Skip to content

remove rbac auth proxy from manifests #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 3, 2025
Merged

remove rbac auth proxy from manifests #123

merged 1 commit into from
Apr 3, 2025

Conversation

rccrdpccl
Copy link
Contributor

@rccrdpccl rccrdpccl commented Apr 3, 2025
edited by coderabbitai bot
Loading

RBAC auth proxy is deprecated in kubebuilder, and should be removed.
We do not care enough to replace it with in-controller replacement, so we'll just remove it

Summary by CodeRabbit

  • Refactor

    • Streamlined controller manager deployments by simplifying container parameters and updating image references.

  • Chores

    • Removed redundant monitoring endpoints and access rules to enhance security.
    • Cleaned up configuration files by deleting unused comments and options.

@rccrdpccl
remove rbac auth proxy from manifests
cff6775 
Signed-off-by: Riccardo Piccoli <rpiccoli@redhat.com>
@openshift-ci openshift-ci bot requested a review from eranco74 April 3, 2025 13:38
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Apr 3, 2025
edited
Loading

Walkthrough

The changes remove multiple Kubernetes RBAC definitions and service configurations while simplifying deployment specifications. Both the bootstrap and control plane projects had their auth proxy components removed: ClusterRoles, ClusterRoleBindings, and Services that provided metrics access and RBAC-enabled proxying were deleted. Additionally, corresponding patch files and extra commented configuration lines in kustomization files were eliminated, resulting in a streamlined deployment setup without the dedicated sidecar proxy for authorization.

Changes

File(s) Change Summary
bootstrap-components.yaml, controlplane-components.yaml Removed RBAC items (metrics-reader roles, proxy roles, and role bindings) and deleted services exposing controller manager metrics. Deployment configurations were updated by removing kube‑rbac‑proxy arguments and adjusting container images/parameters.
bootstrap/config/default/kustomization.yaml, controlplane/config/default/kustomization.yaml Cleaned up configuration by removing extraneous resource references (e.g., ../manager) and deleting commented-out sections for WEBHOOK, CERTMANAGER, PROMETHEUS, and CA injection patches.
bootstrap/config/default/manager_auth_proxy_patch.yaml, controlplane/config/default/manager_auth_proxy_patch.yaml Removed patch files that defined the auth proxy sidecar container responsible for RBAC authorization in the controller manager deployments.
bootstrap/…/rbac/*.yaml, controlplane/…/rbac/*.yaml Deleted auth proxy RBAC definitions—including ClusterRoles for metrics reading and proxy functions, ClusterRoleBindings, and Services exposing metrics—and removed corresponding kustomization references.

Sequence Diagram(s)

sequenceDiagram
    participant C as Client
    participant AP as Auth Proxy (old)
    participant CM as Controller Manager

    alt Old Flow
      C->>AP: Send metrics request
      AP->>CM: Forward request after RBAC check
      CM-->>AP: Return metrics
      AP-->>C: Forward metrics
    else New Flow
      C->>CM: Send metrics request directly
      CM-->>C: Return metrics
    end
Loading

Poem

I'm a bunny with a skip and a hop,
Seeing old RBAC rules finally stop.
The proxy has vanished, a clean, lighter way—
No extra hops now in my deployment day.
Carrots and code, a merry blend,
Leaping forward with a simpler trend! 🥕🐰

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai plan to trigger planning for file edits and PR creation.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 3, 2025
@rccrdpccl
Copy link
Contributor Author

/hold

testing this locally while we fix the e2e test

@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Apr 3, 2025
@rccrdpccl rccrdpccl requested a review from carbonin April 3, 2025 13:39
coderabbitai[bot]
coderabbitai bot reviewed Apr 3, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (2)
bootstrap/config/rbac/kustomization.yaml (1)

1-13: Confirm Removal of Deprecated RBAC Auth Proxy Resources

The modifications correctly remove references to the deprecated RBAC auth proxy. The resources list now excludes files such as auth_proxy_service.yaml, auth_proxy_role.yaml, auth_proxy_role_binding.yaml, and auth_proxy_client_clusterrole.yaml, in line with the PR objectives.

