chore: Update quay.io/oauth2-proxy/oauth2-proxy and quay.io/brancz/ku… (#2124)

* chore: Update quay.io/oauth2-proxy/oauth2-proxy and quay.io/brancz/kube-rbac-proxy images

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

Author: tolusha

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2026-05-15T10:45:47Z"
+    createdAt: "2026-05-21T07:42:52Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.118.0-980.next
+  name: eclipse-che.v7.118.0-986.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -978,13 +978,11 @@ spec:
                       - name: RELATED_IMAGE_single_host_gateway_config_sidecar
                         value: quay.io/che-incubator/configbump:next
                       - name: RELATED_IMAGE_gateway_authentication_sidecar
-                        value: quay.io/openshift/origin-oauth-proxy:4.9
-                      - name: RELATED_IMAGE_gateway_authorization_sidecar
-                        value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+                        value: quay.io/openshift/origin-oauth-proxy:4.22
                       - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-                        value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-                      - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-                        value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+                        value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+                      - name: RELATED_IMAGE_gateway_authorization_sidecar
+                        value: quay.io/brancz/kube-rbac-proxy:v0.22.0
                       - name: RELATED_IMAGE_gateway_header_sidecar
                         value: quay.io/che-incubator/header-rewrite-proxy:latest
                       - name: CHE_FLAVOR
@@ -1146,17 +1144,15 @@ spec:
       name: single-host-gateway
     - image: quay.io/che-incubator/configbump:next
       name: single-host-gateway-config-sidecar
-    - image: quay.io/openshift/origin-oauth-proxy:4.9
+    - image: quay.io/openshift/origin-oauth-proxy:4.22
       name: gateway-authentication-sidecar
-    - image: quay.io/openshift/origin-kube-rbac-proxy:4.9
-      name: gateway-authorization-sidecar
-    - image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
       name: gateway-authentication-sidecar-k8s
-    - image: quay.io/brancz/kube-rbac-proxy:v0.13.1
-      name: gateway-authorization-sidecar-k8s
+    - image: quay.io/brancz/kube-rbac-proxy:v0.22.0
+      name: gateway-authorization-sidecar
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.118.0-980.next
+  version: 7.118.0-986.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

config/manager/manager.yaml

@@ -74,13 +74,11 @@ spec:
             - name: RELATED_IMAGE_single_host_gateway_config_sidecar
               value: quay.io/che-incubator/configbump:next
             - name: RELATED_IMAGE_gateway_authentication_sidecar
-              value: quay.io/openshift/origin-oauth-proxy:4.9
-            - name: RELATED_IMAGE_gateway_authorization_sidecar
-              value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+              value: quay.io/openshift/origin-oauth-proxy:4.22
             - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-              value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-            - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-              value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+              value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+            - name: RELATED_IMAGE_gateway_authorization_sidecar
+              value: quay.io/brancz/kube-rbac-proxy:v0.22.0
             - name: RELATED_IMAGE_gateway_header_sidecar
               value: quay.io/che-incubator/header-rewrite-proxy:latest
             - name: CHE_FLAVOR

deploy/deployment/kubernetes/combined.yaml

@@ -23722,13 +23722,11 @@ spec:
         - name: RELATED_IMAGE_single_host_gateway_config_sidecar
           value: quay.io/che-incubator/configbump:next
         - name: RELATED_IMAGE_gateway_authentication_sidecar
-          value: quay.io/openshift/origin-oauth-proxy:4.9
-        - name: RELATED_IMAGE_gateway_authorization_sidecar
-          value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+          value: quay.io/openshift/origin-oauth-proxy:4.22
         - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-          value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-        - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-          value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+        - name: RELATED_IMAGE_gateway_authorization_sidecar
+          value: quay.io/brancz/kube-rbac-proxy:v0.22.0
         - name: RELATED_IMAGE_gateway_header_sidecar
           value: quay.io/che-incubator/header-rewrite-proxy:latest
         - name: CHE_FLAVOR

deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml

@@ -68,13 +68,11 @@ spec:
         - name: RELATED_IMAGE_single_host_gateway_config_sidecar
           value: quay.io/che-incubator/configbump:next
         - name: RELATED_IMAGE_gateway_authentication_sidecar
-          value: quay.io/openshift/origin-oauth-proxy:4.9
-        - name: RELATED_IMAGE_gateway_authorization_sidecar
-          value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+          value: quay.io/openshift/origin-oauth-proxy:4.22
         - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-          value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-        - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-          value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+        - name: RELATED_IMAGE_gateway_authorization_sidecar
+          value: quay.io/brancz/kube-rbac-proxy:v0.22.0
         - name: RELATED_IMAGE_gateway_header_sidecar
           value: quay.io/che-incubator/header-rewrite-proxy:latest
         - name: CHE_FLAVOR

