-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
89e7ab3
commit 8556f21
Showing
17 changed files
with
286 additions
and
328 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,9 +56,8 @@ Builtin types such as Job have their scheme added by `clientgoscheme`. | |
| */ | ||
|
|
||
| var ( | ||
| scheme = runtime.NewScheme() | ||
| setupLog = ctrl.Log.WithName("setup") | ||
| certWatcher *certwatcher.CertWatcher | ||
| scheme = runtime.NewScheme() | ||
| setupLog = ctrl.Log.WithName("setup") | ||
| ) | ||
|
|
||
| func init() { | ||
|
|
@@ -77,9 +76,7 @@ func main() { | |
| /* | ||
| */ | ||
| var metricsAddr string | ||
| var certPath string | ||
| var certName string | ||
| var certKey string | ||
| var metricsCertPath, metricsCertName, metricsCertKey string | ||
| var enableLeaderElection bool | ||
| var probeAddr string | ||
| var secureMetrics bool | ||
|
|
@@ -93,10 +90,9 @@ func main() { | |
| "Enabling this will ensure there is only one active controller manager.") | ||
| flag.BoolVar(&secureMetrics, "metrics-secure", true, | ||
| "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") | ||
| flag.StringVar(&certPath, "cert-path", "", | ||
| "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") | ||
| flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") | ||
| flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") | ||
| flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") | ||
| flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") | ||
| flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") | ||
| flag.BoolVar(&enableHTTP2, "enable-http2", false, | ||
| "If set, HTTP/2 will be enabled for the metrics and webhook servers") | ||
| opts := zap.Options{ | ||
|
|
@@ -122,6 +118,9 @@ func main() { | |
| tlsOpts = append(tlsOpts, disableHTTP2) | ||
| } | ||
|
|
||
| // Create watchers for metrics certificates | ||
| var metricsCertWatcher *certwatcher.CertWatcher | ||
|
|
||
| webhookServer := webhook.NewServer(webhook.Options{ | ||
| TLSOpts: tlsOpts, | ||
| }) | ||
|
|
@@ -134,38 +133,38 @@ func main() { | |
| BindAddress: metricsAddr, | ||
| SecureServing: secureMetrics, | ||
| TLSOpts: tlsOpts, | ||
| } | ||
|
|
||
| if secureMetrics { | ||
| // FilterProvider is used to protect the metrics endpoint with authn/authz. | ||
| // These configurations ensure that only authorized users and service accounts | ||
| // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||
| // https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||
| metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization | ||
| FilterProvider: filters.WithAuthenticationAndAuthorization, | ||
| } | ||
|
|
||
| // If the certificate is not specified, controller-runtime will automatically | ||
| // generate self-signed certificates for the metrics server. While convenient for development and testing, | ||
| // this setup is not recommended for production. | ||
| // | ||
| // TODO(user): If you enable certManager, uncomment the following lines: | ||
| // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||
| // managed by cert-manager for the metrics server. | ||
| // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||
| if len(certPath) > 0 { | ||
| setupLog.Info("metrics server is serving securely using the provided key and certificate", | ||
| "cert-path", certPath, "cert-name", certName, "cert-key", certKey) | ||
|
|
||
| var err error | ||
| certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) | ||
| if err != nil { | ||
| setupLog.Error(err, "to initialize certificate watcher", "error", err) | ||
| os.Exit(1) | ||
| } | ||
|
|
||
| metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||
| config.GetCertificate = certWatcher.GetCertificate | ||
| }) | ||
| // If the certificate is not specified, controller-runtime will automatically | ||
| // generate self-signed certificates for the metrics server. While convenient for development and testing, | ||
| // this setup is not recommended for production. | ||
| // | ||
| // TODO(user): If you enable certManager, uncomment the following lines: | ||
| // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||
| // managed by cert-manager for the metrics server. | ||
| // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||
| if len(metricsCertPath) > 0 { | ||
| certName := filepath.Join(metricsCertPath, metricsCertName) | ||
| certKey := filepath.Join(metricsCertPath, metricsCertKey) | ||
|
|
||
| setupLog.Info("metrics server is serving securely using provided certificates", | ||
| "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) | ||
|
|
||
| var err error | ||
| metricsCertWatcher, err = certwatcher.New(certName, certKey) | ||
| if err != nil { | ||
| setupLog.Error(err, "to initialize certificate watcher", "error", err) | ||
| os.Exit(1) | ||
| } | ||
|
|
||
| metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||
| config.GetCertificate = metricsCertWatcher.GetCertificate | ||
| }) | ||
| } | ||
|
|
||
| mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ | ||
|
|
@@ -219,10 +218,10 @@ func main() { | |
| } | ||
| // +kubebuilder:scaffold:builder | ||
|
|
||
| if secureMetrics && certWatcher != nil { | ||
| setupLog.Info("Adding certificate watcher to manager") | ||
| if err := mgr.Add(certWatcher); err != nil { | ||
| setupLog.Error(err, "unable to add certificate watcher to manager") | ||
| if metricsCertWatcher != nil { | ||
| setupLog.Info("Adding metrics certificate watcher to manager") | ||
| if err := mgr.Add(metricsCertWatcher); err != nil { | ||
