operator-framework/operator-sdk

Using kubebuilder's built-in mechanism to secure /metrics instead of using kube-rbac-proxy in helm-operator

dchirikov opened this issue · 2 comments

Feature Request

Describe the problem you need a feature to resolve.

Hi Team. In the helm-operator code, the /metrics endpoint is exposed and uses a 3rd party component, kube-rbac-proxy, to secure access to it. The image being used is currently hosted on gcr.io. There is a plan to retire Container Registry on GCP, so the image will not be available from March 18, 2025.

Describe the solution you'd like.

The proposed solution is to migrate to the built-in authn/authz mechanism added to kubebuilder, WithAuthenticationAndAuthorization. More details are described on the kubebuilder page:
https://book.kubebuilder.io/reference/metrics

/language helm

Hi @dchirikov. With the below issue, we'll move to kubebuilder 4.1.1 and away from scaffolding the kube-rbac-proxy. There is nothing stopping you from moving your project to the latest controller runtime to pick up these changes if you need them before operator-sdk's work is finished.

Hi @acornett21. Thanks for pointing this out. I was digging into the helm-operator code and did not realize I should be looking at the operator-sdk/internal/helm/flags/flag.go file to find the CLI args for helm-operator run.
So I guess I need to run with --metrics-addr=0.0.0.0:8443 --metrics-secure to mimic kube-rbac-proxy.
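
The RBAC that the WithAuthenticationAndAuthorization filter named in the issue relies on, as an added example that is not part of this thread or of operator-sdk's own manifests: the serving process must be allowed to create TokenReviews and SubjectAccessReviews, and a scraper needs `get` on the `/metrics` non-resource URL. All object names, service accounts and namespaces below are assumptions.

```yaml
# Added example; every metadata name, service account and namespace is assumed.
# Lets the operator validate bearer tokens and check the caller's permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-auth-role
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-auth-role
subjects:
  - kind: ServiceAccount
    name: helm-operator-controller-manager   # assumed operator identity
    namespace: helm-operator-system          # assumed
---
# Grants a scraper read access to the protected endpoint and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-reader-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader
subjects:
  - kind: ServiceAccount
    name: prometheus-k8s    # assumed scraper identity
    namespace: monitoring   # assumed
```

Without the first binding the filter cannot validate tokens, so scrapes are rejected even when the token is valid; without the second, an authenticated scraper is denied at the authorization step.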