  1. OpenShift Cloud Credential Operator
  2. CCO-788

remove the kube-rbac-proxy container


    • Story
    • Resolution: Unresolved
    • Critical

      The kube-rbac-proxy container is deployed as part of the CCO operator pod, which is deployed via /manifests/02-deployment.yaml. As a result, the TLS configuration cannot be managed by CCO. Newer functionality has been added that lets us secure the metrics port on the controller-runtime manager (which CCO still uses), and the metrics configuration can also configure the TLS config. Combine both of these changes to enable the TLS configuration as set on the API server.

      • Remove the kube-rbac-proxy container from the CCO operator
      • Configure the networkPolicy for metrics to limit access to the monitoring operator
      • Configure the operator metrics to have RBAC equal to what was provided by kube-rbac-proxy (filters.WithAuthenticationAndAuthorization)
      • Configure the operator metrics to use TLS on port 8443, including certificates that were previously provided to kube-rbac-proxy
      • Configure the cloud-credential-operator container to listen on 8443 (metrics)
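
One way to turn a TLS profile into the `func(*tls.Config)` shape that controller-runtime's metrics server accepts in its `TLSOpts` option, as an added example that is not code from the CCO repository. The function name `TLSOptFromProfile` and the input form (Go version constant names and IANA cipher suite names) are assumptions of this sketch, and the sample profile is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Version names assumed for the profile input, mapped to Go constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// TLSOptFromProfile (hypothetical helper) builds a TLSOpts-style function.
// It fails closed: an unknown version or a cipher outside Go's secure list is an error.
func TLSOptFromProfile(minVersion string, cipherNames []string) (func(*tls.Config), error) {
	minVer, ok := tlsVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() { // does not include tls.InsecureCipherSuites()
		secure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, name := range cipherNames {
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown or insecure", name)
		}
		ids = append(ids, id)
	}
	return func(c *tls.Config) {
		c.MinVersion = minVer
		// Go applies CipherSuites to TLS 1.2 and below only; nil keeps Go's defaults.
		c.CipherSuites = ids
	}, nil
}

func main() {
	// Constructed sample profile, not read from a real cluster.
	opt, err := TLSOptFromProfile("VersionTLS12", []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{}
	opt(cfg)
	fmt.Printf("min=%#x suites=%d\n", cfg.MinVersion, len(cfg.CipherSuites))
}
```
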

              jstuever@redhat.com Jeremiah Stuever
              Mingxia Huang Mingxia Huang