Upgrade to controller-runtime v0.16.3

Remove the kube-rbac-proxy container in the operator Deployment as the controller's metrics server can now authenticate and authorize clients on its own. Serve metrics over TLS on port 8443; disable HTTP/2 by default. Upstream-Commit: de6e33e
rh-ecosystem-edge · Nov 16, 2023 · e49cf34 · e49cf34
1 parent ea06b0f
commit e49cf34
Show file tree

Hide file tree

Showing 2,277 changed files with 397,392 additions and 8,998 deletions.
diff --git a/Makefile b/Makefile
@@ -143,7 +143,7 @@ lint: golangci-lint ## Run golangci-lint against code.
 		gofmt -l $(GOFILES_NO_VENDOR); \
 		exit 1; \
 	fi
-	$(GOLANGCI_LINT) run -v --timeout 5m0s
+	$(GOLANGCI_LINT) run -v --timeout 10m
 
 ##@ Build
 

diff --git a/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml b/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
@@ -32,7 +32,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2023-11-15T16:36:56Z"
+    createdAt: "2023-11-16T10:48:49Z"
     operatorframework.io/suggested-namespace: openshift-kmm-hub
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -223,6 +223,9 @@ spec:
                 - containerPort: 9443
                   name: webhook-server
                   protocol: TCP
+                - containerPort: 8443
+                  name: metrics
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -251,29 +254,6 @@ spec:
                 - mountPath: /controller_config.yaml
                   name: manager-config
                   subPath: controller_config.yaml
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=0
-                image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.13
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 5m
-                    memory: 64Mi
-                securityContext:
-                  allowPrivilegeEscalation: false
-                  capabilities:
-                    drop:
-                    - ALL
               nodeSelector:
                 node-role.kubernetes.io/master: ""
               securityContext:

diff --git a/bundle-hub/manifests/kmm-operator-hub-manager-config_v1_configmap.yaml b/bundle-hub/manifests/kmm-operator-hub-manager-config_v1_configmap.yaml
@@ -7,6 +7,11 @@ data:
     leaderElection:
       enabled: true
       resourceID: kmm-hub.sigs.x-k8s.io
+    metrics:
+      enableAuthnAuthz: true
+      disableHTTP2: true
+      bindAddress: 0.0.0.0:8443
+      secureServing: true
 kind: ConfigMap
 metadata:
   labels:

diff --git a/bundle/manifests/kernel-module-management.clusterserviceversion.yaml b/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
@@ -48,7 +48,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2023-11-15T16:36:55Z"
+    createdAt: "2023-11-16T10:48:48Z"
     operatorframework.io/suggested-namespace: openshift-kmm
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -360,6 +360,9 @@ spec:
                 - containerPort: 9443
                   name: webhook-server
                   protocol: TCP
+                - containerPort: 8443
+                  name: metrics
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -388,29 +391,6 @@ spec:
                 - mountPath: /controller_config.yaml
                   name: manager-config
                   subPath: controller_config.yaml
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=0
-                image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.13
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 5m
-                    memory: 64Mi
-                securityContext:
-                  allowPrivilegeEscalation: false
-                  capabilities:
-                    drop:
-                    - ALL
               nodeSelector:
                 node-role.kubernetes.io/master: ""
               securityContext:

diff --git a/bundle/manifests/kmm-operator-manager-config_v1_configmap.yaml b/bundle/manifests/kmm-operator-manager-config_v1_configmap.yaml
@@ -9,6 +9,11 @@ data:
     webhook:
       disableHTTP2: true  # CVE-2023-44487
       port: 9443
+    metrics:
+      enableAuthnAuthz: true
+      disableHTTP2: true  # CVE-2023-44487
+      bindAddress: 0.0.0.0:8443
+      secureServing: true
     worker:
       runAsUser: 0
       seLinuxType: spc_t

diff --git a/config/manager-base/kustomization.yaml b/config/manager-base/kustomization.yaml
@@ -7,7 +7,6 @@ resources:
 - configmap-service-ca.yaml
 
 patches:
-- path: manager_auth_proxy_patch.yaml
 - path: manager_config_patch.yaml
 - path: ocp.patch.yaml
 

diff --git a/config/manager-base/manager.yaml b/config/manager-base/manager.yaml
@@ -59,6 +59,10 @@ spec:
             port: 8081
           initialDelaySeconds: 15
           periodSeconds: 20
+        ports:
+          - name: metrics
+            containerPort: 8443
+            protocol: TCP
         readinessProbe:
           httpGet:
             path: /readyz

diff --git a/config/manager-base/manager_auth_proxy_patch.yaml b/config/manager-base/manager_auth_proxy_patch.yaml
diff --git a/config/manager-hub/controller_config.yaml b/config/manager-hub/controller_config.yaml
@@ -4,3 +4,8 @@ webhookPort: 9443
 leaderElection:
   enabled: true
   resourceID: kmm-hub.sigs.x-k8s.io
+metrics:
+  enableAuthnAuthz: true
+  disableHTTP2: true
+  bindAddress: 0.0.0.0:8443
+  secureServing: true
diff --git a/config/manager/controller_config.yaml b/config/manager/controller_config.yaml
@@ -6,6 +6,11 @@ leaderElection:
 webhook:
   disableHTTP2: true  # CVE-2023-44487
   port: 9443
+metrics:
+  enableAuthnAuthz: true
+  disableHTTP2: true  # CVE-2023-44487
+  bindAddress: 0.0.0.0:8443
+  secureServing: true
 worker:
   runAsUser: 0
   seLinuxType: spc_t
diff --git a/config/rbac-base/kustomization.yaml b/config/rbac-base/kustomization.yaml
@@ -14,8 +14,8 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# authorization and authentication for the controller's
+# /metrics endpoint.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.20
 require (
 	github.com/a8m/envsubst v1.4.2
 	github.com/budougumi0617/cmpmock v0.0.4
-	github.com/containers/image/v5 v5.28.0
+	github.com/containers/image/v5 v5.21.0
 	github.com/go-logr/logr v1.3.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.16.1
@@ -21,33 +21,42 @@ require (
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 	golang.org/x/text v0.14.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.27.7
-	k8s.io/apimachinery v0.27.7
-	k8s.io/client-go v0.27.7
+	k8s.io/api v0.28.3
+	k8s.io/apimachinery v0.28.3
+	k8s.io/client-go v0.28.3
 	k8s.io/klog/v2 v2.110.1
 	k8s.io/kubectl v0.27.7
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106
 	open-cluster-management.io/api v0.12.0
-	sigs.k8s.io/controller-runtime v0.15.1
+	sigs.k8s.io/controller-runtime v0.16.3
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
 	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containers/storage v1.50.1 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v24.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.7+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
@@ -56,10 +65,13 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/cel-go v0.16.1 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
 	github.com/google/uuid v1.3.1 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -82,23 +94,48 @@ require (
 	github.com/prometheus/procfs v0.11.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.9 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.9 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
+	go.opentelemetry.io/otel v1.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0 // indirect
+	go.opentelemetry.io/otel/metric v0.32.2 // indirect
+	go.opentelemetry.io/otel/sdk v1.10.0 // indirect
+	go.opentelemetry.io/otel/trace v1.10.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.25.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.14.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230629202037-9506855d4529 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/grpc v1.57.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/component-base v0.27.7 // indirect
-	k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect
+	k8s.io/apiextensions-apiserver v0.28.3 // indirect
+	k8s.io/apiserver v0.28.3 // indirect
+	k8s.io/component-base v0.28.3 // indirect
+	k8s.io/kms v0.28.3 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )