Skip to content

fix: Replace deprecated kube-rbac-proxy with built-in metrics auth#285

Open
IrvingMg wants to merge 1 commit intoshipwright-io:mainfrom
IrvingMg:fix/replace-kube-rbac-prox
Open

fix: Replace deprecated kube-rbac-proxy with built-in metrics auth#285
IrvingMg wants to merge 1 commit intoshipwright-io:mainfrom
IrvingMg:fix/replace-kube-rbac-prox

Conversation

@IrvingMg
Copy link
Copy Markdown
Member

@IrvingMg IrvingMg commented Mar 8, 2026
edited
Loading

Changes

Replaced the kube-rbac-proxy sidecar (the image is no longer available) with controller-runtime's built-in metrics authentication and authorization (filters.WithAuthenticationAndAuthorization).

Key changes:

  • main.go: The metrics endpoint is now served directly on :8443 with TLS and authn/authz; no sidecar is needed.
  • config/default/manager_auth_proxy_patch.yaml: Deleted (this previously injected the sidecar).
  • config/rbac/auth_proxy_role.yaml and auth_proxy_role_binding.yaml: Deleted (permissions moved to Kubebuilder markers and auto-generated into role.yaml).
  • config/manager/manager.yaml: Added the metrics port and bind address (previously injected by the sidecar patch).

Verification:

# Deploy to kind cluster
make deploy IMAGE_REPO=kind.local
kubectl -n shipwright-operator get pods

# Port-forward metrics service
kubectl create token shipwright-operator -n shipwright-operator > /tmp/sa-token.txt
kubectl create clusterrolebinding metrics-test \
    --clusterrole=shipwright-operator-metrics-reader \
    --serviceaccount=shipwright-operator:shipwright-operator
kubectl port-forward -n shipwright-operator svc/shipwright-operator-metrics-service 8443:8443

# Without auth — should return "Unauthorized"
curl -k https://localhost:8443/metrics

# With auth — should return Prometheus metrics
curl -k -H "Authorization: Bearer $(cat /tmp/sa-token.txt)" https://localhost:8443/metrics

/kind bug
/kind cleanup

Fixes #284

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

NONE

@openshift-ci openshift-ci bot added release-note-none kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Mar 8, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign qu1queee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@IrvingMg IrvingMg force-pushed the fix/replace-kube-rbac-prox branch from 0f4687a to f14cd66 Compare March 8, 2026 12:29
@IrvingMg
Copy link
Copy Markdown
Member Author

IrvingMg commented Mar 8, 2026

/cc @hasanawad94

@openshift-ci openshift-ci bot requested a review from hasanawad94 March 8, 2026 12:41
@adambkaplan
Copy link
Copy Markdown
Member

adambkaplan commented Mar 9, 2026

/hold

We are going to merge #283 first, since this swaps the rbac-proxy-image with its new location.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 9, 2026
@adambkaplan adambkaplan added this to the release-v0.20.0 milestone Mar 9, 2026
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 18, 2026
@PyDataBlog
Copy link
Copy Markdown

PyDataBlog commented Mar 19, 2026

any update on this? @IrvingMg

@IrvingMg
fix: Replace deprecated kube-rbac-proxy with built-in metrics auth
275582a 
Signed-off-by: Irving Mondragón <mirvingr@gmail.com>
@IrvingMg IrvingMg force-pushed the fix/replace-kube-rbac-prox branch from f14cd66 to 275582a Compare March 20, 2026 09:02
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 20, 2026
@IrvingMg
Copy link
Copy Markdown
Member Author

IrvingMg commented Mar 20, 2026

any update on this? @IrvingMg

This PR is on hold pending release 0.19, but it’s ready for review in the meantime. I’d appreciate any feedback.

@IrvingMg
Copy link
Copy Markdown
Member Author

IrvingMg commented Apr 8, 2026

@adambkaplan, since v0.19 has already been released, can we move forward with this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adambkaplan adambkaplan Awaiting requested review from adambkaplan

@ayushsatyam146 ayushsatyam146 Awaiting requested review from ayushsatyam146

@hasanawad94 hasanawad94 Awaiting requested review from hasanawad94

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note-none

Projects

Issues
Status: No status

Milestone

release-v0.20.0

Development

Successfully merging this pull request may close these issues.

[BUG] gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 is outdated causing e2e tests to fail

4 participants

@IrvingMg @adambkaplan @PyDataBlog @shipwright-ci-bot