fix(etcd-operator): replace deprecated kube-rbac-proxy image#2181
Conversation
The gcr.io/kubebuilder/kube-rbac-proxy image is no longer available since GCR was deprecated. Replace it with quay.io/brancz/kube-rbac-proxy from the original upstream author. Co-Authored-By: Claude <[email protected]> Signed-off-by: Andrei Kvapil <[email protected]>
📝 WalkthroughWalkthroughThe etcd-operator Helm chart's kube-rbac-proxy container image configuration is updated across two files. The image repository is changed from a Google Container Registry source to Quay.io, and the version is bumped from v0.16.0 to v0.18.1. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
kvaps
requested review from
IvanHunters,
androndo,
lexfrei,
lllamnyp and
sircthulhu
as code owners
dosubot
bot
added
size:XS
kvaps
added
backport
dosubot
bot
added
the
size:XS
![coderabbitai[bot]](proxy.php?url=https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/system/etcd-operator/charts/etcd-operator/values.yaml`:
- Around line 101-107: The change to the image (repository/pullPolicy/tag in
values.yaml) was made in a generated vendored chart and will be overwritten by
"make update"; instead, apply the image override in the umbrella chart's Helm
values (add an override for the etcd-operator chart setting repository and tag),
or update the chart source used by the vendoring process (open an issue/PR to
the upstream etcd-operator chart at https://github.com/aenix-io/charts to update
the image), and then re-run the vendor regeneration so the change persists.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: fee8e5a2-6c17-458a-b929-fea633c7930c
📒 Files selected for processing (2)
packages/system/etcd-operator/charts/etcd-operator/README.mdpackages/system/etcd-operator/charts/etcd-operator/values.yaml
| repository: quay.io/brancz/kube-rbac-proxy | ||
|
|
||
| # -- Image pull policy | ||
| pullPolicy: IfNotPresent | ||
|
|
||
| # -- Version of image | ||
| tag: v0.16.0 | ||
| tag: v0.18.1 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the image replacement is tracked somewhere outside the vendored chart output.
rg -n -C2 \
--glob '!packages/system/etcd-operator/charts/etcd-operator/**' \
'quay\.io/brancz/kube-rbac-proxy|v0\.18\.1|gcr\.io/kubebuilder/kube-rbac-proxy|v0\.16\.0'Repository: cozystack/cozystack
Length of output: 11226
🏁 Script executed:
#!/bin/bash
# Check if etcd-operator charts are vendored upstream
head -20 packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
echo "---"
# Check for vendoring metadata or references
ls -la packages/system/etcd-operator/charts/
echo "---"
# Check Makefile for vendoring mechanism
if [ -f packages/system/etcd-operator/Makefile ]; then
grep -n "vendor\|update\|chart" packages/system/etcd-operator/Makefile | head -20
fiRepository: cozystack/cozystack
Length of output: 438
🏁 Script executed:
#!/bin/bash
# Check for overlay, patch, or kustomization mechanisms for etcd-operator
find packages/system/etcd-operator -type f \( -name "*.patch" -o -name "kustomization.yaml" -o -name "*.yaml" \) ! -path "*/charts/*" | head -20
echo "---"
# Check parent directory structure for patches
ls -la packages/system/etcd-operator/
echo "---"
# Check if there's a values override mechanism outside charts
find packages/system/etcd-operator -type f -name "values*.yaml" ! -path "*/charts/*"Repository: cozystack/cozystack
Length of output: 470
🏁 Script executed:
#!/bin/bash
# Check the parent Chart.yaml to understand the umbrella structure
cat packages/system/etcd-operator/Chart.yaml
echo "---"
# Check the git history to see if this file is regenerated
git log --oneline packages/system/etcd-operator/charts/etcd-operator/values.yaml | head -5
echo "---"
# Check if values.yaml modification is recent or part of vendored output
git diff HEAD~1 packages/system/etcd-operator/charts/etcd-operator/values.yaml | head -30Repository: cozystack/cozystack
Length of output: 469
🏁 Script executed:
#!/bin/bash
# Get details on the fix commit
git show 4946383c --stat
echo "---"
# Show the actual changes in that commit
git show 4946383cRepository: cozystack/cozystack
Length of output: 50378
🏁 Script executed:
#!/bin/bash
# Get just the diff for the etcd-operator values file
git show 4946383c -- packages/system/etcd-operator/charts/etcd-operator/values.yaml | head -100Repository: cozystack/cozystack
Length of output: 2707
🏁 Script executed:
#!/bin/bash
# Check how values.yaml is used in the umbrella chart
cat packages/system/etcd-operator/Chart.yaml
echo "---"
# Check the templates directory to see if custom values are applied
ls -la packages/system/etcd-operator/templates/ 2>/dev/null || echo "No templates dir"
echo "---"
# Look for helmrelease or helm deployment mechanism
find packages/system/etcd-operator -type f -name "*.yaml" ! -path "*/charts/*" | xargs cat 2>/dev/null | head -50Repository: cozystack/cozystack
Length of output: 337
Ensure the image replacement is tracked in the chart's vendoring source, not just the vendored output.
