From b0fc150e6b96b58f351ad27bea3c6f3dc599ba7e Mon Sep 17 00:00:00 2001 From: Kajeepan Kandeepan Date: Wed, 18 Mar 2026 12:39:03 +0100 Subject: [PATCH 1/2] refactor: remove kube-rbac-proxy and update metrics service configuration --- Dockerfile | 2 +- .../src/assets/service_monitor.yaml | 7 ++---- chirpstack-operator/src/bin/controller.rs | 2 +- config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 23 ++---------------- ...roxy-service.yaml => metrics-service.yaml} | 8 +++---- .../rbac/auth_proxy_client_clusterrole.yaml | 16 ------------- config/rbac/auth_proxy_role.yaml | 24 ------------------- config/rbac/auth_proxy_role_binding.yaml | 19 --------------- config/rbac/kustomization.yaml | 3 --- 10 files changed, 11 insertions(+), 95 deletions(-) rename config/manager/{auth-proxy-service.yaml => metrics-service.yaml} (82%) delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 config/rbac/auth_proxy_role.yaml delete mode 100644 config/rbac/auth_proxy_role_binding.yaml diff --git a/Dockerfile b/Dockerfile index 26f1ef8..08fcb0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1.82 AS builder +FROM rust:1.88 AS builder ENV CARGO_HOME=/usr/local/cargo ENV RUSTUP_HOME=/usr/local/rustup diff --git a/chirpstack-operator/src/assets/service_monitor.yaml b/chirpstack-operator/src/assets/service_monitor.yaml index 9dbcb7b..2f38240 100644 --- a/chirpstack-operator/src/assets/service_monitor.yaml +++ b/chirpstack-operator/src/assets/service_monitor.yaml @@ -14,11 +14,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/chirpstack-operator/src/bin/controller.rs b/chirpstack-operator/src/bin/controller.rs index 00328f9..aa7cfbd 100644 --- a/chirpstack-operator/src/bin/controller.rs 
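Review bot: The scrape endpoint under `spec.endpoints` now uses `scheme: http` with no `bearerTokenFile`, so nothing authenticates or authorizes a scrape any more; the same exposure runs through the listener change in `controller.rs`, the `containerPort: 8383` in `config/manager/manager.yaml` and the Service in `config/manager/metrics-service.yaml`. The removed sidecar's `proxy-role` is what allowed the TokenReview/SubjectAccessReview check, and the `metrics-reader` ClusterRole that gated `/metrics` is deleted in this patch as well, so any workload that can reach port 8383 can read the operator's metrics in clear text. No compensating control is visible in this patch; I would add a NetworkPolicy that admits ingress to the `metrics` port only from the monitoring namespace, and state the reduced protection in the commit message, which currently labels the change a refactor. If the deployment relies on an existing cluster-wide policy instead, a comment above the endpoint would be enough, e.g. `# plain HTTP: access is restricted by NetworkPolicy, not by the endpoint`.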
+++ b/chirpstack-operator/src/bin/controller.rs @@ -291,7 +291,7 @@ async fn main() -> Result<(), Box> { .expect("Failed to install rustls crypto provider"); PrometheusBuilder::new() - .with_http_listener(([127, 0, 0, 1], 8383)) + .with_http_listener(([0, 0, 0, 0], 8383)) .set_buckets(&[0.1, 0.5, 1.0, 3.0])? .install()?; diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 8b6bd0c..207a92a 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization resources: - ./manager.yaml -- ./auth-proxy-service.yaml +- ./metrics-service.yaml images: - name: chirpstack-operator newName: ghcr.io/deepshore/chirpstack-operator diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index aac083b..1ddc35e 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -49,28 +49,9 @@ spec: fieldPath: metadata.namespace - name: RUST_LOG value: info - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8383/" - - "--logtostderr=true" - - "--v=0" ports: - - containerPort: 8443 + - containerPort: 8383 protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi + name: metrics serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/manager/auth-proxy-service.yaml b/config/manager/metrics-service.yaml similarity index 82% rename from config/manager/auth-proxy-service.yaml rename to config/manager/metrics-service.yaml index d497659..8f6076c 100644 --- a/config/manager/auth-proxy-service.yaml +++ b/config/manager/metrics-service.yaml 
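Review bot: The bind address in `main` is hard-coded to `[0, 0, 0, 0]`, which opens the exporter on every IPv4 interface of the pod and leaves no way to return to loopback without a rebuild. I would read the address from configuration and keep the wildcard only as the in-cluster default, e.g. parse a `SocketAddr` from an environment variable (a new setting, say `METRICS_BIND_ADDR`) and pass it as `.with_http_listener(metrics_addr)`. An IPv4 wildcard also does not accept IPv6 connections, so on an IPv6-only cluster the Service would have nothing to reach; whether that matters depends on the clusters this operator targets. At minimum the line deserves a comment such as `// Unauthenticated plain HTTP; reachable from the pod network, restrict with NetworkPolicy.` The body of `main` starts and ends outside the hunk.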
@@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: manager app.kubernetes.io/created-by: chirpstack-operator app.kubernetes.io/part-of: chirpstack-operator app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: metrics + port: 8383 protocol: TCP - targetPort: https + targetPort: metrics selector: control-plane: controller-manager diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index abd646f..0000000 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: chirpstack-operator - app.kubernetes.io/part-of: chirpstack-operator - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 797c535..0000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: chirpstack-operator - app.kubernetes.io/part-of: chirpstack-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 849e737..0000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: chirpstack-operator - app.kubernetes.io/part-of: chirpstack-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 2fd27e5..b4808f1 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -5,6 +5,3 @@ resources: - service_account.yaml - role.yaml - role_binding.yaml - - auth_proxy_client_clusterrole.yaml - - auth_proxy_role_binding.yaml - - auth_proxy_role.yaml From 825869e87a4e5486e4e02c2fcfca87a87fa7a2b9 Mon Sep 17 00:00:00 2001 
From: Kajeepan Kandeepan Date: Wed, 18 Mar 2026 12:45:28 +0100 Subject: [PATCH 2/2] chore: update minikube and kubernetes versions in CI workflow --- .github/workflows/ci.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a03c32f..c0c139b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,11 +33,11 @@ jobs: profile: minimal components: rustfmt, clippy - - uses: manusa/actions-setup-minikube@v2.13.0 + - uses: manusa/actions-setup-minikube@v2.16.1 with: - minikube version: 'v1.34.0' + minikube version: 'v1.38.1' driver: docker - kubernetes version: 'v1.31.0' + kubernetes version: 'v1.35.2' github token: ${{ secrets.GITHUB_TOKEN }} start args: "--addons registry --cpus=$MINIKUBE_CPUS --memory=$MINKUBE_MEM"