Remove kube-rbac-proxy image (#1551)

* Remove kube-rbac-proxy image

* Run verify-licenses

LICENSE-3rdparty.csv

@@ -25,19 +25,25 @@ core,github.com/DataDog/viper,MIT
 core,github.com/DataDog/zstd,BSD-3-Clause
 core,github.com/Masterminds/semver,MIT
 core,github.com/Masterminds/semver/v3,MIT
+core,github.com/antlr4-go/antlr/v4,BSD-3-Clause
+core,github.com/asaskevich/govalidator,MIT
 core,github.com/benbjohnson/clock,MIT
 core,github.com/beorn7/perks/quantile,MIT
+core,github.com/blang/semver/v4,MIT
 core,github.com/cenkalti/backoff,MIT
+core,github.com/cenkalti/backoff/v4,MIT
 core,github.com/cespare/xxhash/v2,MIT
 core,github.com/cihub/seelog,BSD-3-Clause
 core,github.com/davecgh/go-spew/spew,ISC
 core,github.com/dustin/go-humanize,MIT
 core,github.com/ebitengine/purego,Apache-2.0
 core,github.com/emicklei/go-restful/v3,MIT
 core,github.com/evanphx/json-patch/v5,BSD-3-Clause
+core,github.com/felixge/httpsnoop,MIT
 core,github.com/fsnotify/fsnotify,BSD-3-Clause
 core,github.com/fxamacker/cbor/v2,MIT
 core,github.com/go-logr/logr,Apache-2.0
+core,github.com/go-logr/stdr,Apache-2.0
 core,github.com/go-logr/zapr,Apache-2.0
 core,github.com/go-openapi/jsonpointer,Apache-2.0
 core,github.com/go-openapi/jsonreference,Apache-2.0
@@ -46,13 +52,15 @@ core,github.com/gobwas/glob,MIT
 core,github.com/gogo/protobuf,BSD-3-Clause
 core,github.com/golang/groupcache/lru,Apache-2.0
 core,github.com/golang/protobuf,BSD-3-Clause
+core,github.com/google/cel-go,Apache-2.0
 core,github.com/google/gnostic-models,Apache-2.0
 core,github.com/google/go-cmp/cmp,BSD-3-Clause
 core,github.com/google/gofuzz,Apache-2.0
 core,github.com/google/pprof/profile,Apache-2.0
 core,github.com/google/uuid,BSD-3-Clause
 core,github.com/grpc-ecosystem/go-grpc-middleware,Apache-2.0
 core,github.com/grpc-ecosystem/grpc-gateway,BSD-3-Clause
+core,github.com/grpc-ecosystem/grpc-gateway/v2,BSD-3-Clause
 core,github.com/hashicorp/hcl,MPL-2.0
 core,github.com/imdario/mergo,BSD-3-Clause
 core,github.com/josharian/intern,MIT
@@ -83,29 +91,40 @@ core,github.com/shirou/gopsutil/v3,BSD-3-Clause
 core,github.com/spaolacci/murmur3,BSD-3-Clause
 core,github.com/spf13/afero,Apache-2.0
 core,github.com/spf13/cast,MIT
+core,github.com/spf13/cobra,Apache-2.0
 core,github.com/spf13/jwalterweatherman,MIT
 core,github.com/spf13/pflag,BSD-3-Clause
+core,github.com/stoewer/go-strcase,MIT
 core,github.com/stretchr/objx,MIT
 core,github.com/stretchr/testify,MIT
 core,github.com/tinylib/msgp/msgp,MIT
 core,github.com/x448/float16,MIT
 core,github.com/zorkian/go-datadog-api,BSD-3-Clause
 core,go.etcd.io/bbolt,MIT
+core,go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,Apache-2.0
+core,go.opentelemetry.io/otel,Apache-2.0
+core,go.opentelemetry.io/otel/exporters/otlp/otlptrace,Apache-2.0
+core,go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,Apache-2.0
+core,go.opentelemetry.io/otel/metric,Apache-2.0
+core,go.opentelemetry.io/otel/sdk,Apache-2.0
+core,go.opentelemetry.io/otel/trace,Apache-2.0
+core,go.opentelemetry.io/proto/otlp,Apache-2.0
 core,go.uber.org/atomic,MIT
 core,go.uber.org/multierr,MIT
 core,go.uber.org/zap,MIT
 core,golang.org/x/exp,BSD-3-Clause
 core,golang.org/x/mod/semver,BSD-3-Clause
 core,golang.org/x/net,BSD-3-Clause
 core,golang.org/x/oauth2,BSD-3-Clause
+core,golang.org/x/sync/singleflight,BSD-3-Clause
 core,golang.org/x/sys/unix,BSD-3-Clause
 core,golang.org/x/term,BSD-3-Clause
 core,golang.org/x/text,BSD-3-Clause
 core,golang.org/x/time/rate,BSD-3-Clause
 core,golang.org/x/xerrors,BSD-3-Clause
 core,gomodules.xyz/jsonpatch/v2,Apache-2.0
 core,google.golang.org/genproto/googleapis/api,Apache-2.0
-core,google.golang.org/genproto/googleapis/rpc/status,Apache-2.0
+core,google.golang.org/genproto/googleapis/rpc,Apache-2.0
 core,google.golang.org/genproto/protobuf/field_mask,Apache-2.0
 core,google.golang.org/grpc,Apache-2.0
 core,google.golang.org/protobuf,BSD-3-Clause
@@ -117,14 +136,19 @@ core,k8s.io/api,Apache-2.0
 core,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions,Apache-2.0
 core,k8s.io/apimachinery/pkg,Apache-2.0
 core,k8s.io/apimachinery/third_party/forked/golang,BSD-3-Clause
+core,k8s.io/apiserver,Apache-2.0
 core,k8s.io/client-go,Apache-2.0
+core,k8s.io/component-base,Apache-2.0
 core,k8s.io/klog/v2,Apache-2.0
 core,k8s.io/kube-aggregator/pkg/apis/apiregistration,Apache-2.0
 core,k8s.io/kube-openapi/pkg,Apache-2.0
 core,k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json,BSD-3-Clause
+core,k8s.io/kube-openapi/pkg/validation/errors,Apache-2.0
 core,k8s.io/kube-openapi/pkg/validation/spec,Apache-2.0
+core,k8s.io/kube-openapi/pkg/validation/strfmt,Apache-2.0
 core,k8s.io/utils,Apache-2.0
-core,k8s.io/utils/internal/third_party/forked/golang/net,BSD-3-Clause
+core,k8s.io/utils/internal/third_party/forked/golang,BSD-3-Clause
+core,sigs.k8s.io/apiserver-network-proxy/konnectivity-client,Apache-2.0
 core,sigs.k8s.io/controller-runtime,Apache-2.0
 core,sigs.k8s.io/json,Apache-2.0
 core,sigs.k8s.io/structured-merge-diff/v4,Apache-2.0

