bundle: remove usage of kube-rbac-proxy image

kube-rbac-proxy image is deprecated. We wont be able to pull it from early 2025 as gcr.io/kubebuilder will be unavailable. Protect metrics endpoint with WithAuthenticationAndAuthorization method. Ref: kubernetes-sigs/kubebuilder#3907 red-hat-storage/ocs-operator#2912 Signed-off-by: Nitin Goyal <[email protected]>
iamniting · Dec 4, 2024 · b348073 · b348073
1 parent 7897655
commit b348073
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 36 deletions.
diff --git a/Makefile b/Makefile
@@ -159,7 +159,6 @@ install-odf: operator-sdk ## install odf using the hack/install-odf.sh script
 
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd config/default && $(KUSTOMIZE) edit set image rbac-proxy=$(RBAC_PROXY_IMG)
 	cd config/console && $(KUSTOMIZE) edit set image odf-console=$(ODF_CONSOLE_IMG)
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
@@ -195,7 +194,6 @@ bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metada
 	# Main odf-operator bundle
 	$(OPERATOR_SDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	cd config/default && $(KUSTOMIZE) edit set image rbac-proxy=$(RBAC_PROXY_IMG)
 	cd config/console && $(KUSTOMIZE) edit set image odf-console=$(ODF_CONSOLE_IMG)
 	cd config/manifests/bases && $(KUSTOMIZE) edit add annotation --force \
 		'olm.skipRange':"$(SKIP_RANGE)" \

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -47,7 +47,3 @@ resources:
 - ../rbac
 - ../manager
 - ../prometheus
-images:
-- name: rbac-proxy
-  newName: registry.redhat.io/openshift4/ose-kube-rbac-proxy
-  newTag: v4.11.0
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -9,25 +9,9 @@ spec:
   template:
     spec:
       containers:
-      - name: kube-rbac-proxy
-        image: rbac-proxy:latest
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          name: https
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
       - name: manager
         args:
         - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--metrics-bind-address=:8443"
         - "--leader-elect"
         - "--odf-console-port=9001"
diff --git a/hack/make-bundle-vars.mk b/hack/make-bundle-vars.mk
@@ -226,14 +226,3 @@ RECIPE_SUBSCRIPTION_CATALOGSOURCE_NAMESPACE ?= $(OPERATOR_CATALOGSOURCE_NAMESPAC
 STARTING_CSVS ?= "$(IMAGE_NAME).v$(VERSION) $(ODF_DEPS_SUBSCRIPTION_STARTINGCSV) $(OCS_SUBSCRIPTION_STARTINGCSV) $(ROOK_SUBSCRIPTION_STARTINGCSV) \
 			$(NOOBAA_SUBSCRIPTION_STARTINGCSV) $(CSIADDONS_SUBSCRIPTION_STARTINGCSV) $(CEPHCSI_SUBSCRIPTION_STARTINGCSV) \
 			$(OCS_CLIENT_SUBSCRIPTION_STARTINGCSV) $(PROMETHEUS_SUBSCRIPTION_STARTINGCSV) $(RECIPE_SUBSCRIPTION_STARTINGCSV)"
-
-# kube rbac proxy image variables
-CLUSTER_ENV ?= openshift
-KUBE_RBAC_PROXY_IMG ?= gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-OSE_KUBE_RBAC_PROXY_IMG ?= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.11.0
-
-ifeq ($(CLUSTER_ENV), openshift)
-	RBAC_PROXY_IMG ?= $(OSE_KUBE_RBAC_PROXY_IMG)
-else ifeq ($(CLUSTER_ENV), kubernetes)
-	RBAC_PROXY_IMG ?= $(KUBE_RBAC_PROXY_IMG)
-endif
diff --git a/main.go b/main.go
@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 
 	operatorv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	operatorv2 "github.com/operator-framework/api/pkg/operators/v2"
@@ -102,8 +103,12 @@ func main() {
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                  scheme,
-		Metrics:                 metrics.Options{BindAddress: metricsAddr},
+		Scheme: scheme,
+		Metrics: metrics.Options{
+			BindAddress:    metricsAddr,
+			SecureServing:  true,
+			FilterProvider: filters.WithAuthenticationAndAuthorization,
+		},
 		HealthProbeBindAddress:  probeAddr,
 		LeaderElection:          enableLeaderElection,
 		LeaderElectionID:        "4fd470de.openshift.io",