Remove kube-rbac-proxy references and implement upgrade-sdk 1.38 changes

config/debug/kustomization-cluster.yaml

@@ -119,7 +119,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/1/env
       value: 
       - name: WATCH_NAMESPACE
         value: WATCH_NAMESPACE_VALUE

config/debug/kustomization-namespace.yaml

@@ -119,7 +119,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/1/env
       value: 
       - name: WATCH_NAMESPACE
         valueFrom:

config/debug/kustomization.yaml

@@ -25,12 +25,10 @@ bases:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
 - debug-sidecar-patch.yaml
 
 
@@ -121,7 +119,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/1/env
       value: 
       - name: WATCH_NAMESPACE
         value: WATCH_NAMESPACE_VALUE
@@ -134,4 +132,9 @@ patches:
       - name: POD_NAME
         valueFrom:
           fieldRef:
-            fieldPath: metadata.name
+            fieldPath: metadata.name
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+# More info: https://book.kubebuilder.io/reference/metrics
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment

config/debug/manager_metrics_patch.yaml

@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/1/args/0
+  value: --metrics-bind-address=:8443

config/debug/metrics_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: controller-manager
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    control-plane: controller-manager

config/default/kustomization-cluster.yaml

@@ -119,7 +119,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/0/env
       value: 
       - name: WATCH_NAMESPACE
         value: WATCH_NAMESPACE_VALUE

config/default/kustomization-namespace.yaml

@@ -119,7 +119,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/0/env
       value: 
       - name: WATCH_NAMESPACE
         valueFrom:

config/default/kustomization.yaml

@@ -25,13 +25,11 @@ bases:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
 
-patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
 
+patchesStrategicMerge:
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml
@@ -119,7 +117,7 @@ patches:
     name: controller-manager
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/2/env
+      path: /spec/template/spec/containers/0/env
       value: 
       - name: WATCH_NAMESPACE
         value: WATCH_NAMESPACE_VALUE
@@ -132,4 +130,9 @@ patches:
       - name: POD_NAME
         valueFrom:
           fieldRef:
-            fieldPath: metadata.name
+            fieldPath: metadata.name
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+# More info: https://book.kubebuilder.io/reference/metrics
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment

config/default/manager_metrics_patch.yaml

@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443

config/default/metrics_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: controller-manager
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    control-plane: controller-manager

config/manager/manager.yaml

@@ -42,6 +42,7 @@ spec:
         - /manager
         args:
         - --leader-elect
+        - --health-probe-bind-address=:8081
         - --pprof
         image: controller:latest
         imagePullPolicy: Always

config/prometheus/monitor.yaml

@@ -10,10 +10,19 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
+      port: https # Ensure this is the name of the port that exposes HTTPS metrics
       scheme: https
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
+        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
+        # certificate verification. This poses a significant security risk by making the system vulnerable to
+        # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
+        # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
+        # compromising the integrity and confidentiality of the information.
+        # Please use the following options for secure configurations:
+        # caFile: /etc/metrics-certs/ca.crt
+        # certFile: /etc/metrics-certs/tls.crt
+        # keyFile: /etc/metrics-certs/tls.key
         insecureSkipVerify: true
   selector:
     matchLabels:

config/rbac/kustomization.yaml

@@ -9,10 +9,12 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml

config/rbac/metrics_auth_role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-auth-role
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create