOnly: true - volumes: - - name: metrics-certs - secret: - secretName: metrics-server-cert +# This patch adds the args and volumes to allow the manager to use the metrics-server certs +# Ensure the volumeMounts field exists by creating it if missing +- op: add + path: /spec/template/spec/containers/0/volumeMounts + value: [] +# Add the volume mount for the serving certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +# Add the cert-dir argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs +# Add the cert-name argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert +# Add the cert-key argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key +# Ensure the volumes field exists by creating it if missing +- op: add + path: /spec/template/spec/volumes + value: [] +# Add the volume for the serving certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index ab2925bc69e..bd755d4b46e 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
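Review bot: The two `op: add` steps with `value: []` on `/spec/template/spec/containers/0/volumeMounts` and `/spec/template/spec/volumes` replace any list that already exists (a JSON Patch `add` on an existing member replaces its value), so when manager_webhook_patch.yaml is applied first — the order this commit establishes in kustomization.yaml — the webhook `cert` mount and volume are wiped, and the multiversion-tutorial dist/install.yaml hunk in this commit shows exactly that: the `/tmp/k8s-webhook-server/serving-certs` mount and the `webhook-server-cert` volume disappear, leaving the webhook server without its serving certificate, contrary to the commit message's "without overwriting existing configurations". The same steps appear in the getting-started and multiversion copies and in `metricsManagerPatchTemplate`, which is the source to fix. Drop the two initializer ops and keep the mount/volume additions as a strategic-merge patch (which merges list entries by key regardless of patch order), reserving JSON6902 for the three `args/-` appends; at minimum, apply this patch before the webhook patch. Separately, `--cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert` and `--cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key` pass absolute paths where the flags expect file names relative to `--cert-dir` (the flag help reads "Defaults to tls.crt", and controller-runtime joins the name onto the directory), and cert-manager writes the Secret keys `tls.crt`/`tls.key`, not `tls.cert`, so the manager would fail to load its certificate; use `value: --cert-name=tls.crt` and `value: --cert-key=tls.key`.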
+++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -41,14 +41,16 @@ patches: target: kind: Deployment +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- path: manager_webhook_patch.yaml + # Uncomment the patches line if you enable Metrics and CertManager # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line. # This patch will protect the metrics with certmanager self-signed certs. - path: certmanager_metrics_manager_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -- path: manager_webhook_patch.yaml + target: + kind: Deployment # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..e504b415313 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure=true diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index c20c83edbc5..56f811fc9c0 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml 
@@ -4115,6 +4115,7 @@ spec: spec: containers: - args: + - --metrics-secure=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/docs/book/src/getting-started/testdata/project/cmd/main.go b/docs/book/src/getting-started/testdata/project/cmd/main.go index 7347d215463..537164830e4 100644 --- a/docs/book/src/getting-started/testdata/project/cmd/main.go +++ b/docs/book/src/getting-started/testdata/project/cmd/main.go @@ -54,6 +54,9 @@ func init() { func main() { var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -67,6 +70,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -113,15 +120,18 @@ func main() { // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates + // for the metrics server, suitable for development but not recommended for production. + // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in + // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly. + if certDir != "" { + metricsServerOptions.CertDir = certDir + } + + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..21f02ba0fba 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
@@ -1,21 +1,35 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize -spec: - template: - spec: - containers: - - name: manager - volumeMounts: - - mountPath: /tmp/k8s-metrics-server/metrics-certs - name: metrics-certs - readOnly: true - volumes: - - name: metrics-certs - secret: - secretName: metrics-server-cert +# This patch adds the args and volumes to allow the manager to use the metrics-server certs +# Ensure the volumeMounts field exists by creating it if missing +- op: add + path: /spec/template/spec/containers/0/volumeMounts + value: [] +# Add the volume mount for the serving certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +# Add the cert-dir argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs +# Add the cert-name argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert +# Add the cert-key argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key +# Ensure the volumes field exists by creating it if missing +- op: add + path: /spec/template/spec/volumes + value: [] +# Add the volume for the serving certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 20d178afc14..112cff97567 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
+++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -41,14 +41,16 @@ patches: target: kind: Deployment +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- path: manager_webhook_patch.yaml + # Uncomment the patches line if you enable Metrics and CertManager # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line. # This patch will protect the metrics with certmanager self-signed certs. #- path: certmanager_metrics_manager_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- path: manager_webhook_patch.yaml +# target: +# kind: Deployment # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..e504b415313 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure=true diff --git a/docs/book/src/getting-started/testdata/project/dist/install.yaml b/docs/book/src/getting-started/testdata/project/dist/install.yaml index 6af37f625be..67101b7ee61 100644 --- a/docs/book/src/getting-started/testdata/project/dist/install.yaml +++ b/docs/book/src/getting-started/testdata/project/dist/install.yaml 
@@ -418,6 +418,7 @@ spec: spec: containers: - args: + - --metrics-secure=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 diff --git a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go index a199eec734b..ef8f78f921b 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go @@ -73,6 +73,9 @@ func main() { /* */ var metricsAddr string + var certDir string + var certName string + var certKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -86,6 +89,10 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&certDir, "cert-dir", "", + "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.") + flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt") + flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -132,15 +139,18 @@ func main() { // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. + // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates + // for the metrics server, suitable for development but not recommended for production. + // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in + // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly. + if certDir != "" { + metricsServerOptions.CertDir = certDir + } - // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml, - // you can uncomment the following lines to use the certificate managed by cert-manager. - // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key" + if certName != "" && certKey != "" { + metricsServerOptions.CertName = certName + metricsServerOptions.KeyName = certKey + } } diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml index 9cee4b4f580..21f02ba0fba 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/certmanager_metrics_manager_patch.yaml 
@@ -1,21 +1,35 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize -spec: - template: - spec: - containers: - - name: manager - volumeMounts: - - mountPath: /tmp/k8s-metrics-server/metrics-certs - name: metrics-certs - readOnly: true - volumes: - - name: metrics-certs - secret: - secretName: metrics-server-cert +# This patch adds the args and volumes to allow the manager to use the metrics-server certs +# Ensure the volumeMounts field exists by creating it if missing +- op: add + path: /spec/template/spec/containers/0/volumeMounts + value: [] +# Add the volume mount for the serving certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +# Add the cert-dir argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs +# Add the cert-name argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert +# Add the cert-key argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key +# Ensure the volumes field exists by creating it if missing +- op: add + path: /spec/template/spec/volumes + value: [] +# Add the volume for the serving certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index 9cba521a7c6..6f235869533 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -41,14 +41,16 @@ patches: target: kind: Deployment +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- path: manager_webhook_patch.yaml + # Uncomment the patches line if you enable Metrics and CertManager # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line. # This patch will protect the metrics with certmanager self-signed certs. - path: certmanager_metrics_manager_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -- path: manager_webhook_patch.yaml + target: + kind: Deployment # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml index 2aaef6536f4..e504b415313 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -2,3 +2,6 @@ - op: add path: /spec/template/spec/containers/0/args/0 value: --metrics-bind-address=:8443 +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure=true diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 8a9b9c9f3ab..23b2553b614 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml 
@@ -7926,9 +7926,13 @@ spec: spec: containers: - args: + - --metrics-secure=true - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 + - --cert-dir=/tmp/k8s-metrics-server/metrics-certs + - --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert + - --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key command: - /manager image: controller:latest @@ -7962,9 +7966,6 @@ spec: drop: - ALL volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - mountPath: /tmp/k8s-metrics-server/metrics-certs name: metrics-certs readOnly: true @@ -7975,10 +7976,6 @@ spec: serviceAccountName: project-controller-manager terminationGracePeriodSeconds: 10 volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert - name: metrics-certs secret: secretName: metrics-server-cert diff --git a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go index a2b17b3b32a..7426fe7cc69 100644 --- a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go +++ b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go @@ -355,15 +355,6 @@ CronJob controller's`+" `"+`SetupWithManager`+"`"+` method. }`, ` // +kubebuilder:docs-gen:collapse=old stuff`) hackutils.CheckError("fixing main.go", err) - - // Enabling metrics with certs - err = pluginutil.UncommentCode( - filepath.Join(sp.ctx.Dir, "cmd/main.go"), - `// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs" - // metricsServerOptions.CertName = "tls.crt" - // metricsServerOptions.KeyName = "tls.key"`, ` - // `) - hackutils.CheckError("enabling metrics service options into main.go", err) } func (sp *Sample) updateMakefile() { 
@@ -602,7 +593,9 @@ func (sp *Sample) updateKustomization() { err = pluginutil.UncommentCode( filepath.Join(sp.ctx.Dir, "config/default/kustomization.yaml"), - `#- path: certmanager_metrics_manager_patch.yaml`, `#`) + `#- path: certmanager_metrics_manager_patch.yaml +# target: +# kind: Deployment`, `#`) hackutils.CheckError("enabling certmanager_metrics_manager_patch.yaml", err) err = pluginutil.UncommentCode( diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go index 31859c3fd89..edcf08d4eed 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/certmanager_metrics_manager_patch.go 
@@ -50,25 +50,40 @@ func (f *CertManagerMetricsPatch) SetTemplateDefaults() error { return nil } -const metricsManagerPatchTemplate = `apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system - labels: - app.kubernetes.io/name: {{ .ProjectName }} - app.kubernetes.io/managed-by: kustomize -spec: - template: - spec: - containers: - - name: manager - volumeMounts: - - mountPath: /tmp/k8s-metrics-server/metrics-certs - name: metrics-certs - readOnly: true - volumes: - - name: metrics-certs - secret: - secretName: metrics-server-cert +// nolint:lll +const metricsManagerPatchTemplate = `# This patch adds the args and volumes to allow the manager to use the metrics-server certs +# Ensure the volumeMounts field exists by creating it if missing +- op: add + path: /spec/template/spec/containers/0/volumeMounts + value: [] +# Add the volume mount for the serving certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +# Add the cert-dir argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs +# Add the cert-name argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert +# Add the cert-key argument +- op: add + path: /spec/template/spec/containers/0/args/- + value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key +# Ensure the volumes field exists by creating it if missing +- op: add + path: /spec/template/spec/volumes + value: [] +# Add the volume for the serving certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert ` 
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index f6122cb8854..dde53f64307 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -86,14 +86,16 @@ patches: target: kind: Deployment +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- path: manager_webhook_patch.yaml + # Uncomment the patches line if you enable Metrics and CertManager # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line. # This patch will protect the metrics with certmanager self-signed certs. #- path: certmanager_metrics_manager_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- path: manager_webhook_patch.yaml +# target: +# kind: Deployment # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go index ca822c79315..218bcc24ec7 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_metrics_patch.go 
@@ -46,4 +46,7 @@ const kustomizeMetricsPatchTemplate = `# This patch adds the args to allow expos
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-bind-address=:8443
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: --metrics-secure=true
 `
diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go
index 136be031810..de4056c2e8c 100644
--- a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go
+++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go
@@ -256,6 +256,9 @@ func init() {
 func main() {
 var metricsAddr string
+ var certDir string
+ var certName string
+ var certKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -269,6 +272,10 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+ flag.StringVar(&certDir, "cert-dir", "",
+ "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+ flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+ flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
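Review bot: The `--cert-dir` help text says the certificate is used "for verifying HTTPS connections", but what the next hunk wires into `metricsServerOptions` is the certificate and key the metrics server presents to clients, not a CA used to verify them; `"The directory containing the TLS certificate and key the metrics server serves with."` describes it accurately. The `--cert-name`/`--cert-key` strings leak controller-runtime field names (`CertName is …`, `KeyName is …`); user-facing help reads better as `"File name of the serving certificate inside --cert-dir. Defaults to tls.crt."` with a matching sentence for the key. As a point of style, these three flags are unprefixed while everything else about this endpoint is `--metrics-*` (`--metrics-bind-address`, `--metrics-secure`), so `--metrics-cert-dir` and friends would make their scope obvious; if renamed, the args in the certmanager_metrics_manager_patch.go template must change in step. The same hunk is repeated in the three testdata main.go files further down.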
@@ -315,15 +322,18 @@ func main() {
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization
 metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
- // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
-
- // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
- // you can uncomment the following lines to use the certificate managed by cert-manager.
- // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
- // metricsServerOptions.CertName = "tls.crt"
- // metricsServerOptions.KeyName = "tls.key"
+ // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates
+ // for the metrics server, suitable for development but not recommended for production.
+ // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in
+ // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly.
+ if certDir != "" {
+ metricsServerOptions.CertDir = certDir
+ }
+
+ if certName != "" && certKey != "" {
+ metricsServerOptions.CertName = certName
+ metricsServerOptions.KeyName = certKey
+ }
 }
diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go
index 19a751ef511..a93f05c24be 100644
--- a/test/e2e/v4/generate_test.go
+++ b/test/e2e/v4/generate_test.go
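Review bot: `if certName != "" && certKey != ""` silently discards a `--cert-name` given without `--cert-key` (or the reverse), so the server falls back to controller-runtime's default file name for the missing half; the mismatch then surfaces only as a startup failure, or not at all if a default-named file happens to exist in `--cert-dir`, in which case a different certificate than the operator intended is served. Treat the half-specified pair as a configuration error instead: `if (certName == "") != (certKey == "") {` followed by the file's usual log-and-exit, after which both fields can be assigned unconditionally inside the existing check. The new comment also tells the user to "specify CertDir, CertName, and KeyName", which are the Go field names; naming the flags (`--cert-dir`, `--cert-name`, `--cert-key`) would match what the kustomize patch passes. The enclosing block (presumably the `secureMetrics` branch that owns the FilterProvider context line) starts outside the hunk, and the same hunk is repeated in the three testdata main.go files further down.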
@@ -71,10 +71,9 @@ func GenerateV4(kbc *utils.TestContext) {
 monitorTlsPatch, "#")).To(Succeed())
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
- `#- path: certmanager_metrics_manager_patch.yaml`, "#")).To(Succeed())
- ExpectWithOffset(1, pluginutil.UncommentCode(
- filepath.Join(kbc.Dir, "cmd", "main.go"),
- tlsConfigManager, "// ")).To(Succeed())
+ `#- path: certmanager_metrics_manager_patch.yaml
+# target:
+# kind: Deployment`, "#")).To(Succeed())
 }
 // GenerateV4WithoutMetrics implements a go/v4 plugin project defined by a TestContext.
@@ -172,13 +171,12 @@ func GenerateV4WithNetworkPolicies(kbc *utils.TestContext) {
 metricsTarget, "#")).To(Succeed())
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
- `#- path: certmanager_metrics_manager_patch.yaml`, "#")).To(Succeed())
+ `#- path: certmanager_metrics_manager_patch.yaml
+# target:
+# kind: Deployment`, "#")).To(Succeed())
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "prometheus", "kustomization.yaml"),
 monitorTlsPatch, "#")).To(Succeed())
- ExpectWithOffset(1, pluginutil.UncommentCode(
- filepath.Join(kbc.Dir, "cmd", "main.go"),
- tlsConfigManager, "// ")).To(Succeed())
 By("uncomment kustomization.yaml to enable network policy")
 ExpectWithOffset(1, pluginutil.UncommentCode(
 filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
@@ -434,7 +432,3 @@ const monitorTlsPatch = `#patches:
 # - path: monitor_tls_patch.yaml
 # target:
 # kind: ServiceMonitor`
-
-const tlsConfigManager = `// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
- // metricsServerOptions.CertName = "tls.crt"
- // metricsServerOptions.KeyName = "tls.key"`
diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go
index 275bd9065c7..390a333698d 100644
--- a/testdata/project-v4-multigroup/cmd/main.go
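Review bot: With the `tlsConfigManager` uncomment step removed, nothing in these hunks checks that the generated manager actually picks up the cert-manager certificate; the e2e now only proves that the kustomization entry was uncommented, and a wrong file name in the kustomize patch would pass this stage unnoticed. If the remaining steps of GenerateV4 and GenerateV4WithNetworkPolicies (both functions continue outside the hunks) do not already verify it, an assertion on the built manifest — for example that the manager container args include `--cert-dir=/tmp/k8s-metrics-server/metrics-certs` — or on the certificate the metrics endpoint presents would close that gap.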
+++ b/testdata/project-v4-multigroup/cmd/main.go
@@ -95,6 +95,9 @@ func init() {
 func main() {
 var metricsAddr string
+ var certDir string
+ var certName string
+ var certKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -108,6 +111,10 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+ flag.StringVar(&certDir, "cert-dir", "",
+ "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+ flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+ flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
@@ -154,15 +161,18 @@ func main() {
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
 metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
- // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
+ // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates
+ // for the metrics server, suitable for development but not recommended for production.
+ // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in
+ // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly.
+ if certDir != "" {
+ metricsServerOptions.CertDir = certDir
+ }
- // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
- // you can uncomment the following lines to use the certificate managed by cert-manager.
- // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
- // metricsServerOptions.CertName = "tls.crt"
- // metricsServerOptions.KeyName = "tls.key"
+ if certName != "" && certKey != "" {
+ metricsServerOptions.CertName = certName
+ metricsServerOptions.KeyName = certKey
+ }
 }
diff --git a/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml
index a6b8d9bc0de..21f02ba0fba 100644
--- a/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml
+++ b/testdata/project-v4-multigroup/config/default/certmanager_metrics_manager_patch.yaml
@@ -1,21 +1,35 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
- labels:
- app.kubernetes.io/name: project-v4-multigroup
- app.kubernetes.io/managed-by: kustomize
-spec:
- template:
- spec:
- containers:
- - name: manager
- volumeMounts:
- - mountPath: /tmp/k8s-metrics-server/metrics-certs
- name: metrics-certs
- readOnly: true
- volumes:
- - name: metrics-certs
- secret:
- secretName: metrics-server-cert
+# This patch adds the args and volumes to allow the manager to use the metrics-server certs
+# Ensure the volumeMounts field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts
+ value: []
+# Add the volume mount for the serving certificates
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ mountPath: /tmp/k8s-metrics-server/metrics-certs
+ name: metrics-certs
+ readOnly: true
+# Add the cert-dir argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+# Add the cert-name argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+# Add the cert-key argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key
+# Ensure the volumes field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/volumes
+ value: []
+# Add the volume for the serving certificates
+- op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: metrics-certs
+ secret:
+ secretName: metrics-server-cert
diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml
index 69cc961d470..115fd33d4a2 100644
--- a/testdata/project-v4-multigroup/config/default/kustomization.yaml
+++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml
@@ -41,14 +41,16 @@ patches:
 target:
 kind: Deployment
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- path: manager_webhook_patch.yaml
+
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line.
 # This patch will protect the metrics with certmanager self-signed certs.
 #- path: certmanager_metrics_manager_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-- path: manager_webhook_patch.yaml
+# target:
+# kind: Deployment
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
diff --git a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml
index 2aaef6536f4..e504b415313 100644
--- a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml
+++ b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml
@@ -2,3 +2,6 @@
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-bind-address=:8443
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: --metrics-secure=true
diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml
index 9e6adf59b9d..3c02224937b 100644
--- a/testdata/project-v4-multigroup/dist/install.yaml
+++ b/testdata/project-v4-multigroup/dist/install.yaml
@@ -2112,6 +2112,7 @@ spec:
 spec:
 containers:
 - args:
+ - --metrics-secure=true
 - --metrics-bind-address=:8443
 - --leader-elect
 - --health-probe-bind-address=:8081
diff --git a/testdata/project-v4-with-plugins/cmd/main.go b/testdata/project-v4-with-plugins/cmd/main.go
index f01870085dc..dc6f1163b33 100644
--- a/testdata/project-v4-with-plugins/cmd/main.go
+++ b/testdata/project-v4-with-plugins/cmd/main.go
@@ -60,6 +60,9 @@ func init() {
 func main() {
 var metricsAddr string
+ var certDir string
+ var certName string
+ var certKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -73,6 +76,10 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+ flag.StringVar(&certDir, "cert-dir", "",
+ "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+ flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+ flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
@@ -119,15 +126,18 @@ func main() {
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
 metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
- // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
+ // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates
+ // for the metrics server, suitable for development but not recommended for production.
+ // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in
+ // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly.
+ if certDir != "" {
+ metricsServerOptions.CertDir = certDir
+ }
- // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
- // you can uncomment the following lines to use the certificate managed by cert-manager.
- // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
- // metricsServerOptions.CertName = "tls.crt"
- // metricsServerOptions.KeyName = "tls.key"
+ if certName != "" && certKey != "" {
+ metricsServerOptions.CertName = certName
+ metricsServerOptions.KeyName = certKey
+ }
 }
diff --git a/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml
index ed2f033ddbb..21f02ba0fba 100644
--- a/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml
+++ b/testdata/project-v4-with-plugins/config/default/certmanager_metrics_manager_patch.yaml
@@ -1,21 +1,35 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
- labels:
- app.kubernetes.io/name: project-v4-with-plugins
- app.kubernetes.io/managed-by: kustomize
-spec:
- template:
- spec:
- containers:
- - name: manager
- volumeMounts:
- - mountPath: /tmp/k8s-metrics-server/metrics-certs
- name: metrics-certs
- readOnly: true
- volumes:
- - name: metrics-certs
- secret:
- secretName: metrics-server-cert
+# This patch adds the args and volumes to allow the manager to use the metrics-server certs
+# Ensure the volumeMounts field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts
+ value: []
+# Add the volume mount for the serving certificates
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ mountPath: /tmp/k8s-metrics-server/metrics-certs
+ name: metrics-certs
+ readOnly: true
+# Add the cert-dir argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+# Add the cert-name argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+# Add the cert-key argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key
+# Ensure the volumes field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/volumes
+ value: []
+# Add the volume for the serving certificates
+- op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: metrics-certs
+ secret:
+ secretName: metrics-server-cert
diff --git a/testdata/project-v4-with-plugins/config/default/kustomization.yaml b/testdata/project-v4-with-plugins/config/default/kustomization.yaml
index cbbd06934bb..ea4bd28971e 100644
--- a/testdata/project-v4-with-plugins/config/default/kustomization.yaml
+++ b/testdata/project-v4-with-plugins/config/default/kustomization.yaml
@@ -41,14 +41,16 @@ patches:
 target:
 kind: Deployment
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- path: manager_webhook_patch.yaml
+
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line.
 # This patch will protect the metrics with certmanager self-signed certs.
 #- path: certmanager_metrics_manager_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-- path: manager_webhook_patch.yaml
+# target:
+# kind: Deployment
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
diff --git a/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml
index 2aaef6536f4..e504b415313 100644
--- a/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml
+++ b/testdata/project-v4-with-plugins/config/default/manager_metrics_patch.yaml
@@ -2,3 +2,6 @@
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-bind-address=:8443
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: --metrics-secure=true
diff --git a/testdata/project-v4-with-plugins/dist/install.yaml b/testdata/project-v4-with-plugins/dist/install.yaml
index 79528f60b21..d018ea04896 100644
--- a/testdata/project-v4-with-plugins/dist/install.yaml
+++ b/testdata/project-v4-with-plugins/dist/install.yaml
@@ -805,6 +805,7 @@ spec:
 spec:
 containers:
 - args:
+ - --metrics-secure=true
 - --metrics-bind-address=:8443
 - --leader-elect
 - --health-probe-bind-address=:8081
diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go
index 1a72e4c73c1..530a725e811 100644
--- a/testdata/project-v4/cmd/main.go
+++ b/testdata/project-v4/cmd/main.go
@@ -63,6 +63,9 @@ func init() {
 func main() {
 var metricsAddr string
+ var certDir string
+ var certName string
+ var certKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -76,6 +79,10 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+ flag.StringVar(&certDir, "cert-dir", "",
+ "The directory of TLS certificate to use for verifying HTTPS connections for the metrics server.")
+ flag.StringVar(&certName, "cert-name", "", "CertName is the server certificate name. Defaults to tls.crt")
+ flag.StringVar(&certKey, "cert-key", "", "KeyName is the server key name. Defaults to tls.key")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
@@ -122,15 +129,18 @@ func main() {
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
 metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
- // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
+ // If CertDir, CertName, and KeyName are not set, controller-runtime generates self-signed certificates
+ // for the metrics server, suitable for development but not recommended for production.
+ // To use cert-manager-managed certificates, enable [METRICS WITH CERTMANAGER] in
+ // config/default/kustomization.yaml and specify CertDir, CertName, and KeyName accordingly.
+ if certDir != "" {
+ metricsServerOptions.CertDir = certDir
+ }
- // TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
- // you can uncomment the following lines to use the certificate managed by cert-manager.
- // metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
- // metricsServerOptions.CertName = "tls.crt"
- // metricsServerOptions.KeyName = "tls.key"
+ if certName != "" && certKey != "" {
+ metricsServerOptions.CertName = certName
+ metricsServerOptions.KeyName = certKey
+ }
 }
diff --git a/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml b/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml
index 862a49388f2..21f02ba0fba 100644
--- a/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml
+++ b/testdata/project-v4/config/default/certmanager_metrics_manager_patch.yaml
@@ -1,21 +1,35 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
- labels:
- app.kubernetes.io/name: project-v4
- app.kubernetes.io/managed-by: kustomize
-spec:
- template:
- spec:
- containers:
- - name: manager
- volumeMounts:
- - mountPath: /tmp/k8s-metrics-server/metrics-certs
- name: metrics-certs
- readOnly: true
- volumes:
- - name: metrics-certs
- secret:
- secretName: metrics-server-cert
+# This patch adds the args and volumes to allow the manager to use the metrics-server certs
+# Ensure the volumeMounts field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts
+ value: []
+# Add the volume mount for the serving certificates
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ mountPath: /tmp/k8s-metrics-server/metrics-certs
+ name: metrics-certs
+ readOnly: true
+# Add the cert-dir argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-dir=/tmp/k8s-metrics-server/metrics-certs
+# Add the cert-name argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-name=/tmp/k8s-metrics-server/metrics-certs/tls.cert
+# Add the cert-key argument
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --cert-key=/tmp/k8s-metrics-server/metrics-certs/tls.key
+# Ensure the volumes field exists by creating it if missing
+- op: add
+ path: /spec/template/spec/volumes
+ value: []
+# Add the volume for the serving certificates
+- op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: metrics-certs
+ secret:
+ secretName: metrics-server-cert
diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml
index 3ad5f1c67e8..7e651449b7b 100644
--- a/testdata/project-v4/config/default/kustomization.yaml
+++ b/testdata/project-v4/config/default/kustomization.yaml
@@ -41,14 +41,16 @@ patches:
 target:
 kind: Deployment
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- path: manager_webhook_patch.yaml
+
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS WITH CERTMANGER] To enable metrics protected with certmanager, uncomment the following line.
 # This patch will protect the metrics with certmanager self-signed certs.
 #- path: certmanager_metrics_manager_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-- path: manager_webhook_patch.yaml
+# target:
+# kind: Deployment
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
diff --git a/testdata/project-v4/config/default/manager_metrics_patch.yaml b/testdata/project-v4/config/default/manager_metrics_patch.yaml
index 2aaef6536f4..e504b415313 100644
--- a/testdata/project-v4/config/default/manager_metrics_patch.yaml
+++ b/testdata/project-v4/config/default/manager_metrics_patch.yaml
@@ -2,3 +2,6 @@
 - op: add
 path: /spec/template/spec/containers/0/args/0
 value: --metrics-bind-address=:8443
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: --metrics-secure=true
diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml
index 33f1336fa30..199cce55a10 100644
--- a/testdata/project-v4/dist/install.yaml
+++ b/testdata/project-v4/dist/install.yaml
@@ -675,6 +675,7 @@ spec:
 spec:
 containers:
 - args:
+ - --metrics-secure=true
 - --metrics-bind-address=:8443
 - --leader-elect
 - --health-probe-bind-address=:8081