| setupLog.Error(err, "unable to add metrics certificate watcher to manager") | ||
| os.Exit(1) | ||
| } | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -43,9 +43,8 @@ import ( | |
| ) | ||
|
|
||
| var ( | ||
| scheme = runtime.NewScheme() | ||
| setupLog = ctrl.Log.WithName("setup") | ||
| certWatcher *certwatcher.CertWatcher | ||
| scheme = runtime.NewScheme() | ||
| setupLog = ctrl.Log.WithName("setup") | ||
| ) | ||
|
|
||
| func init() { | ||
|
|
@@ -57,9 +56,7 @@ func init() { | |
|
|
||
| func main() { | ||
| var metricsAddr string | ||
| var certPath string | ||
| var certName string | ||
| var certKey string | ||
| var metricsCertPath, metricsCertName, metricsCertKey string | ||
| var enableLeaderElection bool | ||
| var probeAddr string | ||
| var secureMetrics bool | ||
|
|
@@ -73,10 +70,9 @@ func main() { | |
| "Enabling this will ensure there is only one active controller manager.") | ||
| flag.BoolVar(&secureMetrics, "metrics-secure", true, | ||
| "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") | ||
| flag.StringVar(&certPath, "cert-path", "", | ||
| "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") | ||
| flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") | ||
| flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") | ||
| flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") | ||
| flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") | ||
| flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") | ||
| flag.BoolVar(&enableHTTP2, "enable-http2", false, | ||
| "If set, HTTP/2 will be enabled for the metrics and webhook servers") | ||
| opts := zap.Options{ | ||
|
|
@@ -102,6 +98,9 @@ func main() { | |
| tlsOpts = append(tlsOpts, disableHTTP2) | ||
| } | ||
|
|
||
| // Create watchers for metrics certificates | ||
| var metricsCertWatcher *certwatcher.CertWatcher | ||
|
|
||
| webhookServer := webhook.NewServer(webhook.Options{ | ||
| TLSOpts: tlsOpts, | ||
| }) | ||
|
|
@@ -114,38 +113,38 @@ func main() { | |
| BindAddress: metricsAddr, | ||
| SecureServing: secureMetrics, | ||
| TLSOpts: tlsOpts, | ||
| } | ||
|
|
||
| if secureMetrics { | ||
| // FilterProvider is used to protect the metrics endpoint with authn/authz. | ||
| // These configurations ensure that only authorized users and service accounts | ||
| // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||
| // https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||
| metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization | ||
| FilterProvider: filters.WithAuthenticationAndAuthorization, | ||
| } | ||
|
|
||
| // If the certificate is not specified, controller-runtime will automatically | ||
| // generate self-signed certificates for the metrics server. While convenient for development and testing, | ||
| // this setup is not recommended for production. | ||
| // | ||
| // TODO(user): If you enable certManager, uncomment the following lines: | ||
| // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||
| // managed by cert-manager for the metrics server. | ||
| // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||
| if len(certPath) > 0 { | ||
| setupLog.Info("metrics server is serving securely using the provided key and certificate", | ||
| "cert-path", certPath, "cert-name", certName, "cert-key", certKey) | ||
|
|
||
| var err error | ||
| certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) | ||
| if err != nil { | ||
| setupLog.Error(err, "to initialize certificate watcher", "error", err) | ||
| os.Exit(1) | ||
| } | ||
|
|
||
| metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||
| config.GetCertificate = certWatcher.GetCertificate | ||
| }) | ||
| // If the certificate is not specified, controller-runtime will automatically | ||
| // generate self-signed certificates for the metrics server. While convenient for development and testing, | ||
| // this setup is not recommended for production. | ||
| // | ||
| // TODO(user): If you enable certManager, uncomment the following lines: | ||
| // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||
| // managed by cert-manager for the metrics server. | ||
| // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||
| if len(metricsCertPath) > 0 { | ||
| certName := filepath.Join(metricsCertPath, metricsCertName) | ||
| certKey := filepath.Join(metricsCertPath, metricsCertKey) | ||
|
|
||
| setupLog.Info("metrics server is serving securely using provided certificates", | ||
| "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) | ||
|
|
||
| var err error | ||
| metricsCertWatcher, err = certwatcher.New(certName, certKey) | ||
| if err != nil { | ||
| setupLog.Error(err, "to initialize certificate watcher", "error", err) | ||
| os.Exit(1) | ||
| } | ||
|
|
||
| metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||
| config.GetCertificate = metricsCertWatcher.GetCertificate | ||
| }) | ||
| } | ||
|
|
||
| mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ | ||
|
|
@@ -181,10 +180,10 @@ func main() { | |
| } | ||
| // +kubebuilder:scaffold:builder | ||
|
|
||
| if secureMetrics && certWatcher != nil { | ||
| setupLog.Info("Adding certificate watcher to manager") | ||
| if err := mgr.Add(certWatcher); err != nil { | ||
| setupLog.Error(err, "unable to add certificate watcher to manager") | ||
| if metricsCertWatcher != nil { | ||
| setupLog.Info("Adding metrics certificate watcher to manager") | ||
| if err := mgr.Add(metricsCertWatcher); err != nil { | ||
| setupLog.Error(err, "unable to add metrics certificate watcher to manager") | ||
| os.Exit(1) | ||
| } | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.