Merge pull request #27 from sapcc/deprecate-kube-rbac-proxy

adziauho · web-flow · commit 1262b449706c · 2026-03-02T11:15:55.000+01:00
Deprecate kube rbac proxy
diff --git a/cmd/main.go b/cmd/main.go
@@ -42,7 +42,7 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -5,8 +5,11 @@ resources:
 - bases/controlplane.cluster.x-k8s.io_kubernikuscontrolplanes.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
-commonLabels:
-  cluster.x-k8s.io/v1beta1: v1alpha1
+labels:
+  - includeSelectors: true
+    includeTemplates: true
+    pairs:
+      cluster.x-k8s.io/v1beta1: v1alpha1
 
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -14,8 +14,11 @@ namePrefix: capi-kks-
 #  pairs:
 #    someName: someValue
 
-commonLabels:
-  cluster.x-k8s.io/provider: kubernikus
+labels:
+  - includeSelectors: true
+    includeTemplates: true
+    pairs:
+      cluster.x-k8s.io/provider: kubernikus
 
 resources:
 - ../crd
@@ -29,12 +32,6 @@ resources:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
-patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
-
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- path: manager_webhook_patch.yaml
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
 - manager.yaml
+- metrics_service.yaml
diff --git a/config/manager/metrics_service.yaml b/config/manager/metrics_service.yaml
@@ -5,7 +5,6 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: service
     app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
     app.kubernetes.io/created-by: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/part-of: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/managed-by: kustomize
@@ -16,6 +15,6 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
     control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -9,10 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
diff --git a/config/rbac/metrics_auth_role.yaml b/config/rbac/metrics_auth_role.yaml
@@ -4,11 +4,10 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
     app.kubernetes.io/created-by: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/part-of: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
+  name: metrics-auth-role
 rules:
 - apiGroups:
   - authentication.k8s.io
diff --git a/config/rbac/metrics_auth_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml
@@ -4,15 +4,14 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrolebinding
     app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
     app.kubernetes.io/created-by: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/part-of: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
+  name: metrics-auth-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager
diff --git a/config/rbac/metrics_reader_role.yaml b/config/rbac/metrics_reader_role.yaml
@@ -4,7 +4,6 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
     app.kubernetes.io/created-by: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/part-of: cluster-api-control-plane-provider-kubernikus
     app.kubernetes.io/managed-by: kustomize
diff --git a/main.go b/main.go
@@ -42,7 +42,7 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`resources:`
`2`	`2`	`- manager.yaml`
	`3`	`+- metrics_service.yaml`