cmd/main.go

@@ -24,6 +24,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	ctrlzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -93,6 +94,7 @@ const (
 type options struct {
 	// Observability options
 	metricsAddr      string
+	secureMetrics    bool
 	profilingEnabled bool
 	logLevel         *zapcore.Level
 	logEncoder       string
@@ -133,6 +135,7 @@ type options struct {
 func (opts *options) Parse() {
 	// Observability flags
 	flag.StringVar(&opts.metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	flag.BoolVar(&opts.secureMetrics, "metrics-secure", false, "If true, the metrics endpoint is served securely via HTTPS. Use false to use HTTP instead.")
 	flag.BoolVar(&opts.profilingEnabled, "profiling-enabled", false, "Enable Datadog profile in the Datadog Operator process.")
 	opts.logLevel = zap.LevelFlag("loglevel", zapcore.InfoLevel, "Set log level")
 	flag.StringVar(&opts.logEncoder, "logEncoder", "json", "log encoding ('json' or 'console')")
@@ -228,14 +231,23 @@ func run(opts *options) error {
 	renewDeadline := opts.leaderElectionLeaseDuration / 2
 	retryPeriod := opts.leaderElectionLeaseDuration / 4
 
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   opts.metricsAddr,
+		SecureServing: opts.secureMetrics,
+		ExtraHandlers: debug.GetExtraMetricHandlers(),
+	}
+
+	if opts.secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	restConfig := ctrl.GetConfigOrDie()
 	restConfig.UserAgent = "datadog-operator"
 	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
-		Scheme: scheme,
-		Metrics: metricsserver.Options{
-			BindAddress:   opts.metricsAddr,
-			ExtraHandlers: debug.GetExtraMetricHandlers(),
-		}, HealthProbeBindAddress: ":8081",
+		Scheme:                     scheme,
+		Metrics:                    metricsServerOptions,
+		HealthProbeBindAddress:     ":8081",
 		LeaderElection:             opts.enableLeaderElection,
 		LeaderElectionID:           "datadog-operator-lock",
 		LeaderElectionResourceLock: resourcelock.LeasesResourceLock,

config/default/kustomization.yaml

@@ -24,12 +24,15 @@ resources:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+#- metrics_service.yaml
 
 #patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-#- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+# More info: https://book.kubebuilder.io/reference/metrics
+#- path: manager_metrics_patch.yaml
+#  target:
+#    kind: Deployment
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- path: manager_webhook_patch.yaml

config/default/manager_metrics_patch.yaml

@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-addr=:8443

config/rbac/auth_proxy_service.yaml → config/default/metrics_service.yaml

@@ -9,6 +9,7 @@ spec:
   ports:
   - name: https
     port: 8443
-    targetPort: https
+    protocol: TCP
+    targetPort: 8443
   selector:
     control-plane: controller-manager

config/manager/manager.yaml

@@ -22,6 +22,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: datadog-operator
+        control-plane: controller-manager
       annotations:
         ad.datadoghq.com/manager.check_names: '["openmetrics"]'
         ad.datadoghq.com/manager.init_configs: '[{}]'

config/rbac/kustomization.yaml

@@ -4,12 +4,12 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-#- auth_proxy_service.yaml
-#- auth_proxy_role.yaml
-#- auth_proxy_role_binding.yaml
-#- auth_proxy_client_clusterrole.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint.
+# - metrics_auth_role.yaml
+# - metrics_auth_role_binding.yaml
+# - metrics_reader_role.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

config/rbac/auth_proxy_role.yaml → config/rbac/metrics_auth_role.yaml

@@ -1,13 +1,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: proxy-role
+  name: metrics-auth-role
 rules:
-- apiGroups: ["authentication.k8s.io"]
+- apiGroups:
+  - authentication.k8s.io
   resources:
   - tokenreviews
-  verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
   resources:
   - subjectaccessreviews
-  verbs: ["create"]
+  verbs:
+  - create

config/rbac/auth_proxy_role_binding.yaml → config/rbac/metrics_auth_role_binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: proxy-rolebinding
+  name: metrics-auth-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

config/rbac/metrics_reader_role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/test-v1/kustomization.yaml

@@ -43,11 +43,6 @@ resources:
 #    namespace: system
 #    version: v1
 
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-#- path: manager_auth_proxy_patch.yaml
-
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- path: manager_webhook_patch.yaml