fixing generation issues

Signed-off-by: Adam D. Cornett <[email protected]>

Author: acornett21

Diff for: hack/generate/samples/ansible/advanced_molecule.go

@@ -84,46 +84,47 @@ func ImplementAdvancedMolecule(sample sample.Sample, image string) {
 }
 
 func updateConfig(dir string) {
-	log.Info("adding customized roles")
-	const cmRolesFragment = `  ##
-  ## Base operator rules
-  ##
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - namespaces
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - apps
-    resources:
-      - configmaps
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-#+kubebuilder:scaffold:rules`
-	err := kbutil.ReplaceInFile(
-		filepath.Join(dir, "config", "rbac", "role.yaml"),
-		"#+kubebuilder:scaffold:rules",
-		cmRolesFragment)
-	pkg.CheckError("adding customized roles", err)
+	//TODO: This currently fails, unsure if we still need this, seems the role file already has this
+	//log.Info("adding customized roles")
+	//	const cmRolesFragment = `  ##
+	//  ## Base operator rules
+	//  ##
+	//  - apiGroups:
+	//      - ""
+	//    resources:
+	//      - configmaps
+	//      - namespaces
+	//    verbs:
+	//      - create
+	//      - delete
+	//      - get
+	//      - list
+	//      - patch
+	//      - update
+	//      - watch
+	//  - apiGroups:
+	//      - apps
+	//    resources:
+	//      - configmaps
+	//    verbs:
+	//      - create
+	//      - delete
+	//      - get
+	//      - list
+	//      - patch
+	//      - update
+	//      - watch
+	//#+kubebuilder:scaffold:rules`
+	//err := kbutil.ReplaceInFile(
+	//	filepath.Join(dir, "config", "rbac", "role.yaml"),
+	//	"#+kubebuilder:scaffold:rules",
+	//	cmRolesFragment)
+	//pkg.CheckError("adding customized roles", err)
 
 	log.Info("adding manager arg")
 	const ansibleVaultArg = `
           - --ansible-args='--vault-password-file /opt/ansible/pwd.yml'`
-	err = kbutil.InsertCode(
+	err := kbutil.InsertCode(
 		filepath.Join(dir, "config", "manager", "manager.yaml"),
 		"- --leader-election-id=advanced-molecule-operator",
 		ansibleVaultArg)
@@ -145,8 +146,8 @@ func updateConfig(dir string) {
 	const managerAuthArgs = `
         - "--ansible-args='--vault-password-file /opt/ansible/pwd.yml'"`
 	err = kbutil.InsertCode(
-		filepath.Join(dir, "config", "default", "manager_metrics_patch.yaml"),
-		"- \"--leader-elect\"",
+		filepath.Join(dir, "config", "manager", "manager.yaml"),
+		"- --leader-elect",
 		managerAuthArgs)
 	pkg.CheckError("adding vaulting args to the proxy auth", err)
 

Diff for: hack/generate/samples/ansible/constants.go

@@ -531,7 +531,7 @@ const customMetricsTest = `
     namespace: default
     container: manager
     pod: "{{ output.resources[0].metadata.name }}"
-    command: curl localhost:8080/metrics
+    command: curl localhost:8443/metrics
   register: metrics_output
 
 - name: Assert sanity metrics were created

Diff for: hack/generate/samples/ansible/memcached_molecule.go

@@ -80,7 +80,7 @@ func ImplementMemcachedMolecule(sample sample.Sample, image string) {
 
 	log.Info("adding RBAC permissions")
 	err = kbutil.ReplaceInFile(filepath.Join(sample.Dir(), "config", "rbac", "role.yaml"),
-		"#+kubebuilder:scaffold:rules", rolesForBaseOperator)
+		"# +kubebuilder:scaffold:rules", rolesForBaseOperator)
 	pkg.CheckError("replacing in role.yml", err)
 
 	log.Info("adding task to delete config map")
@@ -127,6 +127,6 @@ func ImplementMemcachedMolecule(sample sample.Sample, image string) {
 	log.Info("enabling metrics in the manager")
 	err = kbutil.UncommentCode(
 		filepath.Join(sample.Dir(), "config", "default", "kustomization.yaml"),
-		"#- path: manager_metrics_patch.yaml", "#")
+		"- path: manager_metrics_patch.yaml", "#")
 	pkg.CheckError("enabling metrics endpoint", err)
 }

Diff for: internal/ansible/flags/flag.go

@@ -111,13 +111,13 @@ func (f *Flags) AddTo(flagSet *pflag.FlagSet) {
 	// TODO(2.0.0): remove
 	flagSet.StringVar(&f.MetricsBindAddress,
 		"metrics-addr",
-		":8080",
+		":8443",
 		"The address the metric endpoint binds to",
 	)
 	_ = flagSet.MarkDeprecated("metrics-addr", "use --metrics-bind-address instead")
 	flagSet.StringVar(&f.MetricsBindAddress,
 		"metrics-bind-address",
-		":8080",
+		":8443",
 		"The address the metric endpoint binds to",
 	)
 	// TODO(2.0.0): for Go/Helm the port used is: 8081

