Remove usage of kube-rbac-proxy and switch to the built-in WithAuthenticationAndAuthorization filter instead #338

35 changes: 9 additions & 26 deletions .rhdh/bundle/manifests/rhdh-operator.clusterserviceversion.yaml
Expand Up @@ -222,32 +222,10 @@ spec:
- linux
automountServiceAccountToken: true
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9:v4.16
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --metrics-bind-address=:8443
- --metrics-secure=true
- --leader-elect
command:
- /manager
Expand All @@ -263,17 +241,22 @@ spec:
- name: RELATED_IMAGE_backstage
value: registry.redhat.io/rhdh/rhdh-hub-rhel9:1.4
image: registry.redhat.io/rhdh/rhdh-rhel9-operator:1.4
ports:
- name: health
containerPort: 8081
- name: metrics
containerPort: 8443
livenessProbe:
httpGet:
path: /healthz
port: 8081
port: health
initialDelaySeconds: 15
periodSeconds: 20
name: manager
readinessProbe:
httpGet:
path: /readyz
port: 8081
port: health
initialDelaySeconds: 5
periodSeconds: 10
resources:
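Review bot: With the kube-rbac-proxy sidecar removed, `--metrics-bind-address=:8443` exposes the manager's metrics listener on all interfaces, and nothing in these manifests shows that the manager binary actually registers the built-in WithAuthenticationAndAuthorization filter the title refers to; if it is not wired in, `--metrics-secure=true` gives TLS (a self-signed serving certificate generated at startup unless one is supplied — verify against the manager code) with no caller authentication, a regression from the proxy. That filter authenticates and authorizes scrapers through TokenReview and SubjectAccessReview, so the manager's ServiceAccount needs a ClusterRole permitting creation of both; no such rule appears in this diff and it should be confirmed before merge. Scrapers also now have to trust the manager's own serving certificate rather than the proxy's, which affects any ServiceMonitor or scrape config pointing at the `metrics` Service port. The same sidecar removal and args change appears in the two other CSV bundle sections and in config/profile/backstage.io/manager.yaml, so this applies there as well. The container's securityContext is outside this hunk.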
Expand Up @@ -3,7 +3,7 @@ kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: backstage-operator
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/managed-by: kustomize
Expand All @@ -13,10 +13,10 @@ metadata:
name: backstage-controller-manager-metrics-service
spec:
ports:
- name: https
- name: metrics
port: 8443
protocol: TCP
targetPort: https
targetPort: metrics
selector:
control-plane: controller-manager
status:
Expand Up @@ -3,7 +3,7 @@ kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics-rbac
app.kubernetes.io/created-by: backstage-operator
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: kustomize
Expand Up @@ -25,7 +25,7 @@ metadata:
}
}
]
createdAt: "2024-10-14T11:21:00Z"
createdAt: "2024-10-16T20:54:13Z"
description: Backstage Operator
operators.operatorframework.io/builder: operator-sdk-v1.36.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
Expand Down Expand Up @@ -172,56 +172,36 @@ spec:
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
automountServiceAccountToken: true
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --metrics-bind-address=:8443
- --metrics-secure=true
- --leader-elect
command:
- /manager
image: quay.io/rhdh-community/operator:0.4.0
livenessProbe:
httpGet:
path: /healthz
port: 8081
port: health
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8081
name: health
- containerPort: 8443
name: metrics
readinessProbe:
httpGet:
path: /readyz
port: 8081
port: health
initialDelaySeconds: 5
periodSeconds: 10
resources:
40 changes: 10 additions & 30 deletions bundle/rhdh/manifests/backstage-operator.clusterserviceversion.yaml
Expand Up @@ -29,7 +29,7 @@ metadata:
categories: Developer Tools
certified: "true"
containerImage: registry-proxy.engineering.redhat.com/rh-osbs/rhdh-rhdh-rhel9-operator:1.3
createdAt: "2024-10-16T16:51:27Z"
createdAt: "2024-10-16T20:54:18Z"
description: Red Hat Developer Hub is a Red Hat supported version of Backstage.
It comes with pre-built plug-ins and configuration settings, supports use of
an external database, and can help streamline the process of setting up a self-managed
Expand Down Expand Up @@ -211,56 +211,36 @@ spec:
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
automountServiceAccountToken: true
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --metrics-bind-address=:8443
- --metrics-secure=true
- --leader-elect
command:
- /manager
image: quay.io/rhdh-community/operator:0.4.0
livenessProbe:
httpGet:
path: /healthz
port: 8081
port: health
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8081
name: health
- containerPort: 8443
name: metrics
readinessProbe:
httpGet:
path: /readyz
port: 8081
port: health
initialDelaySeconds: 5
periodSeconds: 10
resources:
Expand Up @@ -3,7 +3,7 @@ kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: backstage-operator
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/managed-by: kustomize
Expand All @@ -13,10 +13,10 @@ metadata:
name: rhdh-controller-manager-metrics-service
spec:
ports:
- name: https
- name: metrics
port: 8443
protocol: TCP
targetPort: https
targetPort: metrics
selector:
control-plane: controller-manager
status:
Expand Up @@ -3,7 +3,7 @@ kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/component: metrics-rbac
app.kubernetes.io/created-by: backstage-operator
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: kustomize
10 changes: 0 additions & 10 deletions config/profile/backstage.io/kustomization.yaml
Expand Up @@ -16,16 +16,6 @@ resources:
- ../../rbac
- manager.yaml

patches:
- path: manager_auth_proxy_patch.yaml
target:
group: apps
kind: Deployment
name: controller-manager
version: v1
# name: controller-manager
# namespace: system

images:
- name: controller
newName: quay.io/rhdh-community/operator
48 changes: 28 additions & 20 deletions config/profile/backstage.io/manager.yaml
Expand Up @@ -38,26 +38,26 @@ spec:
spec:
# Required because the operator does not work without a Service Account Token
automountServiceAccountToken: true # NOSONAR
# (user): Uncomment the following code to configure the nodeAffinity expression
# Configure the nodeAffinity expression
# according to the platforms which are supported by your solution.
# It is considered best practice to support multiple architectures. You can
# build your manager image using the makefile target docker-buildx.
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch
# operator: In
# values:
# - amd64
# - arm64
# - ppc64le
# - s390x
# - key: kubernetes.io/os
# operator: In
# values:
# - linux
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
# - arm64
# - ppc64le
# - s390x
- key: kubernetes.io/os
operator: In
values:
- linux
securityContext:
runAsNonRoot: true
# (user): For common cases that do not require escalating privileges
Expand All @@ -71,24 +71,32 @@ spec:
- command:
- /manager
args:
- --leader-elect
- --health-probe-bind-address=:8081
- --metrics-bind-address=:8443
- --metrics-secure=true
- --leader-elect
image: controller:latest
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ports:
- name: health
containerPort: 8081
- name: metrics
containerPort: 8443
livenessProbe:
httpGet:
path: /healthz
port: 8081
port: health
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
port: health
initialDelaySeconds: 5
periodSeconds: 10
resources:
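Review bot: Commenting out `arm64`, `ppc64le` and `s390x` under the nodeAffinity arch expression restricts the manager to amd64 nodes, which is unrelated to the kube-rbac-proxy removal this PR is about and propagates into both generated CSV bundles; if it is deliberate, a comment above the list such as `# Only amd64 is enabled for now; the other architectures are tracked in <ISSUE-PLACEHOLDER>` would stop the next reader from re-enabling them. The preceding comment, "according to the platforms which are supported by your solution", still reads like scaffold text now that the block is active and should state the actual platform decision. The manager container keeps `allowPrivilegeEscalation: false` and drops all capabilities, so dropping the sidecar does not lose that hardening on the remaining container. The Deployment spec continues outside the hunk.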