Fix kube rbac proxy (#4498)

**Description of the change:** - For Ansible/Helm based-operators, upgrade the `kube-rbac-proxy` image version from `0.5.0` to `0.8.0` to address security concerns. More info [#kubernetes-sigs/kubebuilder#1955](kubernetes-sigs/kubebuilder#1955). **Motivation for the change:** - Closes: #3925
operator-framework · Feb 10, 2021 · d1c14c4 · d1c14c4
1 parent 007f7e0
commit d1c14c4
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 9 deletions.
diff --git a/changelog/fragments/kube-rbac-proxy.yaml b/changelog/fragments/kube-rbac-proxy.yaml
@@ -0,0 +1,12 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (ansible/v1, helm/v1) Upgraded the `gcr.io/kubebuilder/kube-rbac-proxy` image version from `0.5.0` to `0.8.0` to support rootless run mode.
+    kind: "bugfix"
+    breaking: false
+    header: (ansible/v1, helm/v1) Upgrade the `gcr.io/kubebuilder/kube-rbac-proxy` image version from `0.5.0` to `0.8.0`
+    body: >
+      The 0.8.0 version of kube-rbac-proxy supports rootless run mode.
+      To take advantage of this and other features, replace `gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0`
+      with `gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0` in your `config/default/manager_auth_proxy_patch.yaml` file.
diff --git a/...rate/testdata/clusterserviceversions/output/memcached-operator.clusterserviceversion.yaml b/...rate/testdata/clusterserviceversions/output/memcached-operator.clusterserviceversion.yaml
@@ -81,7 +81,7 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443

diff --git a/...nerate/testdata/clusterserviceversions/output/with-ui-metadata.clusterserviceversion.yaml b/...nerate/testdata/clusterserviceversions/output/with-ui-metadata.clusterserviceversion.yaml
@@ -125,7 +125,7 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443

diff --git a/internal/generate/testdata/go/static/basic.operator.yaml b/internal/generate/testdata/go/static/basic.operator.yaml
@@ -266,7 +266,7 @@ spec:
         - --upstream=http://127.0.0.1:8080/
         - --logtostderr=true
         - --v=10
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         name: kube-rbac-proxy
         ports:
         - containerPort: 8443

diff --git a/internal/plugins/ansible/v1/scaffolds/internal/templates/config/kdefault/auth_proxy_patch.go b/internal/plugins/ansible/v1/scaffolds/internal/templates/config/kdefault/auth_proxy_patch.go
@@ -57,7 +57,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

diff --git a/internal/plugins/helm/v1/scaffolds/internal/templates/config/kdefault/auth_proxy_patch.go b/internal/plugins/helm/v1/scaffolds/internal/templates/config/kdefault/auth_proxy_patch.go
@@ -57,7 +57,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

diff --git a/...ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -110,7 +110,7 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443

diff --git a/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml b/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

diff --git a/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -198,7 +198,7 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443

diff --git a/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml b/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"