feat: dont use kube-rbac-proxy and reinject properly

config/default/kustomization.yaml

@@ -34,7 +34,8 @@ bases:
   # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
   #- ../prometheus
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
+  # Configure the controller-manager to serve metrics securely using
+  # controller-runtime's built-in authentication and authorization.
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, please comment the following line.
   - manager_auth_proxy_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the controller manager to serve metrics securely
+# using controller-runtime's built-in authentication and authorization.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,31 +22,13 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        - name: manager
           args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=0"
+            - "--health-probe-bind-address=:8081"
+            - "--metrics-bind-address=:8443"
+            - "--metrics-secure=true"
+            - "--leader-elect"
           ports:
             - containerPort: 8443
               protocol: TCP
               name: https
-          resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-        - name: manager
-          args:
-            - "--health-probe-bind-address=:8081"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"

config/manager/kustomization.yaml

@@ -12,16 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 resources:
-  - manager.yaml
+- manager.yaml
 generatorOptions:
   disableNameSuffixHash: true
 configMapGenerator:
-  - files:
-      - controller_manager_config.yaml
-    name: manager-config
+- files:
+  - controller_manager_config.yaml
+  name: manager-config
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-  - name: controller
-    newName: cloud-sql-proxy-operator
-    newTag: latest
+- name: controller
+  newName: cloud-sql-proxy-operator
+  newTag: latest

config/rbac/kustomization.yaml

@@ -22,9 +22,9 @@ resources:
   - role_binding.yaml
   - leader_election_role.yaml
   - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the Auth Proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
+  # The following resources are required for the controller-runtime's
+  # built-in metrics authentication and authorization.
+  # Comment these lines if you want to disable secure metrics.
   - auth_proxy_service.yaml
   - auth_proxy_role.yaml
   - auth_proxy_role_binding.yaml

docs/api.md

@@ -58,7 +58,7 @@ _Appears in:_
 | `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to<br />close after receiving a TERM signal. This sets the proxy container's<br />CLI argument `--max-sigterm-delay` and<br />configures `terminationGracePeriodSeconds` on the workload's PodSpec. |  | Minimum: 0 <br />Optional: \{\} <br /> |
 | `minSigtermDelay` _integer_ | MinSigtermDelay is the minimum number of seconds to wait for connections to<br />close after receiving a TERM signal. This sets the proxy container's<br />CLI argument `--min-sigterm-delay` |  | Minimum: 0 <br />Optional: \{\} <br /> |
 | `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will<br />change the Google Cloud api endpoint used by the proxy. |  | Optional: \{\} <br /> |
-| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator<br />will use the latest Cloud SQL Auth Proxy version as of the release of the<br />operator.<br /><br />The operator ensures that all workloads configured with the default proxy<br />image are upgraded automatically to use to the latest released proxy image.<br /><br />When the customer upgrades the operator, the operator upgrades all<br />workloads using the default proxy image to the latest proxy image. The<br />change to the proxy container image is applied in accordance with<br />the RolloutStrategy. |  | Optional: \{\} <br /> |
+| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator<br />will use the latest Cloud SQL Auth Proxy version as of the release of the<br />operator.<br />The operator ensures that all workloads configured with the default proxy<br />image are upgraded automatically to use to the latest released proxy image.<br />When the customer upgrades the operator, the operator upgrades all<br />workloads using the default proxy image to the latest proxy image. The<br />change to the proxy container image is applied in accordance with<br />the RolloutStrategy. |  | Optional: \{\} <br /> |
 | `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to<br />the workloads affected by the results. When this is set to<br />`Workload`, changes to this resource will be automatically applied<br />to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in<br />accordance with the Strategy set on that workload. When this is set to<br />`None`, the operator will take no action to roll out changes to affected<br />workloads. `Workload` will be used by default if no value is set.<br />See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | Workload | Enum: [Workload None] <br />Optional: \{\} <br /> |
 | `refreshStrategy` _string_ | RefreshStrategy indicates which refresh strategy the proxy should use.<br />When this is set to `lazy`, the proxy will use a lazy refresh strategy,<br />and will be configured to run with the --lazy-refresh flag. When this<br />omitted or set to `background`, the proxy will use the default background<br />refresh strategy.<br />See: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/?tab=readme-ov-file#configuring-a-lazy-refresh | background | Enum: [lazy background] <br />Optional: \{\} <br /> |
 | `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of<br />logging generated by the proxy container. |  |  |
@@ -130,25 +130,21 @@ _Appears in:_
 InstanceSpec describes the configuration for how the proxy should expose
 a Cloud SQL database instance to a workload.
 
-
 In the minimum recommended configuration, the operator will choose
 a non-conflicting TCP port and set environment
 variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port
 and hostname. The application can read these values to connect to the database
 through the proxy. For example:
 
-
 	`{
 			   "connectionString":"my-project:us-central1:my-db-server",
 			   "portEnvName":"MY_DB_SERVER_PORT"
 			   "hostEnvName":"MY_DB_SERVER_HOST"
 	}`
 
-
 If you want to assign a specific port number for a database, set the `port`
 field. For example:
 
-
 	`{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }`
 
 

go.mod

@@ -14,24 +14,34 @@ require (
 )
 
 require (
+	cel.dev/expr v0.24.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.22.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -43,12 +53,22 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
@@ -57,14 +77,20 @@ require (
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/grpc v1.74.2 // indirect
 	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/apiserver v0.32.1 // indirect
+	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 )