This file lives under packages/system/etcd-operator/charts/etcd-operator/, which is completely regenerated by make update. Editing values.yaml directly here will be lost on the next vendor refresh. Either apply this fix in a Helm values override at the umbrella chart level or report the image deprecation to the upstream etcd-operator chart maintainers at https://github.com/aenix-io/charts.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@packages/system/etcd-operator/charts/etcd-operator/values.yaml` around lines
101 - 107, The change to the image (repository/pullPolicy/tag in values.yaml)
was made in a generated vendored chart and will be overwritten by "make update";
instead, apply the image override in the umbrella chart's Helm values (add an
override for the etcd-operator chart setting repository and tag), or update the
chart source used by the vendoring process (open an issue/PR to the upstream
etcd-operator chart at https://github.com/aenix-io/charts to update the image),
and then re-run the vendor regeneration so the change persists.
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request proactively resolves an upcoming issue where the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](proxy.php?url=https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly replaces a deprecated kube-rbac-proxy image. No security vulnerabilities were found in this change. For best practices, it is recommended to use the official Kubernetes container registry for the image to ensure long-term support and stability, with specific suggestions provided in values.yaml and README.md.
| | kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | ||
| | kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository | | ||
| | kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image | | ||
| | kubeRbacProxy.image.repository | string | `"quay.io/brancz/kube-rbac-proxy"` | Image repository | |
There was a problem hiding this comment.
To keep the documentation consistent with the recommended change in values.yaml, please update the default repository value here to point to the official kube-rbac-proxy image from registry.k8s.io.
| | kubeRbacProxy.image.repository | string | `"quay.io/brancz/kube-rbac-proxy"` | Image repository | | |
| | kubeRbacProxy.image.repository | string | `"registry.k8s.io/kube-rbac-proxy/kube-rbac-proxy"` | Image repository | |
|
|
||
| # -- Image repository | ||
| repository: gcr.io/kubebuilder/kube-rbac-proxy | ||
| repository: quay.io/brancz/kube-rbac-proxy |
There was a problem hiding this comment.
While quay.io/brancz/kube-rbac-proxy is a valid image, it is recommended to use images from the official Kubernetes registry for better long-term support and stability. The kube-rbac-proxy project's official images are hosted at registry.k8s.io.
repository: registry.k8s.io/kube-rbac-proxy/kube-rbac-proxy
|
Successfully created backport PR for |
|
Successfully created backport PR for |
## Summary - Replace deprecated `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` with `quay.io/brancz/kube-rbac-proxy:v0.18.1` in the vendored etcd-operator chart - The GCR-hosted image became unavailable after March 18, 2025 Fixes #2172 #488 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated proxy component to v0.18.1 with configuration changes for improved stability and compatibility. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2 participants
Summary
gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0withquay.io/brancz/kube-rbac-proxy:v0.18.1in the vendored etcd-operator chartFixes #2172 #488
Summary by CodeRabbit