⚠️ Deprecate metrics-bind-addr flag (#70)

**What is the purpose of this pull request/Why do we need it?**

See:
https://cluster-api.sigs.k8s.io/developer/providers/migrations/v1.5-to-v1.6
See: kubernetes-sigs/cluster-api#9264

**Checklist:**
- [x] Documentation updated
- [x] Includes
[emojis](https://github.com/kubernetes-sigs/kubebuilder-release-tools?tab=readme-ov-file#kubebuilder-project-versioning)

Author: gfariasalves-ionos

cmd/main.go

@@ -23,23 +23,25 @@ import (
 	"os"
 
 	"github.com/spf13/pflag"
-	"k8s.io/klog/v2"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/klog/v2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/cluster-api/util/flags"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
-	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	infrav1 "github.com/ionos-cloud/cluster-api-provider-ionoscloud/api/v1alpha1"
 	"github.com/ionos-cloud/cluster-api-provider-ionoscloud/internal/controller"
 )
 
 var (
-	scheme   = runtime.NewScheme()
-	setupLog = ctrl.Log.WithName("setup")
+	scheme               = runtime.NewScheme()
+	setupLog             = ctrl.Log.WithName("setup")
+	healthProbeAddr      string
+	enableLeaderElection bool
+	diagnosticOptions    = flags.DiagnosticsOptions{}
 )
 
 func init() {
@@ -50,25 +52,19 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
+// Add RBAC for the authorized diagnostics endpoint.
+// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
+
 func main() {
 	ctrl.SetLogger(klog.Background())
-	var metricsAddr string
-	var enableLeaderElection bool
-	var probeAddr string
-	klog.InitFlags(nil)
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
-		"Enable leader election for controller manager. "+
-			"Enabling this will ensure there is only one active controller manager.")
-
-	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+	initFlags()
 	pflag.Parse()
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
-		Metrics:                metricsserver.Options{BindAddress: metricsAddr},
-		HealthProbeBindAddress: probeAddr,
+		Metrics:                flags.GetDiagnosticsOptions(diagnosticOptions),
+		HealthProbeBindAddress: healthProbeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "15f3d3ca.cluster.x-k8s.io",
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
@@ -121,3 +117,15 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// initFlags parses the command line flags.
+func initFlags() {
+	klog.InitFlags(nil)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+	flags.AddDiagnosticsOptions(pflag.CommandLine, &diagnosticOptions)
+	pflag.StringVar(&healthProbeAddr, "health-probe-bind-address", ":8081",
+		"The address the probe endpoint binds to.")
+	pflag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+}

config/default/kustomization.yaml

@@ -19,10 +19,6 @@ resources:
 #- ../prometheus
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
 - manager_image_patch.yaml
 
 

config/default/manager_auth_proxy_patch.yaml

@@ -69,9 +69,13 @@ spec:
       - command:
         - /manager
         args:
-        - --leader-elect
+        - "--leader-elect"
         image: controller:latest
         name: manager
+        ports:
+          - containerPort: 8443
+            name: diagnostics
+            protocol: TCP
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -100,3 +104,27 @@ spec:
             memory: 64Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: system
+  name: controller-manager-diagnostics-service
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: diagnostics-service
+    app.kubernetes.io/instance: controller-manager-diagnostics-service
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/created-by: cluster-api-provider-ionoscloud
+    app.kubernetes.io/part-of: cluster-api-provider-ionoscloud
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  selector:
+    control-plane: controller-manager
+  ports:
+    - name: diagnostics-svc
+      protocol: TCP
+      port: 8443
+      targetPort: diagnostics
+
+

config/manager/manager.yaml

@@ -9,10 +9,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -23,6 +23,18 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups:
   - cluster.x-k8s.io
   resources:

config/rbac/auth_proxy_role.yaml

@@ -1,15 +1,11 @@
 ## Usage
 
----
-
 This is a guide on how to use the Cluster API Provider for IONOS Cloud (CAPIC) to create a Kubernetes cluster 
 on IONOS Cloud. To learn more about the Cluster API, please refer 
 to the official [Cluster API book](https://cluster-api.sigs.k8s.io/).
 
 ## Table of Contents
 
----
-
 * [Usage](#usage)
   * [Prerequisites](#prerequisites)
   * [Quickstart](#quickstart)
@@ -23,8 +19,6 @@ to the official [Cluster API book](https://cluster-api.sigs.k8s.io/).
 
 ## Prerequisites
 
----
-
 Before you can use CAPIC, you need to have the following prerequisites:
 
 * A Kubernetes cluster which can run the required providers for CAPIC.
@@ -37,29 +31,21 @@ Before you can use CAPIC, you need to have the following prerequisites:
 
 ## Quickstart
 
----
-
 In order to install Cluster API Provider for IONOS Cloud (CAPIC), you need to have a Kubernetes cluster up and running,
 and `clusterctl` installed.
 
 ### Case 1: Using a local provider
 
----
-
 If the provider is not yet added to the list of providers in `clusterctl`, you can bootstrap the management cluster
 using a local provider. Refer to [local provider](./local-provider.md) for more information.
 
 ### Case 2: The provider is already available in clusterctl
 
----
-
 In this case you can simply follow the steps below. Make sure you are using a version of `clusterctl` which
 supports the `IONOS Cloud provider`.
 
 ### Configuring the management cluster
 
----
-
 Before you can create a Kubernetes cluster on IONOS Cloud, you need to configure the management cluster.
 Currently, the controller has no need of any special configuration, so you can just run the following command:
 
@@ -70,8 +56,6 @@ clusterctl init --infrastructure=ionoscloud
 
 ### Environment variables
 
----
-
 CAPIC requires several environment variables to be set in order to create a Kubernetes cluster on IONOS Cloud.
 
 ```env
@@ -98,8 +82,6 @@ IONOSCLOUD_MACHINE_SSH_KEYS                 # The SSH keys to be used.
 
 ### Credential Secret Structure
 
----
-
 The `IONOS_TOKEN` should be stored in a secret in the same namespace as the management cluster. 
 The secret should have the following structure:
 
@@ -118,8 +100,6 @@ stringData:
 
 ### Create a workload cluster
 
----
-
 In order to create a new cluster, you need to generate a cluster manifest.
 
 ```sh
@@ -138,12 +118,16 @@ $ kubectl apply -f cluster.yaml
 
 ### Next Steps
 
----
-
 TODO
 
+### Observability
+
+#### Diagnostics
+
+Access to metrics is secured by default. Before using it, it is necessary to create appropriate roles and role bindings.
+For more information, refer to [Cluster API documentation](https://main.cluster-api.sigs.k8s.io/tasks/diagnostics).
+
 ### Troubleshooting
 
----
 
 TODO