Discontinue kube-rbac-proxy and disable metrics service

[black-dragon74]

This patch drops support for kube-rbac-proxy
and uses controller manager's
WithAuthenticationAndAuthorization.

Closes: #643

For more details please refer here

In addition to migration, some of the resources have been re-categorized for better placement and the metrics service is now disabled by default as it did not contain any significant information specific to csi-addons. It can be re-enabled by following the steps outlined in #721 (comment)

[black-dragon74]

Testing

1. Access /metrics endpoint as controller-manager's SA

❯ oc auth can-i get /metrics --as=system:serviceaccount:csi-addons-system:csi-addons-controller-manager
yes

2. Get the metrics using valid SA token

❯ oc exec -it po/metrics-consumer -- sh
$ curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://csi-addons-controller-manager-metrics-service.csi-addons-system.svc.cluster.local:8443/metrics
# HELP certwatcher_read_certificate_errors_total Total number of certificate read errors
# TYPE certwatcher_read_certificate_errors_total counter
certwatcher_read_certificate_errors_total 0
# HELP certwatcher_read_certificate_total Total number of certificate reads
...
...
...
stripped....

3. Get the metrics using invalid SA token

$ curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/INVALID)" https://csi-addons-controller-manager-metrics-service.csi-addons-system.svc.cluster.local:8443/metrics
Unauthorized

4. Check POD's containers (no kube-rbac-proxy-container)

❯ oc get po/csi-addons-controller-manager-7886c6d5c9-f2vwh -o jsonpath='{.spec.containers[*].name}'
manager

Regards

[Madhu-1]

why someone will use insecure metrics, cant we always use secureMetircs?

[black-dragon74]

It is enabled by default. The reason why it is controlled by a flag of its own is, in prod env it is recommended to setup proper certs and keys before opting in for secure metrics.

If someone does not want to do that and just wants to check something, they may disable it.

[nixpanic]

can you document the steps to provide certificates, so that production deployments may replace automatic generated ones?

[black-dragon74]

Done

[Madhu-1]

Is this one for test clusters or means for production clusters also?

[black-dragon74]

Production clusters as well. As of now, curl misses support for HTTP2 on some distros. We can enable it by default once we are sure that all the clients support HTTP2.

Kubebuilder's default scaffolding also follows the same procedure as of now.

[nixpanic]

looks good overall, just a few nits regarding comments and documentation

[nixpanic]

please leave a comment in the code why it is disabled by default

[black-dragon74]

Done

[nixpanic]

can you document the steps to provide certificates, so that production deployments may replace automatic generated ones?

[Madhu-1]

on other thought, Do we need the metrics? if not lets disable it?

[black-dragon74]

on other thought, Do we need the metrics? if not lets disable it?

It is enabled in all of the other projects by default. Still, we could disable it if not needed. Thoughts @nixpanic ?

[nixpanic]

on other thought, Do we need the metrics? if not lets disable it?

It is enabled in all of the other projects by default. Still, we could disable it if not needed. Thoughts @nixpanic ?

Metrics enabled by default is fine, I think.

However, the metrics should be useful though. Not sure what the metrics contain, and if there is anything related to the CSI-Addons procedures. If it is only minor things, calling it "metrics for kubernetes-csi-addons" would not really be correct. In that case, the usefulness for the project is little, and disabling sets more appropriate expectations for users.

[black-dragon74]

However, the metrics should be useful though. Not sure what the metrics contain, and if there is anything related to the CSI-Addons procedures.

It includes these metrics and also the metrics for all the CRs that are reconciled by the controllers.

[nixpanic]

However, the metrics should be useful though. Not sure what the metrics contain, and if there is anything related to the CSI-Addons procedures.

It includes these metrics and also the metrics for all the CRs that are reconciled by the controllers.

In that case, disable it by default. These are not metrics about CSI-Addons procedures, it is too incomplete for that. Once we add metrics about the different CSI-Addons procedures, it can be enabled by default.

[black-dragon74]

The metrics service is now disabled by default (by setting its bind address to 0). In order to enable it,

• Set metrics-bind-address=:8443 flag for csi-addons controller pod.
• Modify config/manager/kustomization.yaml and uncomment the lines 13-18:

#- metrics_service.yaml

#patches:
#- path: manager_metrics_patch.yaml
#  target:
#    kind: Deployment

• For necessary RBACs uncomment the lines 27-30 in config/rbac/kustomization.yaml

  # The following RBAC configurations are used to protect
  # the metrics endpoint with authn/authz. These configurations
  # ensure that only authorized users and service accounts
  # can access the metrics endpoint.
  # - metrics_auth_role.yaml
  # - metrics_auth_role_binding.yaml
  # - metrics_reader_role.yaml
  # - metrics_reader_role_binding.yaml

cc @nixpanic @Madhu-1

[Madhu-1]

we might not need webhook server as well, lets check and address this in followup as well.