chore(informer): Configure controller-runtime to not use shared list+watch informer for secrets

Signed-off-by: Hayden Roszell <[email protected]>

Author: m8rmclaren

cmd/main.go

@@ -28,10 +28,13 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/utils/clock"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -122,10 +125,18 @@ func main() {
 		}
 	}
 
+	var cacheOpts cache.Options
 	if secretAccessGrantedAtClusterLevel {
-		setupLog.Info("expecting secret access at cluster level")
+		setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
 	} else {
-		setupLog.Info(fmt.Sprintf("expecting secret access at namespace level (%s)", clusterResourceNamespace))
+		setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
+		cacheOpts = cache.Options{
+			ByObject: map[client.Object]cache.ByObject{
+				&corev1.Secret{}: {
+					Namespaces: map[string]cache.Config{clusterResourceNamespace: cache.Config{}},
+				},
+			},
+		}
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
@@ -135,6 +146,7 @@ func main() {
 			SecureServing: secureMetrics,
 			TLSOpts:       tlsOpts,
 		},
+		Cache:                  cacheOpts,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,

deploy/charts/command-cert-manager-issuer/README.md

@@ -85,5 +85,4 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `resources`                                  | CPU/Memory resource requests/limits                                                                                                      | `{}` (with commented out options)                     |
 | `nodeSelector`                               | Node labels for pod assignment                                                                                                           | `{}`                                                  |
 | `tolerations`                                | Tolerations for pod assignment                                                                                                           | `[]`                                                  |
-| `secureMetrics.enabled`                      | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false`                                               |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |

deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml

@@ -45,37 +45,3 @@ rules:
       - issuers/finalizers
     verbs:
       - update
-{{- if .Values.secureMetrics.enabled }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
-  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role
-rules:
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
-  name: {{ include "command-cert-manager-issuer.name" . }}-metrics-reader
-rules:
-  - nonResourceURLs:
-      - /metrics
-    verbs:
-      - get
-{{- end }}

deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml

@@ -12,20 +12,3 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- if .Values.secureMetrics.enabled }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
-  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end }}

deploy/charts/command-cert-manager-issuer/templates/deployment.yaml

@@ -17,6 +17,9 @@ spec:
       {{- end }}
       labels:
         {{- include "command-cert-manager-issuer.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -26,31 +29,6 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        {{- if .Values.secureMetrics.enabled }}
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:8080/
-            - --logtostderr=true
-            - --v=0
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
-          name: kube-rbac-proxy
-          ports:
-            - containerPort: 8443
-              name: https
-              protocol: TCP
-          resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-        {{- end }}
         - args:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=127.0.0.1:8080

deploy/charts/command-cert-manager-issuer/templates/role.yaml

@@ -23,4 +23,20 @@ rules:
       - events
     verbs:
       - create
-      - patch
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch

deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml

@@ -11,4 +11,19 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRoleBinding{{ else }}RoleBinding{{ end }}
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}

deploy/charts/command-cert-manager-issuer/templates/secretrole.yaml

@@ -5,6 +5,9 @@ metadata:
   name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
   labels:
     {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+    {{- if .Values.serviceAccount.labels }}
+    {{- toYaml .Values.serviceAccount.labels | nindent 4 }}
+    {{- end }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}