Revert "Secure metrics endpoint with cntrlr-runtime metrics authz mechanics (#3660)"

This reverts commit 589a5d0.

Author: camilamacedo86

.github/workflows/e2e-tests.yml

@@ -86,7 +86,7 @@ jobs:
           for i in $(seq 1 ${E2E_NODES}); do
             KIND_CLUSTER_NAME="kind-olmv0-${i}" \
             KIND_CREATE_OPTS="--kubeconfig=${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
-            HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i} --set certManager.enabled=false" \
+            HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
             make kind-create deploy;
           done
 
@@ -173,7 +173,7 @@ jobs:
           for i in $(seq 1 ${E2E_NODES}); do
             KIND_CLUSTER_NAME="kind-olmv0-${i}" \
             KIND_CREATE_OPTS="--kubeconfig=${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
-            HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i} --set certManager.enabled=false" \
+            HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
             make kind-create deploy;
           done
 

Makefile

@@ -48,12 +48,6 @@ GINKGO := $(TOOL_EXEC) github.com/onsi/ginkgo/v2/ginkgo
 
 # Target environment and Dependencies #
 
-# Cert-manager version - update this for new releases
-CERT_MANAGER_VERSION ?= v1.18.2
-
-# Cert-manager deployment timeout
-CERT_MANAGER_TIMEOUT ?= 120s
-
 # Minor Kubernetes version to build against derived from the client-go dependency version
 KUBE_MINOR ?= $(shell go list -m k8s.io/client-go | cut -d" " -f2 | sed 's/^v0\.\([[:digit:]]\{1,\}\)\.[[:digit:]]\{1,\}$$/1.\1/')
 
@@ -163,29 +157,7 @@ local-build: IMAGE_TAG = local
 local-build: image
 
 .PHONY: run-local
-run-local: local-build kind-create cert-manager-install deploy
-
-.PHONY: cert-manager-install
-cert-manager-install: #HELP Install cert-manager $(CERT_MANAGER_VERSION)
-	@echo "Installing cert-manager $(CERT_MANAGER_VERSION)"
-	kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml
-	@echo "Waiting for cert-manager to be ready..."
-	kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-manager --timeout=$(CERT_MANAGER_TIMEOUT)
-	kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-manager-cainjector --timeout=$(CERT_MANAGER_TIMEOUT)
-	kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-manager-webhook --timeout=$(CERT_MANAGER_TIMEOUT)
-	@echo "Waiting for cert-manager webhook to be ready..."
-	kubectl wait --for=condition=Ready --namespace=cert-manager pod -l app=webhook --timeout=$(CERT_MANAGER_TIMEOUT)
-	@echo "Waiting for cert-manager CRDs to be available..."
-	kubectl wait --for condition=established --timeout=$(CERT_MANAGER_TIMEOUT) crd/certificates.cert-manager.io
-	kubectl wait --for condition=established --timeout=$(CERT_MANAGER_TIMEOUT) crd/issuers.cert-manager.io
-	@echo "cert-manager $(CERT_MANAGER_VERSION) installed successfully"
-
-.PHONY: cert-manager-uninstall
-cert-manager-uninstall: #HELP Uninstall cert-manager
-	@echo "Uninstalling cert-manager..."
-	kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml --ignore-not-found=true
-	@echo "cert-manager uninstalled"
-
+run-local: local-build kind-create deploy
 
 .PHONY: clean
 clean: #HELP Clean up build artifacts
@@ -259,7 +231,6 @@ deploy: $(KIND) $(HELM) #HELP Deploy OLM to kind cluster $KIND_CLUSTER_NAME (def
 	$(KIND) load docker-image $(OLM_IMAGE) --name $(KIND_CLUSTER_NAME); \
 	$(HELM) upgrade --install olm deploy/chart \
 		--set debug=true \
-		--set certManager.enabled=true \
 		--set olm.image.ref=$(OLM_IMAGE) \
 		--set olm.image.pullPolicy=IfNotPresent \
 		--set catalog.image.ref=$(OLM_IMAGE) \
@@ -283,9 +254,6 @@ undeploy: $(KIND) $(HELM) #HELP Uninstall OLM from kind cluster $KIND_CLUSTER_NA
 	$(HELM) uninstall olm
 	kubectl delete -f deploy/chart/crds
 
