feat(config): refactor metrics to use Kustomize components and dynamic build directory

Signed-off-by: AvineshTripathi <[email protected]>

Author: AvineshTripathi

Makefile

@@ -62,6 +62,8 @@ CONTROLLER_GEN_PKG := sigs.k8s.io/controller-tools/cmd/controller-gen
 IMG_PREFIX ?= controller
 IMG_TAG ?= latest
 
+ENABLE_METRICS ?= false
+ENABLE_TLS ?= false
 
 # Default value for ignore-not-found flag in undeploy target
 ignore-not-found ?= true
@@ -208,10 +210,9 @@ docker-buildx-reporter: ## Build and push docker image for the reporter for cros
 	- $(CONTAINER_TOOL) buildx rm reporter-builder
 
 .PHONY: build-installer
-build-installer: manifests generate $(KUSTOMIZE) ## Generate a consolidated YAML with CRDs and deployment.
+build-installer: ## Generate a consolidated YAML with CRDs and deployment.
 	mkdir -p dist
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG_PREFIX}:${IMG_TAG}
-	$(KUSTOMIZE) build config/default > dist/install.yaml
+	$(MAKE) -s build-manifests-temp > dist/install.yaml
 
 ## --------------------------------------
 ## Deployment
@@ -223,6 +224,32 @@ ifndef ignore-not-found
   ignore-not-found = false
 endif
 
+# Temporary directory for building manifests
+BUILD_DIR := $(ROOT_DIR)/bin/build
+
+# Internal target to build manifests in a temporary directory to keep the source config clean.
+# This prevents 'kustomize edit' from modifying your local git state.
+# Features (Metrics, TLS) are enabled by adding Kustomize Components to the temporary copy.
+# TODO: we can do better for prometheus metrics ports that are added by manager_prometheus_metrics.yaml
+.PHONY: build-manifests-temp
+build-manifests-temp: manifests $(KUSTOMIZE)
+	@mkdir -p $(BUILD_DIR)
+	@rm -rf $(BUILD_DIR)/config
+	@cp -r config $(BUILD_DIR)/
+	@cd $(BUILD_DIR)/config/manager && $(KUSTOMIZE) edit set image controller=${IMG_PREFIX}:${IMG_TAG}
+	@if [ "$(ENABLE_METRICS)" = "true" ]; then \
+		cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../prometheus; \
+		if [ "$(ENABLE_TLS)" = "true" ]; then \
+			cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../certmanager && \
+			$(KUSTOMIZE) edit add component ../prometheus/tls; \
+		else \
+			cd $(BUILD_DIR)/config/prometheus && $(KUSTOMIZE) edit add patch --path manager_prometheus_metrics.yaml --kind Deployment --name controller-manager; \
+		fi; \
+	fi
+	@$(KUSTOMIZE) build $(BUILD_DIR)/config/default
+	@rm -rf $(BUILD_DIR)/config
+
+
 .PHONY: install
 install: manifests $(KUSTOMIZE) ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	@out="$$( $(KUSTOMIZE) build config/crd 2>/dev/null || true )"; \
@@ -234,13 +261,17 @@ uninstall: manifests $(KUSTOMIZE) ## Uninstall CRDs from the K8s cluster specifi
 	if [ -n "$$out" ]; then echo "$$out" | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -; else echo "No CRDs to delete; skipping."; fi
 
 .PHONY: deploy
-deploy: manifests $(KUSTOMIZE) ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG_PREFIX}:${IMG_TAG}
-	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
+deploy: ## Deploy controller to the K8s cluster. Use ENABLE_METRICS=true and ENABLE_TLS=true to enable features.
+	$(MAKE) -s build-manifests-temp | $(KUBECTL) apply -f -
 
 .PHONY: undeploy
-undeploy: $(KUSTOMIZE) ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+undeploy: ## Undeploy controller from the K8s cluster. Use ENABLE_METRICS=true and ENABLE_TLS=true if they were enabled during deploy.
+	$(MAKE) -s build-manifests-temp | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+
+.PHONY: debug-deploy
+debug-deploy: ## Build and save manifests to debug_manifests.yaml for inspection. Use ENABLE_METRICS=true and ENABLE_TLS=true to enable features.
+	$(MAKE) -s build-manifests-temp > debug_manifests.yaml
+	@echo "Manifests generated in debug_manifests.yaml"
 
 ## --------------------------------------
 ## Testing
@@ -345,7 +376,6 @@ docs-serve: ## Serve mdBook locally.
 .PHONY: crd-ref-docs
 crd-ref-docs:
 	crd-ref-docs \
-		--source-path=${PWD}/api/v1alpha1/ \
 		--config=crd-ref-docs.yaml \
 		--renderer=markdown \
 		--output-path=${PWD}/docs/book/src/reference/api-spec.md

config/certmanager/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 resources:
 - certificate.yaml
 

