From bc95909cc4916e37e6431c31eebfdf8a8211d568 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 23 Sep 2021 07:16:30 -0300
Subject: [PATCH 1/4] [ws-manager-bridge] Remove duplicated roleRef

---
 chart/templates/ws-manager-bridge-rolebinding.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/chart/templates/ws-manager-bridge-rolebinding.yaml b/chart/templates/ws-manager-bridge-rolebinding.yaml
index bf048b8fa640d9..5c1b05746632ad 100644
--- a/chart/templates/ws-manager-bridge-rolebinding.yaml
+++ b/chart/templates/ws-manager-bridge-rolebinding.yaml
@@ -20,10 +20,6 @@ roleRef:
   kind: ClusterRole
   name: {{ .Release.Namespace }}-ns-psp:unprivileged
   apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: {{ .Release.Namespace }}-kube-rbac-proxy
-  apiGroup: rbac.authorization.k8s.io
 ---

From 81af62ccf2c96dff45f3b598ee5c80b7523e48b1 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 23 Sep 2021 07:23:02 -0300
Subject: [PATCH 2/4] [proxy] Mount Service Account Token

---
 chart/templates/proxy-serviceaccount.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/chart/templates/proxy-serviceaccount.yaml b/chart/templates/proxy-serviceaccount.yaml
index 87c5f1ae82e576..f6d15d8256ba68 100644
--- a/chart/templates/proxy-serviceaccount.yaml
+++ b/chart/templates/proxy-serviceaccount.yaml
@@ -10,4 +10,3 @@ metadata:
     component: proxy
     kind: service-account
     stage: {{ .Values.installation.stage }}
-automountServiceAccountToken: false
\ No newline at end of file

From 72b16edf71ded4537747613a499a5bbda2220ec5 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 23 Sep 2021 07:41:20 -0300
Subject: [PATCH 3/4] Listen on localhost

---
 components/proxy/conf/Caddyfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile
index 8a70b9f5f2175a..ff90675ad1e6f5 100644
--- a/components/proxy/conf/Caddyfile
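Review bot: Removing `automountServiceAccountToken: false` in the proxy-serviceaccount hunk mounts the service account token into every container of the proxy pod, including the Caddy container that terminates user traffic, while — as far as this series shows — only the kube-rbac-proxy sidecar needs API credentials for its TokenReview/SubjectAccessReview calls. Consider keeping the ServiceAccount default at `automountServiceAccountToken: false` and adding a projected `serviceAccountToken` volume (with a short `expirationSeconds`) mounted only into the kube-rbac-proxy container, so a compromise of the front-facing proxy does not yield cluster API credentials. If the token must stay pod-wide, a comment on the ServiceAccount stating which container depends on it would stop the next reader from re-adding the `false`.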
+++ b/components/proxy/conf/Caddyfile
@@ -131,7 +131,7 @@
         respond /ready 200
 }
 
-127.0.0.1:9500 {
+localhost:9500 {
     metrics /metrics {
         disable_openmetrics
     }

From 629e858aff21794ed8cd705ae12fc61b52248561 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 23 Sep 2021 07:51:14 -0300
Subject: [PATCH 4/4] Fix Caddy prometheus configuration

---
 ...deny-all-allow-explicit-networkpolicy.yaml | 2 +-
 chart/templates/proxy-deployment.yaml | 28 ++++++++++++++++++-
 components/proxy/conf/Caddyfile | 3 +-
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
index bb0f0019343e1b..5e6a60b9736448 100644
--- a/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
+++ b/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
@@ -28,7 +28,7 @@ spec:
   # Allow prometheus scraping from proxy /metrics endpoint
   - ports:
     - protocol: TCP
-      port: 9145
+      port: 9500
     from:
     - namespaceSelector:
         matchLabels:
diff --git a/chart/templates/proxy-deployment.yaml b/chart/templates/proxy-deployment.yaml
index a9b28701e02661..b6c975566ef5fb 100644
--- a/chart/templates/proxy-deployment.yaml
+++ b/chart/templates/proxy-deployment.yaml
@@ -51,7 +51,33 @@ spec:
         - -c
         - "sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range='1024 65000'"
       containers:
-{{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
+      # TODO: remove once Caddy can listen only in localhost
+      - name: kube-rbac-proxy
+        args:
+        - --v=10
+        - --logtostderr
+        - --insecure-listen-address=[$(IP)]:9500
+        - --upstream=http://127.0.0.1:9545/
+        env:
+        - name: IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 9500
+          name: metrics
+          protocol: TCP
+        resources:
+          requests:
+            cpu: 1m
+            memory: 30Mi
+        securityContext:
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
       - name: proxy
         image: {{ template "gitpod.comp.imageFull" $this }}
{{ include "gitpod.container.imagePullPolicy" $this | indent 8 }}
diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile
index ff90675ad1e6f5..2c1bddd4844bfd 100644
--- a/components/proxy/conf/Caddyfile
+++ b/components/proxy/conf/Caddyfile
@@ -131,7 +131,8 @@
         respond /ready 200
 }
 
-localhost:9500 {
+# TODO: refactor once we can listen only in localhost
+:9545 {
     metrics /metrics {
         disable_openmetrics
     }
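Review bot: The inlined kube-rbac-proxy container serves on `--insecure-listen-address=[$(IP)]:9500`, so the bearer token Prometheus presents to authenticate crosses the pod network in plaintext; unless TLS is terminated elsewhere (not visible in this series), `--secure-listen-address` with `--tls-cert-file`/`--tls-private-key-file` is the mode the proxy is designed for. `--v=10` is debug-level klog verbosity for a long-running sidecar and may echo per-request detail into logs; lower it before merge, e.g. `- --v=2`. The securityContext pins the UID/GID but sets neither `allowPrivilegeEscalation: false` nor `capabilities: {drop: ["ALL"]}` (nor `readOnlyRootFilesystem`), which the replaced `gitpod.kube-rbac-proxy` include may have provided — worth re-checking since this hunk copies the container by hand, and no resource limits are set either.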
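Review bot: `:9545` binds Caddy's unauthenticated metrics listener on every pod interface, so the endpoint kube-rbac-proxy is meant to gate is also reachable directly on the pod IP; only the deny-all NetworkPolicy, which this series opens for 9500 but not 9545, stands between it and other workloads. If the blocker behind the TODO is the site-address form, Caddy's `bind` directive restricts the listener without changing the address, e.g. `:9545 {` followed by `bind 127.0.0.1` as the first line of the block. Either way the TODO should record what prevented `127.0.0.1:9545`, since the previous commit in this series used the loopback form on 9500 and the diff does not show why it was abandoned.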