Please ensure that:

  • Any dependent configurations or documentation referring to these removed resources are updated.
  • The remaining RBAC definitions (e.g., service_account.yaml, role.yaml, etc.) are sufficient for the intended operational scope without the auth proxy.
bootstrap/config/default/kustomization.yaml (1)

4-4: YAML Formatting – Missing Newline at End of File
YAMLlint has flagged that there is no newline at the end of the file. Adding a newline is a recommended best practice to ensure compatibility with various tools.

Consider applying the following diff to fix the issue:

@@
-../manager
\ No newline at end of file
+../manager
+
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7985f56 and cff6775.

📒 Files selected for processing (16)
  • bootstrap-components.yaml (0 hunks)
  • bootstrap/config/default/kustomization.yaml (1 hunks)
  • bootstrap/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_service.yaml (0 hunks)
  • bootstrap/config/rbac/kustomization.yaml (1 hunks)
  • controlplane-components.yaml (0 hunks)
  • controlplane/config/default/kustomization.yaml (0 hunks)
  • controlplane/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_service.yaml (0 hunks)
  • controlplane/config/rbac/kustomization.yaml (0 hunks)
💤 Files with no reviewable changes (14)
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml
  • controlplane/config/default/kustomization.yaml
  • bootstrap/config/rbac/auth_proxy_role.yaml
  • controlplane/config/rbac/auth_proxy_service.yaml
  • controlplane/config/default/manager_auth_proxy_patch.yaml
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml
  • bootstrap/config/default/manager_auth_proxy_patch.yaml
  • controlplane/config/rbac/kustomization.yaml
  • controlplane/config/rbac/auth_proxy_role_binding.yaml
  • bootstrap-components.yaml
  • controlplane-components.yaml
  • bootstrap/config/rbac/auth_proxy_service.yaml
  • controlplane/config/rbac/auth_proxy_role.yaml
🧰 Additional context used
🪛 YAMLlint (1.35.1)
bootstrap/config/default/kustomization.yaml

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
bootstrap/config/default/kustomization.yaml (1)

1-4: Removal of Deprecated RBAC Auth Proxy Reference
The removal of the ../manager resource from the resources list is consistent with the PR objective of removing the deprecated RBAC auth proxy configuration. This change simplifies the manifest and eliminates unused references. Please double-check that no other parts of the configuration rely on this reference.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

coderabbitai[bot]
coderabbitai bot reviewed Apr 3, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
bootstrap/config/rbac/kustomization.yaml (1)

12-13: Add Newline at End of File.
Static analysis flagged that there is no new line character at the end of this file. Please add a newline at the end to adhere to YAML formatting standards.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7985f56 and cff6775.

📒 Files selected for processing (16)
  • bootstrap-components.yaml (0 hunks)
  • bootstrap/config/default/kustomization.yaml (1 hunks)
  • bootstrap/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_service.yaml (0 hunks)
  • bootstrap/config/rbac/kustomization.yaml (1 hunks)
  • controlplane-components.yaml (0 hunks)
  • controlplane/config/default/kustomization.yaml (0 hunks)
  • controlplane/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_service.yaml (0 hunks)
  • controlplane/config/rbac/kustomization.yaml (0 hunks)
💤 Files with no reviewable changes (14)
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml
  • controlplane/config/rbac/auth_proxy_role.yaml
  • controlplane/config/rbac/auth_proxy_service.yaml
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml
  • controlplane/config/rbac/auth_proxy_role_binding.yaml
  • bootstrap/config/rbac/auth_proxy_role.yaml
  • bootstrap/config/rbac/auth_proxy_service.yaml
  • controlplane/config/default/kustomization.yaml
  • controlplane/config/rbac/kustomization.yaml
  • controlplane/config/default/manager_auth_proxy_patch.yaml
  • bootstrap/config/default/manager_auth_proxy_patch.yaml
  • controlplane-components.yaml
  • bootstrap-components.yaml
🧰 Additional context used
🪛 YAMLlint (1.35.1)
bootstrap/config/default/kustomization.yaml

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (2)
bootstrap/config/rbac/kustomization.yaml (1)

