redhat-developer
diff --git a/‎bundle/manifests/gitops-operator.clusterserviceversion.yaml‎
Lines changed: 8 additions & 36 deletions b/‎bundle/manifests/gitops-operator.clusterserviceversion.yaml‎
Lines changed: 8 additions & 36 deletions
diff --git a/‎cmd/main.go‎
Lines changed: 4 additions & 2 deletions b/‎cmd/main.go‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎config/default/kustomization.yaml‎
Lines changed: 5 additions & 4 deletions b/‎config/default/kustomization.yaml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎config/default/manager_auth_proxy_patch.yaml‎
Lines changed: 0 additions & 57 deletions b/‎config/default/manager_auth_proxy_patch.yaml‎
Lines changed: 0 additions & 57 deletions
diff --git a/‎config/default/manager_metrics_patch.yaml‎
Lines changed: 24 additions & 0 deletions b/‎config/default/manager_metrics_patch.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎config/rbac/kustomization.yaml‎
Lines changed: 8 additions & 7 deletions b/‎config/rbac/kustomization.yaml‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎…/rbac/auth_proxy_client_clusterrole.yaml‎ ‎…fig/rbac/metrics_reader_clusterrole.yaml‎config/rbac/auth_proxy_client_clusterrole.yaml renamed to config/rbac/metrics_reader_clusterrole.yaml b/‎…/rbac/auth_proxy_client_clusterrole.yaml‎ ‎…fig/rbac/metrics_reader_clusterrole.yaml‎config/rbac/auth_proxy_client_clusterrole.yaml renamed to config/rbac/metrics_reader_clusterrole.yaml
diff --git a/‎config/rbac/auth_proxy_role.yaml‎ ‎config/rbac/metrics_role.yaml‎config/rbac/auth_proxy_role.yaml renamed to config/rbac/metrics_role.yaml
Lines changed: 1 addition & 1 deletion b/‎config/rbac/auth_proxy_role.yaml‎ ‎config/rbac/metrics_role.yaml‎config/rbac/auth_proxy_role.yaml renamed to config/rbac/metrics_role.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/rbac/auth_proxy_role_binding.yaml‎ ‎config/rbac/metrics_role_binding.yaml‎config/rbac/auth_proxy_role_binding.yaml renamed to config/rbac/metrics_role_binding.yaml
Lines changed: 2 additions & 2 deletions b/‎config/rbac/auth_proxy_role_binding.yaml‎ ‎config/rbac/metrics_role_binding.yaml‎config/rbac/auth_proxy_role_binding.yaml renamed to config/rbac/metrics_role_binding.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/rbac/auth_proxy_service.yaml‎ ‎config/rbac/metrics_service.yaml‎config/rbac/auth_proxy_service.yaml renamed to config/rbac/metrics_service.yaml b/‎config/rbac/auth_proxy_service.yaml‎ ‎config/rbac/metrics_service.yaml‎config/rbac/auth_proxy_service.yaml renamed to config/rbac/metrics_service.yaml
@@ -190,7 +190,7 @@ metadata:
     capabilities: Deep Insights
     console.openshift.io/plugins: '["gitops-plugin"]'
     containerImage: quay.io/redhat-developer/gitops-operator
-    createdAt: "2026-04-09T19:32:55Z"
+    createdAt: "2026-04-21T13:41:53Z"
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
     features.operators.openshift.io/disconnected: "true"
@@ -859,7 +859,7 @@ spec:
               containers:
               - args:
                 - --health-probe-bind-address=:8081
-                - --metrics-bind-address=127.0.0.1:8080
+                - --metrics-bind-address=:8443
                 - --leader-elect
                 command:
                 - /usr/local/bin/manager
@@ -885,6 +885,12 @@ spec:
                 - containerPort: 9443
                   name: webhook-server
                   protocol: TCP
+                - containerPort: 8443
+                  name: metrics
+                  protocol: TCP
+                - containerPort: 8081
+                  name: health
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -899,44 +905,10 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080
-                - --tls-cert-file=/etc/tls/private/tls.crt
-                - --tls-private-key-file=/etc/tls/private/tls.key
-                - --logtostderr=true
-                - --allow-paths=/metrics
-                - --http2-disable
-                image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.15
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: metrics
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 1m
-                    memory: 15Mi
-                securityContext:
-                  allowPrivilegeEscalation: false
-                  capabilities:
-                    drop:
-                    - ALL
-                volumeMounts:
-                - mountPath: /etc/tls/private
-                  name: kube-rbac-proxy-tls
-                  readOnly: true
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: openshift-gitops-operator-controller-manager
               terminationGracePeriodSeconds: 10
-              volumes:
-              - name: kube-rbac-proxy-tls
-                secret:
-                  secretName: kube-rbac-proxy-tls
       permissions:
       - rules:
         - apiGroups:
 
@@ -70,6 +70,7 @@ import (
 	"github.com/redhat-developer/gitops-operator/controllers/argocd/openshift"
 	"github.com/redhat-developer/gitops-operator/controllers/util"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	//+kubebuilder:scaffold:imports
 )
@@ -148,8 +149,9 @@ func main() {
 	webhookServer := webhook.NewServer(webhookServerOptions)
 
 	metricsServerOptions := metricsserver.Options{
-		BindAddress: metricsAddr,
-		TLSOpts:     []func(*tls.Config){disableHTTP2},
+		BindAddress:    metricsAddr,
+		TLSOpts:        []func(*tls.Config){disableHTTP2},
+		FilterProvider: filters.WithAuthenticationAndAuthorization,
 	}
 
 	// Set default manager options
 
@@ -24,11 +24,12 @@ bases:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
 
+# Protect the /metrics endpoint with controller-runtime authn/authz.
+# If you comment out manager_metrics_patch.yaml, also comment out metrics_service.yaml,
+# metrics_role.yaml, metrics_role_binding.yaml, and metrics_reader_clusterrole.yaml
+# in ../rbac/kustomization.yaml so the metrics Service is disabled as well.
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+- manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  selector:
+    matchLabels:
+      control-plane: gitops-operator
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=:8443"
+        - "--leader-elect"
+        ports:
+        - name: metrics
+          containerPort: 8443
+          protocol: TCP
+        - name: health
+          containerPort: 8081
+          protocol: TCP
@@ -9,10 +9,11 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-# - auth_proxy_client_clusterrole.yaml
+# These resources expose /metrics over HTTPS on port 8443 and grant the
+# controller-runtime authn/authz permissions required by manager_metrics_patch.yaml.
+# Comment these lines together with manager_metrics_patch.yaml if you want to
+# disable secure metrics for the controller-manager.
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+# - metrics_reader_clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: proxy-role
+  name: metrics-role
 rules:
 - nonResourceURLs:
   - "/metrics"
 
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: proxy-rolebinding
+  name: metrics-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager