Conditionally enable FilterProvider in mainTemplate

* Enable `filters.WithAuthenticationAndAuthorization` only when `secureMetrics` is true

Signed-off-by: Alex Johnson <hello@alex-johnson.net>

Author: Alex Johnson

docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go

@@ -115,28 +115,33 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+		// not provided, self-signed certificates will be generated by default. This option is not recommended for
+		// production environments as self-signed certificates do not offer the same level of trust and security
+		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+		TLSOpts: tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-		// More info:
-		// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
-		// - https://book.kubebuilder.io/reference/metrics.html
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-			// not provided, self-signed certificates will be generated by default. This option is not recommended for
-			// production environments as self-signed certificates do not offer the same level of trust and security
-			// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-			// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-			// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-			TLSOpts: tlsOpts,
-			// FilterProvider is used to protect the metrics endpoint with authn/authz.
-			// These configurations ensure that only authorized users and service accounts
-			// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-			// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
-			FilterProvider: filters.WithAuthenticationAndAuthorization,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,

docs/book/src/getting-started/testdata/project/cmd/main.go

@@ -96,28 +96,33 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+		// not provided, self-signed certificates will be generated by default. This option is not recommended for
+		// production environments as self-signed certificates do not offer the same level of trust and security
+		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+		TLSOpts: tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-		// More info:
-		// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
-		// - https://book.kubebuilder.io/reference/metrics.html
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-			// not provided, self-signed certificates will be generated by default. This option is not recommended for
-			// production environments as self-signed certificates do not offer the same level of trust and security
-			// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-			// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-			// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-			TLSOpts: tlsOpts,
-			// FilterProvider is used to protect the metrics endpoint with authn/authz.
-			// These configurations ensure that only authorized users and service accounts
-			// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-			// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
-			FilterProvider: filters.WithAuthenticationAndAuthorization,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,

docs/book/src/reference/metrics.md

@@ -86,10 +86,9 @@ Therefore, you will find the following configuration:
 - In the `cmd/main.go`:
 
 ```go
-Metrics: metricsserver.Options{
-   ...
-   FilterProvider: filters.WithAuthenticationAndAuthorization,
-   ...
+if secureMetrics {
+  ...
+  metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 }
 ```
 

pkg/plugins/golang/v4/scaffolds/internal/templates/main.go

@@ -232,9 +232,9 @@ func main() {
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. " +
 		"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", true, 
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false, 
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,
@@ -264,29 +264,34 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+		// not provided, self-signed certificates will be generated by default. This option is not recommended for
+		// production environments as self-signed certificates do not offer the same level of trust and security
+		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+		TLSOpts: tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                 scheme,
-		// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-		// More info: 
-		// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/server
-		// - https://book.kubebuilder.io/reference/metrics.html
-		Metrics:                metricsserver.Options{
-			BindAddress: metricsAddr,
-			SecureServing: secureMetrics,
-			// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are 
-			// not provided, self-signed certificates will be generated by default. This option is not recommended for 
-			// production environments as self-signed certificates do not offer the same level of trust and security 
-			// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing 
-			// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName 
-			// to provide certificates, ensuring the server communicates using trusted and secure certificates.			
-			TLSOpts: tlsOpts, 
-			// FilterProvider is used to protect the metrics endpoint with authn/authz.
-			// These configurations ensure that only authorized users and service accounts
-			// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-			// https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization
-			FilterProvider: filters.WithAuthenticationAndAuthorization,
-		},
-		WebhookServer: webhookServer,
+		Scheme: scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		{{- if not .Domain }}
@@ -300,9 +305,9 @@ func main() {
 		// speeds up voluntary leader transitions as the new leader don't have to wait
 		// LeaseDuration time first.
 		//
-		// In the default scaffold provided, the program ends immediately after 
-		// the manager stops, so would be fine to enable this option. However, 
-		// if you are doing or is intended to do any operation such as perform cleanups 
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
 		// after the manager stops then its usage might be unsafe.
 		// LeaderElectionReleaseOnCancel: true,
 	})

testdata/project-v4-multigroup-with-deploy-image/cmd/main.go

@@ -121,28 +121,33 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+		// not provided, self-signed certificates will be generated by default. This option is not recommended for
+		// production environments as self-signed certificates do not offer the same level of trust and security
+		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+		TLSOpts: tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-		// More info:
-		// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
-		// - https://book.kubebuilder.io/reference/metrics.html
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-			// not provided, self-signed certificates will be generated by default. This option is not recommended for
-			// production environments as self-signed certificates do not offer the same level of trust and security
-			// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-			// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-			// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-			TLSOpts: tlsOpts,
-			// FilterProvider is used to protect the metrics endpoint with authn/authz.
-			// These configurations ensure that only authorized users and service accounts
-			// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-			// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
-			FilterProvider: filters.WithAuthenticationAndAuthorization,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,

testdata/project-v4-multigroup/cmd/main.go

@@ -121,28 +121,33 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+		// not provided, self-signed certificates will be generated by default. This option is not recommended for
+		// production environments as self-signed certificates do not offer the same level of trust and security
+		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+		TLSOpts: tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-		// More info:
-		// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
-		// - https://book.kubebuilder.io/reference/metrics.html
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-			// not provided, self-signed certificates will be generated by default. This option is not recommended for
-			// production environments as self-signed certificates do not offer the same level of trust and security
-			// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-			// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-			// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-			TLSOpts: tlsOpts,
-			// FilterProvider is used to protect the metrics endpoint with authn/authz.
-			// These configurations ensure that only authorized users and service accounts
-			// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-			// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
-			FilterProvider: filters.WithAuthenticationAndAuthorization,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,