ccm: disable unused secure-serving port and webhook

Author: chrischdi

pkg/cloud/aws/assets/deployment.yaml

@@ -43,17 +43,14 @@ spec:
           --leader-elect-renew-deadline=107s \
           --leader-elect-retry-period=26s \
           --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+          --secure-port=0 \
           -v=2
         env:
         - name: CLOUD_CONFIG
           value: /etc/kubernetes-cloud-config/cloud.conf
         image: {{ .images.CloudControllerManager }}
         imagePullPolicy: IfNotPresent
         name: cloud-controller-manager
-        ports:
-        - containerPort: 10258
-          name: https
-          protocol: TCP
         resources:
           requests:
             cpu: 200m

pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml

@@ -94,10 +94,6 @@ spec:
             requests:
               cpu: 200m
               memory: 50Mi
-          ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
           command:
             - /bin/bash
             - -c
@@ -121,7 +117,8 @@ spec:
                 --leader-elect-lease-duration=137s \
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
-                --leader-elect-resource-namespace=openshift-cloud-controller-manager
+                --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: host-etc-kube

pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml

@@ -88,9 +88,6 @@ spec:
               cpu: 200m
               memory: 50Mi
           ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
           command:
             - /bin/bash
             - -c
@@ -113,7 +110,8 @@ spec:
                 --leader-elect-lease-duration=137s \
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
-                --leader-elect-resource-namespace=openshift-cloud-controller-manager
+                --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: host-etc-kube

pkg/cloud/gcp/assets/cloud-controller-manager.yaml

@@ -68,10 +68,6 @@ spec:
             requests:
               cpu: 200m
               memory: 128Mi
-          ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
           command:
             - /bin/bash
             - -c
@@ -95,7 +91,8 @@ spec:
                 --leader-elect-lease-duration=137s \
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
-                --leader-elect-resource-namespace=openshift-cloud-controller-manager
+                --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: host-etc-kube

pkg/cloud/nutanix/assets/cloud-controller-manager-deployment.yaml

@@ -72,10 +72,6 @@ spec:
             requests:
               cpu: 200m
               memory: 128Mi
-          ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
           command:
             - /bin/bash
             - -c
@@ -98,7 +94,8 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
-                --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+                --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
+                --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: nutanix-config

pkg/cloud/openstack/assets/deployment.yaml

@@ -78,11 +78,8 @@ spec:
             --leader-elect-renew-deadline=107s \
             --leader-elect-retry-period=26s \
             --leader-elect-resource-namespace=openshift-cloud-controller-manager \
-            --feature-gates={{ .featureGates }}
-          ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
+            --feature-gates={{ .featureGates }} \
+            --secure-port=0
           resources:
             requests:
               cpu: 200m

pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml

@@ -72,10 +72,6 @@ spec:
             requests:
               cpu: 200m
               memory: 128Mi
-          ports:
-          - containerPort: 10258
-            name: https
-            protocol: TCP
           command:
             - /bin/bash
             - -c
@@ -99,7 +95,8 @@ spec:
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
                 --feature-gates={{ .featureGates }} \
-                --use-service-account-credentials=true
+                --use-service-account-credentials=true \
+                --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: host-etc-kube

pkg/controllers/clusteroperator_controller_test.go

@@ -420,11 +420,10 @@ var _ = Describe("Apply resources should", func() {
 
 		// Checking that the port has been reverted back and there is only one item in the list
 		Expect(cl.Get(context.Background(), client.ObjectKeyFromObject(dep), dep)).To(Succeed())
-		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(1))
-		Expect(dep.Spec.Template.Spec.Containers[0].Ports[0].ContainerPort).To(Equal(int32(10258)))
+		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(0))
 	})
 
-	It("Expect to have just one item in the port list after user added another one", func() {
+	It("Expect to have no item in the port list after user added another one", func() {
 		var dep *appsv1.Deployment
 		operatorConfig := getConfigForPlatform(&configv1.PlatformStatus{Type: configv1.AWSPlatformType})
 
@@ -457,9 +456,8 @@ var _ = Describe("Apply resources should", func() {
 
 		// Checking that the port has been added and there are two items in the list
 		Expect(cl.Get(context.Background(), client.ObjectKeyFromObject(dep), dep)).To(Succeed())
-		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(2))
-		Expect(dep.Spec.Template.Spec.Containers[0].Ports[0].ContainerPort).To(Equal(int32(10258)))
-		Expect(dep.Spec.Template.Spec.Containers[0].Ports[1].ContainerPort).To(Equal(int32(11258)))
+		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(1))
+		Expect(dep.Spec.Template.Spec.Containers[0].Ports[0].ContainerPort).To(Equal(int32(11258)))
 
 		// Apply resources again
 		freshResources, err = cloud.GetResources(operatorConfig)
@@ -479,8 +477,7 @@ var _ = Describe("Apply resources should", func() {
 
 		// Checking that the port list has been reverted back and there is only one item in the list
 		Expect(cl.Get(context.Background(), client.ObjectKeyFromObject(dep), dep)).To(Succeed())
-		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(1))
-		Expect(dep.Spec.Template.Spec.Containers[0].Ports[0].ContainerPort).To(Equal(int32(10258)))
+		Expect(len(dep.Spec.Template.Spec.Containers[0].Ports)).To(Equal(0))
 	})
 
 	It("Expect to have deployment labels merged with user ones", func() {