-	# Uninstall cert-manager
-	$(MAKE) cert-manager-uninstall
-
 #SECTION e2e
 
 # E2E test configuration
@@ -301,24 +269,7 @@ e2e: #HELP Run e2e tests against a cluster running OLM (params: $E2E_TEST_NS (op
 	$(GO_TEST_ENV) $(GINKGO) -timeout $(E2E_TIMEOUT) $(GINKGO_OPTS) $(E2E_GINKGO_OPTS) ./test/e2e -- -namespace=$(E2E_TEST_NS) -olmNamespace=$(E2E_INSTALL_NS) -catalogNamespace=$(E2E_CATALOG_NS) $(E2E_OPTS)
 
 .PHONY: e2e-local
-e2e-local: e2e-build kind-create e2e-local-deploy e2e
-
-.PHONY: e2e-local-deploy
-e2e-local-deploy: $(KIND) $(HELM) #HELP Deploy OLM for e2e testing (without cert-manager)
-	$(KIND) load docker-image $(OLM_IMAGE) --name $(KIND_CLUSTER_NAME); \
-	$(HELM) upgrade --install olm deploy/chart \
-		--set debug=true \
-		--set certManager.enabled=false \
-		--set olm.image.ref=$(OLM_IMAGE) \
-		--set olm.image.pullPolicy=IfNotPresent \
-		--set catalog.image.ref=$(OLM_IMAGE) \
-		--set catalog.image.pullPolicy=IfNotPresent \
-		--set catalog.commandArgs=--configmapServerImage=$(CONFIGMAP_SERVER_IMAGE) \
-		--set catalog.opmImageArgs=--opmImage=$(OPERATOR_REGISTRY_IMAGE) \
-		--set package.image.ref=$(OLM_IMAGE) \
-		--set package.image.pullPolicy=IfNotPresent \
-		$(HELM_INSTALL_OPTS) \
-		--wait;
+e2e-local: e2e-build kind-create deploy e2e
 
 #SECTION Code Generation
 

cmd/catalog/main.go

@@ -57,16 +57,9 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		o.catalogNamespace = catalogNamespaceEnvVarValue
 	}
 
-	// create a config client for operator status
-	config, err := clientcmd.BuildConfigFromFlags("", o.kubeconfig)
-	if err != nil {
-		return fmt.Errorf("error configuring client: %s", err.Error())
-	}
-
 	listenAndServe, err := server.GetListenAndServeFunc(
 		server.WithLogger(logger),
 		server.WithTLS(&o.tlsCertPath, &o.tlsKeyPath, &o.clientCAPath),
-		server.WithKubeConfig(config),
 		server.WithDebug(o.debug),
 	)
 	if err != nil {
@@ -79,6 +72,11 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		}
 	}()
 
+	// create a config client for operator status
+	config, err := clientcmd.BuildConfigFromFlags("", o.kubeconfig)
+	if err != nil {
+		return fmt.Errorf("error configuring client: %s", err.Error())
+	}
 	configClient, err := configv1client.NewForConfig(config)
 	if err != nil {
 		return fmt.Errorf("error configuring client: %s", err.Error())

cmd/olm/main.go

@@ -123,18 +123,7 @@ func main() {
 	}
 	logger.Infof("log level %s", logger.Level)
 
-	mgr, err := Manager(ctx, *debug)
-	if err != nil {
-		logger.WithError(err).Fatal("error configuring controller manager")
-	}
-	config := mgr.GetConfig()
-
-	listenAndServe, err := server.GetListenAndServeFunc(
-		server.WithLogger(logger),
-		server.WithTLS(tlsCertPath, tlsKeyPath, clientCAPath),
-		server.WithKubeConfig(config),
-		server.WithDebug(*debug),
-	)
+	listenAndServe, err := server.GetListenAndServeFunc(server.WithLogger(logger), server.WithTLS(tlsCertPath, tlsKeyPath, clientCAPath), server.WithDebug(*debug))
 	if err != nil {
 		logger.Fatalf("Error setting up health/metric/pprof service: %v", err)
 	}
@@ -145,6 +134,12 @@ func main() {
 		}
 	}()
 
