kube-logging · csatib02 · Dec 16, 2024 · Dec 1, 2024 · Dec 1, 2024 · Dec 15, 2024
diff --git a/charts/telemetry-controller/templates/deployment.yaml b/charts/telemetry-controller/templates/deployment.yaml
@@ -2,20 +2,23 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
+    control-plane: controller-manager
 {{ include "telemetry-controller.labels" . | indent 4 }}
   name: '{{ include "telemetry-controller.fullname" . }}'
   namespace: '{{ include "telemetry-controller.namespace" . }}'
 spec:
   replicas: 1
   selector:
     matchLabels:
+      control-plane: controller-manager
       app.kubernetes.io/name: {{ include "telemetry-controller.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   template:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
       labels:
+        control-plane: controller-manager
         app.kubernetes.io/name: {{ include "telemetry-controller.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
       {{- with .Values.podLabels }}
@@ -24,32 +27,9 @@ spec:
     spec:
       containers:
         - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:8080/
-            - --logtostderr=true
-            - --v=0
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
-          name: kube-rbac-proxy
-          ports:
-            - containerPort: 8443
-              name: https
-              protocol: TCP
-          resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-        - args:
-            - --health-probe-bind-address=:8081
-            - --metrics-bind-address=127.0.0.1:8080
-            - --leader-elect
+          {{- range .Values.extraArgs }}
+            - {{ . }}
+          {{- end }}
           command:
             - /manager
           image:

diff --git a/charts/telemetry-controller/templates/service.yaml b/charts/telemetry-controller/templates/service.yaml
@@ -2,15 +2,24 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
+    control-plane: controller-manager
 {{ include "telemetry-controller.labels" . | indent 4 }}
-  name: '{{ include "telemetry-controller.fullname" . }}-metrics-service'
-  namespace: "{{.Release.Namespace}}"
+  name: {{ include "telemetry-controller.fullname" . }}-metrics-service
+  namespace: {{ .Release.Namespace }}
 spec:
   ports:
+    {{- if .Values.monitoring.secure }}
     - name: https
       port: 8443
       protocol: TCP
-      targetPort: https
+      targetPort: 8443
+    {{- else }}
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
+    {{- end }}
   selector:
+    control-plane: controller-manager
     app.kubernetes.io/name: {{ include "telemetry-controller.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/telemetry-controller/templates/servicemonitor.yaml b/charts/telemetry-controller/templates/servicemonitor.yaml
@@ -0,0 +1,42 @@
+{{ if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.monitoring.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "telemetry-controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: controller-manager
+{{ include "telemetry-controller.labels" . | nindent 4 }}
+{{- with .Values.monitoring.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+{{ include "telemetry-controller.labels" . | indent 6 }}
+  endpoints:
+    {{- if .Values.monitoring.secure }}
+    - path: /metrics
+      port: https
+      scheme: https
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      tlsConfig:
+        insecureSkipVerify: true
+    {{- else }}
+    - path: /metrics
+      port: http
+      scheme: http
+    {{- end }}
+    {{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.monitoring.serviceMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/telemetry-controller/values.yaml b/charts/telemetry-controller/values.yaml
@@ -10,6 +10,9 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
+extraArgs:
+  - --leader-elect=true
+
 imagePullSecrets: []
 nameOverride: ""
 namespaceOverride: ""
@@ -51,3 +54,14 @@ opentelemetry-operator:
   manager:
     collectorImage:
       repository: otel/opentelemetry-collector-k8s
+
+monitoring:
+  secure: true
+
+  serviceMonitor:
+    # -- Create a Prometheus Operator ServiceMonitor object.
+    enabled: false
+
+    additionalLabels: {}
+    metricRelabelings: []
+    relabelings: []
diff --git a/cmd/main.go b/cmd/main.go
@@ -15,6 +15,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"os"
 
@@ -28,7 +29,9 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	rbacv1 "k8s.io/api/rbac/v1"
 
@@ -59,11 +62,18 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -72,13 +82,54 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
-		Metrics:                metricsserver.Options{BindAddress: metricsAddr},
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
-		LeaderElectionID:       "87a80094.kube-logging.dev",
-
+		LeaderElectionID:       "ee888a7e.kube-logging.dev",
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -7,29 +7,18 @@ resources:
 - bases/telemetry.kube-logging.dev_tenants.yaml
 - bases/telemetry.kube-logging.dev_outputs.yaml
 - bases/telemetry.kube-logging.dev_bridges.yaml
-#+kubebuilder:scaffold:crdkustomizeresource
+# +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-#- path: patches/webhook_in_telemetry_collectors.yaml
-#- path: patches/webhook_in_telemetry_subscriptions.yaml
-#- path: patches/webhook_in_telemetry_tenants.yaml
-#- path: patches/webhook_in_telemetry_outputs.yaml
-#- path: patches/webhook_in_telemetry_bridges.yaml
-#+kubebuilder:scaffold:crdkustomizewebhookpatch
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_telemetry_collectors.yaml
-#- path: patches/cainjection_in_telemetry_subscriptions.yaml
-#- path: patches/cainjection_in_telemetry_tenants.yaml
-#- path: patches/cainjection_in_telemetry_outputs.yaml
-#- path: patches/cainjection_in_telemetry_bridges.yaml
-#+kubebuilder:scaffold:crdkustomizecainjectionpatch
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
-
 #configurations:
 #- kustomizeconfig.yaml