fix: Replace deprecated kube-rbac-proxy with built-in metrics auth

[IrvingMg]

Changes

Replaced the kube-rbac-proxy sidecar (the image is no longer available) with controller-runtime's built-in metrics authentication and authorization (filters.WithAuthenticationAndAuthorization).

Key changes:

• main.go: The metrics endpoint is now served directly on :8443 with TLS and authn/authz; no sidecar is needed.
• config/default/manager_auth_proxy_patch.yaml: Deleted (this previously injected the sidecar).
• config/rbac/auth_proxy_role.yaml and auth_proxy_role_binding.yaml: Deleted (permissions moved to Kubebuilder markers and auto-generated into role.yaml).
• config/manager/manager.yaml: Added the metrics port and bind address (previously injected by the sidecar patch).

Verification:

# Deploy to kind cluster
make deploy IMAGE_REPO=kind.local
kubectl -n shipwright-operator get pods

# Port-forward metrics service
kubectl create token shipwright-operator -n shipwright-operator > /tmp/sa-token.txt
kubectl create clusterrolebinding metrics-test \
    --clusterrole=shipwright-operator-metrics-reader \
    --serviceaccount=shipwright-operator:shipwright-operator
kubectl port-forward -n shipwright-operator svc/shipwright-operator-metrics-service 8443:8443

# Without auth — should return "Unauthorized"
curl -k https://localhost:8443/metrics

# With auth — should return Prometheus metrics
curl -k -H "Authorization: Bearer $(cat /tmp/sa-token.txt)" https://localhost:8443/metrics

/kind bug
/kind cleanup

Fixes #284

Submitter Checklist

• Includes tests if functionality changed/was added
• Includes docs if changes are user-facing
• Set a kind label on this PR
• Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

NONE

[IrvingMg]

/cc @hasanawad94

[adambkaplan]

/hold

We are going to merge #283 first, since this swaps the rbac-proxy-image with its new location.

[PyDataBlog]

any update on this? @IrvingMg

[IrvingMg]

any update on this? @IrvingMg

This PR is on hold pending release 0.19, but it’s ready for review in the meantime. I’d appreciate any feedback.

[IrvingMg]

@adambkaplan, since v0.19 has already been released, can we move forward with this PR?

[adambkaplan]

/approve

I'd like to have some clarification on enabling HTTP2.

Unfortunately we don't have a "real" operator e2e test suite - we have at best a "smoke test" in our CI that vaidates we can deploy the operator. I'd love to see this refined further to validate Prometheus metrics actually work (and this change doesn't break current behavior).

[adambkaplan]

Shouldn't we default to HTTP2 enabled?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [adambkaplan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.