Diff for: internal/ansible/flags/flag_test.go

@@ -52,7 +52,7 @@ var _ = Describe("Flags", func() {
 		})
 		When("the flag is not set", func() {
 			It("uses the default flag value when corresponding option value is empty", func() {
-				expOptionValue := ":8080"
+				expOptionValue := ":8443"
 				options.Metrics.BindAddress = ""
 				parseArgs(flagSet)
 				Expect(f.ToManagerOptions(options).Metrics.BindAddress).To(Equal(expOptionValue))

Diff for: internal/ansible/handler/logging_enqueue_annotation_test.go

@@ -25,6 +25,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllertest"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -60,7 +61,7 @@ var _ = Describe("LoggingEnqueueRequestForAnnotation", func() {
 
 		Expect(handler.SetOwnerAnnotations(podOwner, pod)).To(Succeed())
 		instance = LoggingEnqueueRequestForAnnotation{
-			handler.EnqueueRequestForAnnotation{
+			handler.EnqueueRequestForAnnotation[client.Object]{
 				Type: schema.GroupKind{
 					Group: "",
 					Kind:  "Pod",
@@ -220,7 +221,11 @@ var _ = Describe("LoggingEnqueueRequestForAnnotation", func() {
 			}
 			nd.SetGroupVersionKind(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"})
 
-			instance = LoggingEnqueueRequestForAnnotation{handler.EnqueueRequestForAnnotation{Type: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"}}}
+			instance = LoggingEnqueueRequestForAnnotation{
+				handler.EnqueueRequestForAnnotation[client.Object]{
+					Type: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
+				},
+			}
 
 			evt := event.CreateEvent{
 				Object: nd,
@@ -243,7 +248,11 @@ var _ = Describe("LoggingEnqueueRequestForAnnotation", func() {
 			}
 			nd.SetGroupVersionKind(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"})
 
-			instance = LoggingEnqueueRequestForAnnotation{handler.EnqueueRequestForAnnotation{Type: nd.GetObjectKind().GroupVersionKind().GroupKind()}}
+			instance = LoggingEnqueueRequestForAnnotation{
+				handler.EnqueueRequestForAnnotation[client.Object]{
+					Type: nd.GetObjectKind().GroupVersionKind().GroupKind(),
+				},
+			}
 			evt := event.CreateEvent{
 				Object: nd,
 			}
@@ -341,11 +350,13 @@ var _ = Describe("LoggingEnqueueRequestForAnnotation", func() {
 			repl.SetGroupVersionKind(schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "ReplicaSet"})
 
 			instance = LoggingEnqueueRequestForAnnotation{
-				handler.EnqueueRequestForAnnotation{
+				handler.EnqueueRequestForAnnotation[client.Object]{
 					Type: schema.GroupKind{
 						Group: "apps",
 						Kind:  "ReplicaSet",
-					}}}
+					},
+				},
+			}
 
 			evt := event.CreateEvent{
 				Object: repl,
@@ -366,11 +377,13 @@ var _ = Describe("LoggingEnqueueRequestForAnnotation", func() {
 			}
 
 			instance2 := LoggingEnqueueRequestForAnnotation{
-				handler.EnqueueRequestForAnnotation{
+				handler.EnqueueRequestForAnnotation[client.Object]{
 					Type: schema.GroupKind{
 						Group: "apps",
 						Kind:  "ReplicaSet",
-					}}}
+					},
+				},
+			}
 
 			evt2 := event.UpdateEvent{
 				ObjectOld: repl,

Diff for: internal/ansible/proxy/kubectl.go

@@ -130,7 +130,7 @@ func (f *FilterServer) HandlerFor(delegate http.Handler) *FilterServer {
 	return &f2
 }
 
-// Get host from a host header value like "localhost" or "localhost:8080"
+// Get host from a host header value like "localhost" or "localhost:8443"
 func extractHost(header string) (host string) {
 	host, _, err := net.SplitHostPort(header)
 	if err != nil {

Diff for: pkg/plugins/ansible/v1/init.go

@@ -160,7 +160,6 @@ func addInitCustomizations(projectName string) error {
 	}
 
 	managerFile := filepath.Join("config", "manager", "manager.yaml")
-	managerMetricsPatchFile := filepath.Join("config", "default", "manager_metrics_patch.yaml")
 
 	// todo: we ought to use afero instead. Replace this methods to insert/update
 	// by https://github.com/kubernetes-sigs/kubebuilder/pull/2119
@@ -174,13 +173,6 @@ func addInitCustomizations(projectName string) error {
 		return err
 	}
 
