METAL-1606: Remove kube-rbac-proxy and add regression tests#79
Open
elfosardo wants to merge 1 commit into
Open
METAL-1606: Remove kube-rbac-proxy and add regression tests#79elfosardo wants to merge 1 commit into
elfosardo wants to merge 1 commit into
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: elfosardo The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
elfosardo
force-pushed
the
remove-kube-rbac-proxy-release
branch
from
ed62ee6 to
269a158
Compare
andfasano
reviewed
Oct 24, 2025
| // Create a new HTTP client with the custom transport | ||
| client := &http.Client{Transport: tr} | ||
| // Create a standard HTTP client (no TLS needed for HTTP) | ||
| client := &http.Client{} |
Contributor
There was a problem hiding this comment.
What was the requirement to change the protocol here to http?
Contributor
Author
There was a problem hiding this comment.
I should've probably put a WIP here!
this is just for the sake of e2e tests, since the api are actually exposed with no TLS
the problem is actually more complex
before the change we used port 8443 on the proxy to expose both metrics (port 8080) and api (port 8087) redirecting based on the url, and provide TLS termination
I wonder if we should implement TLS for api endpoint first
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
openshift-ci
Bot
added
the
needs-rebase
elfosardo
force-pushed
the
remove-kube-rbac-proxy-release
branch
from
269a158 to
d96a43f
Compare
openshift-ci
Bot
removed
the
needs-rebase
elfosardo
changed the title
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
elfosardo
force-pushed
the
remove-kube-rbac-proxy-release
branch
from
d96a43f to
0feb871
Compare
elfosardo
changed the title
Contributor
Author
elfosardo
force-pushed
the
remove-kube-rbac-proxy-release
branch
2 times, most recently
from
69a0467 to
c0c7e75
Compare
Replace the kube-rbac-proxy sidecar with controller-runtime's WithAuthenticationAndAuthorization filter on the metrics server. Route ofcir-service to the API on port 8087 and keep a separate https port for authenticated metrics scraping. Remove auth proxy kustomize patches and RBAC. Update e2e to call the API over HTTP via NodePort. Add manifest tests (kustomize output) and e2e tests for deployment shape, API status/release lifecycle, and metrics endpoint auth. Test plan: - make kustomize && go test ./config/ - go test ./tests/e2e/... # requires kind/docker
elfosardo
force-pushed
the
remove-kube-rbac-proxy-release
branch
from
c0c7e75 to
660569e
Compare
Contributor
Author
|
/hold |
openshift-ci
Bot
added
the
do-not-merge/hold
Contributor
|
/lgtm |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace the kube-rbac-proxy sidecar with controller-runtime's
WithAuthenticationAndAuthorization filter on the metrics server.
Route ofcir-service to the API on port 8087 and keep a separate
https port for authenticated metrics scraping.
Remove auth proxy kustomize patches and RBAC. Update e2e to call the
API over HTTP via NodePort. Add manifest tests (kustomize output) and
e2e tests for deployment shape, API status/release lifecycle, and
metrics endpoint auth.
Test plan: