Merge branch 'main' into metrics

.github/workflows/golangci-lint.yaml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.21'
           cache: false
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3

.github/workflows/run-vuln-check.yaml

@@ -0,0 +1,19 @@
+name: Run vuln check
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: vulncheck
+      uses: golang/govulncheck-action@v1
+      with:
+        go-version-input: 1.21.5
+        go-package: ./...

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20 as builder
+FROM golang:1.21.5 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Makefile

@@ -46,7 +46,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=infrastructure-manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

cmd/main.go

@@ -38,11 +38,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 )
 
-// The ratio determines what is the minimal time that needs to pass to rotate certificate.
-const minimalRotationTimeRatio = 0.6
-
 var (
 	scheme   = runtime.NewScheme()        //nolint:gochecknoglobals
 	setupLog = ctrl.Log.WithName("setup") //nolint:gochecknoglobals
@@ -55,6 +53,7 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
+const defaultMinimalRotationTimeRatio = 0.6
 const defaultExpirationTime = 24 * time.Hour
 
 func main() {
@@ -63,6 +62,7 @@ func main() {
 	var probeAddr string
 	var gardenerKubeconfigPath string
 	var gardenerProjectName string
+	var minimalRotationTimeRatio float64
 	var expirationTime time.Duration
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
@@ -72,6 +72,7 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.StringVar(&gardenerKubeconfigPath, "gardener-kubeconfig-path", "/gardener/kubeconfig/kubeconfig", "Kubeconfig file for Gardener cluster")
 	flag.StringVar(&gardenerProjectName, "gardener-project-name", "gardener-project", "Name of the Gardener project")
+	flag.Float64Var(&minimalRotationTimeRatio, "minimal-rotation-time", defaultMinimalRotationTimeRatio, "The ratio determines what is the minimal time that needs to pass to rotate certificate.")
 	flag.DurationVar(&expirationTime, "kubeconfig-expiration-time", defaultExpirationTime, "Dynamic kubeconfig expiration time")
 
 	opts := zap.Options{
@@ -85,9 +86,11 @@ func main() {
 	ctrl.SetLogger(logger)
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+		Metrics: metricsserver.Options{
+			BindAddress: metricsAddr,
+		},
+
 		Scheme:                 scheme,
-		MetricsBindAddress:     metricsAddr,
-		Port:                   9443, //nolint:gomnd
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "f1c68560.kyma-project.io",

config/default/kustomization.yaml

@@ -28,7 +28,7 @@ resources:
 
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
+# If you want your infrastructure-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
 - manager_auth_proxy_patch.yaml
 - manager_gardener_secret_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -3,7 +3,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system
 spec:
   template:

config/default/manager_config_patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system
 spec:
   template:

config/default/manager_gardener_secret_patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system
 spec:
   template:
@@ -21,6 +21,7 @@ spec:
             - --gardener-kubeconfig-path=/gardener/credentials/kubeconfig
             - --gardener-project-name=kyma-dev
             - --kubeconfig-expiration-time=24h
+            - --minimal-rotation-time=0.6
           volumeMounts:
             - name: gardener-kubeconfig
               mountPath: /gardener/credentials

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: custom-infrastructure-manager
-  newTag: 0.0.1
+  newName: custom-im
+  newTag: 2.2.7

config/manager/manager.yaml

@@ -5,7 +5,7 @@ metadata:
     control-plane: infrastructure-manager
     app.kubernetes.io/name: infrastructure-manager
     app.kubernetes.io/instance: system
-    app.kubernetes.io/component: manager
+    app.kubernetes.io/component: infrastructure-manager.kyma-project.io
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
@@ -14,7 +14,7 @@ metadata:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system
   labels:
     control-plane: infrastructure-manager
@@ -27,14 +27,16 @@ metadata:
 spec:
   selector:
     matchLabels:
-      control-plane: controller-manager
+      control-plane: infrastructure-manager
+      app.kubernetes.io/component: infrastructure-manager.kyma-project.io
   replicas: 1
   template:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
       labels:
-        control-plane: controller-manager
+        control-plane: infrastructure-manager
+        app.kubernetes.io/component: infrastructure-manager.kyma-project.io
     spec:
       # TODO(user): Uncomment the following code to configure the nodeAffinity expression
       # according to the platforms which are supported by your solution.
@@ -101,5 +103,5 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
-      serviceAccountName: controller-manager
+      serviceAccountName: infrastructure-manager
       terminationGracePeriodSeconds: 10

config/prometheus/monitor.yaml

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager-metrics-monitor
+  name: infrastructure-manager-metrics-monitor
   namespace: system
 spec:
   endpoints:

config/rbac/auth_proxy_role_binding.yaml

@@ -15,5 +15,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system

config/rbac/auth_proxy_service.yaml

@@ -2,14 +2,14 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    control-plane: controller-manager
+    control-plane: infrastructure-manager
     app.kubernetes.io/name: service
-    app.kubernetes.io/instance: controller-manager-metrics-service
+    app.kubernetes.io/instance: infrastructure-manager-metrics-service
     app.kubernetes.io/component: kube-rbac-proxy
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager-metrics-service
+  name: infrastructure-manager-metrics-service
   namespace: system
 spec:
   ports:
@@ -18,4 +18,4 @@ spec:
     protocol: TCP
     targetPort: https
   selector:
-    control-plane: controller-manager
+    control-plane: infrastructure-manager

config/rbac/leader_election_role_binding.yaml

@@ -3,17 +3,17 @@ kind: RoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: rolebinding
-    app.kubernetes.io/instance: leader-election-rolebinding
+    app.kubernetes.io/instance: infrastructure-manager-le-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
-  name: leader-election-rolebinding
+  name: infrastructure-manager-le-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system

config/rbac/role.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: infrastructure-manager-role
 rules:
 - apiGroups:
   - ""

config/rbac/role_binding.yaml

@@ -3,17 +3,17 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/instance: infrastructure-manager-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
+  name: infrastructure-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: infrastructure-manager-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system

config/rbac/service_account.yaml

@@ -3,10 +3,10 @@ kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: serviceaccount
-    app.kubernetes.io/instance: controller-manager-sa
+    app.kubernetes.io/instance: infrastructure-manager-sa
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager
+  name: infrastructure-manager
   namespace: system

docs/README.md

@@ -13,7 +13,9 @@ Run `make test` to see if all tests are passing.
 You can configure the Infrastructure Manager deployment with the following arguments:
 1. `gardener-kubeconfig-path` - defines the path to the Gardener project kubeconfig used during API calls
 2. `gardener-project` - the name of the Gardener project where the infrastructure operations are performed
-3. `kubeconfig-expiration-time` - maximum time after which kubeconfig is rotated. The rotation happens between `0.6 * kubeconfig-expiration-time` and `kubeconfig-expiration-time`. 
+3. `minimal-rotation-time` - the ratio determines what is the minimal time that needs to pass to rotate the certificate
+4. `kubeconfig-expiration-time` - maximum time after which kubeconfig is rotated. The rotation happens between (`minimal-rotation-time` * `kubeconfig-expiration-time`) and `kubeconfig-expiration-time`. 
+
 
 See [manager_gardener_secret_patch.yaml](../config/default/manager_gardener_secret_patch.yaml) for default values.