From e223dabf203923f86a241a6e19f1815886771d24 Mon Sep 17 00:00:00 2001
From: jpaodev
Date: Sat, 7 Mar 2026 18:00:02 +0100
Subject: [PATCH 1/2] fix: migrate away from kube-rbac-proxy (critical)
---
 config/default/kustomization.yaml | 2 ++
 config/default/manager_auth_proxy_patch.yaml | 32 +++++---------------
 config/rbac/kustomization.yaml | 6 ++--
 3 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 782a32ce..9790b193 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -35,6 +35,8 @@ bases:
 #- ../prometheus
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
+# Configure the controller-manager to serve metrics securely using
+# controller-runtime's built-in authentication and authorization.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
 - manager_auth_proxy_patch.yaml
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 2366eb6b..761a8936 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the controller manager to serve metrics securely
+# using controller-runtime's built-in authentication and authorization.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
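Review bot: The new comment in config/default/kustomization.yaml promises controller-runtime's built-in authentication and authorization, but nothing in the three files this series touches enforces it: the diffstat lists only manifests, and controller-runtime applies authn/authz to /metrics only when the manager's main package builds the metrics server with `SecureServing: true` and `FilterProvider: filters.WithAuthenticationAndAuthorization`. If that wiring already exists it is outside this series; if not, the comment documents a protection that is not there. I would have the comment state the precondition, e.g. `# Requires the manager to set FilterProvider: filters.WithAuthenticationAndAuthorization; without it the /metrics endpoint is unauthenticated.` The patch is still referenced as manager_auth_proxy_patch.yaml although no auth proxy remains, which will mislead future readers; current kubebuilder scaffolds call the equivalent file manager_metrics_patch.yaml, so a rename in a follow-up would help.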
@@ -22,31 +22,13 @@ spec:
 template:
 spec:
 containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+ - name: manager
 args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=:8443"
+ - "--metrics-secure=true"
+ - "--leader-elect"
 ports:
 - containerPort: 8443
 protocol: TCP
 name: https
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index fdeeb9d3..fed2d66b 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -22,9 +22,9 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
- # Comment the following 4 lines if you want to disable
- # the Auth Proxy (https://github.com/brancz/kube-rbac-proxy)
- # which protects your /metrics endpoint.
+ # The following resources are required for the controller-runtime's
+ # built-in metrics authentication and authorization.
+ # Comment these lines if you want to disable secure metrics.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
From b32aba1d3e6cda4ad899bc988a727a06c674bf2f Mon Sep 17 00:00:00 2001
From: jpaodev
Date: Sat, 7 Mar 2026 18:17:27 +0100
Subject: [PATCH 2/2] fix: remove metrics-secure flag
---
 config/default/manager_auth_proxy_patch.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 761a8936..fadc1d0c 100644
--- a/config/default/manager_auth_proxy_patch.yaml
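Review bot: The new manager args bind metrics to `:8443` on every interface and rely on `--metrics-secure=true`, but a flag only protects anything if the manager's main package defines it and uses it to set `SecureServing: true` with `FilterProvider: filters.WithAuthenticationAndAuthorization` in `metricsserver.Options`; this series changes only config files, so that wiring is either already present elsewhere or missing, and the commit should say which. Before this change the endpoint listened on `127.0.0.1:8080` and was reachable only through the sidecar, so if the filter is not wired the hunk widens exposure instead of closing the kube-rbac-proxy gap. The deleted sidecar also carried an explicit `securityContext` (`allowPrivilegeEscalation: false`, `drop: ["ALL"]`) and resource limits, and the hunk does not show whether the manager container has its own, so confirm the base manager Deployment still sets them. With secure serving and no certificate configured, controller-runtime serves a self-signed certificate, so any scrape configuration (the ServiceMonitor, if ../prometheus is enabled) needs `scheme: https` plus the CA or `insecureSkipVerify`. The Deployment spec this patch edits continues outside the hunk.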
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This patch configures the controller manager to serve metrics securely
-# using controller-runtime's built-in authentication and authorization.
+# This patch configures the controller manager to expose metrics on port 8443.
+# Access is controlled via Kubernetes RBAC on the metrics service.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -26,7 +26,6 @@ spec:
 args:
 - "--health-probe-bind-address=:8081"
 - "--metrics-bind-address=:8443"
- - "--metrics-secure=true"
 - "--leader-elect"
 ports:
 - containerPort: 8443
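Review bot: Removing `--metrics-secure=true` while keeping `--metrics-bind-address=:8443` leaves the metrics listener on all interfaces with, as far as the manifests show, no authentication at all — weaker than the pre-series `127.0.0.1:8080` behind kube-rbac-proxy — unless the manager's main package defaults secure serving on, which nothing in this series demonstrates. The replacement header comment in the first hunk, `# Access is controlled via Kubernetes RBAC on the metrics service.`, is not accurate: RBAC governs who may read or modify the Service object through the API, not who can connect to the pod's port, and the `/metrics` nonResourceURL role kept in config/rbac only has effect when some component performs a SubjectAccessReview (the removed sidecar, or controller-runtime's filter). If the flag was dropped because the manager rejected it as unknown, that is a sign the main package has not been migrated, and the fix is to migrate it rather than drop the flag. Until that is done the comment should state what is actually enforced, e.g. `# NOTE: without secure serving in the manager, /metrics on :8443 is plain HTTP with no authn/authz.`, and a NetworkPolicy restricting ingress to port 8443 would bound the exposure in the meantime.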