Migration of kube-rbac-proxy in gitops-operator

Signed-off-by: akhil nittala <nakhil@redhat.com>

Author: akhilnittala

bundle/manifests/gitops-operator.clusterserviceversion.yaml

@@ -190,7 +190,7 @@ metadata:
     capabilities: Deep Insights
     console.openshift.io/plugins: '["gitops-plugin"]'
     containerImage: quay.io/redhat-developer/gitops-operator
-    createdAt: "2026-04-08T05:55:24Z"
+    createdAt: "2026-04-09T07:23:41Z"
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
     features.operators.openshift.io/disconnected: "true"
@@ -859,7 +859,8 @@ spec:
               containers:
               - args:
                 - --health-probe-bind-address=:8081
-                - --metrics-bind-address=127.0.0.1:8080
+                - --metrics-bind-address=:8443
+                - --metrics-secure
                 - --leader-elect
                 command:
                 - /usr/local/bin/manager
@@ -885,6 +886,9 @@ spec:
                 - containerPort: 9443
                   name: webhook-server
                   protocol: TCP
+                - containerPort: 8443
+                  name: metrics
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz

config/default/kustomization.yaml

@@ -25,10 +25,12 @@ bases:
 - ../prometheus
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+# Protect the /metrics endpoint with controller-runtime authn/authz.
+# If you comment out manager_metrics_patch.yaml, also comment out metrics_service.yaml,
+# metrics_role.yaml, metrics_role_binding.yaml, and metrics_reader_clusterrole.yaml
+# in ../rbac/kustomization.yaml so the metrics Service is disabled as well.
+patchesStrategicMerge:
+- manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

…ig/default/manager_auth_proxy_patch.yaml config/default/manager_metrics_patch.yamlconfig/default/manager_auth_proxy_patch.yaml renamed to config/default/manager_metrics_patch.yaml config/default/manager_auth_proxy_patch.yaml renamed to config/default/manager_metrics_patch.yaml

@@ -1,5 +1,6 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the manager to serve metrics securely using
+# controller-runtime's built-in authn/authz (replacing the deprecated
+# kube-rbac-proxy sidecar).
 apiVersion: apps/v1
 kind: Deployment
 metadata:

config/rbac/kustomization.yaml

@@ -9,10 +9,11 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-# - auth_proxy_client_clusterrole.yaml
+# These resources expose /metrics over HTTPS on port 8443 and grant the
+# controller-runtime authn/authz permissions required by manager_metrics_patch.yaml.
+# Comment these lines together with manager_metrics_patch.yaml if you want to
+# disable secure metrics for the controller-manager.
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+# - metrics_reader_clusterrole.yaml

…/rbac/auth_proxy_client_clusterrole.yaml …fig/rbac/metrics_reader_clusterrole.yamlconfig/rbac/auth_proxy_client_clusterrole.yaml renamed to config/rbac/metrics_reader_clusterrole.yaml config/rbac/auth_proxy_client_clusterrole.yaml renamed to config/rbac/metrics_reader_clusterrole.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: proxy-role
+  name: metrics-role
 rules:
 - nonResourceURLs:
   - "/metrics"

config/rbac/auth_proxy_role.yaml config/rbac/metrics_role.yamlconfig/rbac/auth_proxy_role.yaml renamed to config/rbac/metrics_role.yaml

@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: proxy-rolebinding
+  name: metrics-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager