Remove kube-rbac-proxy from PSM

The PSM was using controller-runtime for health/metrics and using
kube-rbac-proxy for TLS support. This removes the kube-rbac-proxy
and implements the health/metrics servers using the same code
that the OLM and Catalog controllers use.

This also adds TLS configuration flags identical to those used for
OLM and Catalog operators.

This will make updating the PSM for OpenShift TLS Profiles
significantly easier, as code can be shared between all the operators.

Signed-off-by: Todd Short <todd.short@me.com>
Assisted-by: Claude code

Author: tmshort

cmd/package-server-manager/main.go

@@ -4,9 +4,11 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server"
 
 	"k8s.io/apimachinery/pkg/fields"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -17,7 +19,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -30,8 +31,8 @@ import (
 const (
 	defaultName                 = "packageserver"
 	defaultNamespace            = "openshift-operator-lifecycle-manager"
-	defaultMetricsPort          = "0"
-	defaultHealthCheckPort      = ":8080"
+	defaultMetricsPort          = "0" // Disable controller-runtime metrics (using pkg/lib/server instead)
+	defaultHealthCheckPort      = ""  // Disable controller-runtime health (using pkg/lib/server instead)
 	defaultPprofPort            = ":6060"
 	defaultInterval             = ""
 	leaderElectionConfigmapName = "packageserver-controller-lock"
@@ -75,11 +76,43 @@ func run(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	tlsCertPath, err := cmd.Flags().GetString("tls-cert")
+	if err != nil {
+		return err
+	}
+	tlsKeyPath, err := cmd.Flags().GetString("tls-key")
+	if err != nil {
+		return err
+	}
+	clientCAPath, err := cmd.Flags().GetString("client-ca")
+	if err != nil {
+		return err
+	}
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 	setupLog := ctrl.Log.WithName("setup")
 
 	restConfig := ctrl.GetConfigOrDie()
+
+	// Create logrus logger for the server library
+	logger := logrus.New()
+
+	// Start HTTPS server with metrics/health endpoints
+	listenAndServe, err := server.GetListenAndServeFunc(
+		server.WithLogger(logger),
+		server.WithTLS(&tlsCertPath, &tlsKeyPath, &clientCAPath),
+		server.WithKubeConfig(restConfig),
+	)
+	if err != nil {
+		setupLog.Error(err, "failed to setup health/metric/pprof service")
+		return err
+	}
+
+	go func() {
+		if err := listenAndServe(); err != nil {
+			setupLog.Error(err, "server error")
+		}
+	}()
 	le := leaderelection.GetLeaderElectionConfig(setupLog, restConfig, !disableLeaderElection)
 
 	packageserverCSVFields := fields.Set{"metadata.name": name}
@@ -136,14 +169,7 @@ func run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
-		setupLog.Error(err, "failed to establish a readyz check")
-		return err
-	}
-	if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
-		setupLog.Error(err, "failed to establish a healthz check")
-		return err
-	}
+	// Health checks are now handled by pkg/lib/server (not controller-runtime)
 	// +kubebuilder:scaffold:builder
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {

cmd/package-server-manager/start.go

@@ -19,6 +19,9 @@ func newStartCmd() *cobra.Command {
 	cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource")
 	cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
 	cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
+	cmd.Flags().String("tls-cert", "", "path to use for certificate key (requires tls-key)")
+	cmd.Flags().String("tls-key", "", "path to use for private key (requires tls-cert)")
+	cmd.Flags().String("client-ca", "", "path to watch for client ca bundle")
 
 	return cmd
 }

manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml

@@ -31,33 +31,6 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:9090/
-            - --tls-cert-file=/etc/tls/private/tls.crt
-            - --tls-private-key-file=/etc/tls/private/tls.key
-            - --logtostderr=true
-          image: quay.io/openshift/origin-kube-rbac-proxy:latest
-          imagePullPolicy: IfNotPresent
-          name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          ports:
-            - containerPort: 8443
-              name: metrics
-              protocol: TCP
-          resources:
-            requests:
-              memory: 20Mi
-              cpu: 10m
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: FallbackToLogsOnError
-          volumeMounts:
-            - mountPath: /etc/tls/private
-              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
-            - "--metrics=:9090"
+            - --tls-cert
+            - /etc/tls/private/tls.crt
+            - --tls-key
+            - /etc/tls/private/tls.key
+            - --client-ca
+            - /etc/tls/private/tls.crt
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -92,17 +70,27 @@ spec:
             requests:
               cpu: 10m
               memory: 10Mi
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           readinessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: package-server-manager-serving-cert
+              mountPath: "/etc/tls/private"
+              readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:

manifests/0000_50_olm_06-psm-operator.deployment.yaml

@@ -31,33 +31,6 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:9090/
-            - --tls-cert-file=/etc/tls/private/tls.crt
-            - --tls-private-key-file=/etc/tls/private/tls.key
-            - --logtostderr=true
-          image: quay.io/openshift/origin-kube-rbac-proxy:latest
-          imagePullPolicy: IfNotPresent
-          name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          ports:
-            - containerPort: 8443
-              name: metrics
-              protocol: TCP
-          resources:
-            requests:
-              memory: 20Mi
-              cpu: 10m
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: FallbackToLogsOnError
-          volumeMounts:
-            - mountPath: /etc/tls/private
-              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
-            - "--metrics=:9090"
+            - --tls-cert
+            - /etc/tls/private/tls.crt
+            - --tls-key
+            - /etc/tls/private/tls.key
+            - --client-ca
+            - /etc/tls/private/tls.crt
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -92,17 +70,27 @@ spec:
             requests:
               cpu: 10m
               memory: 10Mi
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           readinessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: package-server-manager-serving-cert
+              mountPath: "/etc/tls/private"
+              readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""

microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml

@@ -31,33 +31,6 @@ spec:
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:9090/
-            - --tls-cert-file=/etc/tls/private/tls.crt
-            - --tls-private-key-file=/etc/tls/private/tls.key
-            - --logtostderr=true
-          image: quay.io/openshift/origin-kube-rbac-proxy:latest
-          imagePullPolicy: IfNotPresent
-          name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          ports:
-            - containerPort: 8443
-              name: metrics
-              protocol: TCP
-          resources:
-            requests:
-              memory: 20Mi
-              cpu: 10m
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: FallbackToLogsOnError
-          volumeMounts:
-            - mountPath: /etc/tls/private
-              name: package-server-manager-serving-cert
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
             - $(PACKAGESERVER_NAME)
             - --namespace
             - $(PACKAGESERVER_NAMESPACE)
-            - "--metrics=:9090"
+            - --tls-cert
+            - /etc/tls/private/tls.crt
+            - --tls-key
+            - /etc/tls/private/tls.key
+            - --client-ca
+            - /etc/tls/private/tls.crt
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           env:
@@ -92,17 +70,27 @@ spec:
             requests:
               cpu: 10m
               memory: 10Mi
+          ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           readinessProbe:
             httpGet:
               path: /healthz
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 30
           terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: package-server-manager-serving-cert
+              mountPath: "/etc/tls/private"
+              readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
       tolerations: