From b3480739f8ee095c7adc3370dcb4cc5716f0a9da Mon Sep 17 00:00:00 2001 From: Nitin Goyal Date: Wed, 4 Dec 2024 12:27:11 +0530 Subject: [PATCH] bundle: remove usage of kube-rbac-proxy image kube-rbac-proxy image is deprecated. We wont be able to pull it from early 2025 as gcr.io/kubebuilder will be unavailable. Protect metrics endpoint with WithAuthenticationAndAuthorization method. Ref: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907 https://github.com/red-hat-storage/ocs-operator/issues/2912 Signed-off-by: Nitin Goyal --- Makefile | 2 -- config/default/kustomization.yaml | 4 ---- config/default/manager_auth_proxy_patch.yaml | 18 +----------------- hack/make-bundle-vars.mk | 11 ----------- main.go | 9 +++++++-- 5 files changed, 8 insertions(+), 36 deletions(-) diff --git a/Makefile b/Makefile index 92030ec4e..9cd117934 100644 --- a/Makefile +++ b/Makefile @@ -159,7 +159,6 @@ install-odf: operator-sdk ## install odf using the hack/install-odf.sh script deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - cd config/default && $(KUSTOMIZE) edit set image rbac-proxy=$(RBAC_PROXY_IMG) cd config/console && $(KUSTOMIZE) edit set image odf-console=$(ODF_CONSOLE_IMG) $(KUSTOMIZE) build config/default | kubectl apply -f - @@ -195,7 +194,6 @@ bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metada # Main odf-operator bundle $(OPERATOR_SDK) generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - cd config/default && $(KUSTOMIZE) edit set image rbac-proxy=$(RBAC_PROXY_IMG) cd config/console && $(KUSTOMIZE) edit set image odf-console=$(ODF_CONSOLE_IMG) cd config/manifests/bases && $(KUSTOMIZE) edit add annotation --force \ 'olm.skipRange':"$(SKIP_RANGE)" \ diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index df395ee9d..487826f9c 100644 
--- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -47,7 +47,3 @@ resources: - ../rbac - ../manager - ../prometheus -images: -- name: rbac-proxy - newName: registry.redhat.io/openshift4/ose-kube-rbac-proxy - newTag: v4.11.0 diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 16fe0d9ce..e613085cd 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -9,25 +9,9 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: rbac-proxy:latest - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - name: https - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - name: manager args: - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" + - "--metrics-bind-address=:8443" - "--leader-elect" - "--odf-console-port=9001" diff --git a/hack/make-bundle-vars.mk b/hack/make-bundle-vars.mk index 7f1521a4a..959ca2034 100644 --- a/hack/make-bundle-vars.mk +++ b/hack/make-bundle-vars.mk 
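Review bot: The manager container now binds metrics on all interfaces (`--metrics-bind-address=:8443`), yet the hunk deletes the only `ports:` entry (`containerPort: 8443`, `name: https`) together with the proxy container and does not add one to the manager. Anything resolving the named port `https` — the Service under `../rbac` or the ServiceMonitor under `../prometheus` that kustomization.yaml still includes, if they follow the usual scaffold — would lose its target; add `ports: [{containerPort: 8443, name: https, protocol: TCP}]` to the manager container in this patch. The hunk also drops the proxy's `securityContext` (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `readOnlyRootFilesystem: true`); the manager's own securityContext is outside this hunk, so confirm `../manager` already sets the equivalent, since the manager is now the process that terminates TLS and authenticates scrapers. The file name `manager_auth_proxy_patch.yaml` no longer describes its contents; a rename or a header comment such as `# metrics are served by the manager itself on :8443 (TLS, authn/authz in-process)` would help the next reader.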
@@ -226,14 +226,3 @@ RECIPE_SUBSCRIPTION_CATALOGSOURCE_NAMESPACE ?= $(OPERATOR_CATALOGSOURCE_NAMESPAC STARTING_CSVS ?= "$(IMAGE_NAME).v$(VERSION) $(ODF_DEPS_SUBSCRIPTION_STARTINGCSV) $(OCS_SUBSCRIPTION_STARTINGCSV) $(ROOK_SUBSCRIPTION_STARTINGCSV) \ $(NOOBAA_SUBSCRIPTION_STARTINGCSV) $(CSIADDONS_SUBSCRIPTION_STARTINGCSV) $(CEPHCSI_SUBSCRIPTION_STARTINGCSV) \ $(OCS_CLIENT_SUBSCRIPTION_STARTINGCSV) $(PROMETHEUS_SUBSCRIPTION_STARTINGCSV) $(RECIPE_SUBSCRIPTION_STARTINGCSV)" - -# kube rbac proxy image variables -CLUSTER_ENV ?= openshift -KUBE_RBAC_PROXY_IMG ?= gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 -OSE_KUBE_RBAC_PROXY_IMG ?= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.11.0 - -ifeq ($(CLUSTER_ENV), openshift) - RBAC_PROXY_IMG ?= $(OSE_KUBE_RBAC_PROXY_IMG) -else ifeq ($(CLUSTER_ENV), kubernetes) - RBAC_PROXY_IMG ?= $(KUBE_RBAC_PROXY_IMG) -endif diff --git a/main.go b/main.go index 7079ffe60..3a9c4451f 100644 --- a/main.go +++ b/main.go @@ -31,6 +31,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" operatorv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" operatorv2 "github.com/operator-framework/api/pkg/operators/v2" @@ -102,8 +103,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metrics.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metrics.Options{ + BindAddress: metricsAddr, + SecureServing: true, + FilterProvider: filters.WithAuthenticationAndAuthorization, + }, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "4fd470de.openshift.io",
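Review bot: `SecureServing: true` in the new `Metrics:` block is set without a `CertDir`/`CertName`, so the metrics server will use whatever certificate controller-runtime falls back to — by my reading a self-signed certificate generated at start-up — which forces the scraper to disable verification and loses part of what the proxy removal was meant to preserve; on OpenShift consider mounting the service-serving-cert secret and adding `CertDir: metricsCertDir, // from a --metrics-cert-dir flag; empty keeps the generated self-signed cert`. `filters.WithAuthenticationAndAuthorization` performs TokenReview and SubjectAccessReview calls with the manager's own credentials, so the operator ServiceAccount needs `create` on `authentication.k8s.io/tokenreviews` and `authorization.k8s.io/subjectaccessreviews`, and the scraping identity needs `get` on the non-resource URL `/metrics`; this commit touches nothing under `config/rbac`, so confirm the ClusterRole that previously served kube-rbac-proxy is bound to the manager's ServiceAccount rather than removed alongside it. The `metricsAddr` flag definition and the rest of `main` lie outside this hunk; if its default is still the old plaintext value, a local run would now serve TLS on that port, so the default should follow the manifest to `:8443`. A one-line comment above `Metrics:` stating that authentication and authorization moved in-process from kube-rbac-proxy would document the change for future readers.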