config/default/kustomization.yaml

@@ -17,97 +17,3 @@ namePrefix: nrr-
 resources:
 - ../rbac
 - ../manager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-- ../prometheus
-# [METRICS] Expose the controller manager metrics service.
-- metrics_service.yaml
-# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy.
-# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
-# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
-# be able to communicate with the Webhook Server.
-#- ../network-policy
-- ../certmanager
-
-# Uncomment the patches line if you enable Metrics
-patches:
-# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
-# More info: https://book.kubebuilder.io/reference/metrics
-- path: manager_metrics_patch.yaml
-  target:
-    kind: Deployment
-
-# Uncomment the patches line if you enable Metrics and CertManager
-# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.
-# This patch will protect the metrics with certManager self-signed certs.
-- path: cert_metrics_manager_patch.yaml
-  target:
-    kind: Deployment
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-# - path: manager_webhook_patch.yaml
-#  target:
-#    kind: Deployment
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-# Uncomment the following replacements to add the cert-manager CA injection annotations
-replacements:
-- source: # Uncomment the following block to enable certificates for metrics
-    kind: Service
-    version: v1
-    name: controller-manager-metrics-service
-    fieldPath: metadata.name
-  targets:
-    - select:
-        kind: Certificate
-        group: cert-manager.io
-        version: v1
-        name: metrics-certs
-      fieldPaths:
-        - spec.dnsNames.0
-        - spec.dnsNames.1
-      options:
-        delimiter: '.'
-        index: 0
-        create: true
-    - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
-        kind: ServiceMonitor
-        group: monitoring.coreos.com
-        version: v1
-        name: controller-manager-metrics-monitor
-      fieldPaths:
-        - spec.endpoints.0.tlsConfig.serverName
-      options:
-        delimiter: '.'
-        index: 0
-        create: true
-
-- source:
-    kind: Service
-    version: v1
-    name: controller-manager-metrics-service
-    fieldPath: metadata.namespace
-  targets:
-    - select:
-        kind: Certificate
-        group: cert-manager.io
-        version: v1
-        name: metrics-certs
-      fieldPaths:
-        - spec.dnsNames.0
-        - spec.dnsNames.1
-      options:
-        delimiter: '.'
-        index: 1
-        create: true
-    - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
-        kind: ServiceMonitor
-        group: monitoring.coreos.com
-        version: v1
-        name: controller-manager-metrics-monitor
-      fieldPaths:
-        - spec.endpoints.0.tlsConfig.serverName
-      options:
-        delimiter: '.'
-        index: 1
-        create: true

config/prometheus/kustomization.yaml

@@ -1,11 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 resources:
 - monitor.yaml
+- metrics_service.yaml
 
-# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus
-# to securely reference certificates created and managed by cert-manager.
-# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml
-# to mount the "metrics-server-cert" secret in the Manager Deployment.
 patches:
-  - path: monitor_tls_patch.yaml
-    target:
-      kind: ServiceMonitor
+# Bind metrics to port 8080 for HTTP. 
+# This matches the Service and ServiceMonitor configuration in this directory.
+# - path: manager_prometheus_metrics.yaml
+#   target:
+#     kind: Deployment
+#     name: controller-manager
+
+# By default, metrics are disabled in the manager (default : "0").
+# This component adds the Service and ServiceMonitor for Prometheus,
+# and applies the patch to bind the manager to port :8080(it is done in Makefile for now).
+
+# Patches for TLS are in the 'tls' component which will:
+# 1. Overlay the HTTPS args (:8443) and security flags
+# 2. Add ServiceMonitor TLS config
+# 3. Mount CertManager secrets

config/prometheus/manager_prometheus_metrics.yaml

@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTP
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --metrics-bind-address=:8080

config/default/metrics_service.yaml config/prometheus/metrics_service.yamlconfig/default/metrics_service.yaml renamed to config/prometheus/metrics_service.yaml

@@ -9,10 +9,10 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: 8443
+    targetPort: 8080
   selector:
     control-plane: controller-manager
     app.kubernetes.io/name: nrrcontroller

config/prometheus/monitor.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https # Ensure this is the name of the port that exposes HTTPS metrics
-      scheme: https
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables

…/default/cert_metrics_manager_patch.yaml …heus/tls/cert_metrics_manager_patch.yamlconfig/default/cert_metrics_manager_patch.yaml renamed to config/prometheus/tls/cert_metrics_manager_patch.yaml config/default/cert_metrics_manager_patch.yaml renamed to config/prometheus/tls/cert_metrics_manager_patch.yaml

@@ -0,0 +1,80 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+# Enable HTTPS args in Deployment
+- path: manager_prometheus_metrics_tls.yaml
+  target:
+    kind: Deployment
+# Configure ServiceMonitor for TLS
+- path: monitor_tls_patch.yaml
+  target:
+    kind: ServiceMonitor
+# Mount CertManager secrets in Deployment
+- path: cert_metrics_manager_patch.yaml
+  target:
+    kind: Deployment
+# Switch Service to 8443 for TLS
+- path: metrics_service_tls_patch.yaml
+  target:
+    kind: Service
+
+replacements:
+  - source:
+      kind: Service
+      version: v1
+      name: controller-manager-metrics-service
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: metrics-certs
+        fieldPaths:
+          - spec.dnsNames.0
+          - spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+      - select:
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+  - source:
+      kind: Service
+      version: v1
+      name: controller-manager-metrics-service
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: metrics-certs
+        fieldPaths:
+          - spec.dnsNames.0
+          - spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 1
+          create: true
+      - select:
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 1
+          create: true

config/prometheus/tls/kustomization.yaml

@@ -1,10 +1,10 @@
 # This patch adds the args to allow exposing the metrics endpoint using HTTPS
 - op: add
-  path: /spec/template/spec/containers/0/args/0
+  path: /spec/template/spec/containers/0/args/-
   value: --metrics-bind-address=:8443
 - op: add
-  path: /spec/template/spec/containers/0/args/1
+  path: /spec/template/spec/containers/0/args/-
   value: --metrics-secure
 - op: add
-  path: /spec/template/spec/containers/0/args/2
+  path: /spec/template/spec/containers/0/args/-
   value: --metrics-cert-dir=/tmp/k8s-metrics-server/metrics-certs