From 361bb898ad205d52e7f3fb6fd80049b4d84f20b5 Mon Sep 17 00:00:00 2001
From: "Adam D. Cornett"
Date: Tue, 19 Nov 2024 11:41:34 -0700
Subject: [PATCH] Release v1.38.0

Signed-off-by: Adam D. Cornett
---
 Makefile | 2 +-
 changelog/fragments/01-olm-scorecard-fix.yaml | 28 --
 .../02-document-k8s-1-30-changes.yaml | 351 ------------------
 .../fragments/fix-run-bundle-yaml-split.yaml | 5 -
 changelog/generated/v1.38.0.md | 11 +
 .../bundle/tests/scorecard/config.yaml | 12 +-
 .../scorecard/patches/basic.config.yaml | 2 +-
 .../config/scorecard/patches/olm.config.yaml | 10 +-
 .../bundle/tests/scorecard/config.yaml | 12 +-
 .../scorecard/patches/basic.config.yaml | 2 +-
 .../config/scorecard/patches/olm.config.yaml | 10 +-
 testdata/helm/memcached-operator/Dockerfile | 2 +-
 testdata/helm/memcached-operator/Makefile | 2 +-
 .../bundle/tests/scorecard/config.yaml | 12 +-
 .../scorecard/patches/basic.config.yaml | 2 +-
 .../config/scorecard/patches/olm.config.yaml | 10 +-
 website/config.toml | 14 +-
 .../content/en/docs/installation/_index.md | 2 +-
 .../en/docs/upgrading-sdk-version/v1.38.0.md | 314 ++++++++++++++++
 19 files changed, 375 insertions(+), 428 deletions(-)
 delete mode 100644 changelog/fragments/01-olm-scorecard-fix.yaml
 delete mode 100644 changelog/fragments/02-document-k8s-1-30-changes.yaml
 delete mode 100644 changelog/fragments/fix-run-bundle-yaml-split.yaml
 create mode 100644 changelog/generated/v1.38.0.md
 create mode 100644 website/content/en/docs/upgrading-sdk-version/v1.38.0.md

diff --git a/Makefile b/Makefile
index c52abc23501..f5501d08ef2 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ SHELL = /bin/bash
 # This value must be updated to the release tag of the most recent release, a change that must
 # occur in the release commit. IMAGE_VERSION will be removed once each subproject that uses this
 # version is moved to a separate repo and release process.
-export IMAGE_VERSION = v1.37.0
+export IMAGE_VERSION = v1.38.0
 # Build-time variables to inject into binaries
 export SIMPLE_VERSION = $(shell (test "$(shell git describe --tags)" = "$(shell git describe --tags --abbrev=0)" && echo $(shell git describe --tags)) || echo $(shell git describe --tags --abbrev=0)+git)
 export GIT_VERSION = $(shell git describe --dirty --tags --always)
diff --git a/changelog/fragments/01-olm-scorecard-fix.yaml b/changelog/fragments/01-olm-scorecard-fix.yaml
deleted file mode 100644
index 685eb642a52..00000000000
--- a/changelog/fragments/01-olm-scorecard-fix.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# entries is a list of entries to include in
-# release notes and/or the migration guide
-entries:
- - description: >
- An additional condition is included for matching `apiVersion` of example CRs with CRD `version` when searching for the CRD in the CSV. Previously, The `olm-spec-descriptors` scorecard test failed when multiple versions of CRD is included in the CSV. The CR specified in `alm-examples` annotations are validated only against the first matched CRD (by name), which is incorrect. This ensures the correct CRD version is selected for validations.
-
- # kind is one of:
- # - addition
- # - change
- # - deprecation
- # - removal
- # - bugfix
- kind: "bugfix"
-
- # Is this a breaking change?
- breaking: false
-
- # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS
- # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST!
- #
- # The generator auto-detects the PR number from the commit
- # message in which this file was originally added.
- #
- # What is the pull request number (without the "#")?
- # pull_request_override: 0
diff --git a/changelog/fragments/02-document-k8s-1-30-changes.yaml b/changelog/fragments/02-document-k8s-1-30-changes.yaml deleted file mode 100644 index 64b860a821b..00000000000 --- a/changelog/fragments/02-document-k8s-1-30-changes.yaml +++ /dev/null 
@@ -1,351 +0,0 @@ -# entries is a list of entries to include in -# release notes and/or the migration guide -entries: - - description: > - For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.30 API's and Kubebuilder - v4 Scaffolding, specifically utilizing the v4.1.1 version. The update to Kubebuiler results in some scaffolding - changes which more information can be found below: - - Discontinue usage of [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) in the default - scaffolding of new projects. For further information, - see: [Action Required: Ensure that you no longer use gcr.io/kubebuilder images](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907) - - The `go/v2` or `go/v3` layouts have been removed, you must upgrade to `go/v4` to be compatible with this release and future updates. - To know how to upgrade,check the [migration documentation](https://book.kubebuilder.io/migration/v3vsv4). - - Re-introduces authn/authz protection for the metrics endpoint using [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35) - provided by controller-runtime instead of kube-rbac-proxy; which usage was [discontinued in the project](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907). - Please, ensure that you no longer use the image `gcr.io/kubebuilder/kube-rbac-proxy`. Images provided under `gcr.io/kubebuilder/` will be unavailable from **March 18, 2025**. - To learn more about any of the metrics changes please look at the Kubebuilder book [metrics](https://book.kubebuilder.io/reference/metrics) page. 
- - For `Helm-based` and `Ansible-based` operators, a new flag called `metrics-require-rbac` was introduced into the runtime/binary, to control adding - [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35) - to `Metrics.FilterProvider` of controller-runtime. This was done to ensure forwards and backwards compatibility of the binary and images with any scaffolded content. - - # kind is one of: - # - addition - # - change - # - deprecation - # - removal - # - bugfix - kind: "change" - - # Is this a breaking change? - breaking: false - - # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS - # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST! - # - # The generator auto-detects the PR number from the commit - # message in which this file was originally added. - # - # What is the pull request number (without the "#")? - # pull_request_override: 0 - - - # Migration can be defined to automatically add a section to - # the migration guide. This is required for breaking changes. - migration: - header: Upgrade K8s versions to use 1.30 and Kubebuilder v4 - body: | - This update has a lot of scaffolding changes due to the removal of [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy), - if these migrations become difficult to follow, it might be beneficial to scaffold a net new sample project to compare. 
- - 1) [helm/v1, ansible/v1] Update the kustomize version in your Makefile - ```diff - - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.0/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \ - + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.2/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \ - ``` - - 2) [go/v4] Update your `go.mod` file to upgrade the dependencies and run `go mod tidy` to download them - ```go - go 1.22.0 - - github.com/onsi/ginkgo/v2 v2.17.1 - github.com/onsi/gomega v1.32.0 - k8s.io/api v0.30.1 - k8s.io/apimachinery v0.30.1 - k8s.io/client-go v0.30.1 - sigs.k8s.io/controller-runtime v0.18.4 - ``` - 3) [go/v4] Update your `Makefile` with the below changes: - ```diff - - ENVTEST_K8S_VERSION = 1.29.0 - + ENVTEST_K8S_VERSION = 1.30.0 - ``` - - ```diff - - KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION) - - CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION) - - ENVTEST ?= $(LOCALBIN)/setup-envtest-$(ENVTEST_VERSION) - - GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION) - + KUSTOMIZE ?= $(LOCALBIN)/kustomize - + CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen - + ENVTEST ?= $(LOCALBIN)/setup-envtest - + GOLANGCI_LINT = $(LOCALBIN)/golangci-lint - ``` - - ```diff - - KUSTOMIZE_VERSION ?= v5.3.0 - - CONTROLLER_TOOLS_VERSION ?= v0.14.0 - - ENVTEST_VERSION ?= release-0.17 - - GOLANGCI_LINT_VERSION ?= v1.57.2 - + KUSTOMIZE_VERSION ?= v5.4.2 - + CONTROLLER_TOOLS_VERSION ?= v0.15.0 - + ENVTEST_VERSION ?= release-0.18 - + GOLANGCI_LINT_VERSION ?= v1.59.1 - ``` - - ```diff - - $(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION}) - + $(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) - ``` - - ```diff - - @[ -f $(1) ] || { \ - + @[ -f "$(1)-$(3)" ] || { \ - echo "Downloading $${package}" ;\ - + rm -f $(1) || true ;\ - - 
mv "$$(echo "$(1)" | sed "s/-$(3)$$//")" $(1) ;\ - - } - + mv $(1) $(1)-$(3) ;\ - + } ;\ - + ln -sf $(1)-$(3) $(1) - ``` - - 4) [go/v4] Update your `.golangci.yml` with the below changes: - ```diff - - exportloopref - + - ginkgolinter - - prealloc - + - revive - + - +linters-settings: - + revive: - + rules: - + - name: comment-spacings - ``` - - 5) [go/v4] Update your `Dockerfile` file with the below changes: - ```diff - - FROM golang:1.21 AS builder - + FROM golang:1.22 AS builder - ``` - - 6) [go/v4] Update your `main.go` file with the below changes: - ```diff - "sigs.k8s.io/controller-runtime/pkg/log/zap" - + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" - - var enableHTTP2 bool - - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - + var tlsOpts []func(*tls.Config) - + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ - + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.BoolVar(&enableLeaderElection, "leader-elect", false, - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") - - flag.BoolVar(&secureMetrics, "metrics-secure", false, - - "If set the metrics endpoint is served securely") - + flag.BoolVar(&secureMetrics, "metrics-secure", true, - + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") - - - tlsOpts := []func(*tls.Config){} - - + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. 
- + // More info: - + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server - + // - https://book.kubebuilder.io/reference/metrics.html - + metricsServerOptions := metricsserver.Options{ - + BindAddress: metricsAddr, - + SecureServing: secureMetrics, - + // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are - + // not provided, self-signed certificates will be generated by default. This option is not recommended for - + // production environments as self-signed certificates do not offer the same level of trust and security - + // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing - + // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName - + // to provide certificates, ensuring the server communicates using trusted and secure certificates. - + TLSOpts: tlsOpts, - + } - + - + if secureMetrics { - + // FilterProvider is used to protect the metrics endpoint with authn/authz. - + // These configurations ensure that only authorized users and service accounts - + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: - + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization - + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization - + } - + - mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - - Scheme: scheme, - - Metrics: metricsserver.Options{ - - BindAddress: metricsAddr, - - SecureServing: secureMetrics, - - TLSOpts: tlsOpts, - - }, - + Scheme: scheme, - + Metrics: metricsServerOptions, - ``` - 7) [go/v4, helm/v1, ansible/v1] Update your `/config/default/kustomization.yaml` file with the below changes: - ```diff - # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 
- #- ../prometheus - +# [METRICS] Expose the controller manager metrics service. - +- metrics_service.yaml - - +# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager - patches: - -# Protect the /metrics endpoint by putting it behind auth. - -# If you want your controller-manager to expose the /metrics - -# endpoint w/o any authn/z, please comment the following line. - -- path: manager_auth_proxy_patch.yaml - +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. - +# More info: https://book.kubebuilder.io/reference/metrics - +- path: manager_metrics_patch.yaml - + target: - + kind: Deployment - ``` - - 8) [go/v4, helm/v1, ansible/v1] Remove `/config/default/manager_auth_proxy_patch.yaml` and `/config/default/manager_config_patch.yaml` files. - - 9) [go/v4, helm/v1, ansible/v1] Add `/config/default/manager_metrics_patch.yaml` file with the below changes: - ```diff - # This patch adds the args to allow exposing the metrics endpoint using HTTPS - - op: add - path: /spec/template/spec/containers/0/args/0 - value: --metrics-bind-address=:8443 - ``` - - 10) [helm/v1, ansible/v1] Update `/config/default/manager_metrics_patch.yaml` file with the below changes: - ```diff - # This patch adds the args to allow securing the metrics endpoint - - op: add - path: /spec/template/spec/containers/0/args/0 - value: --metrics-secure - # This patch adds the args to allow RBAC-based authn/authz the metrics endpoint - - op: add - path: /spec/template/spec/containers/0/args/0 - value: --metrics-require-rbac - ``` - - 11) [go/v4, helm/v1, ansible/v1] Add `/config/default/metrics_service.yaml` file with the below changes: - ```diff - apiVersion: v1 - kind: Service - metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: - app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-service - namespace: system - spec: - ports: - - name: https - port: 8443 - protocol: 
TCP - targetPort: 8443 - selector: - control-plane: controller-manager - ``` - - 12) [go/v4, helm/v1, ansible/v1] Update your `/config/manager/manager.yaml` file with the below changes (**Note: The port for ansible is 6789**): - ```diff - - --leader-elect - + - --health-probe-bind-address=:8081 - ``` - - 13) [go/v4, helm/v1, ansible/v1] Update your `/config/prometheus/monitor/yaml` file with the below changes: - ```diff - - path: /metrics - - port: https - + port: https # Ensure this is the name of the port that exposes HTTPS metrics - tlsConfig: - + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables - + # certificate verification. This poses a significant security risk by making the system vulnerable to - + # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between - + # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, - + # compromising the integrity and confidentiality of the information. - + # Please use the following options for secure configurations: - + # caFile: /etc/metrics-certs/ca.crt - + # certFile: /etc/metrics-certs/tls.crt - + # keyFile: /etc/metrics-certs/tls.key - insecureSkipVerify: true - ``` - - 14) [go/v4, helm/v1, ansible/v1] Remove the following files from `/config/rbac` - ```diff - - auth_proxy_client_clusterrole.yaml - - auth_proxy_role.yaml - - auth_proxy_role_binding.yaml - - auth_proxy_service.yaml - ``` - - 15) [go/v4, helm/v1, ansible/v1] Update your `/config/rbac/kustomization.yaml` file with the below changes: - ```diff - - leader_election_role_binding.yaml - - # Comment the following 4 lines if you want to disable - - # the auth proxy (https://github.com/brancz/kube-rbac-proxy) - - # which protects your /metrics endpoint. 
- - - auth_proxy_service.yaml - - - auth_proxy_role.yaml - - - auth_proxy_role_binding.yaml - - - auth_proxy_client_clusterrole.yaml - + # The following RBAC configurations are used to protect - + # the metrics endpoint with authn/authz. These configurations - + # ensure that only authorized users and service accounts - + # can access the metrics endpoint. Comment the following - + # permissions if you want to disable this protection. - + # More info: https://book.kubebuilder.io/reference/metrics.html - + - metrics_auth_role.yaml - + - metrics_auth_role_binding.yaml - + - metrics_reader_role.yaml - ``` - - 16) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_auth_role.yaml` file with the below changes: - ```diff - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: metrics-auth-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - ``` - - 17) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_auth_role_binding.yaml` file with the below changes: - ```diff - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: metrics-auth-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metrics-auth-role - subjects: - - kind: ServiceAccount - name: controller-manager - namespace: system - ``` - - 18) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_reader_role.yaml` file with the below changes: - ```diff - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: metrics-reader - rules: - - nonResourceURLs: - - "/metrics" - verbs: - - get - ``` diff --git a/changelog/fragments/fix-run-bundle-yaml-split.yaml b/changelog/fragments/fix-run-bundle-yaml-split.yaml deleted file mode 100644 index e3edd3b7b4c..00000000000 --- a/changelog/fragments/fix-run-bundle-yaml-split.yaml +++ /dev/null 
@@ -1,5 +0,0 @@
-entries:
- - description: >
- Fix naive YAML split in `run bundle` command.
- kind: "bugfix"
- breaking: false
diff --git a/changelog/generated/v1.38.0.md b/changelog/generated/v1.38.0.md
new file mode 100644
index 00000000000..514b60df4f3
--- /dev/null
+++ b/changelog/generated/v1.38.0.md
@@ -0,0 +1,11 @@
+## v1.38.0
+
+### Changes
+
+- For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.30 API's and Kubebuilder v4 Scaffolding, specifically utilizing the v4.1.1 version. The update to Kubebuiler results in some scaffolding changes which more information can be found below: - Discontinue usage of [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) in the default scaffolding of new projects. For further information, see: [Action Required: Ensure that you no longer use gcr.io/kubebuilder images](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907) - The `go/v2` or `go/v3` layouts have been removed, you must upgrade to `go/v4` to be compatible with this release and future updates. To know how to upgrade,check the [migration documentation](https://book.kubebuilder.io/migration/v3vsv4). - Re-introduces authn/authz protection for the metrics endpoint using [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35) provided by controller-runtime instead of kube-rbac-proxy; which usage was [discontinued in the project](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907). Please, ensure that you no longer use the image `gcr.io/kubebuilder/kube-rbac-proxy`. Images provided under `gcr.io/kubebuilder/` will be unavailable from **March 18, 2025**. To learn more about any of the metrics changes please look at the Kubebuilder book [metrics](https://book.kubebuilder.io/reference/metrics) page.
+For `Helm-based` and `Ansible-based` operators, a new flag called `metrics-require-rbac` was introduced into the runtime/binary, to control adding [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35) to `Metrics.FilterProvider` of controller-runtime.
This was done to ensure forwards and backwards compatibility of the binary and images with any scaffolded content. ([#6862](https://github.com/operator-framework/operator-sdk/pull/6862))
+
+### Bug Fixes
+
+- An additional condition is included for matching `apiVersion` of example CRs with CRD `version` when searching for the CRD in the CSV. Previously, The `olm-spec-descriptors` scorecard test failed when multiple versions of CRD is included in the CSV. The CR specified in `alm-examples` annotations are validated only against the first matched CRD (by name), which is incorrect. This ensures the correct CRD version is selected for validations. ([#6784](https://github.com/operator-framework/operator-sdk/pull/6784))
+- Fix naive YAML split in `run bundle` command. ([#6829](https://github.com/operator-framework/operator-sdk/pull/6829))
diff --git a/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml
index aaf374d37d7..ea6b807940d 100644
--- a/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml
+++ b/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml
@@ -8,7 +8,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: basic
 test: basic-check-spec-test
@@ -18,7 +18,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -28,7 +28,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-spec-descriptors-test @@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml index fd6200ae975..84683cf8d7b 100644 --- a/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml +++ b/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: basic test: basic-check-spec-test diff --git a/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml index a547ce213df..43f40a8b3f1 100644 --- a/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml +++ b/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-bundle-validation-test 
@@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml index aaf374d37d7..ea6b807940d 100644 --- a/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml +++ b/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-bundle-validation-test 
@@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-spec-descriptors-test @@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml index fd6200ae975..84683cf8d7b 100644 --- a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml +++ b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.37.0 + image: quay.io/operator-framework/scorecard-test:v1.38.0 labels: suite: basic test: basic-check-spec-test diff --git a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml index a547ce213df..43f40a8b3f1 100644 --- a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml 
+++ b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@
 entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
 entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
 entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/testdata/helm/memcached-operator/Dockerfile b/testdata/helm/memcached-operator/Dockerfile
index 9abcc9d8af9..ec384f7b47c 100644
--- a/testdata/helm/memcached-operator/Dockerfile
+++ b/testdata/helm/memcached-operator/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM quay.io/operator-framework/helm-operator:v1.37.0
+FROM quay.io/operator-framework/helm-operator:v1.38.0

 ENV HOME=/opt/helm
 COPY watches.yaml ${HOME}/watches.yaml
diff --git a/testdata/helm/memcached-operator/Makefile b/testdata/helm/memcached-operator/Makefile
index c0b5884bc10..d0ad765f602 100644
--- a/testdata/helm/memcached-operator/Makefile
+++ b/testdata/helm/memcached-operator/Makefile
@@ -147,7 +147,7 @@ ifeq (,$(shell which helm-operator 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(HELM_OPERATOR)) ;\
- curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.37.0/helm-operator_$(OS)_$(ARCH) ;\
+ curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.38.0/helm-operator_$(OS)_$(ARCH) ;\
 chmod +x $(HELM_OPERATOR) ;\
 }
 else
diff --git a/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml
index aaf374d37d7..ea6b807940d 100644
--- a/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml
+++ b/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml
@@ -8,7 +8,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: basic
 test: basic-check-spec-test
@@ -18,7 +18,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -28,7 +28,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -38,7 +38,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-resources-test
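Review bot: The new `curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.38.0/helm-operator_$(OS)_$(ARCH) ;\` line in the helm-operator recipe downloads a binary and the following `chmod +x $(HELM_OPERATOR) ;\` marks it executable with no integrity check, so whatever that URL serves is installed into `$(HELM_OPERATOR)` and run as-is. Because the recipe already runs under `set -e ;\`, a verification step between the download and the `chmod +x` would abort the install on mismatch: add a pinned `HELM_OPERATOR_SHA256 ?= <digest>` variable next to the `HELM_OPERATOR` definition and insert `echo "$(HELM_OPERATOR_SHA256)  $(HELM_OPERATOR)" | sha256sum -c - ;\` (or `shasum -a 256 -c` where coreutils is absent) before the `chmod +x` line. The digest would then be bumped together with the version on each release, presumably taken from a checksum file published with the release assets — confirm one exists for v1.38.0 before relying on it. If this Makefile is generated testdata, the change belongs in the template that emits it rather than only here. The enclosing target starts before the hunk; only the `ifeq` guard is visible in the hunk header.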
@@ -48,7 +48,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -58,7 +58,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml
index fd6200ae975..84683cf8d7b 100644
--- a/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml
+++ b/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml
@@ -4,7 +4,7 @@
 entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: basic
 test: basic-check-spec-test
diff --git a/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml
index a547ce213df..43f40a8b3f1 100644
--- a/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml
+++ b/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@
 entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
 entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
 entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.37.0
+ image: quay.io/operator-framework/scorecard-test:v1.38.0
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/website/config.toml b/website/config.toml
index 9fe6e336651..08489fa26f7 100644
--- a/website/config.toml
+++ b/website/config.toml
@@ -93,20 +93,26 @@ url_latest_version = "https://sdk.operatorframework.io"
 version = "master"
 url = "https://master.sdk.operatorframework.io"
 ##LATEST_RELEASE_KUBE_VERSION##
- kube_version = "1.29.0"
+ kube_version = "1.30.0"
 ##LATEST_RELEASE_CLIENT_GO_VERSION##
- client_go_version = "v0.29.3"
+ client_go_version = "v0.30.5"
 [[params.versions]]
 version = "Latest Release"
 url = "https://sdk.operatorframework.io"
 ##LATEST_RELEASE_KUBE_VERSION##
- kube_version = "1.29.0"
+ kube_version = "1.30.0"
 ##LATEST_RELEASE_CLIENT_GO_VERSION##
- client_go_version = "v0.29.3"
+ client_go_version = "v0.30.5"
 ##RELEASE_ADDME##
+[[params.versions]]
+ version = "v1.38"
+ url = "https://v1-38-x.sdk.operatorframework.io"
+ kube_version = "1.30.0"
+ client_go_version = "v0.30.5"
+
 [[params.versions]]
 version = "v1.37"
 url = "https://v1-37-x.sdk.operatorframework.io"
diff --git a/website/content/en/docs/installation/_index.md b/website/content/en/docs/installation/_index.md
index bfea3815d69..cfb4669694e 100644
--- a/website/content/en/docs/installation/_index.md
+++ b/website/content/en/docs/installation/_index.md
@@ -36,7 +36,7 @@ export OS=$(uname | awk '{print tolower($0)}')
 Download the binary for your platform:
 ```sh
-export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/v1.37.0
+export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/v1.38.0
 curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH}
 ```
diff --git a/website/content/en/docs/upgrading-sdk-version/v1.38.0.md b/website/content/en/docs/upgrading-sdk-version/v1.38.0.md
new file mode 100644
index 00000000000..db0edfa0d67
--- /dev/null
+++ b/website/content/en/docs/upgrading-sdk-version/v1.38.0.md
@@ -0,0 +1,314 @@ +--- +title: v1.38.0 +weight: 998962000 +--- + +## Upgrade K8s versions to use 1.30 and Kubebuilder v4 + +This update has a lot of scaffolding changes due to the removal of [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy), +if these migrations become difficult to follow, it might be beneficial to scaffold a net new sample project to compare. + +1) [helm/v1, ansible/v1] Update the kustomize version in your Makefile + ```diff + - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.0/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \ + + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.2/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \ + ``` + +2) [go/v4] Update your `go.mod` file to upgrade the dependencies and run `go mod tidy` to download them + ```go + go 1.22.0 + + github.com/onsi/ginkgo/v2 v2.17.1 + github.com/onsi/gomega v1.32.0 + k8s.io/api v0.30.1 + k8s.io/apimachinery v0.30.1 + k8s.io/client-go v0.30.1 + sigs.k8s.io/controller-runtime v0.18.4 + ``` +3) [go/v4] Update your `Makefile` with the below changes: + ```diff + - ENVTEST_K8S_VERSION = 1.29.0 + + ENVTEST_K8S_VERSION = 1.30.0 + ``` + + ```diff + - KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION) + - CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION) + - ENVTEST ?= $(LOCALBIN)/setup-envtest-$(ENVTEST_VERSION) + - GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION) + + KUSTOMIZE ?= $(LOCALBIN)/kustomize + + CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen + + ENVTEST ?= $(LOCALBIN)/setup-envtest + + GOLANGCI_LINT = $(LOCALBIN)/golangci-lint + ``` + + ```diff + - KUSTOMIZE_VERSION ?= v5.3.0 + - CONTROLLER_TOOLS_VERSION ?= v0.14.0 + - ENVTEST_VERSION ?= release-0.17 + - GOLANGCI_LINT_VERSION ?= v1.57.2 + + KUSTOMIZE_VERSION ?= v5.4.2 + + CONTROLLER_TOOLS_VERSION ?= v0.15.0 + + ENVTEST_VERSION ?= release-0.18 + + GOLANGCI_LINT_VERSION ?= v1.59.1 + ``` + + ```diff + - $(call 
go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION}) + + $(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) + ``` + + ```diff + - @[ -f $(1) ] || { \ + + @[ -f "$(1)-$(3)" ] || { \ + echo "Downloading $${package}" ;\ + + rm -f $(1) || true ;\ + - mv "$$(echo "$(1)" | sed "s/-$(3)$$//")" $(1) ;\ + - } + + mv $(1) $(1)-$(3) ;\ + + } ;\ + + ln -sf $(1)-$(3) $(1) + ``` + +4) [go/v4] Update your `.golangci.yml` with the below changes: + ```diff + - exportloopref + + - ginkgolinter + - prealloc + + - revive + + + + linters-settings: + + revive: + + rules: + + - name: comment-spacings + ``` + +5) [go/v4] Update your `Dockerfile` file with the below changes: + ```diff + - FROM golang:1.21 AS builder + + FROM golang:1.22 AS builder + ``` + +6) [go/v4] Update your `main.go` file with the below changes: + ```diff + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" + + var enableHTTP2 bool + - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + + var tlsOpts []func(*tls.Config) + + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + - flag.BoolVar(&secureMetrics, "metrics-secure", false, + - "If set the metrics endpoint is served securely") + + flag.BoolVar(&secureMetrics, "metrics-secure", true, + + "If set, the metrics endpoint is served securely via HTTPS. 
Use --metrics-secure=false to use HTTP instead.") + + - tlsOpts := []func(*tls.Config){} + + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + + // More info: + + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server + + // - https://book.kubebuilder.io/reference/metrics.html + + metricsServerOptions := metricsserver.Options{ + + BindAddress: metricsAddr, + + SecureServing: secureMetrics, + + // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are + + // not provided, self-signed certificates will be generated by default. This option is not recommended for + + // production environments as self-signed certificates do not offer the same level of trust and security + + // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing + + // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName + + // to provide certificates, ensuring the server communicates using trusted and secure certificates. + + TLSOpts: tlsOpts, + + } + + + + if secureMetrics { + + // FilterProvider is used to protect the metrics endpoint with authn/authz. + + // These configurations ensure that only authorized users and service accounts + + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. 
More info: + + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization + + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + } + + + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ + - Scheme: scheme, + - Metrics: metricsserver.Options{ + - BindAddress: metricsAddr, + - SecureServing: secureMetrics, + - TLSOpts: tlsOpts, + - }, + + Scheme: scheme, + + Metrics: metricsServerOptions, + ``` + +7) [go/v4, helm/v1, ansible/v1] Update your `/config/default/kustomization.yaml` file with the below changes: + ```diff + # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. + #- ../prometheus + + # [METRICS] Expose the controller manager metrics service. + + - metrics_service.yaml + + + # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager + patches: + - # Protect the /metrics endpoint by putting it behind auth. + - # If you want your controller-manager to expose the /metrics + - # endpoint w/o any authn/z, please comment the following line. + - - path: manager_auth_proxy_patch.yaml + + # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. + + # More info: https://book.kubebuilder.io/reference/metrics + + - path: manager_metrics_patch.yaml + + target: + + kind: Deployment + ``` + +8) [go/v4, helm/v1, ansible/v1] Remove `/config/default/manager_auth_proxy_patch.yaml` and `/config/default/manager_config_patch.yaml` files. 
+ +9) [go/v4, helm/v1, ansible/v1] Add `/config/default/manager_metrics_patch.yaml` file with the below changes: + ```diff + # This patch adds the args to allow exposing the metrics endpoint using HTTPS + - op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 + ``` + +10) [helm/v1, ansible/v1] Update `/config/default/manager_metrics_patch.yaml` file with the below changes: + ```diff + # This patch adds the args to allow securing the metrics endpoint + - op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure + # This patch adds the args to allow RBAC-based authn/authz the metrics endpoint + - op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-require-rbac + ``` + +11) [go/v4, helm/v1, ansible/v1] Add `/config/default/metrics_service.yaml` file with the below changes: + ```diff + apiVersion: v1 + kind: Service + metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system + spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager + ``` + +12) [go/v4, helm/v1, ansible/v1] Update your `/config/manager/manager.yaml` file with the below changes (**Note: The port for ansible is 6789**): + ```diff + - --leader-elect + + - --health-probe-bind-address=:8081 + ``` + +13) [go/v4, helm/v1, ansible/v1] Update your `/config/prometheus/monitor/yaml` file with the below changes: + ```diff + - path: /metrics + - port: https + + port: https # Ensure this is the name of the port that exposes HTTPS metrics + tlsConfig: + + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + + # certificate verification. 
This poses a significant security risk by making the system vulnerable to + + # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between + + # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, + + # compromising the integrity and confidentiality of the information. + + # Please use the following options for secure configurations: + + # caFile: /etc/metrics-certs/ca.crt + + # certFile: /etc/metrics-certs/tls.crt + + # keyFile: /etc/metrics-certs/tls.key + insecureSkipVerify: true + ``` + +14) [go/v4, helm/v1, ansible/v1] Remove the following files from `/config/rbac` + ```diff + - auth_proxy_client_clusterrole.yaml + - auth_proxy_role.yaml + - auth_proxy_role_binding.yaml + - auth_proxy_service.yaml + ``` + +15) [go/v4, helm/v1, ansible/v1] Update your `/config/rbac/kustomization.yaml` file with the below changes: + ```diff + - leader_election_role_binding.yaml + - # Comment the following 4 lines if you want to disable + - # the auth proxy (https://github.com/brancz/kube-rbac-proxy) + - # which protects your /metrics endpoint. + - - auth_proxy_service.yaml + - - auth_proxy_role.yaml + - - auth_proxy_role_binding.yaml + - - auth_proxy_client_clusterrole.yaml + + # The following RBAC configurations are used to protect + + # the metrics endpoint with authn/authz. These configurations + + # ensure that only authorized users and service accounts + + # can access the metrics endpoint. Comment the following + + # permissions if you want to disable this protection. 
+ + # More info: https://book.kubebuilder.io/reference/metrics.html + + - metrics_auth_role.yaml + + - metrics_auth_role_binding.yaml + + - metrics_reader_role.yaml + ``` + +16) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_auth_role.yaml` file with the below changes: + ```diff + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: metrics-auth-role + rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + ``` + +17) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_auth_role_binding.yaml` file with the below changes: + ```diff + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: metrics-auth-rolebinding + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role + subjects: + - kind: ServiceAccount + name: controller-manager + namespace: system + ``` + +18) [go/v4, helm/v1, ansible/v1] Add `/config/rbac/metrics_reader_role.yaml` file with the below changes: + ```diff + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: metrics-reader + rules: + - nonResourceURLs: + - "/metrics" + verbs: + - get + ``` + +_See [#6862](https://github.com/operator-framework/operator-sdk/pull/6862) for more details._