Drop `kube-rbac-proxy` container usage in `config` by Rohit-0505 · Pull Request #243 · ironcore-dev/metal-operator

Rohit-0505 · 2025-02-19T04:35:48Z

Overview

The PR removes the soon-to-be deprecated kube-rbac-proxy container dependency and replaces it with Controller-Runtime's built-in authn/authz for securing the metrics endpoint. This simplifies setup, enhances security, and follows the latest Kubebuilder best practices.

Key Changes

Modified the docker-build target to build multi-stage docker images, for ex: controller-manager and metalprobe docker images
Removed kube-rbac-proxy dependency.
Enabled Controller-Runtime's built-in authentication & authorization for metrics.
Enhanced cert-manager integration to secure metrics with TLS encryption.
Added e2e tests to validate the metrics endpoint

Fixes #209

Ref:
kubernetes-sigs/kubebuilder#3907
kubernetes-sigs/controller-runtime#2407
kubernetes-sigs/kubebuilder#4400
kubernetes-sigs/kubebuilder/docs/reference/metrics (v4.5.0)

…authn/authz for metrics

…tion

Nuckal777

Thanks. 👍

github-actions Bot added size/XXL enhancement New feature or request labels Feb 19, 2025

Rohit-0505 self-assigned this Feb 19, 2025

Rohit-0505 marked this pull request as draft February 19, 2025 04:36

lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch 11 times, most recently from 01146ca to 618a1fc Compare February 26, 2025 03:42

Rohit-0505 marked this pull request as ready for review February 26, 2025 04:13

afritzler requested review from Nuckal777, afritzler and damyan March 3, 2025 09:06

Drop kube-rbac-proxy container and adopt controller-runtime native …

3c35b43

…authn/authz for metrics

lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from 618a1fc to c520545 Compare April 3, 2025 11:59

Rohit-0505 marked this pull request as draft April 3, 2025 12:28

add Makefile target to deploy the manager for metrics endpoint valida…

9be6bc9

…tion

lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from c520545 to 9be6bc9 Compare April 3, 2025 12:54

update test-chart.yaml with updated docker-build command

75871b8

lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from b2ddaf7 to 75871b8 Compare April 3, 2025 13:44

fix check-codegen failing workflow

e7dea9e

lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from e925843 to e7dea9e Compare April 3, 2025 15:56

Rohit-0505 marked this pull request as ready for review April 3, 2025 16:02

afritzler requested changes Apr 4, 2025

View reviewed changes

Comment thread Makefile

Comment thread Makefile Outdated

Comment thread config/default/kustomization.yaml

Comment thread config/manager/manager.yaml Outdated

Nuckal777 reviewed Apr 8, 2025

View reviewed changes

opensovereigncloud-user force-pushed the osc/enh/replace-kube-rbac-proxy branch from 3d0990a to c552e93 Compare April 9, 2025 09:13

Rohit-0505 marked this pull request as draft April 9, 2025 09:13

opensovereigncloud-user force-pushed the osc/enh/replace-kube-rbac-proxy branch 2 times, most recently from c4b847c to 9804673 Compare April 9, 2025 09:47

github-actions Bot added size/XL api-change and removed size/XXL labels Apr 9, 2025

opensovereigncloud-user force-pushed the osc/enh/replace-kube-rbac-proxy branch 2 times, most recently from b3d86d5 to 1620c7d Compare April 9, 2025 12:08

Rohit-0505 marked this pull request as ready for review April 9, 2025 12:25

Rohit-0505 marked this pull request as draft April 9, 2025 13:03

address review comments

a6052d1

opensovereigncloud-user force-pushed the osc/enh/replace-kube-rbac-proxy branch from 1620c7d to a6052d1 Compare April 9, 2025 14:38

Rohit-0505 marked this pull request as ready for review April 9, 2025 14:50

Nuckal777 reviewed Apr 10, 2025

View reviewed changes

Comment thread dist/chart/templates/manager/manager.yaml

remove older test-e2e target from the Makefile

d020b1e

opensovereigncloud-user force-pushed the osc/enh/replace-kube-rbac-proxy branch from f1ed0ed to d020b1e Compare April 11, 2025 06:52

Rohit-0505 requested a review from Nuckal777 April 11, 2025 07:08

Nuckal777 approved these changes Apr 14, 2025

View reviewed changes

afritzler approved these changes Apr 14, 2025

View reviewed changes

afritzler changed the title ~~Drop kube-rbac-proxy container and adopt controller-runtime native …~~ Drop kube-rbac-proxy container Apr 14, 2025

github-project-automation Bot added this to Roadmap Apr 14, 2025

afritzler changed the title ~~Drop kube-rbac-proxy container~~ Drop kube-rbac-proxy container usage in config Apr 14, 2025

afritzler merged commit 607e5db into ironcore-dev:main Apr 14, 2025
13 checks passed

github-project-automation Bot moved this to Done in Roadmap Apr 14, 2025

nagadeesh-nagaraja reviewed Apr 14, 2025

View reviewed changes

Comment thread config/crd/kustomization.yaml

Rohit-0505 mentioned this pull request Apr 28, 2025

Drop kube-rbac-proxy container config for metrics ironcore-dev/boot-operator#177

Merged

afritzler mentioned this pull request Apr 28, 2025

Add Helm chart publishing workflow #281

Merged

hardikdr added the area/metal-automation label Jun 25, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Drop `kube-rbac-proxy` container usage in `config`#243

Drop `kube-rbac-proxy` container usage in `config`#243
afritzler merged 6 commits intoironcore-dev:mainfrom
opensovereigncloud:osc/enh/replace-kube-rbac-proxy

Rohit-0505 commented Feb 19, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Nuckal777 left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

Rohit-0505 commented Feb 19, 2025

Overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Nuckal777 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants