diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index d0de46b592b..58fa2fd8fc0 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go @@ -56,9 +56,8 @@ Builtin types such as Job have their scheme added by `clientgoscheme`. */ var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") - certWatcher *certwatcher.CertWatcher + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") ) func init() { @@ -77,9 +76,7 @@ func main() { /* */ var metricsAddr string - var certPath string - var certName string - var certKey string + var metricsCertPath, metricsCertName, metricsCertKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -93,10 +90,9 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - flag.StringVar(&certPath, "cert-path", "", - "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") - flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") - flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -122,6 +118,9 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + webhookServer := webhook.NewServer(webhook.Options{ TLSOpts: tlsOpts, }) 
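Review bot: The new help text for `--metrics-cert-path` says the directory "contains the metrics server certificate", but the code joins both `metricsCertName` and `metricsCertKey` under it, and the sentence the old text carried — that setting it switches the server off controller-runtime's auto-generated certificate — is gone. Suggest `"The directory that contains the metrics server certificate and key. If set, the metrics server serves using them instead of an auto-generated self-signed certificate."`. The same shortened text is repeated in the getting-started, multiversion, multigroup and golang/v4 template copies of this hunk. main's body continues outside the hunk.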
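Review bot: The added comment `// Create watchers for metrics certificates` above `var metricsCertWatcher *certwatcher.CertWatcher` describes something this line does not do: it only declares a nil pointer, and the watcher is built further down, and only when `--metrics-cert-path` is non-empty. Suggest `// metricsCertWatcher stays nil unless --metrics-cert-path is set; see the certwatcher.New call below.` The same comment appears in the other four main.go copies in this commit. The enclosing main continues outside the hunk.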
@@ -134,38 +133,38 @@ func main() { BindAddress: metricsAddr, SecureServing: secureMetrics, TLSOpts: tlsOpts, - } - - if secureMetrics { // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + FilterProvider: filters.WithAuthenticationAndAuthorization, + } - // If the certificate is not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - // - // TODO(user): If you enable certManager, uncomment the following lines: - // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates - // managed by cert-manager for the metrics server. - // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. - if len(certPath) > 0 { - setupLog.Info("metrics server is serving securely using the provided key and certificate", - "cert-path", certPath, "cert-name", certName, "cert-key", certKey) - - var err error - certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) - if err != nil { - setupLog.Error(err, "to initialize certificate watcher", "error", err) - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = certWatcher.GetCertificate - }) + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. 
While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + certName := filepath.Join(metricsCertPath, metricsCertName) + certKey := filepath.Join(metricsCertPath, metricsCertKey) + + setupLog.Info("metrics server is serving securely using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) + + var err error + metricsCertWatcher, err = certwatcher.New(certName, certKey) + if err != nil { + setupLog.Error(err, "to initialize certificate watcher", "error", err) + os.Exit(1) } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ @@ -219,10 +218,10 @@ func main() { } // +kubebuilder:scaffold:builder - if secureMetrics && certWatcher != nil { - setupLog.Info("Adding certificate watcher to manager") - if err := mgr.Add(certWatcher); err != nil { - setupLog.Error(err, "unable to add certificate watcher to manager") + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") os.Exit(1) } } diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml index 36ef2c8f9c1..564da8469a2 100644 
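Review bot: Moving `FilterProvider: filters.WithAuthenticationAndAuthorization` into the struct literal, and the `if len(metricsCertPath) > 0` block out of the old `if secureMetrics {`, makes both apply even when `--metrics-secure=false`, a behavior change this flag-rename commit does not mention. Unless controller-runtime drops the filter for a non-secure server, clients of the plain-HTTP metrics endpoint would then have to present bearer tokens in cleartext, and the new `setupLog.Info("metrics server is serving securely using provided certificates", ...)` line would claim secure serving that is not happening; the following `mgr.Add(metricsCertWatcher)` hunk also dropped its `secureMetrics &&` guard. Restoring the guard is three lines around the filter and the cert-path block: `if secureMetrics {` / `metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization` / `}`. While here, the locals `certName`/`certKey` now hold full paths, so `certPath`/`keyPath` would read better and the log key `"metrics-cert-name"` would stop carrying a path under the flag's name, and the retained `setupLog.Error(err, "to initialize certificate watcher", "error", err)` passes err twice and reads as a fragment — `setupLog.Error(err, "unable to initialize certificate watcher")`. The same change is repeated in the getting-started, multiversion, multigroup and golang/v4 template main.go hunks; main continues outside the hunk.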
--- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml @@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs name: metrics-certs readOnly: true -# Add the cert-path argument +# Add the metrics-cert-path argument - op: add path: /spec/template/spec/containers/0/args/- - value: --cert-path=/tmp/k8s-metrics-server/metrics-certs + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs # Ensure the volumes field exists by creating it if missing - op: add path: /spec/template/spec/volumes diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index cb51ea83a14..27dbb9bb5ab 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml @@ -4118,7 +4118,7 @@ spec: - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 - - --cert-path=/tmp/k8s-metrics-server/metrics-certs + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs command: - /manager image: controller:latest diff --git a/docs/book/src/getting-started/testdata/project/cmd/main.go b/docs/book/src/getting-started/testdata/project/cmd/main.go index 09e5b363093..3cd126e887a 100644 --- a/docs/book/src/getting-started/testdata/project/cmd/main.go +++ b/docs/book/src/getting-started/testdata/project/cmd/main.go @@ -43,9 +43,8 @@ import ( ) var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") - certWatcher *certwatcher.CertWatcher + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") ) func init() { 
@@ -57,9 +56,7 @@ func init() { func main() { var metricsAddr string - var certPath string - var certName string - var certKey string + var metricsCertPath, metricsCertName, metricsCertKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool @@ -73,10 +70,9 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - flag.StringVar(&certPath, "cert-path", "", - "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") - flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") - flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -102,6 +98,9 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + webhookServer := webhook.NewServer(webhook.Options{ TLSOpts: tlsOpts, }) 
@@ -114,38 +113,38 @@ func main() { BindAddress: metricsAddr, SecureServing: secureMetrics, TLSOpts: tlsOpts, - } - - if secureMetrics { // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + FilterProvider: filters.WithAuthenticationAndAuthorization, + } - // If the certificate is not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - // - // TODO(user): If you enable certManager, uncomment the following lines: - // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates - // managed by cert-manager for the metrics server. - // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. - if len(certPath) > 0 { - setupLog.Info("metrics server is serving securely using the provided key and certificate", - "cert-path", certPath, "cert-name", certName, "cert-key", certKey) - - var err error - certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) - if err != nil { - setupLog.Error(err, "to initialize certificate watcher", "error", err) - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = certWatcher.GetCertificate - }) + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. 
While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + certName := filepath.Join(metricsCertPath, metricsCertName) + certKey := filepath.Join(metricsCertPath, metricsCertKey) + + setupLog.Info("metrics server is serving securely using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) + + var err error + metricsCertWatcher, err = certwatcher.New(certName, certKey) + if err != nil { + setupLog.Error(err, "to initialize certificate watcher", "error", err) + os.Exit(1) } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ @@ -181,10 +180,10 @@ func main() { } // +kubebuilder:scaffold:builder - if secureMetrics && certWatcher != nil { - setupLog.Info("Adding certificate watcher to manager") - if err := mgr.Add(certWatcher); err != nil { - setupLog.Error(err, "unable to add certificate watcher to manager") + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") os.Exit(1) } } diff --git a/docs/book/src/getting-started/testdata/project/config/default/cert_metrics_manager_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/cert_metrics_manager_patch.yaml index 36ef2c8f9c1..564da8469a2 100644 
--- a/docs/book/src/getting-started/testdata/project/config/default/cert_metrics_manager_patch.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/cert_metrics_manager_patch.yaml @@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs name: metrics-certs readOnly: true -# Add the cert-path argument +# Add the metrics-cert-path argument - op: add path: /spec/template/spec/containers/0/args/- - value: --cert-path=/tmp/k8s-metrics-server/metrics-certs + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs # Ensure the volumes field exists by creating it if missing - op: add path: /spec/template/spec/volumes diff --git a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go index 83845ea0bcf..d56885473b2 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/multiversion-tutorial/testdata/project/cmd/main.go @@ -53,9 +53,8 @@ import ( */ var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") - certWatcher *certwatcher.CertWatcher + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") ) func init() { @@ -76,9 +75,7 @@ func main() { /* */ var metricsAddr string - var certPath string - var certName string - var certKey string + var metricsCertPath, metricsCertName, metricsCertKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -92,10 +89,9 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - flag.StringVar(&certPath, "cert-path", "", - "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") - flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") - flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -121,6 +117,9 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + webhookServer := webhook.NewServer(webhook.Options{ TLSOpts: tlsOpts, }) 
@@ -133,38 +132,38 @@ func main() { BindAddress: metricsAddr, SecureServing: secureMetrics, TLSOpts: tlsOpts, - } - - if secureMetrics { // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + FilterProvider: filters.WithAuthenticationAndAuthorization, + } - // If the certificate is not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - // - // TODO(user): If you enable certManager, uncomment the following lines: - // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates - // managed by cert-manager for the metrics server. - // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. - if len(certPath) > 0 { - setupLog.Info("metrics server is serving securely using the provided key and certificate", - "cert-path", certPath, "cert-name", certName, "cert-key", certKey) - - var err error - certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) - if err != nil { - setupLog.Error(err, "to initialize certificate watcher", "error", err) - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = certWatcher.GetCertificate - }) + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. 
While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + certName := filepath.Join(metricsCertPath, metricsCertName) + certKey := filepath.Join(metricsCertPath, metricsCertKey) + + setupLog.Info("metrics server is serving securely using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) + + var err error + metricsCertWatcher, err = certwatcher.New(certName, certKey) + if err != nil { + setupLog.Error(err, "to initialize certificate watcher", "error", err) + os.Exit(1) } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ @@ -222,10 +221,10 @@ func main() { /* */ - if secureMetrics && certWatcher != nil { - setupLog.Info("Adding certificate watcher to manager") - if err := mgr.Add(certWatcher); err != nil { - setupLog.Error(err, "unable to add certificate watcher to manager") + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") os.Exit(1) } } diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml index 36ef2c8f9c1..564da8469a2 100644 
--- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/cert_metrics_manager_patch.yaml @@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs name: metrics-certs readOnly: true -# Add the cert-path argument +# Add the metrics-cert-path argument - op: add path: /spec/template/spec/containers/0/args/- - value: --cert-path=/tmp/k8s-metrics-server/metrics-certs + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs # Ensure the volumes field exists by creating it if missing - op: add path: /spec/template/spec/volumes diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 9faa89deee4..f3716ea8657 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -7929,7 +7929,7 @@ spec: - --metrics-bind-address=:8443 - --leader-elect - --health-probe-bind-address=:8081 - - --cert-path=/tmp/k8s-metrics-server/metrics-certs + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs command: - /manager image: controller:latest diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index 49434ecd1a1..361c80d3967 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md 
@@ -228,41 +228,6 @@ project to use certificates managed by CertManager. kind: ServiceMonitor ``` -Now, that you properly enable this option check the `cmd/main.go` to see how it will be used:** - -```go - if secureMetrics { - // FilterProvider is used to protect the metrics endpoint with authn/authz. - // These configurations ensure that only authorized users and service accounts - // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: - // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - - // If the certificate is not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - // - // TODO(user): If you enable certManager, uncomment the following lines: - // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates - // managed by cert-manager for the metrics server. - // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. - if len(certDir) > 0 { - setupLog.Info("metrics server is serving securely using the provided key and certificate", - "cert-path", certDir, "cert-name", certName, "cert-key", certKey) - - var err error - certWatcher, err = certwatcher.New(filepath.Join(certDir, certName), filepath.Join(certDir, certKey)) - if err != nil { - setupLog.Error(err, "to initialize certificate watcher", "error", err) - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = certWatcher.GetCertificate - }) - } - } -``` ### **(Optional)** By using Network Policy (Disabled by default) 
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/cert_metrics_manager_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/cert_metrics_manager_patch.go index ad9a3a04441..829aae41424 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/cert_metrics_manager_patch.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/cert_metrics_manager_patch.go @@ -63,10 +63,10 @@ const metricsManagerPatchTemplate = `# This patch adds the args and volumes to a mountPath: /tmp/k8s-metrics-server/metrics-certs name: metrics-certs readOnly: true -# Add the cert-path argument +# Add the metrics-cert-path argument - op: add path: /spec/template/spec/containers/0/args/- - value: --cert-path=/tmp/k8s-metrics-server/metrics-certs + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs # Ensure the volumes field exists by creating it if missing - op: add path: /spec/template/spec/volumes diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go index ba052cc1b06..4100d6d14f5 100644 --- a/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go +++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/cmd/main.go @@ -248,7 +248,6 @@ import ( var ( scheme = runtime.NewScheme() setupLog = ctrl.Log.WithName("setup") - certWatcher *certwatcher.CertWatcher ) func init() { @@ -259,9 +258,7 @@ func init() { func main() { var metricsAddr string - var certPath string - var certName string - var certKey string + var metricsCertPath, metricsCertName, metricsCertKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -275,10 +272,9 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - flag.StringVar(&certPath, "cert-path", "", - "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") - flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") - flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ 
@@ -304,50 +300,53 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + webhookServer := webhook.NewServer(webhook.Options{ TLSOpts: tlsOpts, }) // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. // More info: - // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/server + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server // - https://book.kubebuilder.io/reference/metrics.html metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, SecureServing: secureMetrics, - TLSOpts: tlsOpts, - } - - if secureMetrics { + TLSOpts: tlsOpts, // FilterProvider is used to protect the metrics endpoint with authn/authz. // These configurations ensure that only authorized users and service accounts // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: - // https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + FilterProvider: filters.WithAuthenticationAndAuthorization, + } - // If the certificate is not specified, controller-runtime will automatically - // generate self-signed certificates for the metrics server. While convenient for development and testing, - // this setup is not recommended for production. - // - // TODO(user): If you enable certManager, uncomment the following lines: - // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates - // managed by cert-manager for the metrics server. 
- // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. - if len(certPath) > 0 { - setupLog.Info("metrics server is serving securely using the provided key and certificate", - "cert-path", certPath, "cert-name", certName, "cert-key", certKey) - - var err error - certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey)) - if err != nil { - setupLog.Error(err, "to initialize certificate watcher", "error", err) - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = certWatcher.GetCertificate - }) + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + certName := filepath.Join(metricsCertPath, metricsCertName) + certKey := filepath.Join(metricsCertPath, metricsCertKey) + + setupLog.Info("metrics server is serving securely using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey) + + var err error + metricsCertWatcher, err = certwatcher.New(certName, certKey) + if err != nil { + setupLog.Error(err, "to initialize certificate watcher", "error", err) + os.Exit(1) } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) } mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 
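Review bot: The two doc URLs in this hunk go from `controller-runtime@{{ .ControllerRuntimeVersion }}` to the literal `controller-runtime@v0.19.1`, and in a scaffold template that pins every generated project's link to one version regardless of the controller-runtime it is scaffolded with — the placeholder was what kept the links accurate. Keep the template expressions: `// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/server` and `// https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization`. The unconditional FilterProvider and cert-path handling in this hunk carries the same `--metrics-secure=false` implications as the cronjob-tutorial copy. main continues outside the hunk.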
@@ -380,10 +379,10 @@ func main() { %s - if secureMetrics && certWatcher != nil { - setupLog.Info("Adding certificate watcher to manager") - if err := mgr.Add(certWatcher); err != nil { - setupLog.Error(err, "unable to add certificate watcher to manager") + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") os.Exit(1) } } diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go index a1c62106ea6..f453acd426d 100644 --- a/testdata/project-v4-multigroup/cmd/main.go +++ b/testdata/project-v4-multigroup/cmd/main.go @@ -72,9 +72,8 @@ import ( ) var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") - certWatcher *certwatcher.CertWatcher + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") ) func init() { @@ -98,9 +97,7 @@ func init() { func main() { var metricsAddr string - var certPath string - var certName string - var certKey string + var metricsCertPath, metricsCertName, metricsCertKey string var enableLeaderElection bool var probeAddr string var secureMetrics bool 
@@ -114,10 +111,9 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - flag.StringVar(&certPath, "cert-path", "", - "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.") - flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt") - flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ @@ -143,6 +139,9 @@ func main() { tlsOpts = append(tlsOpts, disableHTTP2) } + // Create watchers for metrics certificates + var metricsCertWatcher *certwatcher.CertWatcher + webhookServer := webhook.NewServer(webhook.Options{ TLSOpts: tlsOpts, }) 
@@ -155,38 +154,38 @@ func main() {
 BindAddress: metricsAddr,
 SecureServing: secureMetrics,
 TLSOpts: tlsOpts,
- }
-
- if secureMetrics {
 // FilterProvider is used to protect the metrics endpoint with authn/authz.
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
- metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+ FilterProvider: filters.WithAuthenticationAndAuthorization,
+ }
- // If the certificate is not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
- //
- // TODO(user): If you enable certManager, uncomment the following lines:
- // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
- // managed by cert-manager for the metrics server.
- // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
- if len(certPath) > 0 {
- setupLog.Info("metrics server is serving securely using the provided key and certificate",
- "cert-path", certPath, "cert-name", certName, "cert-key", certKey)
+ // If the certificate is not specified, controller-runtime will automatically
+ // generate self-signed certificates for the metrics server. While convenient for development and testing,
+ // this setup is not recommended for production.
+ //
+ // TODO(user): If you enable certManager, uncomment the following lines:
+ // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
+ // managed by cert-manager for the metrics server.
+ // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
+ if len(metricsCertPath) > 0 {
+ certName := filepath.Join(metricsCertPath, metricsCertName)
+ certKey := filepath.Join(metricsCertPath, metricsCertKey)
- var err error
- certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey))
- if err != nil {
- setupLog.Error(err, "to initialize certificate watcher", "error", err)
- os.Exit(1)
- }
+ setupLog.Info("metrics server is serving securely using provided certificates",
+ "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey)
- metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
- config.GetCertificate = certWatcher.GetCertificate
- })
+ var err error
+ metricsCertWatcher, err = certwatcher.New(certName, certKey)
+ if err != nil {
+ setupLog.Error(err, "to initialize certificate watcher", "error", err)
+ os.Exit(1)
 }
+
+ metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
+ config.GetCertificate = metricsCertWatcher.GetCertificate
+ })
 }
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
@@ -371,10 +370,10 @@ func main() {
 }
 // +kubebuilder:scaffold:builder
- if secureMetrics && certWatcher != nil {
- setupLog.Info("Adding certificate watcher to manager")
- if err := mgr.Add(certWatcher); err != nil {
- setupLog.Error(err, "unable to add certificate watcher to manager")
+ if metricsCertWatcher != nil {
+ setupLog.Info("Adding metrics certificate watcher to manager")
+ if err := mgr.Add(metricsCertWatcher); err != nil {
+ setupLog.Error(err, "unable to add metrics certificate watcher to manager")
 os.Exit(1)
 }
 }
diff --git a/testdata/project-v4-multigroup/config/default/cert_metrics_manager_patch.yaml b/testdata/project-v4-multigroup/config/default/cert_metrics_manager_patch.yaml
index 36ef2c8f9c1..564da8469a2 100644
--- a/testdata/project-v4-multigroup/config/default/cert_metrics_manager_patch.yaml
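Review bot: `setupLog.Info("metrics server is serving securely using provided certificates", ...)` now runs whenever `--metrics-cert-path` is set, regardless of `secureMetrics`, whereas the removed code kept this whole block inside `if secureMetrics {`; with `--metrics-secure=false` the operator is told the endpoint is served securely while it is plain HTTP, and a watcher plus `GetCertificate` hook are wired up for a server that presumably never consults them. Guarding with `if secureMetrics && len(metricsCertPath) > 0 {` keeps the log truthful, avoids the idle watcher and makes the later `if metricsCertWatcher != nil` check sufficient on its own. `FilterProvider: filters.WithAuthenticationAndAuthorization` is likewise set unconditionally now; as far as I recall controller-runtime only applies it when SecureServing is true, so behaviour should be unchanged, but the comment above it should say that the authn/authz filter only takes effect with `--metrics-secure=true`, otherwise a reader assumes the endpoint is always protected. On the re-added error path, `setupLog.Error(err, "to initialize certificate watcher", "error", err)` reads as a fragment and passes err twice (logr's Error already records it); `setupLog.Error(err, "unable to initialize certificate watcher")` is enough. The same block appears in the @@ -120 hunk of testdata/project-v4-with-plugins/cmd/main.go and the @@ -123 hunk of testdata/project-v4/cmd/main.go; main's body continues outside this hunk.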
+++ b/testdata/project-v4-multigroup/config/default/cert_metrics_manager_patch.yaml
@@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs
 name: metrics-certs
 readOnly: true
-# Add the cert-path argument
+# Add the metrics-cert-path argument
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: --cert-path=/tmp/k8s-metrics-server/metrics-certs
+ value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
 # Ensure the volumes field exists by creating it if missing
 - op: add
 path: /spec/template/spec/volumes
diff --git a/testdata/project-v4-with-plugins/cmd/main.go b/testdata/project-v4-with-plugins/cmd/main.go
index 0d65ef186a0..7d4943094c6 100644
--- a/testdata/project-v4-with-plugins/cmd/main.go
+++ b/testdata/project-v4-with-plugins/cmd/main.go
@@ -47,9 +47,8 @@ import (
 )
 var (
- scheme = runtime.NewScheme()
- setupLog = ctrl.Log.WithName("setup")
- certWatcher *certwatcher.CertWatcher
+ scheme = runtime.NewScheme()
+ setupLog = ctrl.Log.WithName("setup")
 )
 func init() {
@@ -63,9 +62,7 @@ func init() {
 func main() {
 var metricsAddr string
- var certPath string
- var certName string
- var certKey string
+ var metricsCertPath, metricsCertName, metricsCertKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -79,10 +76,9 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
- flag.StringVar(&certPath, "cert-path", "",
- "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.")
- flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt")
- flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key")
+ flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.")
+ flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
+ flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
@@ -108,6 +104,9 @@ func main() {
 tlsOpts = append(tlsOpts, disableHTTP2)
 }
+ // Create watchers for metrics certificates
+ var metricsCertWatcher *certwatcher.CertWatcher
+
 webhookServer := webhook.NewServer(webhook.Options{
 TLSOpts: tlsOpts,
 })
@@ -120,38 +119,38 @@ func main() {
 BindAddress: metricsAddr,
 SecureServing: secureMetrics,
 TLSOpts: tlsOpts,
- }
-
- if secureMetrics {
 // FilterProvider is used to protect the metrics endpoint with authn/authz.
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
- metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+ FilterProvider: filters.WithAuthenticationAndAuthorization,
+ }
- // If the certificate is not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
- //
- // TODO(user): If you enable certManager, uncomment the following lines:
- // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
- // managed by cert-manager for the metrics server.
- // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
- if len(certPath) > 0 {
- setupLog.Info("metrics server is serving securely using the provided key and certificate",
- "cert-path", certPath, "cert-name", certName, "cert-key", certKey)
-
- var err error
- certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey))
- if err != nil {
- setupLog.Error(err, "to initialize certificate watcher", "error", err)
- os.Exit(1)
- }
-
- metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
- config.GetCertificate = certWatcher.GetCertificate
- })
+ // If the certificate is not specified, controller-runtime will automatically
+ // generate self-signed certificates for the metrics server. While convenient for development and testing,
+ // this setup is not recommended for production.
+ //
+ // TODO(user): If you enable certManager, uncomment the following lines:
+ // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
+ // managed by cert-manager for the metrics server.
+ // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
+ if len(metricsCertPath) > 0 {
+ certName := filepath.Join(metricsCertPath, metricsCertName)
+ certKey := filepath.Join(metricsCertPath, metricsCertKey)
+
+ setupLog.Info("metrics server is serving securely using provided certificates",
+ "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey)
+
+ var err error
+ metricsCertWatcher, err = certwatcher.New(certName, certKey)
+ if err != nil {
+ setupLog.Error(err, "to initialize certificate watcher", "error", err)
+ os.Exit(1)
 }
+
+ metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
+ config.GetCertificate = metricsCertWatcher.GetCertificate
+ })
 }
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
@@ -217,10 +216,10 @@ func main() {
 }
 // +kubebuilder:scaffold:builder
- if secureMetrics && certWatcher != nil {
- setupLog.Info("Adding certificate watcher to manager")
- if err := mgr.Add(certWatcher); err != nil {
- setupLog.Error(err, "unable to add certificate watcher to manager")
+ if metricsCertWatcher != nil {
+ setupLog.Info("Adding metrics certificate watcher to manager")
+ if err := mgr.Add(metricsCertWatcher); err != nil {
+ setupLog.Error(err, "unable to add metrics certificate watcher to manager")
 os.Exit(1)
 }
 }
diff --git a/testdata/project-v4-with-plugins/config/default/cert_metrics_manager_patch.yaml b/testdata/project-v4-with-plugins/config/default/cert_metrics_manager_patch.yaml
index 36ef2c8f9c1..564da8469a2 100644
--- a/testdata/project-v4-with-plugins/config/default/cert_metrics_manager_patch.yaml
+++ b/testdata/project-v4-with-plugins/config/default/cert_metrics_manager_patch.yaml
@@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs
 name: metrics-certs
 readOnly: true
-# Add the cert-path argument
+# Add the metrics-cert-path argument
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: --cert-path=/tmp/k8s-metrics-server/metrics-certs
+ value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
 # Ensure the volumes field exists by creating it if missing
 - op: add
 path: /spec/template/spec/volumes
diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go
index 7ba0af90cf2..f3b74461813 100644
--- a/testdata/project-v4/cmd/main.go
+++ b/testdata/project-v4/cmd/main.go
@@ -50,9 +50,8 @@ import (
 )
 var (
- scheme = runtime.NewScheme()
- setupLog = ctrl.Log.WithName("setup")
- certWatcher *certwatcher.CertWatcher
+ scheme = runtime.NewScheme()
+ setupLog = ctrl.Log.WithName("setup")
 )
 func init() {
@@ -66,9 +65,7 @@ func init() {
 func main() {
 var metricsAddr string
- var certPath string
- var certName string
- var certKey string
+ var metricsCertPath, metricsCertName, metricsCertKey string
 var enableLeaderElection bool
 var probeAddr string
 var secureMetrics bool
@@ -82,10 +79,9 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&secureMetrics, "metrics-secure", true,
 "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
- flag.StringVar(&certPath, "cert-path", "",
- "The directory that contains the server key and certificate. If set, the metrics server will serve using the provided key and certificate.")
- flag.StringVar(&certName, "cert-name", "tls.crt", "CertName is the server certificate name. Defaults to tls.crt")
- flag.StringVar(&certKey, "cert-key", "tls.key", "KeyName is the server key name. Defaults to tls.key")
+ flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.")
+ flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
+ flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
 flag.BoolVar(&enableHTTP2, "enable-http2", false,
 "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
@@ -111,6 +107,9 @@ func main() {
 tlsOpts = append(tlsOpts, disableHTTP2)
 }
+ // Create watchers for metrics certificates
+ var metricsCertWatcher *certwatcher.CertWatcher
+
 webhookServer := webhook.NewServer(webhook.Options{
 TLSOpts: tlsOpts,
 })
@@ -123,38 +122,38 @@ func main() {
 BindAddress: metricsAddr,
 SecureServing: secureMetrics,
 TLSOpts: tlsOpts,
- }
-
- if secureMetrics {
 // FilterProvider is used to protect the metrics endpoint with authn/authz.
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
 // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
- metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+ FilterProvider: filters.WithAuthenticationAndAuthorization,
+ }
- // If the certificate is not specified, controller-runtime will automatically
- // generate self-signed certificates for the metrics server. While convenient for development and testing,
- // this setup is not recommended for production.
- //
- // TODO(user): If you enable certManager, uncomment the following lines:
- // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
- // managed by cert-manager for the metrics server.
- // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
- if len(certPath) > 0 {
- setupLog.Info("metrics server is serving securely using the provided key and certificate",
- "cert-path", certPath, "cert-name", certName, "cert-key", certKey)
+ // If the certificate is not specified, controller-runtime will automatically
+ // generate self-signed certificates for the metrics server. While convenient for development and testing,
+ // this setup is not recommended for production.
+ //
+ // TODO(user): If you enable certManager, uncomment the following lines:
+ // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
+ // managed by cert-manager for the metrics server.
+ // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
+ if len(metricsCertPath) > 0 {
+ certName := filepath.Join(metricsCertPath, metricsCertName)
+ certKey := filepath.Join(metricsCertPath, metricsCertKey)
- var err error
- certWatcher, err = certwatcher.New(filepath.Join(certPath, certName), filepath.Join(certPath, certKey))
- if err != nil {
- setupLog.Error(err, "to initialize certificate watcher", "error", err)
- os.Exit(1)
- }
+ setupLog.Info("metrics server is serving securely using provided certificates",
+ "metrics-cert-path", metricsCertPath, "metrics-cert-name", certName, "metrics-cert-key", certKey)
- metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
- config.GetCertificate = certWatcher.GetCertificate
- })
+ var err error
+ metricsCertWatcher, err = certwatcher.New(certName, certKey)
+ if err != nil {
+ setupLog.Error(err, "to initialize certificate watcher", "error", err)
+ os.Exit(1)
 }
+
+ metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
+ config.GetCertificate = metricsCertWatcher.GetCertificate
+ })
 }
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
@@ -253,10 +252,10 @@ func main() {
 }
 // +kubebuilder:scaffold:builder
- if secureMetrics && certWatcher != nil {
- setupLog.Info("Adding certificate watcher to manager")
- if err := mgr.Add(certWatcher); err != nil {
- setupLog.Error(err, "unable to add certificate watcher to manager")
+ if metricsCertWatcher != nil {
+ setupLog.Info("Adding metrics certificate watcher to manager")
+ if err := mgr.Add(metricsCertWatcher); err != nil {
+ setupLog.Error(err, "unable to add metrics certificate watcher to manager")
 os.Exit(1)
 }
 }
diff --git a/testdata/project-v4/config/default/cert_metrics_manager_patch.yaml b/testdata/project-v4/config/default/cert_metrics_manager_patch.yaml
index 36ef2c8f9c1..564da8469a2 100644
--- a/testdata/project-v4/config/default/cert_metrics_manager_patch.yaml
+++ b/testdata/project-v4/config/default/cert_metrics_manager_patch.yaml
@@ -10,10 +10,10 @@ mountPath: /tmp/k8s-metrics-server/metrics-certs
 name: metrics-certs
 readOnly: true
-# Add the cert-path argument
+# Add the metrics-cert-path argument
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: --cert-path=/tmp/k8s-metrics-server/metrics-certs
+ value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
 # Ensure the volumes field exists by creating it if missing
 - op: add
 path: /spec/template/spec/volumes