diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml index 90e827d0e1d..466417f6ea3 100644 --- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml @@ -190,7 +190,7 @@ metadata: capabilities: Deep Insights console.openshift.io/plugins: '["gitops-plugin"]' containerImage: quay.io/redhat-developer/gitops-operator - createdAt: "2026-06-16T17:25:03Z" + createdAt: "2026-06-30T06:15:57Z" description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments. features.operators.openshift.io/disconnected: "true" @@ -864,6 +864,7 @@ spec: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - --leader-elect + - --metrics-secure=true command: - /usr/local/bin/manager env: @@ -910,10 +911,18 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + volumeMounts: + - mountPath: /tmp/k8s-metrics-server/serving-certs + name: metrics-certs + readOnly: true securityContext: runAsNonRoot: true serviceAccountName: openshift-gitops-operator-controller-manager terminationGracePeriodSeconds: 10 + volumes: + - name: metrics-certs + secret: + secretName: openshift-gitops-operator-metrics-tls permissions: - rules: - apiGroups: diff --git a/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml b/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml index e6ff79c93d6..efbfdcc6f89 100644 --- a/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml +++ b/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml 
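Review bot: The new `metrics-certs` volume in the manager pod spec makes the operator pod hard-depend on the Secret `openshift-gitops-operator-metrics-tls` existing before the container can start: a Secret volume without `optional: true` keeps the pod in ContainerCreating until the kubelet can mount it, and that Secret is only produced by the OpenShift service-CA operator from the `serving-cert-secret-name` annotation this diff puts on the metrics Service in another file. That is a reasonable trade-off given `--metrics-secure=true` needs the files, but nothing in the bundle says so, and on a cluster without service-ca the pod will never become ready. Since the CSV is generated (the `createdAt` bump shows that), a comment belongs in the kustomize source it is built from, e.g. `# Populated by service-ca from the metrics Service annotation; the manager cannot start without it.` The Deployment this hunk sits in starts and ends outside the hunk.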
@@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls + service.beta.openshift.io/serving-cert-secret-name: openshift-gitops-operator-metrics-tls creationTimestamp: null labels: control-plane: gitops-operator diff --git a/cmd/main.go b/cmd/main.go index a96f5be3b3b..40f7c7fee17 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -93,7 +93,7 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string - + var secureMetrics = false var enableHTTP2 = false var skipControllerNameValidation = true var disableClusterTLSProfile = false @@ -107,6 +107,8 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.") flag.BoolVar(&disableClusterTLSProfile, "disable-cluster-tls-profile", false, "Disable use of the cluster TLS security profile") + flag.BoolVar(&secureMetrics, "metrics-secure", secureMetrics, "If the metrics endpoint should be served securely.") + //Configure log level logLevelStr := strings.ToLower(os.Getenv("LOG_LEVEL")) logLevel := zapcore.InfoLevel @@ -179,11 +181,7 @@ func main() { } webhookServer := webhook.NewServer(webhookServerOptions) - metricsServerOptions := metricsserver.Options{ - BindAddress: metricsAddr, - TLSOpts: tlsOpts, - FilterProvider: filters.WithAuthenticationAndAuthorization, - } + metricsServerOptions := buildMetricsServerOptions(metricsAddr, secureMetrics, tlsOpts) // Set default manager options options := ctrl.Options{ 
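Review bot: The help text for the new `metrics-secure` flag, `"If the metrics endpoint should be served securely."`, does not say that the default `false` (declared in the preceding hunk as `var secureMetrics = false`) also drops the authentication/authorization filter the previous code applied unconditionally — see `buildMetricsServerOptions` later in this diff — so a manager started without the flag exposes `/metrics` as plaintext with no authn/authz. Both shipped manifests pass `--metrics-secure=true`, so consider defaulting the variable to `true` and spelling out the consequence in the help string: `flag.BoolVar(&secureMetrics, "metrics-secure", secureMetrics, "Serve the metrics endpoint over TLS and require API-server authentication/authorization; when false it is served as plaintext with no access control.")`. The enclosing `main` starts and ends outside the hunk.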
@@ -472,3 +470,18 @@ func initK8sClient() (*kubernetes.Clientset, error) { return k8sClient, nil } + +func buildMetricsServerOptions(metricsAddr string, secureMetrics bool, tlsOpts []func(*tls.Config)) metricsserver.Options { + opts := metricsserver.Options{ + SecureServing: secureMetrics, + BindAddress: metricsAddr, + TLSOpts: tlsOpts, + } + + if secureMetrics { + opts.FilterProvider = filters.WithAuthenticationAndAuthorization + opts.CertDir = "/tmp/k8s-metrics-server/serving-certs" + } + + return opts +} diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml index fd3be311cc0..cda6fb908da 100644 --- a/config/default/manager_metrics_patch.yaml +++ b/config/default/manager_metrics_patch.yaml @@ -15,6 +15,7 @@ spec: - "--health-probe-bind-address=:8081" - "--metrics-bind-address=:8443" - "--leader-elect" + - "--metrics-secure=true" ports: - name: metrics containerPort: 8443 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index d897178eb10..d3da79874bc 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -27,7 +27,8 @@ spec: securityContext: runAsNonRoot: true containers: - - command: + - name: manager + command: - /usr/local/bin/manager env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES @@ -47,7 +48,6 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz @@ -62,5 +62,13 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + volumeMounts: + - name: metrics-certs + mountPath: /tmp/k8s-metrics-server/serving-certs + readOnly: true + volumes: + - name: metrics-certs + secret: + secretName: openshift-gitops-operator-metrics-tls serviceAccountName: controller-manager - terminationGracePeriodSeconds: 10 + terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/config/rbac/metrics_service.yaml b/config/rbac/metrics_service.yaml index dfaaf9f522a..78fca50345d 100644 
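Review bot: `buildMetricsServerOptions` has no doc comment, and its insecure branch is the part a reader needs explained: when `secureMetrics` is false it returns options with neither `SecureServing` nor `FilterProvider`, so controller-runtime serves `/metrics` on `metricsAddr` over plain HTTP with no authn/authz — a change from the removed block in `main`, which set `filters.WithAuthenticationAndAuthorization` unconditionally. If that mode is intended only for local development, say so on the function, and note that `tlsOpts` (the cluster TLS profile) is presumably not applied by controller-runtime unless `SecureServing` is true — worth confirming against the pinned controller-runtime version. The `CertDir` literal must match the `mountPath` in the manifests and the file names controller-runtime looks for there (presumably `tls.crt`/`tls.key`, which is what service-ca writes), so a `// must match the metrics-certs mountPath in config/manager/manager.yaml and the CSV` comment on that line would save the next maintainer a search. A two-line doc comment such as `// buildMetricsServerOptions builds the controller-runtime metrics server options: secure=true serves TLS from CertDir and wraps the handler with API-server authn/authz,` / `// secure=false serves plaintext with no filter and is only safe behind a trusted boundary.` covers the contract.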
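Review bot: The replacement `terminationGracePeriodSeconds: 10` line in `config/manager/manager.yaml` is marked `\ No newline at end of file`, so this hunk strips the file's trailing newline for no functional reason; restore it so the file stays a POSIX text file and future diffs do not churn this line. Indentation is not recoverable from this rendering, but `volumes:` appears directly after the container's `volumeMounts` and before `serviceAccountName`, so double-check it is indented at pod `spec` level (a sibling of `serviceAccountName`), not under the `manager` container, where it would be an unknown field and the mount would reference a volume the pod never declares. The Secret `openshift-gitops-operator-metrics-tls` is only created by the service-CA operator from the Service annotation changed elsewhere in this diff; a one-line comment above the volume, e.g. `# created by service-ca from the metrics Service annotation`, would help anyone applying the plain kustomize manifests outside OpenShift.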
--- a/config/rbac/metrics_service.yaml
+++ b/config/rbac/metrics_service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls
+    service.beta.openshift.io/serving-cert-secret-name: openshift-gitops-operator-metrics-tls
   labels:
     control-plane: gitops-operator
   name: metrics-service