✨ Scaffold auth proxy #513
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mengqiy The full list of commands accepted by this bot can be found here. The pull request process is described here
66670c0 to b907a90
Thanks for splitting the changes into separate commits. That was helpful. Change looks good. I have suggestions about using "auth_proxy" everywhere.
pkg/scaffold/manager/cmd.go
Outdated
@@ -57,6 +57,8 @@ import ( | |||
) | |||
|
|||
func main() { | |||
var metricsBindAddr string | |||
flag.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080", "The address the metric endpoint binds to.") |
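Review bot: The default of ":8080" for metrics-bind-addr in main() listens on every interface, so putting a proxy in front of /metrics does not by itself stop clients from reaching the unauthenticated port directly. Since this PR scaffolds an auth proxy, confirm that the auth proxy patch passes a loopback address such as 127.0.0.1:8080 to this flag, and consider saying in the help string that this endpoint is served without authentication.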
nit: can we call the flag metrics-addr? (internally we can use metricsBindAddr)
|
||
// KustomizeProxyPatch scaffolds the patch file for enabling | ||
// prometheus metrics for manager Pod. | ||
type KustomizeProxyPatch struct { |
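Review bot: The doc comment on KustomizeProxyPatch says it scaffolds the patch "for enabling prometheus metrics", which does not match the type name. If this type generates the proxy patch, the comment should say that it puts the manager Pod's /metrics endpoint behind the proxy, so the two patch scaffolds are not confused.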
Can we call this AuthProxy instead of Proxy?
pkg/scaffold/project/kustomize.go
Outdated
# Comment the following 3 lines if you want to disable | ||
# kube-rbac-proxy (https://github.com/brancz/kube-rbac-proxy) | ||
# which protects your /metrics endpoint. | ||
- ../rbac/kube-rbac-proxy-service.yaml |
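Review bot: "Comment the following 3 lines" relies on a line count that will silently go stale when entries are added or reordered. Name the entries to comment out instead, starting with ../rbac/kube-rbac-proxy-service.yaml, and state that doing so leaves /metrics without the proxy's protection.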
Can we name this file auth_proxy_service.yaml to keep it consistent with the roles file (also note the underscore)?
pkg/scaffold/project/kustomize.go
Outdated
# Protect the /metrics endpoint by putting it behind auth. | ||
# Only one of manager_kube_rbac_proxy_patch.yaml and | ||
# manager_prometheus_metrics_patch.yaml should be enabled. | ||
- manager_kube_rbac_proxy_patch.yaml |
Can we rename this file to use manager_auth_proxy_patch.yaml?
pkg/scaffold/project/kustomize.go
Outdated
# manager_prometheus_metrics_patch.yaml should be enabled. | ||
- manager_kube_rbac_proxy_patch.yaml | ||
# If you want your controller-manager to expose the /metrics | ||
# endpoint w/o any authorization, uncomment the following line and |
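Review bot: The comment starting "If you want your controller-manager to expose the /metrics endpoint w/o any authorization" presents the unprotected patch as a plain toggle. Add that any client able to reach the endpoint can then read the metrics, and repeat at this spot that manager_kube_rbac_proxy_patch.yaml has to be commented out at the same time, since the earlier comment says only one of the two patches should be enabled.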
w/o any authn/authz?
d0edba6 to 19150bf
PTAL
19150bf to e0047ce
@droot The last 2 commits are incremental changes since your last review.
4af3bbf to 9818fef
@@ -5,6 +5,7 @@ required = [ | |||
"github.com/go-openapi/spec", | |||
"github.com/onsi/ginkgo", # for integration testing | |||
"github.com/spf13/pflag", | |||
"github.com/pkg/errors", |
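Review bot: The new "github.com/pkg/errors" entry in required has no trailing comment saying why it is listed, unlike the ginkgo line above it ("# for integration testing"). Add a short comment with the reason so the entry is not removed later as apparently unused.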
dep will drop it w/o this line even though it's a dependency of sigs.k8s.io/controller-tools
Looks good to me. Pl. squash the commits and then we are good to go.
9818fef to a227e64
Done
The 1st commit updates CR and CT to pick up the latest changes that are necessary for this PR.