deploy/deployment/openshift/combined.yaml

@@ -23724,13 +23724,11 @@ spec:
         - name: RELATED_IMAGE_single_host_gateway_config_sidecar
           value: quay.io/che-incubator/configbump:next
         - name: RELATED_IMAGE_gateway_authentication_sidecar
-          value: quay.io/openshift/origin-oauth-proxy:4.9
-        - name: RELATED_IMAGE_gateway_authorization_sidecar
-          value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+          value: quay.io/openshift/origin-oauth-proxy:4.22
         - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-          value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-        - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-          value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+        - name: RELATED_IMAGE_gateway_authorization_sidecar
+          value: quay.io/brancz/kube-rbac-proxy:v0.22.0
         - name: RELATED_IMAGE_gateway_header_sidecar
           value: quay.io/che-incubator/header-rewrite-proxy:latest
         - name: CHE_FLAVOR

deploy/deployment/openshift/objects/che-operator.Deployment.yaml

@@ -68,13 +68,11 @@ spec:
         - name: RELATED_IMAGE_single_host_gateway_config_sidecar
           value: quay.io/che-incubator/configbump:next
         - name: RELATED_IMAGE_gateway_authentication_sidecar
-          value: quay.io/openshift/origin-oauth-proxy:4.9
-        - name: RELATED_IMAGE_gateway_authorization_sidecar
-          value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+          value: quay.io/openshift/origin-oauth-proxy:4.22
         - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-          value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-        - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-          value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+        - name: RELATED_IMAGE_gateway_authorization_sidecar
+          value: quay.io/brancz/kube-rbac-proxy:v0.22.0
         - name: RELATED_IMAGE_gateway_header_sidecar
           value: quay.io/che-incubator/header-rewrite-proxy:latest
         - name: CHE_FLAVOR

helmcharts/next/templates/che-operator.Deployment.yaml

@@ -68,13 +68,11 @@ spec:
         - name: RELATED_IMAGE_single_host_gateway_config_sidecar
           value: quay.io/che-incubator/configbump:next
         - name: RELATED_IMAGE_gateway_authentication_sidecar
-          value: quay.io/openshift/origin-oauth-proxy:4.9
-        - name: RELATED_IMAGE_gateway_authorization_sidecar
-          value: quay.io/openshift/origin-kube-rbac-proxy:4.9
+          value: quay.io/openshift/origin-oauth-proxy:4.22
         - name: RELATED_IMAGE_gateway_authentication_sidecar_k8s
-          value: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-        - name: RELATED_IMAGE_gateway_authorization_sidecar_k8s
-          value: quay.io/brancz/kube-rbac-proxy:v0.13.1
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+        - name: RELATED_IMAGE_gateway_authorization_sidecar
+          value: quay.io/brancz/kube-rbac-proxy:v0.22.0
         - name: RELATED_IMAGE_gateway_header_sidecar
           value: quay.io/che-incubator/header-rewrite-proxy:latest
         - name: CHE_FLAVOR

pkg/common/operator-defaults/defaults.go

@@ -36,9 +36,8 @@ var (
 	defaultSingleHostGatewayImage                           string
 	defaultSingleHostGatewayConfigSidecarImage              string
 	defaultGatewayKubernetesAuthenticationSidecarImage      string
-	defaultGatewayKubernetesAuthorizationSidecarImage       string
 	defaultGatewayOpenShiftAuthenticationSidecarImage       string
-	defaultGatewayOpenShiftAuthorizationSidecarImage        string
+	defaultGatewayAuthorizationSidecarImage                 string
 	defaultConsoleLinkName                                  string
 	defaultConsoleLinkDisplayName                           string
 	defaultConsoleLinkSection                               string
@@ -99,10 +98,9 @@ func Initialize() {
 	defaultSingleHostGatewayImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_single_host_gateway"))
 	defaultSingleHostGatewayConfigSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_single_host_gateway_config_sidecar"))
 
+	defaultGatewayAuthorizationSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_gateway_authorization_sidecar"))
 	defaultGatewayOpenShiftAuthenticationSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_gateway_authentication_sidecar"))
-	defaultGatewayOpenShiftAuthorizationSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_gateway_authorization_sidecar"))
 	defaultGatewayKubernetesAuthenticationSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_gateway_authentication_sidecar_k8s"))
-	defaultGatewayKubernetesAuthorizationSidecarImage = ensureEnv(util.GetArchitectureDependentEnvName("RELATED_IMAGE_gateway_authorization_sidecar_k8s"))
 
 	// Don't get some k8s specific env
 	if !infrastructure.IsOpenShift() {
@@ -186,14 +184,6 @@ func GetGatewayKubernetesAuthenticationSidecarImage(checluster interface{}) stri
 	return PatchDefaultImageName(checluster, defaultGatewayKubernetesAuthenticationSidecarImage)
 }
 
