From ee21e6e5fe13ab4090fc5f364a442e5ba5efe412 Mon Sep 17 00:00:00 2001
From: Marc Sluiter
Date: Mon, 23 Oct 2023 18:14:25 +0200
Subject: [PATCH] Upgrade kube-rbac-proxy image to v0.15.0 and disable HTTP/2

The kube-rbac-proxy image was upgraded to version v0.15.0 in both manager_auth_proxy_patch.yaml and node-healthcheck-operator.clusterserviceversion.yaml. Additionally, a new argument was added to disable HTTP/2 to increase security levels following a recently discovered vulnerability.

Signed-off-by: Marc Sluiter
---
 .../node-healthcheck-operator.clusterserviceversion.yaml | 3 ++-
 config/default/manager_auth_proxy_patch.yaml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/bundle/manifests/node-healthcheck-operator.clusterserviceversion.yaml b/bundle/manifests/node-healthcheck-operator.clusterserviceversion.yaml
index e39e1067..9b9475f8 100644
--- a/bundle/manifests/node-healthcheck-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/node-healthcheck-operator.clusterserviceversion.yaml
@@ -401,10 +401,11 @@ spec:
 containers:
 - args:
 - --secure-listen-address=0.0.0.0:8443
+ - --http2-disable
 - --upstream=http://127.0.0.1:8080/
 - --logtostderr=true
 - --v=10
- image: quay.io/brancz/kube-rbac-proxy:v0.14.4
+ image: quay.io/brancz/kube-rbac-proxy:v0.15.0
 name: kube-rbac-proxy
 ports:
 - containerPort: 8443
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 706bb8f2..838e2a2a 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -10,9 +10,10 @@ spec:
 spec:
 containers:
 - name: kube-rbac-proxy
- image: quay.io/brancz/kube-rbac-proxy:v0.14.4
+ image: quay.io/brancz/kube-rbac-proxy:v0.15.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"
+ - "--http2-disable"
 - "--upstream=http://127.0.0.1:8080/"
 - "--logtostderr=true"
 - "--v=10"
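Review bot: The upgraded `image:` line still references the proxy by a mutable tag, so the cluster runs whatever `v0.15.0` resolves to at pull time. The same applies to the `image:` line in config/default/manager_auth_proxy_patch.yaml. For a sidecar that terminates TLS and makes the authorization decision, pinning by digest is the safer form, e.g. `image: quay.io/brancz/kube-rbac-proxy:v0.15.0@sha256:<digest-of-v0.15.0>` (placeholder; take the real value from the registry). The container spec continues outside the hunk.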
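Review bot: `--http2-disable` is added without a comment marking it as a security mitigation, so a later cleanup of the args list could drop it unnoticed. A line above it such as `# HTTP/2 disabled as a vulnerability mitigation (see commit description); do not remove without re-checking` would record the intent. The flag covers only the proxy listener on 8443; whether other servers in the manager pod (e.g. a webhook server) still negotiate HTTP/2 is not visible in this diff and is worth confirming. Separately, the unchanged `--v=10` leaves the proxy at a very high log verbosity, which is probably more request detail than a production auth proxy should emit.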