+	mgr, err := Manager(ctx, *debug)
+	if err != nil {
+		logger.WithError(err).Fatal("error configuring controller manager")
+	}
+	config := mgr.GetConfig()
+
 	// create a config that validates we're creating objects with labels
 	validatingConfig := validatingroundtripper.Wrap(config, mgr.GetScheme())
 

deploy/chart/templates/0000_50_olm_04-cert-manager.yaml

@@ -22,14 +22,16 @@ spec:
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
-      volumes:
-      {{- if .Values.certManager.enabled }}
+      volumes: 
+      {{- if .Values.olm.tlsSecret }}
       - name: srv-cert
         secret:
-          secretName: {{ .Values.certManager.certificate.secretName }}
+          secretName: {{ .Values.olm.tlsSecret }}
+      {{- end }}
+      {{- if .Values.olm.clientCASecret }}
       - name: profile-collector-cert
         secret:
-          secretName: {{ .Values.certManager.certificate.secretName }}
+          secretName: {{ .Values.olm.clientCASecret }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,10 +43,12 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if .Values.olm.tlsSecret }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
+          {{- end }}
+          {{- if .Values.olm.clientCASecret }}
           - name: profile-collector-cert
             mountPath: "/profile-collector-cert"
             readOnly: true
@@ -74,29 +78,31 @@ spec:
           - --writePackageServerStatusName
           - {{ .Values.writePackageServerStatusName }}
           {{- end }}
-         {{- if .Values.certManager.enabled }}
+         {{- if .Values.olm.tlsSecret }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
           - /srv-cert/tls.key
+          {{- end }}
+          {{- if .Values.olm.clientCASecret }}
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
           image: {{ .Values.olm.image.ref }}
           imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            - containerPort: {{ .Values.olm.service.internalPort }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ .Values.olm.service.internalPort }}
+              scheme: {{ if .Values.olm.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ .Values.olm.service.internalPort }}
+              scheme: {{ if .Values.olm.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
           terminationMessagePolicy: FallbackToLogsOnError
           env:
           - name: OPERATOR_NAMESPACE

deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml

@@ -23,13 +23,15 @@ spec:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
-      {{- if .Values.certManager.enabled }}
+      {{- if .Values.catalog.tlsSecret }}
       - name: srv-cert
         secret:
-          secretName: {{ .Values.certManager.certificate.secretName }}
+          secretName: {{ .Values.catalog.tlsSecret }}
+      {{- end }}
+      {{- if .Values.catalog.clientCASecret }}
       - name: profile-collector-cert
         secret:
-          secretName: {{ .Values.certManager.certificate.secretName }}
+          secretName: {{ .Values.catalog.clientCASecret }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,10 +43,12 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if .Values.catalog.tlsSecret }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
+          {{- end }}
+          {{- if .Values.catalog.clientCASecret }}
           - name: profile-collector-cert
             mountPath: "/profile-collector-cert"
             readOnly: true
@@ -71,11 +75,13 @@ spec:
           - --writeStatusName
           - {{ .Values.writeStatusNameCatalog }}
           {{- end }}
-          {{- if .Values.certManager.enabled }}
+          {{- if .Values.catalog.tlsSecret }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
           - /srv-cert/tls.key
+          {{- end }}
+          {{- if .Values.catalog.clientCASecret }}
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
@@ -92,18 +98,18 @@ spec:
           {{- end }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            - containerPort: {{ .Values.olm.service.internalPort }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ .Values.catalog.service.internalPort }}
+              scheme: {{ if .Values.catalog.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ .Values.catalog.service.internalPort }}
+              scheme: {{ if .Values.catalog.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
           terminationMessagePolicy: FallbackToLogsOnError
           {{- if .Values.catalog.resources }}
           resources:

deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -13,4 +13,4 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "fullname" -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- end -}}