48 changes: 37 additions & 11 deletions cmd/package-server-manager/main.go
Expand Up @@ -4,9 +4,11 @@ import (
"fmt"
"os"

"github.com/sirupsen/logrus"
"github.com/spf13/cobra"

olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server"

"k8s.io/apimachinery/pkg/fields"
_ "k8s.io/client-go/plugin/pkg/client/auth"
Expand All @@ -17,7 +19,6 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
"sigs.k8s.io/controller-runtime/pkg/manager"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
Expand All @@ -30,8 +31,8 @@ import (
const (
defaultName = "packageserver"
defaultNamespace = "openshift-operator-lifecycle-manager"
defaultMetricsPort = "0"
defaultHealthCheckPort = ":8080"
defaultMetricsPort = "0" // Disable controller-runtime metrics (using pkg/lib/server instead)
defaultHealthCheckPort = "" // Disable controller-runtime health (using pkg/lib/server instead)
defaultPprofPort = ":6060"
defaultInterval = ""
leaderElectionConfigmapName = "packageserver-controller-lock"
Expand Down Expand Up @@ -75,11 +76,43 @@ func run(cmd *cobra.Command, args []string) error {
if err != nil {
return err
}
tlsCertPath, err := cmd.Flags().GetString("tls-cert")
if err != nil {
return err
}
tlsKeyPath, err := cmd.Flags().GetString("tls-key")
if err != nil {
return err
}
clientCAPath, err := cmd.Flags().GetString("client-ca")
if err != nil {
return err
}

ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
setupLog := ctrl.Log.WithName("setup")

restConfig := ctrl.GetConfigOrDie()

// Create logrus logger for the server library
logger := logrus.New()

// Start HTTPS server with metrics/health endpoints
listenAndServe, err := server.GetListenAndServeFunc(
server.WithLogger(logger),
server.WithTLS(&tlsCertPath, &tlsKeyPath, &clientCAPath),
server.WithKubeConfig(restConfig),
)
if err != nil {
setupLog.Error(err, "failed to setup health/metric/pprof service")
return err
}

go func() {
if err := listenAndServe(); err != nil {
setupLog.Error(err, "server error")
}
}()
le := leaderelection.GetLeaderElectionConfig(setupLog, restConfig, !disableLeaderElection)

packageserverCSVFields := fields.Set{"metadata.name": name}
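Review bot: The three paths handed to `server.WithTLS(&tlsCertPath, &tlsKeyPath, &clientCAPath)` are passed through with no check in run that tls-cert and tls-key arrive together, even though the start.go help text says each requires the other; unless GetListenAndServeFunc rejects a lone value, a misconfigured deployment may come up serving without TLS, so either validate here (`if (tlsCertPath == "") != (tlsKeyPath == "") { return fmt.Errorf("tls-cert and tls-key must be set together") }`) or add a comment stating that the library enforces it. The manifests in this PR remove the kube-rbac-proxy sidecar that fronted /metrics, so the only access control left is whatever pkg/lib/server derives from the client CA; a comment next to the `listenAndServe` setup stating whether /metrics requires a verified client certificate, and that /healthz must stay reachable by the kubelet (which presents none), would make the new trust boundary explicit. A failure inside the `go func()` is only logged and the manager keeps running; since the liveness probe now targets this server, it is worth documenting that restart-by-probe is the intended recovery rather than an oversight. run begins before this hunk and continues past it.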
Expand Down Expand Up @@ -136,14 +169,7 @@ func run(cmd *cobra.Command, args []string) error {
return err
}

if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
setupLog.Error(err, "failed to establish a readyz check")
return err
}
if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
setupLog.Error(err, "failed to establish a healthz check")
return err
}
// Health checks are now handled by pkg/lib/server (not controller-runtime)
// +kubebuilder:scaffold:builder
setupLog.Info("starting manager")
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
3 changes: 3 additions & 0 deletions cmd/package-server-manager/start.go
Expand Up @@ -19,6 +19,9 @@ func newStartCmd() *cobra.Command {
cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource")
cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
cmd.Flags().String("tls-cert", "", "path to use for certificate key (requires tls-key)")
cmd.Flags().String("tls-key", "", "path to use for private key (requires tls-cert)")
cmd.Flags().String("client-ca", "", "path to watch for client ca bundle")

return cmd
}
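Review bot: The help text for the new `tls-cert` flag reads "path to use for certificate key", which describes the key rather than the certificate and is easy to confuse with `tls-key`; suggest `cmd.Flags().String("tls-cert", "", "path to the TLS serving certificate (requires tls-key)")` and, for symmetry, `cmd.Flags().String("tls-key", "", "path to the TLS private key (requires tls-cert)")`. The "requires" wording implies validation that is not visible in this PR's run function, so either that check exists in the server library or the help text over-promises. newStartCmd begins before this hunk.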
Expand Up @@ -31,33 +31,6 @@ spec:
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:9090/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --logtostderr=true
image: quay.io/openshift/origin-kube-rbac-proxy:latest
imagePullPolicy: IfNotPresent
name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
ports:
- containerPort: 8443
name: metrics
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: package-server-manager-serving-cert
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
Expand All @@ -72,7 +45,12 @@ spec:
- $(PACKAGESERVER_NAME)
- --namespace
- $(PACKAGESERVER_NAMESPACE)
- "--metrics=:9090"
- --tls-cert
- /srv-cert/tls.crt
- --tls-key
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
env:
Expand All @@ -92,17 +70,30 @@ spec:
requests:
cpu: 10m
memory: 10Mi
ports:
- containerPort: 8443
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
readinessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
readOnly: true
- name: profile-collector-cert
mountPath: "/profile-collector-cert"
readOnly: true
nodeSelector:
kubernetes.io/os: linux
tolerations:
Expand All @@ -118,6 +109,9 @@ spec:
operator: Exists
tolerationSeconds: 120
volumes:
- name: package-server-manager-serving-cert
- name: srv-cert
secret:
secretName: package-server-manager-serving-cert
- name: profile-collector-cert
secret:
secretName: package-server-manager-serving-cert
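Review bot: Both new volumes, `srv-cert` and `profile-collector-cert`, are backed by the same secret `package-server-manager-serving-cert`, so the file passed as `--client-ca` (`/profile-collector-cert/tls.crt`) is the serving leaf certificate rather than a CA bundle; unless that is deliberate, no client certificate can chain to it and whatever pkg/lib/server gates on the client CA is unreachable, and the volume name suggests a dedicated collector CA secret was intended, so the second `secretName` should be confirmed. The kube-rbac-proxy sidecar that previously did authentication and authorization in front of the metrics port is removed, and the probes now call `/healthz` on 8443 over HTTPS without a client certificate, so the server must accept certificate-less connections for /healthz while still protecting /metrics; a short comment above the `profile-collector-cert` volume naming the CA it is meant to carry would make that expectation visible to whoever maintains the manifest. The same change appears in manifests/0000_50_olm_06-psm-operator.deployment.yaml and in the third manifest section below.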
56 changes: 25 additions & 31 deletions manifests/0000_50_olm_06-psm-operator.deployment.yaml
Expand Up @@ -31,33 +31,6 @@ spec:
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:9090/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --logtostderr=true
image: quay.io/openshift/origin-kube-rbac-proxy:latest
imagePullPolicy: IfNotPresent
name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
ports:
- containerPort: 8443
name: metrics
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: package-server-manager-serving-cert
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
Expand All @@ -72,7 +45,12 @@ spec:
- $(PACKAGESERVER_NAME)
- --namespace
- $(PACKAGESERVER_NAMESPACE)
- "--metrics=:9090"
- --tls-cert
- /srv-cert/tls.crt
- --tls-key
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
env:
Expand All @@ -92,17 +70,30 @@ spec:
requests:
cpu: 10m
memory: 10Mi
ports:
- containerPort: 8443
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
readinessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
readOnly: true
- name: profile-collector-cert
mountPath: "/profile-collector-cert"
readOnly: true
nodeSelector:
kubernetes.io/os: linux
node-role.kubernetes.io/master: ""
Expand All @@ -119,6 +110,9 @@ spec:
operator: Exists
tolerationSeconds: 120
volumes:
- name: package-server-manager-serving-cert
- name: srv-cert
secret:
secretName: package-server-manager-serving-cert
- name: profile-collector-cert
secret:
secretName: package-server-manager-serving-cert
Expand Up @@ -31,33 +31,6 @@ spec:
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:9090/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --logtostderr=true
image: quay.io/openshift/origin-kube-rbac-proxy:latest
imagePullPolicy: IfNotPresent
name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
ports:
- containerPort: 8443
name: metrics
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: package-server-manager-serving-cert
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
Expand All @@ -72,7 +45,12 @@ spec:
- $(PACKAGESERVER_NAME)
- --namespace
- $(PACKAGESERVER_NAMESPACE)
- "--metrics=:9090"
- --tls-cert
- /srv-cert/tls.crt
- --tls-key
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
env:
Expand All @@ -92,17 +70,30 @@ spec:
requests:
cpu: 10m
memory: 10Mi
ports:
- containerPort: 8443
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
readinessProbe:
httpGet:
path: /healthz
port: 8080
port: 8443
scheme: HTTPS
initialDelaySeconds: 30
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
readOnly: true
- name: profile-collector-cert
mountPath: "/profile-collector-cert"
readOnly: true
nodeSelector:
kubernetes.io/os: linux
tolerations:
Expand All @@ -118,6 +109,9 @@ spec:
operator: Exists
tolerationSeconds: 120
volumes:
- name: package-server-manager-serving-cert
- name: srv-cert
secret:
secretName: package-server-manager-serving-cert
- name: profile-collector-cert
secret:
secretName: package-server-manager-serving-cert