
Commit 2de6e79

authored
feat(operator): update metrics authentication to remove dependency on kube-rbac-proxy (#20853)
1 parent 1b96366 commit 2de6e79


36 files changed

+118
-174
lines changed


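--- a/operator/api/config/v1/projectconfig_types.go
+++ b/operator/api/config/v1/projectconfig_types.go
@@ -173,6 +173,11 @@ type ControllerMetrics struct {
 // It can be set to "0" to disable the metrics serving.
 // +optional
 BindAddress string `json:"bindAddress,omitempty"`
+
+// Secure is the flag used to enable/disable TLS authentication to
+// access the metrics endpoint
+// +optional
+Secure bool `json:"secure,omitempty"`
 }
 
 // ControllerHealth defines the health configs.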
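Review bot: The doc comment on `Secure` says "TLS authentication", which does not tell a reader whether the flag only turns on TLS serving or also enforces the client authentication and authorization that kube-rbac-proxy performed before this commit. Because the field is a `bool` with `omitempty`, a config that omits it resolves to `false`, and the comment should say what that default means for the endpoint. I would reword it along the lines of `// Secure serves the metrics endpoint over HTTPS when true; when false or unset the endpoint is served without TLS.` and add one sentence on whether requests are authenticated and authorized, once that is confirmed against the manager setup code, which is not part of this hunk. The `ControllerMetrics` struct starts outside the hunk.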

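--- a/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
@@ -14,10 +14,10 @@ metadata:
 name: loki-operator-controller-manager-metrics-service
 spec:
 ports:
-- name: https
+- name: metrics
 port: 8443
 protocol: TCP
-targetPort: https
+targetPort: metrics
 selector:
 app.kubernetes.io/managed-by: operator-lifecycle-manager
 app.kubernetes.io/name: loki-operator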

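--- a/operator/bundle/community-openshift/manifests/loki-operator-manager-config_v1_configmap.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator-manager-config_v1_configmap.yaml
@@ -6,7 +6,8 @@ data:
 health:
 healthProbeBindAddress: :8081
 metrics:
-bindAddress: 127.0.0.1:8080
+bindAddress: :8443
+secure: true
 webhook:
 port: 9443
 leaderElection: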

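--- a/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -20,7 +20,7 @@ spec:
 path: /metrics
 scheme: https
 scrapeTimeout: 10s
-targetPort: 8443
+targetPort: metrics
 tlsConfig:
 ca:
 secret: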

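--- a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -152,7 +152,7 @@ metadata:
 categories: OpenShift Optional, Logging & Tracing
 certified: "false"
 containerImage: docker.io/grafana/loki-operator:0.9.0
-createdAt: "2026-02-24T17:37:32Z"
+createdAt: "2026-02-25T18:26:49Z"
 description: The Community Loki Operator provides Kubernetes native deployment
 and management of Loki and related logging components.
 features.operators.openshift.io/disconnected: "true"
@@ -1982,7 +1982,7 @@ spec:
 - containerPort: 9443
 name: webhook-server
 protocol: TCP
-- containerPort: 8080
+- containerPort: 8443
 name: metrics
 readinessProbe:
 httpGet:
@@ -2003,32 +2003,9 @@ spec:
 - mountPath: /controller_manager_config.yaml
 name: manager-config
 subPath: controller_manager_config.yaml
-- args:
-- --secure-listen-address=0.0.0.0:8443
-- --upstream=http://127.0.0.1:8080/
-- --logtostderr=true
-- --tls-cert-file=/var/run/secrets/serving-cert/tls.crt
-- --tls-private-key-file=/var/run/secrets/serving-cert/tls.key
-- --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256
-- --tls-min-version=VersionTLS12
-- --v=0
-image: quay.io/openshift/origin-kube-rbac-proxy:latest
-name: kube-rbac-proxy
-ports:
-- containerPort: 8443
-name: https
-resources:
-requests:
-cpu: 200m
-memory: 256Mi
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-volumeMounts:
-- mountPath: /var/run/secrets/serving-cert
+- mountPath: /tmp/k8s-metrics-server/serving-certs
 name: loki-operator-metrics-cert
+readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 securityContext: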

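--- a/operator/bundle/community/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
+++ b/operator/bundle/community/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
@@ -12,10 +12,10 @@ metadata:
 name: loki-operator-controller-manager-metrics-service
 spec:
 ports:
-- name: https
+- name: metrics
 port: 8443
 protocol: TCP
-targetPort: https
+targetPort: metrics
 selector:
 app.kubernetes.io/managed-by: operator-lifecycle-manager
 app.kubernetes.io/name: loki-operator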

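--- a/operator/bundle/community/manifests/loki-operator-manager-config_v1_configmap.yaml
+++ b/operator/bundle/community/manifests/loki-operator-manager-config_v1_configmap.yaml
@@ -6,7 +6,8 @@ data:
 health:
 healthProbeBindAddress: :8081
 metrics:
-bindAddress: 127.0.0.1:8080
+bindAddress: :8080
+secure: false
 webhook:
 port: 9443
 leaderElection: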
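Review bot: With `bindAddress: :8080` and `secure: false` the community bundle now serves metrics on every pod interface without TLS, where before it listened on `127.0.0.1:8080` and was reachable only through the kube-rbac-proxy sidecar. Nothing visible in this commit replaces the sidecar's authentication and authorization for this variant, while both OpenShift configs in the same commit use `bindAddress: :8443` with `secure: true`. If the community variant cannot be given a serving certificate, I would at least put a comment above the key such as `# Metrics are served over plain HTTP without authentication; restrict access with a NetworkPolicy.`, and otherwise switch it to `secure: true`. The metrics Service of this bundle still publishes `port: 8443` with `targetPort: metrics`, which now resolves to the plain-HTTP container port 8080.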

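--- a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
@@ -152,7 +152,7 @@ metadata:
 categories: OpenShift Optional, Logging & Tracing
 certified: "false"
 containerImage: docker.io/grafana/loki-operator:0.9.0
-createdAt: "2026-02-24T17:37:30Z"
+createdAt: "2026-02-25T18:26:47Z"
 description: The Community Loki Operator provides Kubernetes native deployment
 and management of Loki and related logging components.
 operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1959,11 +1959,11 @@ spec:
 periodSeconds: 20
 name: manager
 ports:
+- containerPort: 8080
+name: metrics
 - containerPort: 9443
 name: webhook-server
 protocol: TCP
-- containerPort: 8080
-name: metrics
 readinessProbe:
 httpGet:
 path: /readyz
@@ -1981,29 +1981,8 @@ spec:
 - mountPath: /controller_manager_config.yaml
 name: manager-config
 subPath: controller_manager_config.yaml
-- args:
-- --secure-listen-address=0.0.0.0:8443
-- --upstream=http://127.0.0.1:8080/
-- --logtostderr=true
-- --v=0
-image: quay.io/brancz/kube-rbac-proxy:v0.18.1
-name: kube-rbac-proxy
-ports:
-- containerPort: 8443
-name: https
-resources:
-requests:
-cpu: 200m
-memory: 256Mi
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
 nodeSelector:
 kubernetes.io/os: linux
-securityContext:
-runAsNonRoot: true
 serviceAccountName: loki-operator-controller-manager
 terminationGracePeriodSeconds: 10
 volumes: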
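Review bot: The last hunk removes `securityContext:` / `runAsNonRoot: true` together with the kube-rbac-proxy container, although that pair sits between `nodeSelector` and `serviceAccountName` and so appears to be the pod-level setting rather than part of the sidecar. Whether the `manager` container declares its own `runAsNonRoot` is not visible in these hunks, so the pod may no longer be prevented from starting as root. I would keep the two lines `securityContext:` and `runAsNonRoot: true` in the pod spec. As this manifest looks generated, the fix belongs in the source it is built from.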

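--- a/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
+++ b/operator/bundle/openshift/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml
@@ -14,10 +14,10 @@ metadata:
 name: loki-operator-controller-manager-metrics-service
 spec:
 ports:
-- name: https
+- name: metrics
 port: 8443
 protocol: TCP
-targetPort: https
+targetPort: metrics
 selector:
 app.kubernetes.io/managed-by: operator-lifecycle-manager
 app.kubernetes.io/name: loki-operator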

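--- a/operator/bundle/openshift/manifests/loki-operator-manager-config_v1_configmap.yaml
+++ b/operator/bundle/openshift/manifests/loki-operator-manager-config_v1_configmap.yaml
@@ -6,9 +6,8 @@ data:
 health:
 healthProbeBindAddress: :8081
 metrics:
-# Bind only on this host to allow accessing metrics
-# only via the kube-rbac-proxy sidecar.
-bindAddress: 127.0.0.1:8080
+bindAddress: :8443
+secure: true
 webhook:
 port: 9443
 leaderElection: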
