
    • Story
    • Resolution: Done
    • Major

      Going forward, the kube-rbac-proxy sidecar container will be deprecated upstream.

      https://github.com/openshift/cert-manager-operator-release/issues/95

      Downstream, we ship container images for kube-rbac-proxy to the RH registry, but that will no longer be required once Operators start using the WithAuthenticationAndAuthorization feature from controller-runtime. More cert-manager-operator specific details (as the operator uses library-go): https://redhat-internal.slack.com/archives/C02J9SFS5RN/p1733394718477849?thread_ts=1733388226.325599&cid=C02J9SFS5RN

      Hence, we can clean up the redundant sidecar as operator's 8443 server. In the past, we've disabled HTTP/2 on the kube-rbac-proxy container for certain CVEs, and having to depend on it as an external dependency has its own challenges, so it is better to get rid of it sooner rather than later, given that we already include Authorization and Authentication via https://github.com/openshift/cert-manager-operator/blob/master/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go#L312-L337.

              swghosh@redhat.com Swarup Ghosh