-func GetGatewayKubernetesAuthorizationSidecarImage(checluster interface{}) string {
-	if !initialized {
-		Initialize()
-	}
-
-	return PatchDefaultImageName(checluster, defaultGatewayKubernetesAuthorizationSidecarImage)
-}
-
 func GetGatewayOpenShiftAuthenticationSidecarImage(checluster interface{}) string {
 	if !initialized {
 		Initialize()
@@ -202,12 +192,12 @@ func GetGatewayOpenShiftAuthenticationSidecarImage(checluster interface{}) strin
 	return PatchDefaultImageName(checluster, defaultGatewayOpenShiftAuthenticationSidecarImage)
 }
 
-func GetGatewayOpenShiftAuthorizationSidecarImage(checluster interface{}) string {
+func GetGatewayAuthorizationSidecarImage(checluster interface{}) string {
 	if !initialized {
 		Initialize()
 	}
 
-	return PatchDefaultImageName(checluster, defaultGatewayOpenShiftAuthorizationSidecarImage)
+	return PatchDefaultImageName(checluster, defaultGatewayAuthorizationSidecarImage)
 }
 
 func GetCheFlavor() string {

pkg/deploy/gateway/gateway_test.go

@@ -265,7 +265,7 @@ func TestCustomizeGatewayDeploymentSingleImage(t *testing.T) {
 	assert.Equal(t, defaults.GetGatewayOpenShiftAuthenticationSidecarImage(checluster), containers[2].Image)
 
 	assert.Equal(t, constants.GatewayAuthorizationContainerName, containers[3].Name)
-	assert.Equal(t, defaults.GetGatewayOpenShiftAuthorizationSidecarImage(checluster), containers[3].Image)
+	assert.Equal(t, defaults.GetGatewayAuthorizationSidecarImage(checluster), containers[3].Image)
 }
 
 func TestTraefikLogLevel(t *testing.T) {
@@ -325,7 +325,7 @@ func TestKubeRbacProxyLogLevel(t *testing.T) {
 
 	containers := deployment.Spec.Template.Spec.Containers
 	assert.Equal(t, constants.GatewayAuthorizationContainerName, containers[3].Name)
-	assert.Equal(t, "--v=10", containers[3].Args[4])
+	assert.Equal(t, "--v=10", containers[3].Args[3])
 }
 
 func TestKubeRbacProxyLogLevelDefault(t *testing.T) {
@@ -336,5 +336,5 @@ func TestKubeRbacProxyLogLevelDefault(t *testing.T) {
 
 	containers := deployment.Spec.Template.Spec.Containers
 	assert.Equal(t, constants.GatewayAuthorizationContainerName, containers[3].Name)
-	assert.Equal(t, "--v=0", containers[3].Args[4])
+	assert.Equal(t, "--v=0", containers[3].Args[3])
 }

pkg/deploy/gateway/kube_rbac_proxy.go

@@ -16,7 +16,6 @@ import (
 	"strconv"
 
 	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
-	"github.com/eclipse-che/che-operator/pkg/common/infrastructure"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	chev2 "github.com/eclipse-che/che-operator/api/v2"
@@ -55,26 +54,19 @@ authorization:
 }
 
 func getKubeRbacProxyContainerSpec(ctx *chetypes.DeployContext) corev1.Container {
+	image := defaults.GetGatewayAuthorizationSidecarImage(ctx.CheCluster)
 	logLevel := constants.DefaultKubeRbacProxyLogLevel
 	if ctx.CheCluster.Spec.Networking.Auth.Gateway.KubeRbacProxy != nil && ctx.CheCluster.Spec.Networking.Auth.Gateway.KubeRbacProxy.LogLevel != nil {
 		logLevel = *ctx.CheCluster.Spec.Networking.Auth.Gateway.KubeRbacProxy.LogLevel
 	}
 
-	var image string
-	if infrastructure.IsOpenShiftOAuthEnabled() {
-		image = defaults.GetGatewayOpenShiftAuthorizationSidecarImage(ctx.CheCluster)
-	} else {
-		image = defaults.GetGatewayKubernetesAuthorizationSidecarImage(ctx.CheCluster)
-	}
-
 	return corev1.Container{
 		Name:            "kube-rbac-proxy",
 		Image:           image,
 		ImagePullPolicy: corev1.PullIfNotPresent,
 		Args: []string{
 			"--insecure-listen-address=0.0.0.0:8089",
 			"--upstream=http://127.0.0.1:8090/ping",
-			"--logtostderr=true",
 			"--config-file=/etc/kube-rbac-proxy/authorization-config.yaml",
 			"--v=" + strconv.FormatInt(int64(logLevel), 10),
 		},