WINC-1269: Expose WMCO /metrics endpoint via HTTPS

mansikulkarni96 commented 3 weeks ago

Use the new controller-runtime secureAccess flag and filters.WithAuthenticationAndAuthorization when exposing metrics endpoint. kube-rbac-proxy has been removed from controller-runtime scaffolding and its use is discouraged to drop the dependency on maintaining the image.

openshift-ci[bot] commented 3 weeks ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

mansikulkarni96 commented 3 weeks ago

/approve cancel

openshift-ci-robot commented 3 weeks ago

@mansikulkarni96: This pull request references WINC-1269 which is a valid jira issue.

In response to [this](https://github.com/openshift/windows-machine-config-operator/pull/2388): >Use secureAccess option when exposing metrics >endpoint and mount the TLS certs created >using TLS secret annotation to the WMCO pod. >The cert and the key will be used for >server authentication. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fwindows-machine-config-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci-robot commented 3 weeks ago

@mansikulkarni96: This pull request references WINC-1269 which is a valid jira issue.

In response to [this](https://github.com/openshift/windows-machine-config-operator/pull/2388): >Use the new controller-runtime secureAccess flag and [filters.WithAuthenticationAndAuthorization](https://github.com/kubernetes-sigs/controller-runtime/pull/2407) when exposing metrics endpoint. >kube-rbac-proxy has been removed from controller-runtime scaffolding and its use is discouraged to drop the dependency on maintaining the image. > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fwindows-machine-config-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

mansikulkarni96 commented 3 weeks ago

/test aws-e2e-operator

mansikulkarni96 commented 2 weeks ago

WMCO logs 2024-08-22T21:39:04Z INFO controller-runtime.metrics Serving metrics server {"bindAddress": "0.0.0.0:8443", "secure": true}

wgahnagl commented 2 weeks ago

I think you might've pushed some vendor changes. Should those be there?

mansikulkarni96 commented 2 weeks ago

I think you might've pushed some vendor changes. Should those be there?

@wgahnagl they are generated with make vendor for the import sigs.k8s.io/controller-runtime/pkg/metrics/filters

mansikulkarni96 commented 2 weeks ago

With this are we able to remove the kube-rbac-proxy deployment (manager_auth_proxy_patch.yaml config file)? I know it's not being used but not sure if it a generated file or a resource that we maintain

We are not using it, but we can consider removing it. It came with the Kubebuilder project scaffolding.

jrvaldes commented 2 weeks ago

With this are we able to remove the kube-rbac-proxy deployment (manager_auth_proxy_patch.yaml config file)? I know it's not being used but not sure if it a generated file or a resource that we maintain

We are not using it, but we can consider removing it. It came with the Kubebuilder project scaffolding.

+1 to removing it as part of this PR

jrvaldes commented 2 weeks ago

/lgtm

good work @mansikulkarni96 🎉

saifshaikh48 commented 2 weeks ago

/lgtm

mansikulkarni96 commented 2 weeks ago

/test remaing-required

openshift-ci[bot] commented 2 weeks ago

@mansikulkarni96: The specified target(s) for /test were not found. The following commands are available to trigger required jobs:

/test aws-e2e-operator
/test azure-e2e-operator
/test azure-e2e-upgrade
/test build
/test ci-bundle-wmco-bundle
/test gcp-e2e-operator
/test images
/test lint
/test nutanix-e2e-operator
/test platform-none-vsphere-e2e-operator
/test security
/test unit
/test vsphere-disconnected-e2e-operator
/test vsphere-e2e-operator
/test vsphere-proxy-e2e-operator
/test wicd-unit-vsphere

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-windows-machine-config-operator-master-build
pull-ci-openshift-windows-machine-config-operator-master-ci-bundle-wmco-bundle
pull-ci-openshift-windows-machine-config-operator-master-images
pull-ci-openshift-windows-machine-config-operator-master-lint
pull-ci-openshift-windows-machine-config-operator-master-security
pull-ci-openshift-windows-machine-config-operator-master-unit

In response to [this](https://github.com/openshift/windows-machine-config-operator/pull/2388#issuecomment-2315528832): >/test remaing-required Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

mansikulkarni96 commented 2 weeks ago

/test remaining-required

mansikulkarni96 commented 2 weeks ago

/approve self-approve after 2 lgtm's

openshift-ci[bot] commented 2 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mansikulkarni96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/windows-machine-config-operator/blob/master/OWNERS)~~ [mansikulkarni96] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment