Remove kube-rbac-proxy in favor of WithAuthenticationAndAuthorization

charts/opensearch-operator/templates/opensearch-operator-controller-manager-deployment.yaml

@@ -22,33 +22,9 @@ spec:
       {{- end }}
     spec:
       containers:
-      {{- if or (.Values.kubeRbacProxy.enable) (eq (.Values.kubeRbacProxy.enable | toString) "<nil>") }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --proxy-endpoints-port=10443
-        - --logtostderr=true
-        - --v=10
-        image: "{{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag}}"
-        name: kube-rbac-proxy
-        resources:
-{{- toYaml .Values.kubeRbacProxy.resources | nindent 10 }}
-        readinessProbe:
-{{- toYaml .Values.kubeRbacProxy.readinessProbe | nindent 10 }}
-        livenessProbe:
-{{- toYaml .Values.kubeRbacProxy.livenessProbe | nindent 10 }}
-        securityContext:
-{{- toYaml .Values.kubeRbacProxy.securityContext | nindent 10 }}
-        ports:
-        - containerPort: 8443
-          name: https
-        - containerPort: 10443
-          name: https-proxy
-          protocol: TCP
-      {{- end}}
       - args:
         - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
+        - --metrics-bind-address=:8443
         - --leader-elect
         {{- if .Values.manager.watchNamespace }}
         - --watch-namespace={{ .Values.manager.watchNamespace }}
@@ -75,6 +51,10 @@ spec:
         {{- if .Values.manager.extraEnv }}
         {{- toYaml .Values.manager.extraEnv | nindent 8 }}
         {{- end }}
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
         securityContext:
 {{- toYaml .Values.manager.securityContext | nindent 10 }}
       nodeSelector:

charts/opensearch-operator/templates/opensearch-operator-proxy-role-cr.yaml → charts/opensearch-operator/templates/opensearch-operator-metrics-auth-role-cr.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-role
+  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-metrics-auth
 rules:
 - apiGroups:
   - authentication.k8s.io

charts/opensearch-operator/templates/opensearch-operator-proxy-rolebinding.yaml → charts/opensearch-operator/templates/opensearch-operator-metrics-auth-rolebinding.yaml

@@ -2,11 +2,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-rolebinding
+  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-metrics-auth
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-role
+  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-metrics-auth
 subjects:
 - kind: ServiceAccount
   name: {{ include "opensearch-operator.serviceAccountName" . }}
@@ -15,11 +15,11 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-rolebinding
+  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-metrics-auth
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-role
+  name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-metrics-auth
 subjects:
 - kind: ServiceAccount
   name: {{ include "opensearch-operator.serviceAccountName" . }}

charts/opensearch-operator/values.yaml

@@ -74,47 +74,12 @@ serviceAccount:
   # Override the service account name. Defaults to opensearch-operator-controller-manager
   name: ""
 
-kubeRbacProxy:
-  enable: true
-  securityContext:
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
-    capabilities:
-      drop:
-        - ALL
-  resources:
-    limits:
-      cpu: 50m
-      memory: 50Mi
-    requests:
-      cpu: 25m
-      memory: 25Mi
-
-  livenessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: /healthz
-      port: 10443
-      scheme: HTTPS
-    periodSeconds: 15
-    successThreshold: 1
-    timeoutSeconds: 3
-    initialDelaySeconds: 10
-
-  readinessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: /healthz
-      port: 10443
-      scheme: HTTPS
-    periodSeconds: 15
-    successThreshold: 1
-    timeoutSeconds: 3
-    initialDelaySeconds: 10
-
-  image:
-    repository: "gcr.io/kubebuilder/kube-rbac-proxy"
-    tag: "v0.15.0"
+# kubeRbacProxy has been replaced with controller-runtime's built-in
+# WithAuthenticationAndAuthorization for metrics endpoint protection.
+# This provides equivalent security functionality without external dependencies.
+# 
+# kubeRbacProxy:
+#   enable: false
 
 ## If this is set to true, RoleBindings will be used instead of ClusterRoleBindings, inorder to restrict ClusterRoles
 ## to the namespace where the operator and OpenSearch cluster are in. In that case, specify the namespace where they

opensearch-operator/config/rbac/kustomization.yaml

@@ -9,10 +9,10 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# The following auth proxy resources have been removed
+# as we now use controller-runtime's built-in WithAuthenticationAndAuthorization
+# for metrics endpoint protection.
+# - auth_proxy_service.yaml
+# - auth_proxy_role.yaml
+# - auth_proxy_role_binding.yaml
+# - auth_proxy_client_clusterrole.yaml

opensearch-operator/go.mod

@@ -29,28 +29,37 @@ require (
 )
 
 require (
+	cel.dev/expr v0.19.1 // indirect
 	emperror.dev/errors v0.8.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/briandowns/spinner v1.23.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cppforlife/go-patch v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fatih/color v1.17.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/cel-go v0.23.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
 	github.com/iancoleman/orderedmap v0.3.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -66,26 +75,44 @@ require (
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
+	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.41.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.26.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.33.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/grpc v1.68.1 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiserver v0.33.1 // indirect
+	k8s.io/component-base v0.33.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect