Skip to content

fix : remove kube-rbac-proxy sidecar metric proxy container from Operator deployment #1437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

fix : remove kube-rbac-proxy sidecar metric proxy container from Operator deployment #1437

wants to merge 4 commits into from

Conversation

rohanKanojia
Copy link
Contributor

What does this PR do?

⚠️ Requires #1435 to be merged first

As mentioned in #1352 and #1343 (comment) , using kube-rbac-proxy sidecar container is deprecated and is causing issues in configuring Operator resource/limits via Operator subscription.

This PR removes this sidecar container and uses controller-runtime's inbuilt WithAuthenticationAndAuthorization. Now that we don't have a proxy, we can directly post metrics on 8443 and 9443 ports for devworkspace-controller-manager and devworkspace-webhook-server respectively.

Signed-off-by: Rohan Kumar [email protected]

What issues does this PR fix or reference?

#1343

Is it tested? How?

After making changes I made sure operator is running and metrics are accessible on 8443 and 9443 ports.

  • setup OpenShift cluster
  • set NAMESPACE=devworkspace-controller
  • set DWO_IMG to local docker image fork for development
  • Checkout branch and create+push docker image make docker
  • make install
  • Check operator pods, they'd have only one running container (previously all pods have 2 containers each) 
    devworkspace-operator : $ oc get pods
NAME                                               READY   STATUS    RESTARTS      AGE
devworkspace-controller-manager-56679dd464-lnh2g   1/1     Running   0             15m
devworkspace-webhook-server-5874545c5c-58n4s       1/1     Running   0             15m
devworkspace-webhook-server-5874545c5c-ntfmt       1/1     Running   1 (15m ago)   15m
  • Port forward metrics service and try to access metrics 
    kubectl  port-forward service/devworkspace-controller-metrics 8443:8443 &
kubectl port-forward service/devworkspace-webhookserver 9443:9443

# [In separate session]
 NAMESPACE=devworkspace-controller 
 kubectl create clusterrolebinding dw-metrics \
--clusterrole=devworkspace-controller-metrics-reader \
--serviceaccount=${NAMESPACE}:devworkspace-controller-serviceaccount
TOKEN=$(kubectl create token devworkspace-controller-serviceaccount -n ${NAMESPACE} --duration=1h)
curl -H "Authorization: Bearer ${TOKEN}"   http://localhost:9443/metrics
curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:8443/metrics

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

@rohanKanojia
chore (deps) : bump controller-runtime to v0.18.7
c203aab 
Signed-off-by: Rohan Kumar <[email protected]>
@rohanKanojia
chore (deploy) : Update manifests to reflect controller-runtime upgrade
d203b5e 
Updated CRD manifests in deploy/ directory to include new requirements
in controller-runtime upgrade

Signed-off-by: Rohan Kumar <[email protected]>
@rohanKanojia
fix : remove kube-rbac-proxy container from Operator deployment
a7285de 
Signed-off-by: Rohan Kumar <[email protected]>
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 22, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 22, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rohanKanojia rohanKanojia force-pushed the pr/issue1343 branch 2 times, most recently from 1757600 to 2a64641 Compare May 22, 2025 12:03
@rohanKanojia
Copy link
Contributor Author

/ok-to-test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkwon17 dkwon17 Awaiting requested review from dkwon17 dkwon17 will be requested when the pull request is marked ready for review dkwon17 is a code owner

@ibuziuk ibuziuk Awaiting requested review from ibuziuk ibuziuk will be requested when the pull request is marked ready for review ibuziuk is a code owner

@akurinnoy akurinnoy Awaiting requested review from akurinnoy akurinnoy will be requested when the pull request is marked ready for review akurinnoy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
do-not-merge/work-in-progress ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rohanKanojia