stackrox
diff --git a/‎go.mod‎
Lines changed: 10 additions & 0 deletions b/‎go.mod‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 19 additions & 0 deletions b/‎go.sum‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎operator/bundle/manifests/rhacs-operator-manager-config_v1_configmap.yaml‎
Lines changed: 1 addition & 1 deletion b/‎operator/bundle/manifests/rhacs-operator-manager-config_v1_configmap.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/bundle/manifests/rhacs-operator.clusterserviceversion.yaml‎
Lines changed: 4 additions & 20 deletions b/‎operator/bundle/manifests/rhacs-operator.clusterserviceversion.yaml‎
Lines changed: 4 additions & 20 deletions
diff --git a/‎operator/bundle_helpers/patch-csv.py‎
Lines changed: 4 additions & 21 deletions b/‎operator/bundle_helpers/patch-csv.py‎
Lines changed: 4 additions & 21 deletions
diff --git a/‎operator/config/default/kustomization.yaml‎
Lines changed: 2 additions & 1 deletion b/‎operator/config/default/kustomization.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎operator/config/manager/controller_manager_config.yaml‎
Lines changed: 1 addition & 1 deletion b/‎operator/config/manager/controller_manager_config.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/config/manager/manager.yaml‎
Lines changed: 6 additions & 0 deletions b/‎operator/config/manager/manager.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎operator/config/rbac/kustomization.yaml‎
Lines changed: 2 additions & 0 deletions b/‎operator/config/rbac/kustomization.yaml‎
Lines changed: 2 additions & 0 deletions
@@ -173,13 +173,15 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beevik/etree v1.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.12.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
@@ -247,6 +249,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
+	github.com/google/cel-go v0.17.7 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
@@ -257,6 +260,7 @@ require (
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
@@ -354,6 +358,7 @@ require (
 	github.com/stackrox/dotnet-scraper v0.0.0-20201023051640-72ef543323dd // indirect
 	github.com/stackrox/istio-cves v0.0.0-20221007013142-0bde9b541ec8 // indirect
 	github.com/stackrox/k8s-cves v0.0.0-20220818200547-7d0d1420c58d // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
@@ -380,8 +385,12 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
 	go.opentelemetry.io/otel v1.22.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 // indirect
 	go.opentelemetry.io/otel/metric v1.22.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.22.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.starlark.net v0.0.0-20230612165344-9532f5667272 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
@@ -411,6 +420,7 @@ require (
 	modernc.org/token v1.0.1 // indirect
 	nhooyr.io/websocket v1.8.10 // indirect
 	oras.land/oras-go v1.2.4 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 
@@ -23,18 +23,6 @@ def __str__(self):
         return f"{self.x}.{self.y}.{self.z}"
 
 
-def rbac_proxy_replace(updated_img):
-    def update_rbac_proxy_img(img):
-        """
-        Updates the reference to the kube-rbac-proxy image to match the OpenShift one.
-        """
-        if not isinstance(img, str) or not img.startswith('gcr.io/kubebuilder/kube-rbac-proxy:'):
-            return None
-        return updated_img
-
-    return update_rbac_proxy_img
-
-
 def related_image_passthrough(val):
     """
     Searches for environment variable definitions of the form RELATED_IMAGE_* and replaces them
@@ -61,8 +49,7 @@ def must_replace_suffix(str, suffix, replacement):
     return splits[0] + replacement
 
 
-def patch_csv(csv_doc, version, operator_image, first_version, no_related_images, extra_supported_arches,
-              rbac_proxy_replacement):
+def patch_csv(csv_doc, version, operator_image, first_version, no_related_images, extra_supported_arches):
     csv_doc['metadata']['annotations']['createdAt'] = datetime.now(timezone.utc).isoformat()
 
     placeholder_image = csv_doc['metadata']['annotations']['containerImage']
@@ -76,9 +63,6 @@ def patch_csv(csv_doc, version, operator_image, first_version, no_related_images
     if not no_related_images:
         rewrite(csv_doc, related_image_passthrough)
 
-    if rbac_proxy_replacement:
-        rewrite(csv_doc, rbac_proxy_replace(rbac_proxy_replacement))
-
     previous_y_stream = get_previous_y_stream(version)
 
     # An olm.skipRange doesn't hurt if it references non-existing versions.
@@ -169,8 +153,8 @@ def parse_args():
                         help='Which operator image to use in the patched CSV')
     parser.add_argument("--no-related-images", action='store_true',
                         help='Disable passthrough of related images')
-    parser.add_argument("--replace-rbac-proxy", required=False, metavar='replacement-image:tag',
-                        help='Replacement directives for the RBAC proxy image')
+    # TODO(ROX-22395): remove this option once downstream scripts don't pass the argument.
+    parser.add_argument("--replace-rbac-proxy", help='This option is deprecated and ignored.')
     parser.add_argument("--add-supported-arch", action='append', required=False,
                         help='Enable specified operator architecture via CSV labels (may be passed multiple times)',
                         default=[])
@@ -187,8 +171,7 @@ def main():
               version=args.use_version,
               first_version=args.first_version,
               no_related_images=args.no_related_images,
-              extra_supported_arches=args.add_supported_arch,
-              rbac_proxy_replacement=args.replace_rbac_proxy)
+              extra_supported_arches=args.add_supported_arch)
     print(yaml.safe_dump(doc))
 
 
 
@@ -27,7 +27,8 @@ patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+# The authentication is now done in-process, by controller-runtime.
+#- manager_auth_proxy_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 
@@ -3,7 +3,7 @@ kind: ControllerManagerConfig
 health:
   healthProbeBindAddress: :8081
 metrics:
-  bindAddress: 127.0.0.1:8080
+  bindAddress: 0.0.0.0:8443
 webhook:
   port: 9443
 leaderElection:
 
@@ -32,6 +32,8 @@ spec:
         runAsNonRoot: true
       containers:
       - args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0.0.0.0:8443"
         - --leader-elect
         env:
         - name: RELATED_IMAGE_MAIN
@@ -52,6 +54,10 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
         livenessProbe:
           httpGet:
             path: /healthz
 
@@ -12,6 +12,8 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
+# The authentication is now done by controller-runtime in-process,
+# so these resources are still useful even though we do not use the proxy sidecar.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml