Add Required kustomize changes to remove kube-rbac-proxy

Signed-off-by: Furkat gofurov <furkat.gofurov@suse.com>

config/default/kustomization.yaml

@@ -26,11 +26,6 @@ bases:
 - ../namespace
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-  # Provide customizable hook for make targets.
 - manager_image_patch.yaml
 - manager_pull_policy.yaml
 

config/manager/manager.yaml

@@ -18,8 +18,16 @@ spec:
       containers:
       - command:
         - /manager
+        args:
+          - "--leader-elect"
+          - "--diagnostics-address=${CAPI_OPERATOR_DIAGNOSTICS_ADDRESS:=:8443}"
+          - "--insecure-diagnostics=${CAPI_OPERATOR_INSECURE_DIAGNOSTICS:=false}"
         image: controller:latest
         name: manager
+        ports:
+          - containerPort: 8443
+            name: metrics
+            protocol: TCP
         resources:
           limits:
             cpu: 100m

config/rbac/kustomization.yaml

@@ -2,11 +2,4 @@ resources:
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- leader_election_role_binding.yaml

docs/README.md

@@ -149,9 +149,10 @@ spec:
       containers:
       - name: manager
         args:
-        - --metrics-bind-addr=:8080
         - --leader-elect
         - --leader-elect-retry-period=5s
+        - "--diagnostics-address=${CAPI_OPERATOR_DIAGNOSTICS_ADDRESS:=:8443}"
+        - "--insecure-diagnostics=${CAPI_OPERATOR_INSECURE_DIAGNOSTICS:=false}"
         - --v=5
         env:...
 ```

hack/charts/cluster-api-operator/templates/deployment.yaml

@@ -63,9 +63,6 @@ spec:
         {{- if .Values.healthAddr }}
         - --health-addr={{ .Values.healthAddr }}
         {{- end }}
-        {{- if .Values.metricsBindAddr }}
-        - --metrics-bind-addr={{ .Values.metricsBindAddr }}
-        {{- end }}
         {{- with .Values.leaderElection }}
         - --leader-elect={{ .enabled }}
         {{- if .leaseDuration }}
@@ -101,30 +98,6 @@ spec:
         volumeMounts:
         {{- toYaml . | nindent 12 }}
         {{- end }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        {{- if .Values.logLevel }}
-        - --v={{ .Values.logLevel }}
-        {{- end }}
-        {{- with .Values.image.kubeRBACProxy }}
-        image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-        {{- end }}
-        imagePullPolicy: {{ .Values.image.kubeRBACProxy.pullPolicy }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        {{- with .Values.resources.kubeRBACProxy }}
-        resources:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
-        {{- with .Values.containerSecurityContext.kubeRBACProxy }}
-        securityContext:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
       terminationGracePeriodSeconds: 10
       {{- with .Values.volumes }}
       volumes:

hack/charts/cluster-api-operator/values.yaml

@@ -26,12 +26,7 @@ image:
     repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator
     tag: dev
     pullPolicy: IfNotPresent
-  kubeRBACProxy:
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
-    tag: v0.14.1
-    pullPolicy: IfNotPresent
 healthAddr: ":8081"
-metricsBindAddr: "127.0.0.1:8080"
 imagePullSecrets: {}
 resources:
   manager:

test/e2e/resources/full-chart-install.yaml

@@ -13966,40 +13966,6 @@ rules:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-metrics-reader
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -14016,22 +13982,6 @@ subjects:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: capi-operator-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: 'default'
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
@@ -14098,24 +14048,6 @@ subjects:
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: v1
 kind: Service
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
-  name: capi-operator-controller-manager-metrics-service
-  namespace: 'default'
-spec:
-  ports:
-  - name: https
-    port: 8443
-    targetPort: https
-  selector:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: v1
-kind: Service
 metadata:
   labels:
     clusterctl.cluster.x-k8s.io/core: capi-operator
@@ -14165,7 +14097,6 @@ spec:
       - args:
         - --v=2
         - --health-addr=:8081
-        - --metrics-bind-addr=127.0.0.1:8080
         - --leader-elect=true
         command:
         - /manager
@@ -14187,30 +14118,6 @@ spec:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=2
-        image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1"
-        imagePullPolicy: IfNotPresent
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-        securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cert