✨ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization #460
Open
camilamacedo86 wants to merge 1 commit into operator-framework:main from camilamacedo86:replace-kube-rbac-proxy
+79
−49
openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) (Nov 18, 2024)
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #460      +/-   ##
==========================================
- Coverage   37.89%   37.44%   -0.46%
==========================================
  Files          15       15
  Lines        1235     1250      +15
==========================================
  Hits          468      468
- Misses        717      732      +15
  Partials       50       50
☔ View full report in Codecov by Sentry.
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 3 times, most recently from befdef7 to 8ca7c1d (November 18, 2024 12:38)
camilamacedo86 changed the title from "WIP replace kube-rbac-proxy" to "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 18, 2024)
openshift-ci bot removed the do-not-merge/work-in-progress label (Nov 18, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch from 0ee7199 to 3183153 (November 18, 2024 13:43)
camilamacedo86 changed the title from "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "WIP: ⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 18, 2024)
openshift-ci bot added the do-not-merge/work-in-progress label (Nov 18, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch from 3183153 to 4ad7f35 (November 18, 2024 13:58)
camilamacedo86 changed the title from "WIP: ⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 18, 2024)
openshift-ci bot removed the do-not-merge/work-in-progress label (Nov 18, 2024)
camilamacedo86 changed the title from "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "(HOLD - WIP) ⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 18, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch from 4ad7f35 to 42147b6 (November 26, 2024 00:11)
/hold
openshift-ci bot added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) (Nov 26, 2024)
camilamacedo86 changed the title from "(HOLD - WIP) ⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 26, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch from 42147b6 to 0d9cd88 (November 26, 2024 00:15)
camilamacedo86 changed the title from "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "WIP - ⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Nov 26, 2024)
openshift-ci bot added the do-not-merge/work-in-progress label (Nov 26, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 2 times, most recently from 365aa93 to 5c04183 (December 2, 2024 12:15)
tmshort reviewed (Dec 2, 2024)
tmshort reviewed (Dec 2, 2024)
tmshort reviewed (Dec 2, 2024)
This comment was marked as resolved.
This comment was marked as resolved.
openshift-merge-robot removed the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) (Dec 12, 2024)
camilamacedo86 changed the title from "⚠️ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" to "✨ Replace kube-rbac-proxy with controller-runtime metrics authentication/authorization" (Dec 12, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 2 times, most recently from abe9cea to e37c70e (December 12, 2024 22:54)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 3 times, most recently from 4d3281f to e461013 (December 13, 2024 00:38)
tmshort reviewed (Dec 13, 2024)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 2 times, most recently from 3ce4ce6 to 03c51cf (December 13, 2024 20:11)
Rebased with the tests to ensure backwards compatibility: #483
Hi @joelanford, can we uphold and move forward with this one?
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 4 times, most recently from 5f6b423 to 4f171d3 (December 13, 2024 22:22)
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch 2 times, most recently from c186e9e to 36c6797 (December 18, 2024 09:19)
/hold cancel
openshift-ci bot removed the do-not-merge/hold label (Dec 18, 2024)
…n/authorization This commit removes the use of the kube-rbac-proxy image and replaces it with metrics authentication/authorization provided by controller-runtime. The kube-rbac-proxy image is deprecated and will no longer be maintained, which introduces risks to production environments. For more details, see: kubernetes-sigs/kubebuilder#3907
camilamacedo86 force-pushed the replace-kube-rbac-proxy branch from 36c6797 to 40bf352 (December 18, 2024 18:28)
This commit removes the use of the kube-rbac-proxy image and replaces it with metrics authentication/authorization provided by controller-runtime. The kube-rbac-proxy image is deprecated and will no longer be maintained, which introduces risks to production environments. For more details, see: kubernetes-sigs/kubebuilder#3907
Motivation: operator-framework/operator-controller#1509
Local Tests
To check the metrics endpoint
To grant the required permissions for metrics access, run:
Generate the token for the catalogd-controller-manager service account:
Run a pod with a debug container to test the metrics endpoint:
Checking the metrics
Result
To validate the usage of certs within
Create the Pod with the secret
Jump in the curl
Run the curl calling the metrics
Result
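
The RBAC that in-process metrics authentication/authorization depends on, as an added example that is not part of this PR or the project's manifests. It assumes controller-runtime's authentication/authorization filter, which validates a caller's bearer token with a TokenReview and its access to `/metrics` with a SubjectAccessReview; every `example-` name and the namespace are placeholders, and only the `catalogd-controller-manager` service account name comes from the description above.

```yaml
# Added example, not taken from the PR. Names prefixed "example-" and the
# namespace are placeholders; only the service account name is from the page.

# 1) The manager now validates callers itself, so its service account must be
#    able to create TokenReviews (authn) and SubjectAccessReviews (authz).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-metrics-auth-role
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-metrics-auth-role
subjects:
  - kind: ServiceAccount
    name: catalogd-controller-manager
    namespace: example-namespace   # placeholder
---
# 2) Any client that scrapes metrics needs "get" on the /metrics non-resource
#    URL; without it the SubjectAccessReview is denied and the scrape fails.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-metrics-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-metrics-reader
subjects:
  - kind: ServiceAccount
    name: example-scraper          # placeholder
    namespace: example-namespace   # placeholder
```

When reviewing a migration like this one, confirm that the first binding exists for the manager's own service account and that the reader role is bound only to the identities that actually scrape metrics.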