TRT-2568: Revert "CCO-788: Remove kube-rbac-proxy container from metrics"

[stbenjam]

Revertomatic Revert

Field	Value
Original PR	#976
JIRA	TRT-2568
Payload	4.22.0-0.nightly-2026-03-08-004901
Confidence	95 (HIGH)

Why

This PR is causing blocking job failures in the 4.22 nightly amd64 payload. All serial and techpreview-serial blocking jobs fail with:

[sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial]

Error: failed to ensure scraping target of pod openshift-cloud-credential-operator/cco-metrics requires auth: context deadline exceeded

The PR removed kube-rbac-proxy from the CCO metrics endpoint and reimplemented RBAC via controller-runtime. The Prometheus auth test checks that metrics endpoints require authentication, and the CCO metrics endpoint now fails this check.

Failing Jobs

• aws-ovn-serial-1of2
• aws-ovn-serial-2of2
• aws-ovn-techpreview-serial-1of3
• aws-ovn-techpreview-serial-2of3
• aws-ovn-techpreview-serial-3of3
• overall-analysis-all (downstream)

cc @jstuever

[openshift-ci-robot]

@stbenjam: This pull request references CCO-788 which is a valid jira issue.

Details

In response to this:

Revertomatic Revert

Field	Value
Original PR	#976
Payload	4.22.0-0.nightly-2026-03-08-004901
Confidence	95 (HIGH)

Why

This PR is causing blocking job failures in the 4.22 nightly amd64 payload. All serial and techpreview-serial blocking jobs fail with:

[sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial]

Error: failed to ensure scraping target of pod openshift-cloud-credential-operator/cco-metrics requires auth: context deadline exceeded

The PR removed kube-rbac-proxy from the CCO metrics endpoint and reimplemented RBAC via controller-runtime. The Prometheus auth test checks that metrics endpoints require authentication, and the CCO metrics endpoint now fails this check.

Failing Jobs

• aws-ovn-serial-1of2
• aws-ovn-serial-2of2
• aws-ovn-techpreview-serial-1of3
• aws-ovn-techpreview-serial-2of3
• aws-ovn-techpreview-serial-3of3
• overall-analysis-all (downstream)

cc @jstuever

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stbenjam]

/payload-job 4.22 nightly aws-ovn-serial-1of2

[openshift-ci]

@stbenjam: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[stbenjam]

/payload-job 4.22 nightly aws-ovn-techpreview-serial-1of3

[openshift-ci]

@stbenjam: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[openshift-ci-robot]

@stbenjam: This pull request references CCO-788 which is a valid jira issue.

Details

In response to this:

Revertomatic Revert

Field	Value
Original PR	#976
JIRA	TRT-2568
Payload	4.22.0-0.nightly-2026-03-08-004901
Confidence	95 (HIGH)

Why

This PR is causing blocking job failures in the 4.22 nightly amd64 payload. All serial and techpreview-serial blocking jobs fail with:

[sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial]

Error: failed to ensure scraping target of pod openshift-cloud-credential-operator/cco-metrics requires auth: context deadline exceeded

The PR removed kube-rbac-proxy from the CCO metrics endpoint and reimplemented RBAC via controller-runtime. The Prometheus auth test checks that metrics endpoints require authentication, and the CCO metrics endpoint now fails this check.

Failing Jobs

• aws-ovn-serial-1of2
• aws-ovn-serial-2of2
• aws-ovn-techpreview-serial-1of3
• aws-ovn-techpreview-serial-2of3
• aws-ovn-techpreview-serial-3of3
• overall-analysis-all (downstream)

cc @jstuever

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@stbenjam: This pull request references TRT-2568 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Revertomatic Revert

Field	Value
Original PR	#976
JIRA	TRT-2568
Payload	4.22.0-0.nightly-2026-03-08-004901
Confidence	95 (HIGH)

Why

This PR is causing blocking job failures in the 4.22 nightly amd64 payload. All serial and techpreview-serial blocking jobs fail with:

[sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial]

Error: failed to ensure scraping target of pod openshift-cloud-credential-operator/cco-metrics requires auth: context deadline exceeded

The PR removed kube-rbac-proxy from the CCO metrics endpoint and reimplemented RBAC via controller-runtime. The Prometheus auth test checks that metrics endpoints require authentication, and the CCO metrics endpoint now fails this check.

Failing Jobs

• aws-ovn-serial-1of2
• aws-ovn-serial-2of2
• aws-ovn-techpreview-serial-1of3
• aws-ovn-techpreview-serial-2of3
• aws-ovn-techpreview-serial-3of3
• overall-analysis-all (downstream)

cc @jstuever

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stbenjam]

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3

[openshift-ci]

@stbenjam: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/60ef6be0-1af1-11f1-9139-ca1df5029cef-0

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 46.20%. Comparing base (6b2f075) to head (42d7c14).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/cmd/operator/cmd.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #982      +/-   ##
==========================================
+ Coverage   46.19%   46.20%   +0.01%     
==========================================
  Files          98       98              
  Lines       12256    12253       -3     
==========================================
  Hits         5662     5662              
+ Misses       5944     5941       -3     
  Partials      650      650              

Files with missing lines	Coverage Δ
pkg/cmd/operator/cmd.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[neisw]

/lgtm

Resolves the [sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial] [Suite:openshift/conformance/serial] failures

[neisw]

/verified by ci

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: neisw, stbenjam
Once this PR has been reviewed and has the lgtm label, please assign jstuever for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@neisw: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[neisw]

/label approved

[stbenjam]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-1of2
/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3

[openshift-ci]

@stbenjam: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-1of2
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/784a76a0-1b22-11f1-8f57-10277777bf8d-0

[stbenjam]

/payload-job abort

[openshift-ci]

@stbenjam: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[stbenjam]

Hypershift is hitting another regression with CVO and AWS looks like a flake

/override ci/prow/e2e-hypershift
/override ci/prow/e2e-aws-ovn

[openshift-ci]

@stbenjam: Overrode contexts on behalf of stbenjam: ci/prow/e2e-aws-ovn, ci/prow/e2e-hypershift

Details

In response to this:

Hypershift is hitting another regression with CVO and AWS looks like a flake

/override ci/prow/e2e-hypershift
/override ci/prow/e2e-aws-ovn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.