Remove kube-rbac-proxy and expose metrics on localhost:8080

Following the upstream cluster-api instruction, remove unneeded component kube-rbac-proxy.

Author: Fedosin

cmd/main.go

@@ -78,7 +78,7 @@ func init() {
 
 // InitFlags initializes the flags.
 func InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080",
+	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
 		"The address the metric endpoint binds to.")
 
 	fs.BoolVar(&enableLeaderElection, "leader-elect", false,

config/default/kustomization.yaml

@@ -26,10 +26,6 @@ bases:
 - ../namespace
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
   # Provide customizable hook for make targets.
 - manager_image_patch.yaml
 - manager_pull_policy.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -3,10 +3,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -13961,40 +13961,6 @@ rules:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-metrics-reader
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -14011,22 +13977,6 @@ subjects:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: capi-operator-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: 'default'
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
@@ -14093,24 +14043,6 @@ subjects:
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: v1
 kind: Service
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
-  name: capi-operator-controller-manager-metrics-service
-  namespace: 'default'
-spec:
-  ports:
-  - name: https
-    port: 8443
-    targetPort: https
-  selector:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: v1
-kind: Service
 metadata:
   labels:
     clusterctl.cluster.x-k8s.io/core: capi-operator