Remove kube-rbac-proxy #8302
I'll look at this today @pebrc
When testing with the following values:
```yaml
config:
  metrics:
    port: 8443
    secureMode:
      enabled: true
image:
  repository: docker.elastic.co/eck-ci/eck-operator-pr
  tag: 8302-b2670646
installCRDs: true
managedNamespaces: []
webhook:
  enabled: true
```
I see this working without issues:
I'll have to test with more scenarios tomorrow and update.
From my testing the option for providing your own certificate/key/ca is broken, as it was configured in the rbac-proxy in the previous implementation. I'm working through what the fix looks like for this and will update.
Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
I'll take a look at this and update... thanks
This reverts commit 42e0d56.
I sat down to finish this and saw you handled it. I will verify in the a.m. Thanks
Nice work! I really like the additional fixes/improvements you included in this PR 👍
I ran a couple of tests, only with Helm, using both the ECK and the Prometheus operator charts, with a custom CA, enforcing (or not) TLS validation, and it worked as expected.
Looks good 👍
Not from your PR, I noticed the `metadata.labels` of the `Service` and the `spec.selector.matchLabels` of the `ServiceMonitor` in `configure-operator-metrics.asciidoc` are not aligned with what is rendered using the Helm chart.
This removes the kube-auth-proxy from the ECK Helm charts and the ECK documentation. Instead it follows the recommendation from controller-runtime to use the built-in FilterProvider filters.WithAuthenticationAndAuthorization.
This pulls in a bunch of k8s API server dependencies increasing the binary size by about 12MB IIRC.
I have also tried to address some issues with our current Helm templating of the metrics server:
- allow enabling the secure mode with TLS+auth while not forcing users to have Prometheus installed e.g. when using Elastic Agent (!) (service monitor is still generated by default for bwc)
- mixing configuration properties for the service monitor with the configuration properties of the metrics server (I moved them to serviceMonitor.* while implementing a form of bwc layer in the template)
---------
Co-authored-by: Michael Montgomery <mmontg1@gmail.com>
Co-authored-by: Michael Morello <michael.morello@elastic.co>
(cherry picked from commit 032bff5)
# Conflicts:
#	go.sum
💚 All backports created successfully
Fixes #8279
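This removes the kube-auth-proxy from the ECK Helm charts and the ECK documentation. Instead it follows the recommendation from controller-runtime to use the built-in `FilterProvider` `filters.WithAuthenticationAndAuthorization`.
This pulls in a bunch of k8s API server dependencies increasing the binary size by about 12MB IIRC.
I have also tried to address some issues with our current Helm templating of the metrics server:
- allow enabling the secure mode with TLS+auth while not forcing users to have Prometheus installed e.g. when using Elastic Agent (!) (service monitor is still generated by default for bwc)
- mixing configuration properties for the service monitor with the configuration properties of the metrics server (I moved them to `serviceMonitor.*` while implementing a form of bwc layer in the template)
Things I did not address: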
Tests I did (all with Prometheus operator):
insecureSkipVerify: true
insecureSkipVerify: true
insecureSkipVerify: false
Review
If you can test a few scenarios while reviewing this it would be much appreciated to flush out any issues I have missed.
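A simplified model of the check that now runs inside the operator instead of in the sidecar proxy, added here as an example and not code from this PR or from controller-runtime. The `reviewer` type, tokens and user names are constructed stand-ins for the TokenReview and SubjectAccessReview calls that the real `filters.WithAuthenticationAndAuthorization` delegates to the API server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// reviewer stands in (assumed type) for the API server round trips behind the
// filter: TokenReview for authentication, SubjectAccessReview for authorization.
type reviewer struct {
	tokens map[string]string // bearer token -> user
	allow  map[string]bool   // "user verb path" -> allowed
}

// withAuthnAuthz returns 401 without a valid bearer token and 403 when the
// authenticated user may not perform the verb on the requested URL path.
func withAuthnAuthz(rv reviewer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		user, ok := rv.tokens[strings.TrimPrefix(hdr, "Bearer ")]
		if !strings.HasPrefix(hdr, "Bearer ") || !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !rv.allow[user+" "+strings.ToLower(r.Method)+" "+r.URL.Path] {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demo guards a fake /metrics endpoint; tokens and users are constructed.
var demo = withAuthnAuthz(reviewer{
	tokens: map[string]string{"tok-prom": "prometheus", "tok-app": "some-app"},
	allow:  map[string]bool{"prometheus get /metrics": true},
}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "demo_metric 1") }))

// scrape returns the status a client sending authHeader gets from GET /metrics.
func scrape(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(scrape(demo, ""), scrape(demo, "Bearer tok-app"), scrape(demo, "Bearer tok-prom")) }
```

A scraper that authenticates but has no grant for `get` on the `/metrics` path receives 403, not 401, which separates a missing RBAC rule from a missing or invalid token when debugging failed scrapes.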