krestomatio · jobcespedes · Feb 6, 2025 · Feb 5, 2025 · Feb 6, 2025 · Feb 6, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Stage to install krestomatio collection
-FROM quay.io/operator-framework/ansible-operator:v1.33.0 AS collection
+FROM quay.io/operator-framework/ansible-operator:v1.37.1 AS collection
 
 ## Install krestomatio collection
 ARG COLLECTION_FILE="krestomatio-k8s-master.tar.gz"
@@ -9,7 +9,7 @@ COPY $COLLECTION_FILE /tmp/$COLLECTION_FILE
 RUN ansible-galaxy collection install /tmp/${COLLECTION_FILE}
 
 # Stage to build operator container
-FROM quay.io/operator-framework/ansible-operator:v1.33.0
+FROM quay.io/operator-framework/ansible-operator:v1.37.1
 
 ## Install kubectl
 ENV KUBECTL_VERSION="1.26.6"

diff --git a/Makefile-dist.mk b/Makefile-dist.mk
@@ -48,7 +48,7 @@ endif
 
 # Set the Operator SDK version to use. By default, what is installed on the system is used.
 # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit.
-OPERATOR_SDK_VERSION ?= v1.33.0
+OPERATOR_SDK_VERSION ?= v1.39.1
 
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
@@ -96,14 +96,11 @@ docker-push: ## Push docker image with the manager.
 # To properly provided solutions that supports more than one platform you should use this option.
 PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 .PHONY: docker-buildx
-docker-buildx: test ## Build and push docker image for the manager for cross-platform support
-	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
-	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	- docker buildx create --name project-v3-builder
 	docker buildx use project-v3-builder
-	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
 	- docker buildx rm project-v3-builder
-	rm Dockerfile.cross
 
 ##@ Deployment
 
@@ -135,7 +132,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.0.1/kustomize_v5.0.1_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.3/kustomize_v5.4.3_$(OS)_$(ARCH).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -151,7 +148,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.33.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.37.1/ansible-operator_$(OS)_$(ARCH) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -160,7 +157,7 @@ endif
 endif
 
 .PHONY: operator-sdk
-OPERATOR_SDK ?= ./bin/operator-sdk
+OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk
 operator-sdk: ## Download operator-sdk locally if necessary.
 ifeq (,$(wildcard $(OPERATOR_SDK)))
 ifeq (, $(shell which operator-sdk 2>/dev/null))
@@ -191,7 +188,7 @@ bundle-push: ## Push the bundle image.
 	$(MAKE) docker-push IMG=$(BUNDLE_IMG)
 
 .PHONY: opm
-OPM = ./bin/opm
+OPM = $(LOCALBIN)/opm
 opm: ## Download opm locally if necessary.
 ifeq (,$(wildcard $(OPM)))
 ifeq (,$(shell which opm 2>/dev/null))

diff --git a/bundle.Dockerfile b/bundle.Dockerfile
@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=moodle-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.39.1
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=ansible.sdk.operatorframework.io/v1
 

diff --git a/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml
@@ -3,12 +3,8 @@ kind: Service
 metadata:
   creationTimestamp: null
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: moodle-operator
-    app.kubernetes.io/instance: controller-manager-metrics-service
+    app.kubernetes.io/name: moodle-operator
     app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: service
-    app.kubernetes.io/part-of: moodle-operator
     control-plane: controller-manager
   name: moodle-operator-controller-manager-metrics-service
 spec:

diff --git a/...le/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/...le/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -3,12 +3,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: moodle-operator
-    app.kubernetes.io/instance: metrics-reader
     app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/part-of: moodle-operator
+    app.kubernetes.io/name: moodle-operator
   name: moodle-operator-metrics-reader
 rules:
 - nonResourceURLs:

diff --git a/bundle/manifests/moodle-operator.clusterserviceversion.yaml b/bundle/manifests/moodle-operator.clusterserviceversion.yaml
@@ -284,12 +284,8 @@ spec:
         serviceAccountName: moodle-operator-controller-manager
       deployments:
       - label:
-          app.kubernetes.io/component: manager
-          app.kubernetes.io/created-by: moodle-operator
-          app.kubernetes.io/instance: controller-manager
+          app.kubernetes.io/name: moodle-operator
           app.kubernetes.io/managed-by: kustomize
-          app.kubernetes.io/name: deployment
-          app.kubernetes.io/part-of: moodle-operator
           control-plane: controller-manager
         name: moodle-operator-controller-manager
         spec:

diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml
@@ -8,7 +8,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: basic
       test: basic-check-spec-test
@@ -18,7 +18,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -28,7 +28,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -38,7 +38,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -48,7 +48,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -58,7 +58,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.33.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-status-descriptors-test

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -6,4 +6,4 @@ resources:
 - bases/m4e.krestomat.io_routines.yaml
 - bases/m4e.krestomat.io_nginxes.yaml
 - bases/m4e.krestomat.io_phpfpms.yaml
-#+kubebuilder:scaffold:crdkustomizeresource
+# +kubebuilder:scaffold:crdkustomizeresource
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -20,11 +20,18 @@ resources:
 - ../manager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
+# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy.
+# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
+# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
+# be able to communicate with the Webhook Server.
+#- ../network-policy
 
-patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-
-
+# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
+patches:
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+# More info: https://book.kubebuilder.io/reference/metrics
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,12 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443
+# This patch adds the args to allow securing the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-secure
+# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-require-rbac
diff --git a/config/rbac/auth_proxy_service.yaml → config/default/metrics_service.yaml b/config/rbac/auth_proxy_service.yaml → config/default/metrics_service.yaml
@@ -3,11 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: service
-    app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: moodle-operator
-    app.kubernetes.io/part-of: moodle-operator
+    app.kubernetes.io/name: moodle-operator
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
@@ -16,6 +12,6 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
     control-plane: controller-manager
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -3,11 +3,7 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: namespace
-    app.kubernetes.io/instance: system
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: moodle-operator
-    app.kubernetes.io/part-of: moodle-operator
+    app.kubernetes.io/name: moodle-operator
     app.kubernetes.io/managed-by: kustomize
   name: system
 ---
@@ -18,11 +14,7 @@ metadata:
   namespace: system
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: deployment
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: moodle-operator
-    app.kubernetes.io/part-of: moodle-operator
+    app.kubernetes.io/name: moodle-operator
     app.kubernetes.io/managed-by: kustomize
 spec:
   selector:
@@ -67,8 +59,9 @@ spec:
         #   type: RuntimeDefault
       containers:
       - args:
-        - --leader-elect
-        - --leader-election-id=moodle-operator
+          - --leader-elect
+          - --leader-election-id=moodle-operator
+          - --health-probe-bind-address=:6789
         image: controller:latest
         name: manager
         env:
@@ -78,7 +71,7 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-              - "ALL"
+            - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml
@@ -0,0 +1,26 @@
+# This NetworkPolicy allows ingress traffic
+# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
+# namespaces are able to gathering data from the metrics endpoint.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: moodle-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: allow-metrics-traffic
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    # This allows ingress traffic from any namespace with the label metrics: enabled
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            metrics: enabled  # Only from namespaces with this label
+      ports:
+        - port: 8443
+          protocol: TCP
diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- allow-metrics-traffic.yaml