Squashed commit of the following:
commit 3f462ad
Author: Christoph Kleineweber <christoph.kleineweber@loodse.com>
Date:   Mon Jun 28 13:12:44 2021 +0200

    Change cookie names for OAuth2 Proxy deployments (kyma-project#11566)

    To avoid problems with logging in to services that ran keycloak-proxy
    before.

commit 76b3a86
Author: Karol Szwaj <karol.szwaj@gmail.com>
Date:   Mon Jun 28 11:10:44 2021 +0200

    Update Istio to 1.10.2 (kyma-project#11562)

commit f601e1c
Author: Marco Bebway <marco.bebway@sap.com>
Date:   Mon Jun 28 10:10:44 2021 +0200

    Update Eventing resource limits for the evaluation profile (kyma-project#11551)

commit 72cb41e
Author: Michał Jakóbczyk <michal.jakobczyk@sap.com>
Date:   Mon Jun 28 08:12:44 2021 +0200

    Remove ConfigMap creation from Certificates components (kyma-project#11525)

commit 3055a94
Author: Karol Szwaj <karol.szwaj@gmail.com>
Date:   Fri Jun 25 19:10:43 2021 +0200

    Update Istio-installer to 1.10.2 (kyma-project#11556)

commit 9fe2825
Author: ralikio <74771103+ralikio@users.noreply.github.com>
Date:   Fri Jun 25 19:06:43 2021 +0200

    Corrected Runtime Agent Container Version (kyma-project#11555)

    * Corrected Agent Container Version

    * Correction

    Co-authored-by: Rafał Potempa <33723064+rafalpotempa@users.noreply.github.com>

commit 650ff1e
Author: Tomasz Gorgol <45565988+tgorgol@users.noreply.github.com>
Date:   Fri Jun 25 18:08:43 2021 +0200

    Bump serverless images (kyma-project#11554)

commit 2d94fad
Author: Christoph Kleineweber <christoph.kleineweber@loodse.com>
Date:   Fri Jun 25 17:04:43 2021 +0200

    Replace keycloak-proxy by oauth2-proxy (kyma-project#11518)

    * Replace keycloak-proxy by oauth2-proxy for Grafana

    * Replace keycloak-proxy by oauth2-proxy for Kiali

    * Replace keycloak-proxy by oauth2-proxy for Jaeger

    * Update values for kcproxy to oauth2 proxy migration

    * Do not show oauth2 proxy login page when using Dex

    * Adapt Dex redirect URLs for oauth2 proxy

    * Add oauth2 proxy overrides for fast integration test

    * Apply review comments

    * Update oauth2 proxy image tag

    * Disable request logging

commit dd7c314
Author: Andreas Thaler <andreas.thaler01@sap.com>
Date:   Fri Jun 25 16:04:43 2021 +0200

    istio tracing config is set to 100 (kyma-project#11549)

    * cleaning istio tracing config and setting a sampling rate of 100 for evaluation profile only

    * made sampling configurable at runtime via env variables

commit 0c95f2d
Author: Piotr Kopec <piotr@kubermatic.com>
Date:   Fri Jun 25 15:04:43 2021 +0200

    bump `apiserver-proxy` version (kyma-project#11553)

    Related: kyma-project#11533

commit d892771
Author: Piotr Kopec <piotr@kubermatic.com>
Date:   Fri Jun 25 14:04:43 2021 +0200

    remove `namespaces` dir because it's no longer needed (kyma-project#11529)

    After dropping support for namespace creation
    in preinstall this directory is no longer needed

    Resolves: kyma-project/hydroform#314

commit 3555ef0
Author: Patryk Strugacz <werdes72@users.noreply.github.com>
Date:   Fri Jun 25 13:00:43 2021 +0200

    Use postgres 11.12 (kyma-project#11534)

commit 6129fc5
Author: Andreas Thaler <andreas.thaler01@sap.com>
Date:   Fri Jun 25 11:36:43 2021 +0200

    prepare kyma-gateway for kyma2 migration (kyma-project#11514)

commit 22eac25
Author: Andreas Thaler <andreas.thaler01@sap.com>
Date:   Thu Jun 24 17:42:42 2021 +0200

    updated base image kiali - fluent-bit, grafana patch update 7.4.5 (kyma-project#11542)

    * base image versions bumped

    * upgraded to grafana 7.4.5

commit 3e1e71e
Author: ralikio <74771103+ralikio@users.noreply.github.com>
Date:   Thu Jun 24 15:38:46 2021 +0200

    Dependency Upgrade (kyma-project#11522)

    * Dependency Upgrade

    * Module Upgrades

commit ee0d95d
Author: Mohamed El Sayed <m.elsayed@gmail.com>
Date:   Thu Jun 24 15:32:46 2021 +0200

    Fix nodejs build container (kyma-project#11536)

commit e3fa5f7
Author: Patryk Strugacz <werdes72@users.noreply.github.com>
Date:   Thu Jun 24 14:12:46 2021 +0200

    Add jaegertracing crd (kyma-project#11532)

commit 1d087c9
Author: Michał Jakóbczyk <michal.jakobczyk@sap.com>
Date:   Thu Jun 24 13:10:46 2021 +0200

    Remove cert-manager from Kyma (kyma-project#11442)

    * Remove cert-manager from Kyma

    * Include gitkeep in namespaces to maintain dir

    * Restore removed xip-patch job

    * Fix xip-patch job formatting

commit 9a2ecd1
Author: Piotr <piotr.bochynski@sap.com>
Date:   Thu Jun 24 12:10:46 2021 +0200

    Fix problem with duplicated keys (name label) (kyma-project#11528)

commit 120e9e0
Author: Karol Szwaj <karol.szwaj@gmail.com>
Date:   Thu Jun 24 11:12:46 2021 +0200

    Remove old Istio mutating webhook patches (kyma-project#11502)

commit e386863
Author: Michał Jakóbczyk <michal.jakobczyk@sap.com>
Date:   Thu Jun 24 07:40:46 2021 +0200

    Perform cleanup for Impersonate-Group header in request (kyma-project#11533)

    * Perform cleanup for Impersonate-Group header in request

    * Perform header cleanup with Delete, add check to tests

    * Make malicious group a common var

    * Fix apiserver-proxy tests

commit 736dfd0
Author: Jan Wozniak <wozniak.jan@gmail.com>
Date:   Wed Jun 23 13:10:45 2021 +0200

    Bump helm-broker resource (kyma-project#11516)

commit 3fabb5f
Author: Krzysztof <6783567+kwiatekus@users.noreply.github.com>
Date:   Tue Jun 22 12:38:45 2021 +0200

    Update default busola URL and enable pkce by default (kyma-project#11517)

    Co-authored-by: Kwiatosz, Krzysztof <kwiatekus@users.noreply.github.com>

commit 42b1390
Author: Piotr <piotr.bochynski@sap.com>
Date:   Tue Jun 22 09:36:45 2021 +0200

    Remove duplicated keys in monitoring YAMLs (kyma-project#11515)
sankalp-r committed Jun 28, 2021
1 parent 6e3c82d commit 4381a79
Showing 103 changed files with 661 additions and 34,659 deletions.
3 changes: 0 additions & 3 deletions CODEOWNERS
Expand Up @@ -49,9 +49,6 @@
# The `rafter` chart
/resources/rafter/ @m00g3n @pPrecel @dbadura @tgorgol @rJankowski93

# The `cert-manager` chart
/resources/cert-manager/ @Tomasz-Smelcerz-SAP @strekm @werdes72 @PhillipAmend @colunira @mjakobczyk

# The `application-connector` chart
/resources/application-connector/ @akgalwas @janmedrek @Szymongib @franpog859 @Maladie @crabtree @rafalpotempa @koala7659

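Review bot: Dropping the `/resources/cert-manager/` ownership rule is only correct if the chart directory itself leaves the tree in this same squash (the message for 1d087c9, "Remove cert-manager from Kyma", says it does); otherwise the chart would remain with no owners and reviews of changes to it would no longer be routed. Worth confirming that no other `cert-manager` path is still listed elsewhere in this file.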
5 changes: 5 additions & 0 deletions components/apiserver-proxy/internal/proxy/proxy.go
Expand Up @@ -81,6 +81,7 @@ func (h *kubeRBACProxy) Handle(w http.ResponseWriter, req *http.Request) bool {
}

req.Header.Set("Impersonate-User", r.User.GetName())
h.cleanupImpersonateGroupHeader(req)
for _, gr := range r.User.GetGroups() {
req.Header.Add("Impersonate-Group", gr)
}
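Review bot: The ordering here is the entire fix and deserves a comment: `req.Header.Set` on `Impersonate-User` replaces any client-supplied value, but the loop below uses `req.Header.Add` for `Impersonate-Group`, which appends to whatever the client already sent, so `h.cleanupImpersonateGroupHeader(req)` must run before that loop. A one-line comment above the call stating that the incoming header is untrusted would keep a later refactor from reordering it. Only `Impersonate-Group` is cleared in this hunk; if the proxy forwards any other impersonation headers, they would need the same treatment, which this diff does not show.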
Expand All @@ -90,6 +91,10 @@ func (h *kubeRBACProxy) Handle(w http.ResponseWriter, req *http.Request) bool {
return true
}

func (h *kubeRBACProxy) cleanupImpersonateGroupHeader(req *http.Request) {
req.Header.Del("Impersonate-Group")
}

func newKubeRBACProxyAuthorizerAttributesGetter(authzConfig *authz.Config) authorizer.RequestAttributesGetter {
return krpAuthorizerAttributesGetter{authzConfig, newRequestInfoResolver()}
}
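Review bot: `cleanupImpersonateGroupHeader` has no doc comment, and since it exists for a security reason rather than tidiness it should say so, e.g. `// Drop any Impersonate-Group header supplied by the client; groups are set from the authenticated user only.` A wrapper around a single `req.Header.Del` is fine, but the name "cleanup" reads like housekeeping; the comment should make clear it strips untrusted input before the authenticated groups are added.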
15 changes: 11 additions & 4 deletions components/apiserver-proxy/internal/proxy/proxy_test.go
Expand Up @@ -29,6 +29,7 @@ func TestProxyWithOIDCSupport(t *testing.T) {
Authorization: &authz.Config{},
}

maliciousGroup := "malicious-group"
fakeUser := user.DefaultInfo{Name: "Foo Bar", Groups: []string{"foo-bars"}}
authenticator := fakeOIDCAuthenticator(t, &fakeUser)
metrics, _ := monitoring.NewProxyMetrics()
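Review bot: `maliciousGroup` is a local string here, while `setupTestScenario` further down passes the literal `"malicious-group"` to `fakeJWTRequest`; if either side is edited the two drift apart and the `strings.Contains` check below passes vacuously. Suggest a single package-level `const maliciousGroup = "malicious-group"` used by both the scenario table and the assertion.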
Expand All @@ -55,8 +56,13 @@ func TestProxyWithOIDCSupport(t *testing.T) {
if user != fakeUser.GetName() {
t.Errorf("User in the response header does not match authenticated user. Expected : %s, received : %s ", fakeUser.GetName(), user)
}

if strings.Contains(v.req.Header.Get("Impersonate-Group"), maliciousGroup) {
t.Errorf("Groups should not contain %s injected in the request", maliciousGroup)
}

if groups != strings.Join(fakeUser.GetGroups(), cfg.Authentication.Header.GroupSeparator) {
t.Errorf("Groupsr in the response header does not match authenticated user groups. Expected : %s, received : %s ", fakeUser.GetName(), groups)
t.Errorf("Groups in the response header does not match authenticated user groups. Expected : %s, received : %s ", fakeUser.GetGroups(), groups)
}
}
})
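Review bot: `v.req.Header.Get("Impersonate-Group")` returns only the first value of the header. With `Header.Del` followed by `Header.Add` the injected value would indeed come first if the cleanup regressed, but iterating `v.req.Header.Values("Impersonate-Group")` and asserting that no element equals `maliciousGroup` is the more robust check and avoids substring matches from `strings.Contains`. The corrected `Errorf` now prints `fakeUser.GetGroups()` instead of `GetName()`, which fixes a misleading failure message; `%s` on a `[]string` prints it as a bracketed list, which is fine here.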
Expand Down Expand Up @@ -114,7 +120,7 @@ func setupTestScenario() []testCase {
{
description: "Request with invalid Token should be authenticated and rejected with 401",
given: given{
req: fakeJWTRequest("GET", "/accounts", "Bearer INVALID"),
req: fakeJWTRequest("GET", "/accounts", "Bearer INVALID", "malicious-group"),
authorizer: denier{},
},
expected: expected{
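Review bot: The 401 case now also carries `"malicious-group"`, but whether the header assertion in the test loop runs for rejected requests is not visible in this hunk; for a rejected request the stronger property is that nothing is forwarded upstream at all. If the assertion only applies to proxied requests, this case adds no coverage for the fix and a comment should say which scenario actually exercises it.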
Expand All @@ -124,7 +130,7 @@ func setupTestScenario() []testCase {
{
description: "Request with valid token, should return 200 due to sufficient permissions",
given: given{
req: fakeJWTRequest("GET", "/accounts", "Bearer VALID"),
req: fakeJWTRequest("GET", "/accounts", "Bearer VALID", "malicious-group"),
authorizer: approver{},
},
expected: expected{
Expand All @@ -136,9 +142,10 @@ func setupTestScenario() []testCase {
return testScenario
}

func fakeJWTRequest(method, path, token string) *http.Request {
func fakeJWTRequest(method, path, token, groups string) *http.Request {
req := requestFor(method, path)
req.Header.Add("Authorization", token)
req.Header.Add("Impersonate-Group", groups)

return req
}
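Review bot: Making `groups` a mandatory parameter of `fakeJWTRequest` means every scenario now sends an `Impersonate-Group` header, so no test covers the plain request without one. A variadic `groups ...string` (calling `req.Header.Add` once per value) would keep a header-less call site possible and also allow a scenario with several injected values, which matters because the proxy uses `Header.Add` and would otherwise append them one by one.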
15 changes: 8 additions & 7 deletions components/application-operator/go.mod
Expand Up @@ -5,27 +5,28 @@ go 1.16
require (
cloud.google.com/go v0.65.0 // indirect
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
github.com/docker/docker v20.10.7+incompatible // indirect
github.com/emicklei/go-restful v2.9.6+incompatible // indirect
github.com/gorilla/mux v1.8.0
github.com/kubernetes-sigs/service-catalog v0.3.0
github.com/mattn/go-colorable v0.1.7 // indirect
github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.7.0
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.7.0
github.com/vrischmann/envconfig v1.1.0
helm.sh/helm/v3 v3.5.2
k8s.io/apimachinery v0.20.2
k8s.io/cli-runtime v0.20.2
k8s.io/client-go v0.20.2
helm.sh/helm/v3 v3.6.1
k8s.io/apimachinery v0.21.2
k8s.io/cli-runtime v0.21.0
k8s.io/client-go v0.21.2
k8s.io/klog v1.0.0
sigs.k8s.io/controller-runtime v0.8.3
sigs.k8s.io/controller-runtime v0.9.1
)

replace (
github.com/containerd/containerd => github.com/containerd/containerd v1.4.4
github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d
github.com/docker/docker => github.com/docker/docker v20.10.3+incompatible
github.com/docker/docker => github.com/docker/docker v20.10.7+incompatible
github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc93

golang.org/x/crypto => golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
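Review bot: The k8s.io modules are bumped to mixed patch levels (`apimachinery` and `client-go` to v0.21.2, `cli-runtime` only to v0.21.0); these are normally kept in lockstep, so `cli-runtime` should probably be v0.21.2 as well. The updated `replace` of `github.com/docker/docker` now pins exactly the v20.10.7+incompatible that the new `require` line asks for, so it is redundant unless it exists to override a transitive requirement; if so, a comment naming that requirement would help the next person who tries to remove it. Adding an `// indirect` require by hand is also unusual; `go mod tidy` normally manages those lines.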
0 comments on commit 4381a79