Remove dependency on kube-rbac-proxy.

2026-06-14 03:01:44 +00:00 · 2025-12-17 23:06:21 +00:00
parent fee9f74aad
commit 794e2d487a
11 changed files with 130 additions and 79 deletions
@@ -30,6 +30,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"

 	jobsmanagerv1beta1 "raczylo.com/jobs-manager-operator/api/v1beta1"
@@ -55,8 +56,9 @@ func main() {
 	var probeAddr string
 	var leaderElectionID string
 	var devMode bool
+	var secureMetrics bool

-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. Use :8443 for HTTPS with authentication, or 0 to disable.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
@@ -65,6 +67,8 @@ func main() {
 		"The name of the leader election resource.")
 	flag.BoolVar(&devMode, "dev-mode", false,
 		"Enable development mode with verbose logging (console format).")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS with authentication.")

 	opts := zap.Options{
 		Development: devMode,
@@ -80,12 +84,20 @@ func main() {

 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

+	// Configure metrics options
+	metricsOpts := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+	}
+
+	// If secure metrics are enabled, use authentication and authorization filters
+	if secureMetrics {
+		metricsOpts.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		Metrics: metricsserver.Options{
-			BindAddress: metricsAddr,
-		},
-		// Port:                   9443,
+		Scheme:                 scheme,
+		Metrics:                metricsOpts,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       leaderElectionID,