⚠ Introduce Metrics Options struct & secure metrics serving #2407
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
approved
sbueringer
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
@alvaroaleman @vincepri After that I'll add more documentation and add / fix unit tests. |
sbueringer
commented
Jul 15, 2023
sbueringer
commented
Jul 15, 2023
sbueringer
force-pushed
the
pr-auth-metrics
branch
from
96e77c5 to
0d05be8
Compare
sbueringer
changed the title
k8s-ci-robot
added
size/XXL
sbueringer
force-pushed
the
pr-auth-metrics
branch
2 times, most recently
from
1504d8f to
66ae79b
Compare
sbueringer
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@alvaroaleman Thx for the review. Changed the defaulting behavior and added test coverage |
|
@vincepri PTAL when you have some time :) |
|
Refactored the implementation to avoid introducing a dependency to k8s.io/apiserver for folks who are not using the authentication/authorization |
sbueringer
force-pushed
the
pr-auth-metrics
branch
from
ef6074c to
f764e41
Compare
sbueringer
commented
Jul 22, 2023
sbueringer
force-pushed
the
pr-auth-metrics
branch
3 times, most recently
from
4b2e71f to
4aa927f
Compare
sbueringer
changed the title
k8s-ci-robot
added
the
needs-rebase
1 task
5 tasks
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 11, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 11, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 16, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests.
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 16, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests.
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
- Migrated infrastructure CRD retrieval to the new package `zz_generated.crd-manifests`:
- Updated infrastructure CRD for unit tests using `make update-vendored-crds` command.
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 16, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests.
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
- Migrated infrastructure CRD retrieval to the new package `zz_generated.crd-manifests`:
- Updated infrastructure CRD for unit tests using `make update-vendored-crds` command.
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 17, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests.
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
- Migrated infrastructure CRD retrieval to the new package `zz_generated.crd-manifests`:
- Updated infrastructure CRD for unit tests using `make update-vendored-crds` command.
- Updated envtest setup to use the downstream index.
- Infrastructure CRD uses CEL functions backported from newer k8s API.
- Upstream `envtest` is not ready to use newer CEL function.
- Bumped `setup-envtest` to be able to use `--index` flag.
alebedev87
added a commit
to alebedev87/aws-load-balancer-operator
that referenced
this pull request
Dec 17, 2024
- Bumped golang to 1.22:
- Update go.mod
- Update Dockerfiles
- Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf.
- Bumped controller-runtime to 0.18.5:
- Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422).
- Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407).
- Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421).
- Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests.
- Regenerated CRD and bundle manifests using `make bundle` command.
- Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps:
- `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package.
- Removed `TypeMeta` from expected deployment object when it's compared to
structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633).
- Migrated infrastructure CRD retrieval to the new package `zz_generated.crd-manifests`:
- Updated infrastructure CRD for unit tests using `make update-vendored-crds` command.
- Updated envtest setup to use the downstream index.
- Infrastructure CRD uses CEL functions backported from newer k8s API.
- Upstream `envtest` is not ready to use newer CEL function.
- Bumped `setup-envtest` to be able to use `--index` flag.
openshift-merge-bot bot
pushed a commit
to openshift/aws-load-balancer-operator
that referenced
this pull request
Dec 18, 2024
#143) - Bumped golang to 1.22: - Update go.mod - Update Dockerfiles - Bumped k8s.io/* modules to 0.30.3 and OpenShift API to 20240812094746-86145edb40cf. - Bumped controller-runtime to 0.18.5: - Manager's `Port` option removed, now using dedicated webhook server field (kubernetes-sigs/controller-runtime#2422). - Manager's `MetricsBindAddress` option removed, now using dedicated metrics server field (kubernetes-sigs/controller-runtime#2407). - Cache's `Namespaces` option replaced by `DefaultNamespaces` (kubernetes-sigs/controller-runtime#2421). - Bumped aws-load-balancer-controller to f39ae43121c3 to use latest CRD scheme in e2e tests. - Regenerated CRD and bundle manifests using `make bundle` command. - Bumped `kustomize` to v5 to fix a conflict caused by k8s.io bumps: - `kyaml` unable to use the bumped `github.com/google/gnostic-models/openapiv2` package. - Removed `TypeMeta` from expected deployment object when it's compared to structured one retrieved from fake client (kubernetes-sigs/controller-runtime#2633). - Migrated infrastructure CRD retrieval to the new package `zz_generated.crd-manifests`: - Updated infrastructure CRD for unit tests using `make update-vendored-crds` command. - Updated envtest setup to use the downstream index. - Infrastructure CRD uses CEL functions backported from newer k8s API. - Upstream `envtest` is not ready to use newer CEL function. - Bumped `setup-envtest` to be able to use `--index` flag.
