From 6c27ca56e7008024bbc8a80c7872ef2fa5bbbf96 Mon Sep 17 00:00:00 2001
From: Martin Schuppert <mschuppert@redhat.com>
Date: Fri, 28 Nov 2025 10:44:45 +0100
Subject: [PATCH] Remove KubeRbacProxy references

With the bump to operator-sdk the kube-rbac-proxy is gone. This
is a cleanup of references/deployment information for it.

Jira: OSPRH-22552

Signed-off-by: Martin Schuppert <mschuppert@redhat.com>
---
 Makefile                                      |  1 -
 api/operator/v1beta1/openstack_types.go       |  8 -------
 bindata/operator/managers.yaml                | 22 -------------------
 config/operator/default_images.yaml           |  5 -----
 config/operator/managers.yaml                 | 22 -------------------
 .../operator/openstack_controller.go          | 19 +---------------
 internal/operator/override.go                 |  7 +++---
 7 files changed, 4 insertions(+), 80 deletions(-)

diff --git a/Makefile b/Makefile
index 69e631166..c7886102f 100644
--- a/Makefile
+++ b/Makefile
@@ -157,7 +157,6 @@ bindata: kustomize yq ## Call sync bindata script
 	sed -i bindata/operator/operator.yaml -e "/envCustom/c\\{{- range .OpenStackOperator.Deployment.Manager.Env }}\n        - name: '{{ .Name }}'\n          value: '{{ .Value }}'\n{{- end }}"
 	sed -i bindata/operator/operator.yaml -e "/customLimits/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.Memory }}"
 	sed -i bindata/operator/operator.yaml -e "/customRequests/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.Memory }}"
-	sed -i bindata/operator/operator.yaml -e "s|kube-rbac-proxy:replace_me.*|'{{ .OpenStackOperator.Deployment.KubeRbacProxy.Image }}'|"
 	sed -i bindata/operator/operator.yaml -e "/customTolerations/c\\      tolerations:\n{{- range .OpenStackOperator.Deployment.Tolerations }}\n      - key: \"{{ .Key }}\"\n{{- if .Operator }}\n        operator: \"{{ .Operator }}\"\n{{- end }}\n{{- if .Value }}\n        value: \"{{ .Value }}\"\n{{- end }}\n{{- if .Effect }}\n        effect: \"{{ .Effect }}\"\n{{- end }}\n{{- if .TolerationSeconds }}\n        tolerationSeconds: {{ .TolerationSeconds }}\n{{- end }}\n{{- end }}"
 	cp config/operator/managers.yaml bindata/operator/
 	cp config/operator/rabbit.yaml bindata/operator/
diff --git a/api/operator/v1beta1/openstack_types.go b/api/operator/v1beta1/openstack_types.go
index 9fd1508c4..b8833a8b5 100644
--- a/api/operator/v1beta1/openstack_types.go
+++ b/api/operator/v1beta1/openstack_types.go
@@ -64,14 +64,6 @@ var (
 	DefaultManagerMemoryLimit resource.Quantity = resource.MustParse("512Mi")
 	// DefaultManagerMemoryRequests - Default controller manager container memory requests
 	DefaultManagerMemoryRequests resource.Quantity = resource.MustParse("256Mi")
-	// DefaultRbacProxyCPULimit - Default kube rbac proxy container CPU limit
-	DefaultRbacProxyCPULimit resource.Quantity = resource.MustParse("500m")
-	// DefaultRbacProxyCPURequests - Default kube rbac proxy container CPU requests
-	DefaultRbacProxyCPURequests resource.Quantity = resource.MustParse("5m")
-	// DefaultRbacProxyMemoryLimit - Default kube rbac proxy container memory limit
-	DefaultRbacProxyMemoryLimit resource.Quantity = resource.MustParse("128Mi")
-	// DefaultRbacProxyMemoryRequests - Default kube rbac proxy container memory requests
-	DefaultRbacProxyMemoryRequests resource.Quantity = resource.MustParse("64Mi")
 
