From f699a6249016b8447255f965e5dee4378313a139 Mon Sep 17 00:00:00 2001
From: razo7
Date: Mon, 29 May 2023 15:22:21 +0300
Subject: [PATCH] Set TLS certificate for kube-rbac-proxy container Deprecation warnings by #187 for insecure connection without TLS
---
 ...fence-agents-remediation.clusterserviceversion.yaml | 10 ++++++++++
 config/default/manager_auth_proxy_patch.yaml | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml b/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
index 0d44a857..c4b6dc1e 100644
--- a/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
+++ b/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
@@ -202,6 +202,8 @@ spec:
 - --upstream=http://127.0.0.1:8080/
 - --logtostderr=true
 - --v=0
+ - --tls-cert-file=/etc/tls/tls.crt
+ - --tls-private-key-file=/etc/tls/tls.key
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
 name: kube-rbac-proxy
 ports:
@@ -220,6 +222,10 @@ spec:
 capabilities:
 drop:
 - ALL
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls-secret
+ readOnly: true
 - args:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
@@ -263,6 +269,10 @@ spec:
 type: RuntimeDefault
 serviceAccountName: fence-agents-remediation-controller-manager
 terminationGracePeriodSeconds: 10
+ volumes:
+ - name: tls-secret
+ secret:
+ secretName: far-rbac-container-secret
 permissions:
 - rules:
 - apiGroups:
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 82556265..0d6a360f 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,10 @@ metadata:
 spec:
 template:
 spec:
+ volumes:
+ - name: tls-secret
+ secret:
+ secretName: far-rbac-container-secret
 containers:
 - name: kube-rbac-proxy
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
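Review bot: The `tls-secret` volume added under `volumes:` in config/default/manager_auth_proxy_patch.yaml (and its counterpart in the bundle CSV, hunk `@@ -263,6 +269,10 @@`) points at `far-rbac-container-secret`, but nothing in this patch creates or requests that Secret. A secret volume is mandatory unless marked optional, so on a cluster where the Secret is missing the pod cannot start, and the source of the proxy's private key is left undocumented. If the certificate is meant to come from a platform signer or cert-manager, add that wiring in the same change and record it next to the volume, e.g. `# far-rbac-container-secret is issued by <cert issuer>; it must exist before rollout`. The pod spec continues beyond this hunk, so an existing definition elsewhere in the repository cannot be ruled out from here.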
@@ -16,6 +20,12 @@ spec:
 - "--upstream=http://127.0.0.1:8080/"
 - "--logtostderr=true"
 - "--v=0"
+ - "--tls-cert-file=/etc/tls/tls.crt"
+ - "--tls-private-key-file=/etc/tls/tls.key"
+ volumeMounts:
+ - name: tls-secret
+ mountPath: /etc/tls
+ readOnly: true
 ports:
 - containerPort: 8443
 protocol: TCP
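Review bot: The added `--tls-cert-file` / `--tls-private-key-file` args give kube-rbac-proxy a served certificate but leave the minimum protocol version at the binary's default; pinning it beside them, e.g. `- "--tls-min-version=VersionTLS12"`, makes the TLS posture explicit and reviewable. The new `volumeMounts` entry is read-only, which is right for key material, but the volume it mounts uses the default file mode, so it is worth confirming that `/etc/tls/tls.key` is readable only by the proxy's user. If a ServiceMonitor or other scraper for port 8443 (not visible here) still sets `insecureSkipVerify: true`, the certificate adds encryption but no endpoint authentication until that is replaced with the issuing CA. The container entry continues past the hunk at `ports:`.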