From f5e0046599ef16ae8ce3eec7bacf4809b94a7d5f Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Wed, 8 Apr 2026 11:12:11 +0530 Subject: [PATCH 1/6] Migration of kube-rbac-proxy in gitops-operator Signed-off-by: akhil nittala --- cmd/main.go | 6 ++-- config/default/manager_auth_proxy_patch.yaml | 30 ------------------- go.mod | 12 ++++++++ go.sum | 22 ++++++++++++++ .../install-gitops-operator.sh | 10 ------- 5 files changed, 38 insertions(+), 42 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 45145c54710..2fa5ae42524 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -70,6 +70,7 @@ import ( "github.com/redhat-developer/gitops-operator/controllers/argocd/openshift" "github.com/redhat-developer/gitops-operator/controllers/util" k8sruntime "k8s.io/apimachinery/pkg/runtime" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" //+kubebuilder:scaffold:imports ) @@ -148,8 +149,9 @@ func main() { webhookServer := webhook.NewServer(webhookServerOptions) metricsServerOptions := metricsserver.Options{ - BindAddress: metricsAddr, - TLSOpts: []func(*tls.Config){disableHTTP2}, + BindAddress: metricsAddr, + TLSOpts: []func(*tls.Config){disableHTTP2}, + FilterProvider: filters.WithAuthenticationAndAuthorization, } // Set default manager options diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 2e59d771aef..b94fa0e193e 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml 
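Review bot: `FilterProvider: filters.WithAuthenticationAndAuthorization` is added to `metricsServerOptions` without `SecureServing: true`, so the manager still serves /metrics over plain HTTP and the `TLSOpts` entry that disables HTTP/2 is inert; the kube-rbac-proxy sidecar removed in the next hunk was what terminated TLS with the serving-cert, so clients will now present bearer tokens for TokenReview in cleartext if `--metrics-bind-address` is ever moved off 127.0.0.1. As far as I recall controller-runtime wraps the handler with the filter whether or not TLS is on, and the filter needs the manager ServiceAccount to `create` `tokenreviews` and `subjectaccessreviews`; the CSV's clusterPermissions are not in this series, so confirm they grant that. I would tie the TLS choice to a flag defined next to the other flags, `flag.BoolVar(&secureMetrics, "metrics-secure", true, "serve /metrics over TLS with authn/authz")`, mount the serving-cert secret the sidecar used and point `CertDir` at it (otherwise controller-runtime falls back to a self-signed certificate), and only gate the endpoint when it is actually served over TLS. main() starts before and ends after this hunk.
```go
	metricsServerOptions := metricsserver.Options{
		BindAddress:   metricsAddr,
		SecureServing: secureMetrics, // TLS from CertDir; authn over plaintext would leak bearer tokens
		TLSOpts:       []func(*tls.Config){disableHTTP2},
	}
	if secureMetrics {
		// Gate /metrics with TokenReview/SubjectAccessReview only when it is served over TLS.
		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
	}
	// … unchanged: default manager options …
```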
@@ -12,36 +12,6 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.15 - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080 - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - - --logtostderr=true - - --allow-paths=/metrics - - --http2-disable - ports: - - containerPort: 8443 - protocol: TCP - name: metrics - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 1m - memory: 15Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - volumeMounts: - - mountPath: /etc/tls/private - name: kube-rbac-proxy-tls - readOnly: true - name: manager args: - "--health-probe-bind-address=:8081" diff --git a/go.mod b/go.mod index f8c7f516d7f..fec4c7886e8 100644 --- a/go.mod +++ b/go.mod @@ -32,6 +32,7 @@ require ( ) require ( + cel.dev/expr v0.24.0 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect cyphar.com/go-pathrs v0.2.1 // indirect dario.cat/mergo v1.0.2 // indirect @@ -44,6 +45,7 @@ require ( github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/ProtonMail/go-crypto v1.1.6 // indirect + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/argoproj/pkg v0.13.7-0.20250305113207-cbc37dc61de5 // indirect github.com/argoproj/pkg/v2 v2.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect @@ -93,6 +95,7 @@ require ( github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/btree v1.1.3 // indirect + github.com/google/cel-go v0.26.0 // indirect github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-github/v69 v69.2.0 // indirect github.com/google/go-github/v75 v75.0.0 // indirect 
@@ -102,6 +105,7 @@ require ( github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.8 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -145,6 +149,7 @@ require ( github.com/skeema/knownhosts v1.3.1 // indirect github.com/spf13/cobra v1.10.2 // indirect github.com/spf13/pflag v1.0.10 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/vmihailenco/go-tinylfu v0.2.2 // indirect github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect @@ -153,13 +158,19 @@ require ( github.com/xlab/treeprint v1.2.0 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect go.opentelemetry.io/otel v1.38.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect go.opentelemetry.io/otel/metric v1.38.0 // indirect + go.opentelemetry.io/otel/sdk v1.38.0 // indirect go.opentelemetry.io/otel/trace v1.38.0 // indirect + go.opentelemetry.io/proto/otlp v1.7.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.47.0 // indirect + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sync v0.19.0 // indirect 
@@ -189,6 +200,7 @@ require ( k8s.io/kubectl v0.34.0 // indirect k8s.io/kubernetes v1.34.2 // indirect oras.land/oras-go/v2 v2.6.0 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect sigs.k8s.io/gateway-api v1.1.0 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/kustomize/api v0.21.0 // indirect diff --git a/go.sum b/go.sum index 8862bbcc0ff..5d6a5e9d21a 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= +cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= @@ -35,6 +37,8 @@ github.com/alicebob/miniredis/v2 v2.35.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/argoproj-labs/argo-rollouts-manager v0.0.8-0.20260224121037-1824164aac67 h1:gFasfvlbOfrwzd7JaVTlnRgE7pDMFC+lQwt07gGGrbY= github.com/argoproj-labs/argo-rollouts-manager v0.0.8-0.20260224121037-1824164aac67/go.mod h1:WPyZkNHZjir/OTt8mrRwcUZKe1euHrHPJsRv1Wp/F/0= github.com/argoproj-labs/argocd-image-updater v1.1.1 h1:7YDaR3WX2NMsDKp0wN7TRaRRHaVHQ94tSybi2P99MGk= 
@@ -205,6 +209,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -239,6 +245,8 @@ github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 h1:B+8ClL/kCQkRiU82d9xajR github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3/go.mod h1:NbCUVmiS4foBGBHOYlCT25+YmGpJ32dZPi75pGEUpj4= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= 
@@ -406,6 +414,8 @@ github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiT github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -453,8 +463,14 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= 
@@ -463,6 +479,8 @@ go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6 go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko= @@ -484,6 +502,8 @@ golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -686,6 +706,8 @@ k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= diff --git a/hack/non-olm-install/install-gitops-operator.sh b/hack/non-olm-install/install-gitops-operator.sh index af0f543e0cd..e9370a8db4e 100755 --- a/hack/non-olm-install/install-gitops-operator.sh +++ b/hack/non-olm-install/install-gitops-operator.sh @@ -253,16 +253,6 @@ spec: openshift.io/scc: restricted-v2 spec: containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - name: manager securityContext: allowPrivilegeEscalation: false From 8d87f60878cbf13e6b5951d4bb13f6fbd3adab50 Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Wed, 8 Apr 2026 11:27:48 +0530 Subject: [PATCH 2/6] Migration of kube-rbac-proxy in gitops-operator Signed-off-by: akhil nittala --- ...gitops-operator.clusterserviceversion.yaml | 34 ++----------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index 1ba87788aaa..4376f5e1615 100644 
--- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -190,7 +190,7 @@ metadata: capabilities: Deep Insights console.openshift.io/plugins: '["gitops-plugin"]' containerImage: quay.io/redhat-developer/gitops-operator - createdAt: "2026-04-01T16:54:16Z" + createdAt: "2026-04-08T05:55:24Z" description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments. features.operators.openshift.io/disconnected: "true" @@ -873,7 +873,7 @@ spec: - name: LABEL_SELECTOR - name: ENABLE_CONVERSION_WEBHOOK value: "true" - image: quay.io/redhat-developer/gitops-operator:latest + image: quay.io/nittalaakhil/openshift-gitops-operator:v0.0.3 livenessProbe: httpGet: path: /healthz @@ -899,36 +899,6 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080 - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - - --logtostderr=true - - --allow-paths=/metrics - - --http2-disable - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.15 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: metrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 1m - memory: 15Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - volumeMounts: - - mountPath: /etc/tls/private - name: kube-rbac-proxy-tls - readOnly: true securityContext: runAsNonRoot: true serviceAccountName: openshift-gitops-operator-controller-manager From 6dfdfcf67bc6acbcb4352e54d5feb3ba03632bb2 Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Wed, 8 Apr 2026 11:31:39 +0530 Subject: [PATCH 3/6] Migration of kube-rbac-proxy in gitops-operator 
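Review bot: Removing the kube-rbac-proxy container from the bundle deployment also removes the only consumer of the `kube-rbac-proxy-tls` volume and of the `metrics` port 8443, but the `@@ -899` hunk does not touch the pod `volumes:` list, the serving-cert-annotated Service or any ServiceMonitor in the bundle; if those remain they now reference a secret and a port nothing serves, and the manager container's own `--metrics-bind-address=127.0.0.1:8080` (visible as context in PATCH 4/6) still binds loopback, so after this patch the bundle exposes no metrics at all. Either add a `metrics` containerPort on the manager with the same serving-cert secret mounted into it, or drop the Service/ServiceMonitor together with the sidecar so the bundle stays internally consistent. The `@@ -873` hunk on this line switches the image to a personal `quay.io/nittalaakhil/...` tag; PATCH 3/6 reverts it, so squashing the two would keep the bundle history from ever referencing an unofficial image.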
Signed-off-by: akhil nittala --- bundle/manifests/gitops-operator.clusterserviceversion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index 4376f5e1615..e010f899388 100644 --- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -873,7 +873,7 @@ spec: - name: LABEL_SELECTOR - name: ENABLE_CONVERSION_WEBHOOK value: "true" - image: quay.io/nittalaakhil/openshift-gitops-operator:v0.0.3 + image: quay.io/redhat-developer/gitops-operator:latest livenessProbe: httpGet: path: /healthz From 9938bfd3a4f425ea291a41343012c34668bc3b03 Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Thu, 9 Apr 2026 13:53:59 +0530 Subject: [PATCH 4/6] Migration of kube-rbac-proxy in gitops-operator Signed-off-by: akhil nittala --- .../gitops-operator.clusterserviceversion.yaml | 8 ++++++-- config/default/kustomization.yaml | 10 ++++++---- ...roxy_patch.yaml => manager_metrics_patch.yaml} | 5 +++-- config/rbac/kustomization.yaml | 15 ++++++++------- ...rrole.yaml => metrics_reader_clusterrole.yaml} | 0 .../{auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...ole_binding.yaml => metrics_role_binding.yaml} | 4 ++-- ...th_proxy_service.yaml => metrics_service.yaml} | 0 8 files changed, 26 insertions(+), 18 deletions(-) rename config/default/{manager_auth_proxy_patch.yaml => manager_metrics_patch.yaml} (80%) rename config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_reader_clusterrole.yaml} (100%) rename config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (93%) rename config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (81%) rename config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) 
diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index e010f899388..47e0d51f955 100644 --- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -190,7 +190,7 @@ metadata: capabilities: Deep Insights console.openshift.io/plugins: '["gitops-plugin"]' containerImage: quay.io/redhat-developer/gitops-operator - createdAt: "2026-04-08T05:55:24Z" + createdAt: "2026-04-09T07:23:41Z" description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments. features.operators.openshift.io/disconnected: "true" @@ -859,7 +859,8 @@ spec: containers: - args: - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8443 + - --metrics-secure - --leader-elect command: - /usr/local/bin/manager @@ -885,6 +886,9 @@ spec: - containerPort: 9443 name: webhook-server protocol: TCP + - containerPort: 8443 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 4002b7d0828..f6a456a8bed 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -25,10 +25,12 @@ bases: - ../prometheus patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +# Protect the /metrics endpoint with controller-runtime authn/authz. +# If you comment out manager_metrics_patch.yaml, also comment out metrics_service.yaml, +# metrics_role.yaml, metrics_role_binding.yaml, and metrics_reader_clusterrole.yaml +# in ../rbac/kustomization.yaml so the metrics Service is disabled as well. +patchesStrategicMerge: +- manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_metrics_patch.yaml similarity index 80% rename from config/default/manager_auth_proxy_patch.yaml rename to config/default/manager_metrics_patch.yaml index b94fa0e193e..c814f53ce1c 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_metrics_patch.yaml @@ -1,5 +1,6 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +# This patch configures the manager to serve metrics securely using +# controller-runtime's built-in authn/authz (replacing the deprecated +# kube-rbac-proxy sidecar). apiVersion: apps/v1 kind: Deployment metadata: diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 1798d0f8e83..caf6b6eee78 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
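Review bot: The new header of manager_metrics_patch.yaml claims the patch "configures the manager to serve metrics securely", but per the diffstat (`5 +++--`) only the comment changed, and the `args:` body beneath it is the one that previously fed the sidecar's `--upstream=http://127.0.0.1:8080`, so it presumably still binds metrics to loopback over plain HTTP (the metrics arg itself is outside the hunk — confirm). For the comment to hold the patch needs `- "--metrics-bind-address=:8443"` and `- "--metrics-secure"` (or whatever flag main.go exposes for `SecureServing`; the visible cmd/main.go hunk adds none, and PATCH 5/6 drops `--metrics-secure` from the CSV again) plus a `ports:` entry with `containerPort: 8443` named `metrics`, otherwise `metrics_service.yaml` has no backend. Until that is in place I would soften the header to `# Serves /metrics through controller-runtime's authn/authz filter (replacing the deprecated kube-rbac-proxy sidecar); the listen address and TLS mode are set by --metrics-bind-address below.`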
@@ -9,10 +9,11 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -# - auth_proxy_client_clusterrole.yaml +# These resources expose /metrics over HTTPS on port 8443 and grant the +# controller-runtime authn/authz permissions required by manager_metrics_patch.yaml. +# Comment these lines together with manager_metrics_patch.yaml if you want to +# disable secure metrics for the controller-manager. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +# - metrics_reader_clusterrole.yaml diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/metrics_reader_clusterrole.yaml similarity index 100% rename from config/rbac/auth_proxy_client_clusterrole.yaml rename to config/rbac/metrics_reader_clusterrole.yaml diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/metrics_role.yaml similarity index 93% rename from config/rbac/auth_proxy_role.yaml rename to config/rbac/metrics_role.yaml index 2c5e7955655..1db66f0abac 100644 --- a/config/rbac/auth_proxy_role.yaml +++ b/config/rbac/metrics_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-role rules: - nonResourceURLs: - "/metrics" diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_role_binding.yaml similarity index 81% rename from config/rbac/auth_proxy_role_binding.yaml rename to config/rbac/metrics_role_binding.yaml index ec7acc0a1b7..88ede78fe67 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/config/rbac/metrics_role_binding.yaml 
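Review bot: The comment says these resources "grant the controller-runtime authn/authz permissions required by manager_metrics_patch.yaml", but the only rule of `metrics-role` visible in this series is `nonResourceURLs: ["/metrics"]` with `get`, which is the scraper-side permission; `filters.WithAuthenticationAndAuthorization` needs the controller-manager ServiceAccount to `create` `tokenreviews` (authentication.k8s.io) and `subjectaccessreviews` (authorization.k8s.io), and those rules sit outside the `metrics_role.yaml` hunk, so confirm they survived the rename. `metrics_reader_clusterrole.yaml` stays commented out, so nothing in this kustomization grants a Prometheus ServiceAccount `get /metrics`; the comment should say so, e.g. `# metrics_reader_clusterrole.yaml is the ClusterRole a scraper's ServiceAccount must be bound to; it is not applied by default.` The "HTTPS on port 8443" claim also depends on the manager actually listening there, which the manager_metrics_patch.yaml hunk does not show.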
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/metrics_service.yaml similarity index 100% rename from config/rbac/auth_proxy_service.yaml rename to config/rbac/metrics_service.yaml From 4e2b70e957ab5a66c6750ac604bd8b1cea794fdc Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Thu, 9 Apr 2026 13:55:13 +0530 Subject: [PATCH 5/6] Migration of kube-rbac-proxy in gitops-operator Signed-off-by: akhil nittala --- .../manifests/gitops-operator.clusterserviceversion.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index 47e0d51f955..12f7e452042 100644 --- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -190,7 +190,7 @@ metadata: capabilities: Deep Insights console.openshift.io/plugins: '["gitops-plugin"]' containerImage: quay.io/redhat-developer/gitops-operator - createdAt: "2026-04-09T07:23:41Z" + createdAt: "2026-04-09T08:24:52Z" description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments. features.operators.openshift.io/disconnected: "true" @@ -859,8 +859,7 @@ spec: containers: - args: - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --metrics-secure + - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /usr/local/bin/manager 
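Review bot: Reverting the manager to `--metrics-bind-address=127.0.0.1:8080` and dropping `--metrics-secure` leaves the bundle deployment with no reachable metrics endpoint: the sidecar that proxied 127.0.0.1:8080 was removed in PATCH 2/6, the `metrics` containerPort goes away in the next hunk, and the authn/authz filter added in cmd/main.go now guards a listener only the pod itself can reach. If the flag was dropped because the binary rejects `--metrics-secure` (the visible cmd/main.go hunk defines no such flag), the fix belongs in main.go — add the flag and `SecureServing` there, keep `--metrics-bind-address=:8443` here, and mount the serving-cert secret the sidecar used as the manager's `CertDir`. If loopback-only is the intended end state, say so in a comment next to the arg and remove the bundle's metrics Service/ServiceMonitor so nothing advertises an endpoint that does not exist.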
@@ -886,9 +885,6 @@ spec: - containerPort: 9443 name: webhook-server protocol: TCP - - containerPort: 8443 - name: metrics - protocol: TCP readinessProbe: httpGet: path: /readyz From 7a32cc8949fbd98a2ef7b257bd3fc46a17c5d024 Mon Sep 17 00:00:00 2001 From: akhil nittala Date: Thu, 9 Apr 2026 14:34:43 +0530 Subject: [PATCH 6/6] Migration of kube-rbac-proxy in gitops-operator Signed-off-by: akhil nittala --- bundle/manifests/gitops-operator.clusterserviceversion.yaml | 2 +- config/default/kustomization.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index 12f7e452042..548fb7cb430 100644 --- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -190,7 +190,7 @@ metadata: capabilities: Deep Insights console.openshift.io/plugins: '["gitops-plugin"]' containerImage: quay.io/redhat-developer/gitops-operator - createdAt: "2026-04-09T08:24:52Z" + createdAt: "2026-04-09T09:03:42Z" description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments. features.operators.openshift.io/disconnected: "true" diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f6a456a8bed..5e95ce2f276 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -24,7 +24,6 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. - ../prometheus -patchesStrategicMerge: # Protect the /metrics endpoint with controller-runtime authn/authz. # If you comment out manager_metrics_patch.yaml, also comment out metrics_service.yaml, # metrics_role.yaml, metrics_role_binding.yaml, and metrics_reader_clusterrole.yaml