Acedus
added a commit
to Acedus/containerized-data-importer
that referenced
this pull request
Jul 14, 2025
As part of an effort to standardize metric exposure across KubeVirt components on port 8443, we are transitioning to HTTPS with TLS encryption for the metrics-server. To facilitate this, we leverage the controller-runtime's SecureServing option, which creates a self-signed certificate and configures it as the server certificate for the metrics endpoint when no external certificate is provided[1]. Subsequent PRs will replace this self-signed certificate with a CDI generated one to enable a fully trusted and secure connection between the Prometheus instance and the target metrics endpoints as specified by the CDI ServiceMonitor. Until that integration is complete, the ServiceMonitor will be configured with insecureSkipVerify to allow scraping despite the untrusted certificate. [1] kubernetes-sigs/controller-runtime#2407 Signed-off-by: Adi Aloni <aaloni@redhat.com>
Acedus
added a commit
to Acedus/containerized-data-importer
that referenced
this pull request
Jul 14, 2025
As part of an effort to standardize metric exposure across KubeVirt components on port 8443, we are transitioning to HTTPS with TLS encryption for the metrics-server. To facilitate this, we leverage the controller-runtime's SecureServing option, which creates a self-signed certificate and configures it as the server certificate for the metrics endpoint when no external certificate is provided[1]. Subsequent PRs will replace this self-signed certificate with a CDI generated one to enable a fully trusted and secure connection between the Prometheus instance and the target metrics endpoints as specified by the CDI ServiceMonitor. Until that integration is complete, the ServiceMonitor will be configured with insecureSkipVerify to allow scraping despite the untrusted certificate. [1] kubernetes-sigs/controller-runtime#2407 Signed-off-by: Adi Aloni <aaloni@redhat.com>
kubevirt-bot
pushed a commit
to kubevirt/containerized-data-importer
that referenced
this pull request
Jul 15, 2025
As part of an effort to standardize metric exposure across KubeVirt components on port 8443, we are transitioning to HTTPS with TLS encryption for the metrics-server. To facilitate this, we leverage the controller-runtime's SecureServing option, which creates a self-signed certificate and configures it as the server certificate for the metrics endpoint when no external certificate is provided[1]. Subsequent PRs will replace this self-signed certificate with a CDI generated one to enable a fully trusted and secure connection between the Prometheus instance and the target metrics endpoints as specified by the CDI ServiceMonitor. Until that integration is complete, the ServiceMonitor will be configured with insecureSkipVerify to allow scraping despite the untrusted certificate. [1] kubernetes-sigs/controller-runtime#2407 Signed-off-by: Adi Aloni <aaloni@redhat.com>
kubevirt-bot
pushed a commit
to kubevirt-bot/containerized-data-importer
that referenced
this pull request
Jul 15, 2025
As part of an effort to standardize metric exposure across KubeVirt components on port 8443, we are transitioning to HTTPS with TLS encryption for the metrics-server. To facilitate this, we leverage the controller-runtime's SecureServing option, which creates a self-signed certificate and configures it as the server certificate for the metrics endpoint when no external certificate is provided[1]. Subsequent PRs will replace this self-signed certificate with a CDI generated one to enable a fully trusted and secure connection between the Prometheus instance and the target metrics endpoints as specified by the CDI ServiceMonitor. Until that integration is complete, the ServiceMonitor will be configured with insecureSkipVerify to allow scraping despite the untrusted certificate. [1] kubernetes-sigs/controller-runtime#2407 Signed-off-by: Adi Aloni <aaloni@redhat.com>
kubevirt-bot
added a commit
to kubevirt/containerized-data-importer
that referenced
this pull request
Jul 15, 2025
As part of an effort to standardize metric exposure across KubeVirt components on port 8443, we are transitioning to HTTPS with TLS encryption for the metrics-server. To facilitate this, we leverage the controller-runtime's SecureServing option, which creates a self-signed certificate and configures it as the server certificate for the metrics endpoint when no external certificate is provided[1]. Subsequent PRs will replace this self-signed certificate with a CDI generated one to enable a fully trusted and secure connection between the Prometheus instance and the target metrics endpoints as specified by the CDI ServiceMonitor. Until that integration is complete, the ServiceMonitor will be configured with insecureSkipVerify to allow scraping despite the untrusted certificate. [1] kubernetes-sigs/controller-runtime#2407 Signed-off-by: Adi Aloni <aaloni@redhat.com> Co-authored-by: Adi Aloni <aaloni@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces metrics options on the manager options. Via the new metrics options it will now be possible to serve metrics via tls and to use authentication and authorization.
Fixes #2073