Merge pull request #695 from 3scale/backport-692-remove-metrics-rbac-…

…auth-proxy

[Backport 692] remove metrics rbac auth proxy

Makefile

@@ -199,7 +199,7 @@ bundle-custom-updates: $(YQ)
 	sed -E -i 's/(operators\.operatorframework\.io\.bundle\.package\.v1=).+/\1$(BUNDLE_PREFIX)-3scale-operator/' $(PROJECT_PATH)/bundle.Dockerfile
 	@echo "Update operator image reference URL"
 	$(YQ) w --inplace $(PROJECT_PATH)/bundle/manifests/3scale-operator.clusterserviceversion.yaml metadata.annotations.containerImage $(IMG)
-	$(YQ) w --inplace $(PROJECT_PATH)/bundle/manifests/3scale-operator.clusterserviceversion.yaml spec.install.spec.deployments[0].spec.template.spec.containers[1].image $(IMG)
+	$(YQ) w --inplace $(PROJECT_PATH)/bundle/manifests/3scale-operator.clusterserviceversion.yaml spec.install.spec.deployments[0].spec.template.spec.containers[0].image $(IMG)
 
 .PHONY: bundle-restore
 bundle-restore:

bundle/manifests/3scale-operator.clusterserviceversion.yaml

@@ -316,18 +316,6 @@ spec:
           - delete
           - get
           - update
-        - apiGroups:
-          - authentication.k8s.io
-          resources:
-          - tokenreviews
-          verbs:
-          - create
-        - apiGroups:
-          - authorization.k8s.io
-          resources:
-          - subjectaccessreviews
-          verbs:
-          - create
         serviceAccountName: 3scale-operator
       deployments:
       - name: threescale-operator-controller-manager
@@ -351,18 +339,7 @@ spec:
             spec:
               containers:
               - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                resources: {}
-              - args:
-                - --metrics-addr=127.0.0.1:8080
+                - --metrics-addr=0.0.0.0:8080
                 - --enable-leader-election
                 command:
                 - /manager
@@ -395,6 +372,9 @@ spec:
                   value: quay.io/openshift/origin-cli:4.2
                 image: quay.io/3scale/3scale-operator:master
                 name: manager
+                ports:
+                - containerPort: 8080
+                  name: metrics
                 resources:
                   limits:
                     cpu: 100m

bundle/manifests/threescale-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   endpoints:
   - path: /metrics
-    port: https
+    port: metrics
   selector:
     matchLabels:
       control-plane: controller-manager

bundle/manifests/threescale-operator-controller-manager-metrics-service_v1_service.yaml

@@ -8,9 +8,9 @@ metadata:
   name: threescale-operator-controller-manager-metrics-service
 spec:
   ports:
-  - name: https
-    port: 8443
-    targetPort: https
+  - name: metrics
+    port: 8080
+    targetPort: metrics
   selector:
     app: 3scale-api-management
     control-plane: controller-manager

config/default/kustomization.yaml

@@ -28,7 +28,7 @@ patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+#- manager_auth_proxy_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
@@ -38,6 +38,7 @@ patchesStrategicMerge:
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
+- manager_metrics_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 vars:

config/default/manager_metrics_patch.yaml

@@ -0,0 +1,18 @@
+# This patch exposes metrics endpoint in plain HTTP 8080 port
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-addr=0.0.0.0:8080"
+        - "--enable-leader-election"
+        ports:
+        - containerPort: 8080
+          name: metrics

config/manager/kustomization.yaml

@@ -1,5 +1,6 @@
 resources:
 - manager.yaml
+- metrics_service.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

config/manager/metrics_service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: metrics
+    port: 8080
+    targetPort: metrics
+  selector:
+    control-plane: controller-manager

config/prometheus/monitor.yaml

@@ -1,5 +1,5 @@
-
 # Prometheus Monitor Service (Metrics)
+---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -10,7 +10,7 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
+      port: metrics
   selector:
     matchLabels:
       control-plane: controller-manager

config/rbac/kustomization.yaml

@@ -7,7 +7,7 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml 
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+#- auth_proxy_service.yaml
+#- auth_proxy_role.yaml
+#- auth_proxy_role_binding.yaml
+#- auth_proxy_client_clusterrole.yaml