⚠️ Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding

.github/workflows/test-sample-go.yml

@@ -26,7 +26,7 @@ jobs:
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '46,142s/^#//' $KUSTOMIZATION_FILE_PATH
 
       - name: Test
         run: |

docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml

@@ -27,10 +27,10 @@ resources:
 #- ../prometheus
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# More info: https://book.kubebuilder.io/reference/metrics
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,13 @@
+# This patch adds the args to allow exposing the metrics endpoint securely
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-bind-address=0.0.0.0:8080"

docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml

@@ -11,11 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager

docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -9,16 +9,11 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - projectconfig_editor_role.yaml
 - projectconfig_viewer_role.yaml
+

docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml → docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml

@@ -9,9 +9,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -27,10 +27,10 @@ resources:
 - ../prometheus
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# More info: https://book.kubebuilder.io/reference/metrics
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,13 @@
+# This patch adds the args to allow exposing the metrics endpoint securely
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-bind-address=0.0.0.0:8080"

docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml

@@ -61,7 +61,9 @@ spec:
       - command:
         - /manager
         args:
-        - --leader-elect
+          - --leader-elect
+          - --health-probe-bind-address=:8081
+          - --metrics-bind-address=0
         image: controller:latest
         name: manager
         securityContext:

docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml

@@ -11,11 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -9,16 +9,11 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - cronjob_editor_role.yaml
 - cronjob_viewer_role.yaml
+

docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml → docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml

@@ -9,9 +9,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -27,10 +27,10 @@ resources:
 #- ../prometheus
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# More info: https://book.kubebuilder.io/reference/metrics
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml