WIP: Remove kube-rbac-proxy

Signed-off-by: Todd Short <todd.short@me.com>

Author: tmshort

cmd/package-server-manager/main.go

@@ -4,9 +4,11 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server"
 
 	"k8s.io/apimachinery/pkg/fields"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -17,7 +19,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -30,8 +31,8 @@ import (
 const (
 	defaultName                 = "packageserver"
 	defaultNamespace            = "openshift-operator-lifecycle-manager"
-	defaultMetricsPort          = "0"
-	defaultHealthCheckPort      = ":8080"
+	defaultMetricsPort          = "0" // Disable controller-runtime metrics (using pkg/lib/server instead)
+	defaultHealthCheckPort      = ""  // Disable controller-runtime health (using pkg/lib/server instead)
 	defaultPprofPort            = ":6060"
 	defaultInterval             = ""
 	leaderElectionConfigmapName = "packageserver-controller-lock"
@@ -75,11 +76,51 @@ func run(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	tlsCertPath, err := cmd.Flags().GetString("tls-cert")
+	if err != nil {
+		return err
+	}
+	tlsKeyPath, err := cmd.Flags().GetString("tls-key")
+	if err != nil {
+		return err
+	}
+	clientCAPath, err := cmd.Flags().GetString("client-ca")
+	if err != nil {
+		return err
+	}
+	debug, err := cmd.Flags().GetBool("debug")
+	if err != nil {
+		return err
+	}
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 	setupLog := ctrl.Log.WithName("setup")
 
 	restConfig := ctrl.GetConfigOrDie()
+
+	// Create logrus logger for the server library
+	logger := logrus.New()
+	if debug {
+		logger.SetLevel(logrus.DebugLevel)
+	}
+
+	// Start HTTPS server with metrics/health endpoints
+	listenAndServe, err := server.GetListenAndServeFunc(
+		server.WithLogger(logger),
+		server.WithTLS(&tlsCertPath, &tlsKeyPath, &clientCAPath),
+		server.WithKubeConfig(restConfig),
+		server.WithDebug(debug),
+	)
+	if err != nil {
+		setupLog.Error(err, "failed to setup health/metric/pprof service")
+		return err
+	}
+
+	go func() {
+		if err := listenAndServe(); err != nil {
+			setupLog.Error(err, "server error")
+		}
+	}()
 	le := leaderelection.GetLeaderElectionConfig(setupLog, restConfig, !disableLeaderElection)
 
 	packageserverCSVFields := fields.Set{"metadata.name": name}
@@ -136,14 +177,7 @@ func run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
-		setupLog.Error(err, "failed to establish a readyz check")
-		return err
-	}
-	if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
-		setupLog.Error(err, "failed to establish a healthz check")
-		return err
-	}
+	// Health checks are now handled by pkg/lib/server (not controller-runtime)
 	// +kubebuilder:scaffold:builder
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {

cmd/package-server-manager/start.go

@@ -19,6 +19,10 @@ func newStartCmd() *cobra.Command {
 	cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource")
 	cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
 	cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
+	cmd.Flags().String("tls-cert", "", "path to use for certificate key (requires tls-key)")
+	cmd.Flags().String("tls-key", "", "path to use for private key (requires tls-cert)")
+	cmd.Flags().String("client-ca", "", "path to watch for client ca bundle")
+	cmd.Flags().Bool("debug", false, "enable debug logging")
 
 	return cmd
 }

manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml

@@ -31,33 +31,6 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:9090/
-            - --tls-cert-file=/etc/tls/private/tls.crt
-            - --tls-private-key-file=/etc/tls/private/tls.key
-            - --logtostderr=true
-          image: quay.io/openshift/origin-kube-rbac-proxy:latest
-          imagePullPolicy: IfNotPresent
-          name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          ports:
-            - containerPort: 8443
-              name: metrics
-              protocol: TCP
-          resources:
-            requests:
-              memory: 20Mi
-              cpu: 10m
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: FallbackToLogsOnError
-          volumeMounts:
-            - mountPath: /etc/tls/private
-              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
-            - "--metrics=:9090"
+            - --tls-cert
+            - /srv-cert/tls.crt
+            - --tls-key
+            - /srv-cert/tls.key
+            - --client-ca
+            - /profile-collector-cert/tls.crt
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -92,17 +70,30 @@ spec:
             requests:
               cpu: 10m
               memory: 10Mi
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           readinessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: srv-cert
+              mountPath: "/srv-cert"
+              readOnly: true
+            - name: profile-collector-cert
+              mountPath: "/profile-collector-cert"
+              readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -118,6 +109,9 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       volumes:
-        - name: package-server-manager-serving-cert
+        - name: srv-cert
+          secret:
+            secretName: package-server-manager-serving-cert
+        - name: profile-collector-cert
           secret:
             secretName: package-server-manager-serving-cert

manifests/0000_50_olm_06-psm-operator.deployment.yaml

@@ -31,33 +31,6 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:9090/
-            - --tls-cert-file=/etc/tls/private/tls.crt
-            - --tls-private-key-file=/etc/tls/private/tls.key
-            - --logtostderr=true
-          image: quay.io/openshift/origin-kube-rbac-proxy:latest
-          imagePullPolicy: IfNotPresent
-          name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          ports:
-            - containerPort: 8443
-              name: metrics
-              protocol: TCP
-          resources:
-            requests:
-              memory: 20Mi
-              cpu: 10m
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: FallbackToLogsOnError
-          volumeMounts:
-            - mountPath: /etc/tls/private
-              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
-            - "--metrics=:9090"
+            - --tls-cert
+            - /srv-cert/tls.crt
+            - --tls-key
+            - /srv-cert/tls.key
+            - --client-ca
+            - /profile-collector-cert/tls.crt
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -92,17 +70,30 @@ spec:
             requests:
               cpu: 10m
               memory: 10Mi
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           readinessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: srv-cert
+              mountPath: "/srv-cert"
+              readOnly: true
+            - name: profile-collector-cert
+              mountPath: "/profile-collector-cert"
+              readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -119,6 +110,9 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       volumes:
-        - name: package-server-manager-serving-cert
+        - name: srv-cert
+          secret:
+            secretName: package-server-manager-serving-cert
+        - name: profile-collector-cert
           secret:
             secretName: package-server-manager-serving-cert