diff --git a/cmd/main.go b/cmd/main.go index 344a7047c..c5a45b3ac 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -18,6 +18,7 @@ package main import ( "crypto/md5" + "crypto/tls" "flag" "fmt" "os" @@ -41,6 +42,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1" @@ -81,13 +83,21 @@ func init() { func main() { var metricsAddr string var enableLeaderElection bool + var secureMetrics bool + var enableHTTP2 bool var probeAddr string var enabledController string - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to. "+ + "Use :8080 for http and :8443 for https. Setting to 0 will disable the metrics endpoint.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") + flag.StringVar(&enabledController, "enable-controller", "", "The controller to enable. Default: all") opts := zap.Options{ Development: true, @@ -103,11 +113,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + var tlsOpts []func(*tls.Config) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + metricsOpts := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + metricsOpts.FilterProvider = filters.WithAuthenticationAndAuthorization + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - }, + Scheme: scheme, + Metrics: metricsOpts, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: fmt.Sprintf("%x.k0smotron.io", md5.Sum([]byte(enabledController))), diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 752cd27aa..80c277eb0 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -25,29 +25,6 @@ spec: values: - linux containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - name: manager args: - "--health-probe-bind-address=:8081"