diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml
index fef39a10f92..40f5356c1b2 100644
--- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml
@@ -190,7 +190,7 @@ metadata:
 capabilities: Deep Insights
 console.openshift.io/plugins: '["gitops-plugin"]'
 containerImage: quay.io/redhat-developer/gitops-operator
- createdAt: "2026-06-12T08:52:50Z"
+ createdAt: "2026-06-30T06:15:57Z"
 description: Enables teams to adopt GitOps principles for managing cluster configurations and application delivery across hybrid multi-cluster Kubernetes environments.
 features.operators.openshift.io/disconnected: "true"
@@ -863,6 +863,7 @@ spec:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=:8443
 - --leader-elect
+ - --metrics-secure=true
 command:
 - /usr/local/bin/manager
 env:
@@ -907,10 +908,18 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /tmp/k8s-metrics-server/serving-certs
+ name: metrics-certs
+ readOnly: true
 securityContext:
 runAsNonRoot: true
 serviceAccountName: openshift-gitops-operator-controller-manager
 terminationGracePeriodSeconds: 10
+ volumes:
+ - name: metrics-certs
+ secret:
+ secretName: openshift-gitops-operator-metrics-tls
 permissions:
 - rules:
 - apiGroups:
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml b/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml
index e6ff79c93d6..efbfdcc6f89 100644
--- a/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml
+++ b/bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
- service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls
+ service.beta.openshift.io/serving-cert-secret-name: openshift-gitops-operator-metrics-tls
 creationTimestamp: null
 labels:
 control-plane: gitops-operator
diff --git a/cmd/main.go b/cmd/main.go
index acbe0809fad..b8c0ef818e2 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -91,7 +91,7 @@ func main() {
 var metricsAddr string
 var enableLeaderElection bool
 var probeAddr string
-
+ var secureMetrics = false
 var enableHTTP2 = false
 var skipControllerNameValidation = true
@@ -103,6 +103,7 @@ func main() {
 "Enable leader election for controller manager. "+
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.")
+ flag.BoolVar(&secureMetrics, "metrics-secure", secureMetrics, "If the metrics endpoint should be served securely.")
 //Configure log level
 logLevelStr := strings.ToLower(os.Getenv("LOG_LEVEL"))
@@ -148,11 +149,8 @@ func main() {
 }
 webhookServer := webhook.NewServer(webhookServerOptions)
- metricsServerOptions := metricsserver.Options{
- BindAddress: metricsAddr,
- TLSOpts: []func(*tls.Config){disableHTTP2},
- FilterProvider: filters.WithAuthenticationAndAuthorization,
- }
+ tlsOpts := []func(*tls.Config){disableHTTP2}
+ metricsServerOptions := buildMetricsServerOptions(metricsAddr, secureMetrics, tlsOpts)
 // Set default manager options
 options := ctrl.Options{
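Review bot: `var secureMetrics = false` makes a plaintext, unauthenticated metrics listener the binary's default: buildMetricsServerOptions only installs `filters.WithAuthenticationAndAuthorization` when the flag is set, so any deployment path that does not pass `--metrics-secure=true` (the three manifests in this commit do; a local run or an out-of-tree manifest would not) serves `:8443` over HTTP with no request filter. The removed block set the filter unconditionally, so the fail-safe default is `var secureMetrics = true`, with `--metrics-secure=false` as the explicit opt-out for callers that have not adopted the flag; whether controller-runtime honoured FilterProvider without SecureServing in the old code cannot be told from here, so this is a point about the default rather than a confirmed regression. The help text added in the next hunk could also say what "securely" means, e.g. `"Serve the metrics endpoint over TLS and require authentication and authorization on every request."`. main's body continues outside these hunks.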
@@ -410,3 +408,18 @@ func initK8sClient() (*kubernetes.Clientset, error) {
 return k8sClient, nil
 }
+
+func buildMetricsServerOptions(metricsAddr string, secureMetrics bool, tlsOpts []func(*tls.Config)) metricsserver.Options {
+ opts := metricsserver.Options{
+ SecureServing: secureMetrics,
+ BindAddress: metricsAddr,
+ TLSOpts: tlsOpts,
+ }
+
+ if secureMetrics {
+ opts.FilterProvider = filters.WithAuthenticationAndAuthorization
+ opts.CertDir = "/tmp/k8s-metrics-server/serving-certs"
+ }
+
+ return opts
+}
diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml
index fd3be311cc0..cda6fb908da 100644
--- a/config/default/manager_metrics_patch.yaml
+++ b/config/default/manager_metrics_patch.yaml
@@ -15,6 +15,7 @@ spec:
 - "--health-probe-bind-address=:8081"
 - "--metrics-bind-address=:8443"
 - "--leader-elect"
+ - "--metrics-secure=true"
 ports:
 - name: metrics
 containerPort: 8443
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index c34b8d9e093..21c1cea5ff5 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -27,7 +27,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 containers:
- - command:
+ - name: manager
+ command:
 - /usr/local/bin/manager
 env:
 - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
@@ -45,7 +46,6 @@ spec:
 port: 8081
 initialDelaySeconds: 15
 periodSeconds: 20
- name: manager
 readinessProbe:
 httpGet:
 path: /readyz
@@ -60,5 +60,13 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ volumeMounts:
+ - name: metrics-certs
+ mountPath: /tmp/k8s-metrics-server/serving-certs
+ readOnly: true
+ volumes:
+ - name: metrics-certs
+ secret:
+ secretName: openshift-gitops-operator-metrics-tls
 serviceAccountName: controller-manager
- terminationGracePeriodSeconds: 10
+ terminationGracePeriodSeconds: 10
\ No newline at end of file
diff --git a/config/rbac/metrics_service.yaml b/config/rbac/metrics_service.yaml
index dfaaf9f522a..78fca50345d 100644
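Review bot: buildMetricsServerOptions has no doc comment, and the property that matters most — that with secureMetrics false the endpoint is served over plain HTTP with no authentication/authorization filter at all — is only visible by reading the conditional. A header comment should state that contract: the function assembles the controller-runtime metrics server options; in secure mode it serves TLS from the serving certificate mounted under CertDir and wraps every request in `filters.WithAuthenticationAndAuthorization`; in insecure mode no filter is applied. The path `/tmp/k8s-metrics-server/serving-certs` is also repeated in three manifests of this commit, so hoisting it to a package constant, `const metricsCertDir = "/tmp/k8s-metrics-server/serving-certs"`, gives the manifests a single name to stay in step with. Setting CertDir alone relies on controller-runtime's default certificate and key file names matching the keys the mounted service-ca secret carries; a one-line comment saying so would save the next reader from having to verify it.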
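Review bot: The trailing newline of config/manager/manager.yaml is dropped in the last hunk — the `-`/`+` pair on `terminationGracePeriodSeconds: 10` exists only for that, as the `\ No newline at end of file` marker shows; restore the newline so the last line is plain context and the hunk shrinks to the eight added lines. Indentation is not visible in this collapsed view, so verify that `volumes:` sits at pod-spec level as a sibling of `serviceAccountName:` rather than under the container next to `volumeMounts:`; the generated CSV places it after `terminationGracePeriodSeconds`, which suggests it is right, but a `volumes` key inside a container would be rejected by schema validation.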
--- a/config/rbac/metrics_service.yaml
+++ b/config/rbac/metrics_service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
- service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls
+ service.beta.openshift.io/serving-cert-secret-name: openshift-gitops-operator-metrics-tls
 labels:
 control-plane: gitops-operator
 name: metrics-service