-	err = util.InsertCode(managerMetricsPatchFile,
-		"- \"--metrics-bind-address=0.0.0.0:8080\"",
-		fmt.Sprintf("\n        - \"--leader-elect\"\n        - \"--leader-election-id=%s\"\n        - \"--health-probe-bind-address=:6789\"", projectName))
-	if err != nil {
-		return err
-	}
-
 	// update default resource request and limits with bigger values
 	const resourcesLimitsFragment = `  resources:
           limits:

Diff for: pkg/testutils/e2e/metrics/helpers.go

@@ -17,7 +17,7 @@ func GetMetrics(sample sample.Sample, kubectl kubernetes.Kubectl, metricsCluster
 	cmdOpts := []string{
 		"run", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure", "--",
 		"curl", "-v",
-		fmt.Sprintf("http://%s-controller-manager-metrics-service.%s.svc:8080/metrics", sample.Name(), kubectl.Namespace()),
+		fmt.Sprintf("http://%s-controller-manager-metrics-service.%s.svc:8443/metrics", sample.Name(), kubectl.Namespace()),
 	}
 	out, err := kubectl.CommandInNamespace(cmdOpts...)
 	fmt.Println("OUT --", out)

Diff for: test/e2e/ansible/suite_test.go

@@ -27,15 +27,14 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
-	kbutil "sigs.k8s.io/kubebuilder/v4/pkg/plugin/util"
-
 	"github.com/operator-framework/ansible-operator-plugins/hack/generate/samples/ansible"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/command"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/e2e/kind"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/e2e/operator"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/e2e/prometheus"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/kubernetes"
 	"github.com/operator-framework/ansible-operator-plugins/pkg/testutils/sample"
+	kbutil "sigs.k8s.io/kubebuilder/v4/pkg/plugin/util"
 )
 
 //TODO: update this to use the new PoC api
@@ -79,8 +78,8 @@ var _ = BeforeSuite(func() {
 	// ---------------------------------------------------
 
 	By("enabling debug logging in the manager")
-	err = kbutil.ReplaceInFile(filepath.Join(ansibleSample.Dir(), "config", "default", "manager_metrics_patch.yaml"),
-		"- \"--leader-elect\"", "- \"--zap-log-level=2\"\n        - \"--leader-elect\"")
+	err = kbutil.InsertCode(filepath.Join(ansibleSample.Dir(), "config", "manager", "manager.yaml"),
+		"--health-probe-bind-address=:6789", "\n          - --zap-log-level=2")
 	Expect(err).NotTo(HaveOccurred())
 
 	// ---------------------------------------------------

Diff for: testdata/memcached-molecule-operator/Makefile

@@ -81,7 +81,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.0/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.2/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else

Diff for: testdata/memcached-molecule-operator/config/crd/kustomization.yaml

@@ -6,4 +6,4 @@ resources:
 - bases/cache.example.com_foos.yaml
 - bases/cache.example.com_memfins.yaml
 - bases/ignore.example.com_secrets.yaml
-#+kubebuilder:scaffold:crdkustomizeresource
+# +kubebuilder:scaffold:crdkustomizeresource

Diff for: testdata/memcached-molecule-operator/config/default/kustomization.yaml

@@ -20,9 +20,13 @@ resources:
 - ../manager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
 
+# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
 patches:
-# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
 # More info: https://book.kubebuilder.io/reference/metrics
-# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
 - path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment

Diff for: testdata/memcached-molecule-operator/config/default/manager_config_patch.yaml

@@ -1,16 +1,4 @@
-# This patch adds the args to allow exposing the metrics endpoint securely
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: manager
-        args:
-        - "--metrics-bind-address=0.0.0.0:8080"
-        - "--leader-elect"
-        - "--leader-election-id=memcached-molecule-operator"
-        - "--health-probe-bind-address=:6789"
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443

Diff for: testdata/memcached-molecule-operator/config/default/manager_metrics_patch.yaml

@@ -62,7 +62,6 @@ spec:
           - --leader-elect
           - --leader-election-id=memcached-molecule-operator
           - --health-probe-bind-address=:6789
-          - --metrics-bind-address=0
         image: controller:latest
         name: manager
         env:

Diff for: testdata/memcached-molecule-operator/config/manager/manager.yaml

@@ -11,8 +11,20 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: http # Ensure this is the name of the port that exposes HTTP metrics
-      scheme: http
+      port: https # Ensure this is the name of the port that exposes HTTPS metrics
+      scheme: https
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      tlsConfig:
+        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
+        # certificate verification. This poses a significant security risk by making the system vulnerable to
+        # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
+        # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
+        # compromising the integrity and confidentiality of the information.
+        # Please use the following options for secure configurations:
+        # caFile: /etc/metrics-certs/ca.crt
+        # certFile: /etc/metrics-certs/tls.crt
+        # keyFile: /etc/metrics-certs/tls.key
+        insecureSkipVerify: true
   selector:
     matchLabels:
       control-plane: controller-manager

Diff for: testdata/memcached-molecule-operator/config/prometheus/monitor.yaml

@@ -9,7 +9,15 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-- metrics_service.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines