Helm Chart dependency kube-rbac-proxy deprecation warning #62

Closed
darren-recentive opened this issue Apr 28, 2024 · 1 comment · Fixed by #63

@darren-recentive

The Helm Chart's usage of the kube-rbac-proxy container outputs these logs during start-up.

    ==== Deprecation Warning ======================
    Insecure listen address will be removed.
    Using --insecure-listen-address won't be possible!
    The ability to run kube-rbac-proxy without TLS certificates will be removed.
    Not using --tls-cert-file and --tls-private-key-file won't be possible!
    For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187
    ===============================================

v1.5.0 recommended.yaml

      containers:
      - args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        - --v=10
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
        name: kube-rbac-proxy
        ports:
        - containerPort: 8443
          name: https

Snippet from the GitHub Issue brancz/kube-rbac-proxy#187

What

We are removing the option to run kube-rbac-proxy without configured TLS certificates.
This means that:

- using insecure-listen-address won't work any more.
- not setting tls-cert-file and tls-private-key-file won't work any more.

Upstream H2C should still work, but we might remove verified claims about an identity that are sent to upstream in the future.

Why

We are aware that we create obstacles in running kube-rbac-proxy for testing or debugging purposes.
But we reduce the probability for an insecure setup of kube-rbac-proxy, which is a security-relevant component.

Running kube-rbac-proxy without TLS certificates makes it possible to impersonate kube-rbac-proxy.

The reason that we remove that capability is a pre-acceptance requirement for kube-rbac-proxy, before we can donate the project to sig-auth of k8s.
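
A manifest check for the two conditions the deprecation warning names, added here as an example; it is not part of the original issue or of either project's code. The JSON sample is constructed from the recommended.yaml snippet above, and the function names and the match on the image name are assumptions.

```python
import json

# The two conditions named in the deprecation warning quoted in the issue.
INSECURE_FLAG = "--insecure-listen-address"
TLS_FLAGS = ("--tls-cert-file", "--tls-private-key-file")

# Constructed sample: the container from the issue's recommended.yaml snippet,
# expressed as JSON (the shape `kubectl get ... -o json` gives for a pod spec).
ISSUE_POD_SPEC = json.loads("""
{"containers": [
  {"name": "kube-rbac-proxy",
   "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1",
   "args": ["--secure-listen-address=0.0.0.0:8443",
            "--upstream=http://127.0.0.1:8080/",
            "--logtostderr=true", "--v=10"]}
]}
""")


def flag_names(argv):
    """Flag names present in an argv list; accepts both --f=v and --f v."""
    return {a.split("=", 1)[0] for a in argv if a.startswith("--")}


def audit_pod_spec(pod_spec, image_hint="kube-rbac-proxy"):
    """Return (container, finding) pairs for kube-rbac-proxy containers."""
    findings = []
    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    for c in containers:
        if image_hint not in c.get("image", ""):
            continue  # assumption: the proxy is identified by its image name
        flags = flag_names((c.get("command") or []) + (c.get("args") or []))
        if INSECURE_FLAG in flags:
            findings.append((c["name"], f"uses {INSECURE_FLAG}"))
        for tls_flag in TLS_FLAGS:
            if tls_flag not in flags:
                findings.append((c["name"], f"missing {tls_flag}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_pod_spec(ISSUE_POD_SPEC):
        print(f"{name}: {finding}")
```
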

@nmanoogian
Member

Thanks for the heads up, @darren-recentive! I don't think we're using kube-rbac-proxy for very much so we're seeing if we can remove it from the chart.
