Merge branch 'main' into chore-github-auth-for-e2e

Author: hessjcg

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.7.6](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v1.7.5...v1.7.6) (2026-03-11)
+
+
+### Bug Fixes
+
+* migrate away from kube-rbac-proxy (critical) ([#747](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/747)) ([9718f37](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/9718f37bf41af42ba88bd70ada61f1036bcee26c))
+
 ## [1.7.5](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v1.7.4...v1.7.5) (2026-02-20)
 
 

Dockerfile

@@ -14,7 +14,7 @@
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot@sha256:f43f134f5d60bf7afb3db92f865db42514913f01a53b08cd59a1ac6534671077
+FROM gcr.io/distroless/static:nonroot@sha256:88a46f645e304fc0dcfbdacdfa338ce02d9890df5f936872243d553278deae92
 
 # For multi-arch builds, use automatic platform build arguments
 # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope

Dockerfile-operator

@@ -28,7 +28,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot@sha256:f43f134f5d60bf7afb3db92f865db42514913f01a53b08cd59a1ac6534671077
+FROM gcr.io/distroless/static:nonroot@sha256:88a46f645e304fc0dcfbdacdfa338ce02d9890df5f936872243d553278deae92
 
 # For multi-arch builds, use automatic platform build arguments
 # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope

README.md

@@ -44,7 +44,7 @@ your kubernetes cluster:
 <!-- {x-release-please-start-version} -->
 
 ```shell
-kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v1.7.5/cloud-sql-proxy-operator.yaml
+kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v1.7.6/cloud-sql-proxy-operator.yaml
 ```
 
 <!-- {x-release-please-end} -->

build.sh

@@ -161,7 +161,7 @@ function dockerfile_from_deps() {
   else
     echo "Updating docker image to $file to $digest"
     set -x
-    sed -i "" "s/$oldDigest/$digest/g" "$file"
+    sed -i '' "s/$oldDigest/$digest/g" "$file"
   fi
 
 }

config/default/kustomization.yaml

@@ -35,6 +35,8 @@ bases:
   #- ../prometheus
 patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
+  # Configure the controller-manager to serve metrics securely using
+  # controller-runtime's built-in authentication and authorization.
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, please comment the following line.
   - manager_auth_proxy_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the controller manager to expose metrics on port 8443.
+# Access is controlled via Kubernetes RBAC on the metrics service.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,31 +22,12 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        - name: manager
           args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=0"
+            - "--health-probe-bind-address=:8081"
+            - "--metrics-bind-address=:8443"
+            - "--leader-elect"
           ports:
             - containerPort: 8443
               protocol: TCP
               name: https
-          resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-        - name: manager
-          args:
-            - "--health-probe-bind-address=:8081"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"

config/rbac/kustomization.yaml

@@ -22,9 +22,9 @@ resources:
   - role_binding.yaml
   - leader_election_role.yaml
   - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the Auth Proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
+  # The following resources are required for the controller-runtime's
+  # built-in metrics authentication and authorization.
+  # Comment these lines if you want to disable secure metrics.
   - auth_proxy_service.yaml
   - auth_proxy_role.yaml
   - auth_proxy_role_binding.yaml

docs/api.md

@@ -58,7 +58,7 @@ _Appears in:_
 | `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to<br />close after receiving a TERM signal. This sets the proxy container's<br />CLI argument `--max-sigterm-delay` and<br />configures `terminationGracePeriodSeconds` on the workload's PodSpec. |  | Minimum: 0 <br />Optional: \{\} <br /> |
 | `minSigtermDelay` _integer_ | MinSigtermDelay is the minimum number of seconds to wait for connections to<br />close after receiving a TERM signal. This sets the proxy container's<br />CLI argument `--min-sigterm-delay` |  | Minimum: 0 <br />Optional: \{\} <br /> |
 | `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will<br />change the Google Cloud api endpoint used by the proxy. |  | Optional: \{\} <br /> |
-| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator<br />will use the latest Cloud SQL Auth Proxy version as of the release of the<br />operator.<br /><br />The operator ensures that all workloads configured with the default proxy<br />image are upgraded automatically to use to the latest released proxy image.<br /><br />When the customer upgrades the operator, the operator upgrades all<br />workloads using the default proxy image to the latest proxy image. The<br />change to the proxy container image is applied in accordance with<br />the RolloutStrategy. |  | Optional: \{\} <br /> |
+| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator<br />will use the latest Cloud SQL Auth Proxy version as of the release of the<br />operator.<br />The operator ensures that all workloads configured with the default proxy<br />image are upgraded automatically to use to the latest released proxy image.<br />When the customer upgrades the operator, the operator upgrades all<br />workloads using the default proxy image to the latest proxy image. The<br />change to the proxy container image is applied in accordance with<br />the RolloutStrategy. |  | Optional: \{\} <br /> |
 | `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to<br />the workloads affected by the results. When this is set to<br />`Workload`, changes to this resource will be automatically applied<br />to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in<br />accordance with the Strategy set on that workload. When this is set to<br />`None`, the operator will take no action to roll out changes to affected<br />workloads. `Workload` will be used by default if no value is set.<br />See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | Workload | Enum: [Workload None] <br />Optional: \{\} <br /> |
 | `refreshStrategy` _string_ | RefreshStrategy indicates which refresh strategy the proxy should use.<br />When this is set to `lazy`, the proxy will use a lazy refresh strategy,<br />and will be configured to run with the --lazy-refresh flag. When this<br />omitted or set to `background`, the proxy will use the default background<br />refresh strategy.<br />See: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/?tab=readme-ov-file#configuring-a-lazy-refresh | background | Enum: [lazy background] <br />Optional: \{\} <br /> |
 | `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of<br />logging generated by the proxy container. |  |  |
@@ -130,25 +130,21 @@ _Appears in:_
 InstanceSpec describes the configuration for how the proxy should expose
 a Cloud SQL database instance to a workload.
 
-
 In the minimum recommended configuration, the operator will choose
 a non-conflicting TCP port and set environment
 variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port
 and hostname. The application can read these values to connect to the database
 through the proxy. For example:
 
-
 	`{
 			   "connectionString":"my-project:us-central1:my-db-server",
 			   "portEnvName":"MY_DB_SERVER_PORT"
 			   "hostEnvName":"MY_DB_SERVER_HOST"
 	}`
 
-
 If you want to assign a specific port number for a database, set the `port`
 field. For example:
 
-
 	`{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }`
 
 

docs/quick-start.md

@@ -21,7 +21,7 @@ your kubernetes cluster:
 
 <!-- {x-release-please-start-version} -->
 ```shell
-curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v1.7.5/install.sh | bash
+curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v1.7.6/install.sh | bash
 ```
 <!-- {x-release-please-end} -->