1-13: Removal of Deprecated Auth Proxy RBAC Configurations Confirmed.
The removal of references to the auth proxy (e.g., related to auth_proxy_service.yaml, auth_proxy_role.yaml, etc.) is in line with the PR objectives. The remaining RBAC resources (service account, role, role binding, and leader election resources) appear to be the only ones now applied, which simplifies the configuration as intended.

bootstrap/config/default/kustomization.yaml (1)

1-4: Manager Resource Reference Removal.
The reference to the manager resource (../manager) has been removed from the resources list, which aligns with the removal of deprecated components in this manifest. Please verify that no other parts of the configuration depend on the manager resource.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

coderabbitai[bot]
coderabbitai bot reviewed Apr 3, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
bootstrap/config/default/kustomization.yaml (1)

4-4: Formatting: Ensure Newline at End of File

The static analysis tool flagged that there is no newline character at the end of the file. Adding a newline will improve compatibility with various YAML parsers.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7985f56 and cff6775.

📒 Files selected for processing (16)
  • bootstrap-components.yaml (0 hunks)
  • bootstrap/config/default/kustomization.yaml (1 hunks)
  • bootstrap/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • bootstrap/config/rbac/auth_proxy_service.yaml (0 hunks)
  • bootstrap/config/rbac/kustomization.yaml (1 hunks)
  • controlplane-components.yaml (0 hunks)
  • controlplane/config/default/kustomization.yaml (0 hunks)
  • controlplane/config/default/manager_auth_proxy_patch.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_role_binding.yaml (0 hunks)
  • controlplane/config/rbac/auth_proxy_service.yaml (0 hunks)
  • controlplane/config/rbac/kustomization.yaml (0 hunks)
💤 Files with no reviewable changes (14)
  • controlplane/config/rbac/auth_proxy_client_clusterrole.yaml
  • controlplane/config/default/kustomization.yaml
  • controlplane/config/rbac/auth_proxy_role.yaml
  • bootstrap/config/rbac/auth_proxy_role.yaml
  • bootstrap/config/rbac/auth_proxy_client_clusterrole.yaml
  • bootstrap/config/rbac/auth_proxy_role_binding.yaml
  • bootstrap/config/default/manager_auth_proxy_patch.yaml
  • bootstrap/config/rbac/auth_proxy_service.yaml
  • controlplane/config/rbac/kustomization.yaml
  • controlplane/config/rbac/auth_proxy_role_binding.yaml
  • controlplane/config/rbac/auth_proxy_service.yaml
  • bootstrap-components.yaml
  • controlplane-components.yaml
  • controlplane/config/default/manager_auth_proxy_patch.yaml
🧰 Additional context used
🪛 YAMLlint (1.35.1)
bootstrap/config/default/kustomization.yaml

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (2)
bootstrap/config/rbac/kustomization.yaml (1)

1-13: Removal of Deprecated Auth Proxy Configurations

The changes correctly remove the deprecated auth proxy RBAC configurations. The kustomization file now cleanly lists only the necessary RBAC resources (i.e. service_account.yaml, role.yaml, role_binding.yaml, leader_election_role.yaml, and leader_election_role_binding.yaml), which aligns with the deprecation of the RBAC auth proxy in kubebuilder.

Please ensure that any documentation or additional configuration files that previously referenced the removed auth proxy resources are updated accordingly.

bootstrap/config/default/kustomization.yaml (1)

1-4: Confirm Removal of Auth Proxy Manager Reference

The removal of the manager reference (../manager) from the resources section is in line with the PR objective to deprecate the RBAC auth proxy. Please verify that no other components require this resource, and that its removal does not affect any dependent configurations.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 4-4: no new line character at the end of file

(new-line-at-end-of-file)

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 3, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carbonin, rccrdpccl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rccrdpccl
Copy link
Contributor Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 3, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 961ae13 into openshift-assisted:master Apr 3, 2025
8 checks passed
@rccrdpccl rccrdpccl deleted the remove-rback-auth-proxy branch April 9, 2025 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@carbonin carbonin carbonin approved these changes

@eranco74 eranco74 Awaiting requested review from eranco74

@openshift-edge-bot openshift-edge-bot Awaiting requested review from openshift-edge-bot

Assignees

@carbonin carbonin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rccrdpccl @carbonin