From 4a35ab6be145e09d3e2592c59c08860e071016e7 Mon Sep 17 00:00:00 2001
From: Carly de Frondeville
Date: Sat, 7 Mar 2026 22:26:26 -0800
Subject: [PATCH] Fix metrics-bind-address binding to localhost when auth proxy is disabled

When metrics.disableAuth=true, no kube-rbac-proxy sidecar is injected, so the manager must bind metrics to 0.0.0.0 for Prometheus to scrape them. Previously the address was hardcoded to 127.0.0.1 regardless of this setting.

Also improves values.yaml documentation to explain the two supported modes (auth-protected vs unauthenticated) and how authProxy.enabled and metrics.disableAuth should be set together.

Co-Authored-By: Claude Sonnet 4.6
---
 .../templates/manager.yaml | 4 ++
 helm/temporal-worker-controller/values.yaml | 37 +++++++++++++++----
 2 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/helm/temporal-worker-controller/templates/manager.yaml b/helm/temporal-worker-controller/templates/manager.yaml
index 50f8d7b1..e1aaceea 100644
--- a/helm/temporal-worker-controller/templates/manager.yaml
+++ b/helm/temporal-worker-controller/templates/manager.yaml
@@ -67,8 +67,12 @@ spec:
 args:
 - --leader-elect
 {{- if .Values.metrics.enabled }}
+ {{- if .Values.metrics.disableAuth }}
+ - "--metrics-bind-address=:{{ .Values.metrics.port }}"
+ {{- else }}
 - "--metrics-bind-address=127.0.0.1:{{ .Values.metrics.port }}"
 {{- end }}
+ {{- end }}
 - "--health-probe-bind-address=:8081"
 {{- if .Values.webhook.enabled }}
 {{ fail "webhooks aren't supported yet" }}
diff --git a/helm/temporal-worker-controller/values.yaml b/helm/temporal-worker-controller/values.yaml
index 765321dd..930a6e39 100644
--- a/helm/temporal-worker-controller/values.yaml
+++ b/helm/temporal-worker-controller/values.yaml
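Review bot: The bind address now follows `metrics.disableAuth` while the kube-rbac-proxy sidecar is added or dropped based on `authProxy.enabled` (per the commit message; that part of the template is outside this hunk), so the chart still renders the two inconsistent combinations: `authProxy.enabled: true` with `metrics.disableAuth: true` exposes the plain-HTTP metrics listener on every pod interface next to the proxy, bypassing it, and `enabled: false` with `disableAuth: false` leaves metrics on 127.0.0.1 with nothing proxying them — the original symptom. manager.yaml already uses `{{ fail }}` for unsupported webhooks, so the same idiom can enforce the contract at render time inside the `metrics.enabled` branch: `{{- if eq .Values.authProxy.enabled .Values.metrics.disableAuth }}{{ fail "authProxy.enabled and metrics.disableAuth must be opposites (see values.yaml)" }}{{- end }}`. A comment on the new branch would also help, since `:PORT` binds all interfaces (IPv6 too), not only the 0.0.0.0 that values.yaml mentions: `{{- /* no auth sidecar: bind every interface so Prometheus reaches the pod directly; plain HTTP, unauthenticated */}}`. The container `args` list this hunk edits begins before the hunk.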
@@ -57,19 +57,42 @@ affinity: {}
 # More than one replica is required for high availability.
 replicas: 2
 
-# Opt out of these resources if you want to disable the
-# auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# authProxy and metrics.disableAuth together control how /metrics is exposed.
+# They should be set consistently — see the two supported modes below.
+#
+# Mode 1 — Auth-protected metrics (default, recommended for production):
+# authProxy.enabled: true
+# metrics.disableAuth: false
+#
+# A kube-rbac-proxy sidecar (https://github.com/brancz/kube-rbac-proxy) is
+# injected into the manager pod. It listens on HTTPS port 8443 and proxies to
+# the manager's metrics endpoint on localhost, authorizing each request via
+# Kubernetes SubjectAccessReviews. The manager binds metrics to 127.0.0.1 so
+# it is only reachable through the proxy.
+#
+# Use this when: running in production, using Prometheus Operator with
+# ServiceMonitor + RBAC bearer tokens, or in multi-tenant clusters where
+# metrics should not be freely readable.
+#
+# Mode 2 — Unauthenticated metrics:
+# authProxy.enabled: false
+# metrics.disableAuth: true
+#
+# No proxy sidecar is injected. The manager binds metrics to 0.0.0.0:metrics.port
+# so Prometheus can scrape it directly without credentials.
+#
+# Use this when: network-level controls already restrict access (NetworkPolicy,
+# service mesh, same-namespace Prometheus), your scraper cannot present a
+# bearer token, or simplicity is preferred (e.g. dev/staging).
 authProxy:
 enabled: true
 
 metrics:
 enabled: true
 port: 8080
- # Set to true if you want your controller-manager to expose the /metrics
- # endpoint w/o any authn/z. If false, creates an HTTP proxy sidecar container
- # for the controller manager which performs RBAC authorization against the
- # Kubernetes API using SubjectAccessReviews.
+ # See the authProxy comment above for how disableAuth interacts with authProxy.enabled.
+ # When false (default): metrics bind to 127.0.0.1 and are proxied through kube-rbac-proxy.
+ # When true: metrics bind to 0.0.0.0 and are exposed directly without authentication.
 disableAuth: false
 
 namespace:
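Review bot: The new Mode text asks that `authProxy.enabled` and `metrics.disableAuth` be "set consistently" but never says what happens when they are not, and the template reads only `metrics.disableAuth` for the bind address while the sidecar follows `authProxy.enabled` (per the commit message), so a mismatch is rendered silently. Suggested addition after the Mode 2 block: `# NOTE: the chart does not reject mixed settings. enabled=true with disableAuth=true exposes the unauthenticated /metrics listener on the pod IP alongside the proxy; enabled=false with disableAuth=false binds to 127.0.0.1 with no proxy, so nothing can scrape it.` Two smaller wording points: the template passes `:PORT`, which binds all interfaces (IPv6 included) rather than just `0.0.0.0`, and the Mode 2 "Use this when" list should spell out that the endpoint is plain HTTP with no authn/z and that Prometheus must be able to reach `metrics.port` on the pod (whether the chart's Service exposes that port is not visible in this patch). The "HTTPS port 8443" figure does not appear anywhere else in the patch — worth confirming it matches the sidecar template before documenting it here.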