 	// DefaultTolerations - Default tolerations for all operators
 	DefaultTolerations = []corev1.Toleration{
diff --git a/bindata/operator/managers.yaml b/bindata/operator/managers.yaml
index ad130652a..e892da757 100644
--- a/bindata/operator/managers.yaml
+++ b/bindata/operator/managers.yaml
@@ -77,28 +77,6 @@ spec:
         - mountPath: /tmp/k8s-metrics-server/metrics-certs
           name: metrics-certs
           readOnly: true
-{{- end }}
-{{- if isEnvVarFalse .Deployment.Manager.Env "METRICS_CERTS" }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
-        image: {{ .Deployment.KubeRbacProxy.Image }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: {{ .Deployment.KubeRbacProxy.Resources.Limits.CPU }}
-            memory: {{ .Deployment.KubeRbacProxy.Resources.Limits.Memory }}
-          requests:
-            cpu: {{ .Deployment.KubeRbacProxy.Resources.Requests.CPU }}
-            memory: {{ .Deployment.KubeRbacProxy.Resources.Requests.Memory }}
-        securityContext:
-          allowPrivilegeEscalation: false
 {{- end }}
       securityContext:
         runAsNonRoot: true
diff --git a/config/operator/default_images.yaml b/config/operator/default_images.yaml
index bfbbe114b..46597950e 100644
--- a/config/operator/default_images.yaml
+++ b/config/operator/default_images.yaml
@@ -200,8 +200,3 @@ spec:
           value: quay.io/podified-antelope-centos9/openstack-horizontest:current-podified
         - name: RELATED_IMAGE_OPENSTACK_MUST_GATHER_DEFAULT
           value: quay.io/openstack-k8s-operators/openstack-must-gather:latest
-          # will already be part of relatedImages as it is also directly set in the deployment in the
-          # bundle CSV. We also need an environment variable here to propagate this to the
-          # controller-manager and to other operators that require the same image to be set
-        - name: KUBE_RBAC_PROXY
-          value: quay.io/openstack-k8s-operators/kube-rbac-proxy:v0.16.0
diff --git a/config/operator/managers.yaml b/config/operator/managers.yaml
index ad130652a..e892da757 100644
--- a/config/operator/managers.yaml
+++ b/config/operator/managers.yaml
@@ -77,28 +77,6 @@ spec:
         - mountPath: /tmp/k8s-metrics-server/metrics-certs
           name: metrics-certs
           readOnly: true
-{{- end }}
-{{- if isEnvVarFalse .Deployment.Manager.Env "METRICS_CERTS" }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
-        image: {{ .Deployment.KubeRbacProxy.Image }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: {{ .Deployment.KubeRbacProxy.Resources.Limits.CPU }}
-            memory: {{ .Deployment.KubeRbacProxy.Resources.Limits.Memory }}
-          requests:
-            cpu: {{ .Deployment.KubeRbacProxy.Resources.Requests.CPU }}
-            memory: {{ .Deployment.KubeRbacProxy.Resources.Requests.Memory }}
-        securityContext:
-          allowPrivilegeEscalation: false
 {{- end }}
       securityContext:
         runAsNonRoot: true
diff --git a/internal/controller/operator/openstack_controller.go b/internal/controller/operator/openstack_controller.go
index 69220e9e1..52708237a 100644
--- a/internal/controller/operator/openstack_controller.go
+++ b/internal/controller/operator/openstack_controller.go
@@ -69,7 +69,6 @@ var (
 	envRelatedOperatorImages         (map[string]*string) // operatorName -> image
 	envRelatedOpenStackServiceImages (map[string]*string) // full_related_image_name -> image
 	operatorImage                    string
-	kubeRbacProxyImage               string
 	openstackReleaseVersion          string
 	leaseDuration                    string
 	renewDeadline                    string
@@ -92,8 +91,6 @@ func SetupEnv() {
 			log.Log.Info("Found operator related image", "operator", operatorName, "image", envArr[1])
 		} else if strings.HasPrefix(envArr[0], "RELATED_IMAGE_") {
 			envRelatedOpenStackServiceImages[envArr[0]] = &envArr[1]
-		} else if envArr[0] == "KUBE_RBAC_PROXY" {
-			kubeRbacProxyImage = envArr[1]
 		} else if envArr[0] == "OPERATOR_IMAGE_URL" {
 			operatorImage = envArr[1]
 			envRelatedOperatorImages[operatorv1beta1.OpenStackOperatorName] = &operatorImage
@@ -495,19 +492,6 @@ func (r *OpenStackReconciler) applyRBAC(ctx context.Context, instance *operatorv
 }
 
 func (r *OpenStackReconciler) applyOperator(ctx context.Context, instance *operatorv1beta1.OpenStack) error {
-	kubeRbacProxyContainer := operator.Container{
-		Image: kubeRbacProxyImage,
-		Resources: operator.Resource{
-			Limits: &operator.ResourceList{
-				CPU:    operatorv1beta1.DefaultRbacProxyCPULimit.String(),
-				Memory: operatorv1beta1.DefaultRbacProxyMemoryLimit.String(),
-			},
-			Requests: &operator.ResourceList{
-				CPU:    operatorv1beta1.DefaultRbacProxyCPURequests.String(),
-				Memory: operatorv1beta1.DefaultRbacProxyMemoryRequests.String(),
-			},
-		},
-	}
 	defaultEnv := []corev1.EnvVar{
 		{
 			Name:  "LEASE_DURATION",
@@ -566,8 +550,7 @@ func (r *OpenStackReconciler) applyOperator(ctx context.Context, instance *opera
 							},
 						},
 					},
-					KubeRbacProxy: kubeRbacProxyContainer,
-					Tolerations:   operatorv1beta1.DefaultTolerations,
+					Tolerations: operatorv1beta1.DefaultTolerations,
 				},
 			}
 
diff --git a/internal/operator/override.go b/internal/operator/override.go
index c7330dd9b..8f68e2aa8 100644
--- a/internal/operator/override.go
+++ b/internal/operator/override.go
@@ -36,10 +36,9 @@ type Operator struct {
 
 // Deployment -
 type Deployment struct {
-	Replicas      *int32
-	Manager       Container
-	KubeRbacProxy Container
-	Tolerations   []corev1.Toleration
+	Replicas    *int32
+	Manager     Container
+	Tolerations []corev1.Toleration
 }
 
 // Container -