kyma-project / kyma

Kyma is an opinionated set of Kubernetes-based modular building blocks, including all necessary capabilities to develop and run enterprise-grade cloud-native applications.
https://kyma-project.io
Apache License 2.0

Remove redundant secret migration code and RBAC objects in Compass Runtime Agent #17698

Closed koala7659 closed 4 months ago

koala7659 commented 1 year ago

Description

As part of https://github.com/kyma-project/kyma/issues/15915 we recently updated the Compass Runtime Agent service in Kyma to store the secret configuration data inside the kyma-system namespace and stop using the old compass-system namespace for it.

To avoid affecting existing runtimes, some specialised code was written to copy the content of the old secrets from the compass-system namespace into the new desired location in secrets in the kyma-system namespace. This migrator code required additional RBAC rules to access data inside multiple namespaces, and configuration variables in the Compass Runtime Agent deployment.

Used ClusterRoleBindings:

    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["compass-agent-configuration","cluster-client-certificates"]
      verbs: ["get", "delete"]

After successful migration there is need to maintain old secret migrator code and keep too broad RBAC rules for Compass Runtime Agent service account.

Reason:

To secure Kyma Runtime we should limit the scope of privileges assigned to Kyma components. Removing the secret migrator code and related RBAC objects will ensure Compass Runtime Agent cannot access secrets in different namespaces.

Expected code change:

Related PRs:
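The ClusterRole rule quoted in the issue above, audited as an added example (not Kyma's own code): a small least-privilege check that flags a secrets rule reachable cluster-wide via a ClusterRoleBinding, and its write verbs, beside an assumed namespaced replacement in kyma-system. The manifests are constructed inline as Python dicts; the role names, the subject and the shape of the "after" Role are assumptions.

```python
# Added example (not Kyma's own code): flag RBAC rules of the kind this issue removes.
# Manifests are constructed inline; role names and the "after" shape are assumptions.
# Before: the rule quoted in the issue, bound cluster-wide by a ClusterRoleBinding.
BEFORE = {
    "roles": [{"kind": "ClusterRole", "metadata": {"name": "compass-runtime-agent"},
               "rules": [{"apiGroups": [""], "resources": ["secrets"],
                          "resourceNames": ["compass-agent-configuration", "cluster-client-certificates"],
                          "verbs": ["get", "delete"]}]}],
    "bindings": [{"kind": "ClusterRoleBinding",
                  "roleRef": {"kind": "ClusterRole", "name": "compass-runtime-agent"}}],
}
# After (assumed shape): read-only access to the same named secrets through a
# namespaced Role and RoleBinding in kyma-system only.
AFTER = {
    "roles": [{"kind": "Role", "metadata": {"name": "compass-runtime-agent", "namespace": "kyma-system"},
               "rules": [{"apiGroups": [""], "resources": ["secrets"],
                          "resourceNames": ["compass-agent-configuration", "cluster-client-certificates"],
                          "verbs": ["get"]}]}],
    "bindings": [{"kind": "RoleBinding", "metadata": {"namespace": "kyma-system"},
                  "roleRef": {"kind": "Role", "name": "compass-runtime-agent"}}],
}

SENSITIVE = {"secrets", "*"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def audit(manifests):
    """Return (role, scope, reason) findings for secrets rules that exceed least privilege."""
    findings = []
    # A ClusterRole is cluster-wide only when bound by a ClusterRoleBinding; a RoleBinding confines it.
    cluster_wide = {b["roleRef"]["name"] for b in manifests["bindings"]
                    if b["kind"] == "ClusterRoleBinding"}
    for role in manifests["roles"]:
        name = role["metadata"]["name"]
        scope = ("cluster" if role["kind"] == "ClusterRole" and name in cluster_wide
                 else role["metadata"].get("namespace", "unbound"))
        for rule in role.get("rules", []):
            if not set(rule.get("resources", [])) & SENSITIVE:
                continue  # not a secrets rule
            if scope == "cluster":
                findings.append((name, scope, "secrets rule reachable in every namespace"))
            write = set(rule.get("verbs", [])) & WRITE_VERBS
            if write:
                findings.append((name, scope, "write verbs on secrets: " + ",".join(sorted(write))))
            if not rule.get("resourceNames"):
                findings.append((name, scope, "no resourceNames: every secret in scope"))
    return findings
```

Run `audit(BEFORE)` to see the two findings (cluster-wide reach and the `delete` verb) and `audit(AFTER)` to confirm the namespaced form produces none.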

kyma-bot commented 1 year ago

This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

You can:

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

koala7659 commented 6 months ago

There is still a dependency on the istio-system namespace. We must address it to avoid the pod crashing without the namespace.

github-actions[bot] commented 4 months ago

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 4 months ago

This issue has been automatically closed due to the lack of recent activity. /lifecycle rotten