feat: securet operator metrics by WithAuthenticationAndAuthorization

Refs: securesign/fbc#65
Signed-off-by: Tomas Turek <[email protected]>

Author: osmman

.github/workflows/main.yml

@@ -221,7 +221,7 @@ jobs:
 
       - name: Wait for operator to be ready
         run: |
-          kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
+          kubectl wait --for=condition=available deployment/rhtas-controller-manager --timeout=120s -n openshift-rhtas-operator
 
       - name: Add service hosts to /etc/hosts
         run: |
@@ -241,7 +241,7 @@ jobs:
           if-no-files-found: ignore
 
       - name: dump the logs of the operator
-        run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
+        run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-controller-manager
         if: always()
 
   test-upgrade:
@@ -448,7 +448,7 @@ jobs:
 
       - name: Wait for operator to be ready
         run: |
-          kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
+          kubectl wait --for=condition=available deployment/rhtas-controller-manager --timeout=120s -n openshift-rhtas-operator
 
       - name: Install securesign
         run: |
@@ -478,7 +478,7 @@ jobs:
 
       - name: dump the logs of the operator
         run: |
-          kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
+          kubectl logs -n openshift-rhtas-operator deployment/rhtas-controller-manager
         if: failure()
 
   test-eks:
@@ -622,7 +622,7 @@ jobs:
 
       - name: dump the logs of the operator
         run: |
-          kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
+          kubectl logs -n openshift-rhtas-operator deployment/rhtas-controller-manager
         if: always()
 
       - name: delete the cluster

bundle/manifests/rhtas-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -0,0 +1,20 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rhtas-operator
+    control-plane: controller-manager
+  name: rhtas-controller-manager-metrics-monitor
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: rhtas-operator
+      control-plane: controller-manager

bundle/manifests/rhtas-controller-manager-metrics-service_v1_service.yaml

@@ -3,14 +3,18 @@ kind: Service
 metadata:
   creationTimestamp: null
   labels:
-    control-plane: operator-controller-manager
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rhtas-operator
+    control-plane: controller-manager
   name: rhtas-controller-manager-metrics-service
 spec:
   ports:
-  - name: metrics
-    port: 8080
-    targetPort: metrics
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
   selector:
-    control-plane: operator-controller-manage
+    app.kubernetes.io/name: rhtas-operator
+    control-plane: controller-manager
 status:
   loadBalancer: {}

bundle/manifests/rhtas-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: rhtas-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

bundle/manifests/rhtas-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -5,11 +5,15 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/name: rhtas-operator
     control-plane: controller-manager
-  name: rhtas-operator-controller-manager-metrics-monitor
+  name: rhtas-controller-manager-metrics-monitor
 spec:
   endpoints:
-  - path: /metrics
-    port: metrics
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
   selector:
     matchLabels:
       app.kubernetes.io/name: rhtas-operator

bundle/manifests/rhtas-operator-controller-manager-metrics-service_v1_service.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/name: rhtas-operator
     control-plane: controller-manager
-  name: rhtas-operator-controller-manager-metrics-service
+  name: rhtas-controller-manager-metrics-service
 spec:
   ports:
   - name: metrics

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -297,7 +297,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:0332d8e99dca5eb443a0de6800817d286057498374faa7a9d59b592efb453a3a
-    createdAt: "2025-05-15T11:50:45Z"
+    createdAt: "2025-05-15T11:51:22Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -600,13 +600,25 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
         serviceAccountName: rhtas-operator-controller-manager
       deployments:
       - label:
           app.kubernetes.io/managed-by: kustomize
           app.kubernetes.io/name: rhtas-operator
           control-plane: controller-manager
-        name: rhtas-operator-controller-manager
+        name: rhtas-controller-manager
         spec:
           replicas: 1
           selector:
@@ -624,8 +636,8 @@ spec:
             spec:
               containers:
               - args:
+                - --metrics-bind-address=:8443
                 - --leader-elect
-                - --metrics-bind-address=0.0.0.0:8080
                 command:
                 - /manager
                 env:
@@ -672,8 +684,12 @@ spec:
                   periodSeconds: 20
                 name: manager
                 ports:
-                - containerPort: 8080
+                - containerPort: 8081
+                  name: health
+                  protocol: TCP
+                - containerPort: 8443
                   name: metrics
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz

ci/openshift/sign-test.sh

@@ -68,7 +68,7 @@ spec:
   backoffLimit: 4 # Defines the number of retries before considering the Job failed.
 EOF
 
-oc logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
+oc logs -n openshift-rhtas-operator deployment/rhtas-controller-manager
 
 # Apply the modified YAML using kubectl
 kubectl apply -f job.yaml -n default

cmd/main.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"path/filepath"
 	"strconv"
 
 	"github.com/securesign/operator/internal/images"
@@ -46,7 +47,9 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
@@ -79,26 +82,43 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
+// nolint:gocyclo
 func main() {
 	var (
 		metricsAddr          string
+		metricsCertPath      string
+		metricsCertName      string
+		metricsCertKey       string
+		webhookCertPath      string
+		webhookCertName      string
+		webhookCertKey       string
 		enableLeaderElection bool
 		probeAddr            string
 		pprofAddr            string
 		secureMetrics        bool
 		enableHTTP2          bool
+		tlsOpts              []func(*tls.Config)
 	)
 
 	flag.StringVar(&pprofAddr, "pprof-address", "", "The address to expose the pprof server. Default is empty string which disables the pprof server.")
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", false,
-		"If set the metrics endpoint is served securely")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.")
+	flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.")
+	flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.")
+	flag.StringVar(&metricsCertPath, "metrics-cert-path", "",
+		"The directory that contains the metrics server certificate.")
+	flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
+	flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+
 	flag.Int64Var(&constants.CreateTreeDeadline, "create-tree-deadline", constants.CreateTreeDeadline, "The time allowance (in seconds) for the create tree job to run before failing.")
 	utils.BoolFlagOrEnv(&constants.Openshift, "openshift", "OPENSHIFT", false, "Enable to ensures the operator applies OpenShift specific configurations.")
 	utils.RelatedImageFlag("trillian-log-signer-image", images.TrillianLogSigner, "The image used for trillian log signer.")
@@ -135,22 +155,87 @@ func main() {
 		c.NextProtos = []string{"http/1.1"}
 	}
 
-	tlsOpts := []func(*tls.Config){}
 	if !enableHTTP2 {
 		tlsOpts = append(tlsOpts, disableHTTP2)
 	}
 
+	// Create watchers for metrics and webhooks certificates
+	var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher
+
+	// Initial webhook TLS options
+	webhookTLSOpts := tlsOpts
+
+	if len(webhookCertPath) > 0 {
+		setupLog.Info("Initializing webhook certificate watcher using provided certificates",
+			"webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey)
+
+		var err error
+		webhookCertWatcher, err = certwatcher.New(
+			filepath.Join(webhookCertPath, webhookCertName),
+			filepath.Join(webhookCertPath, webhookCertKey),
+		)
+		if err != nil {
+			setupLog.Error(err, "Failed to initialize webhook certificate watcher")
+			os.Exit(1)
+		}
+
+		webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) {
+			config.GetCertificate = webhookCertWatcher.GetCertificate
+		})
+	}
+
 	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: tlsOpts,
+		TLSOpts: webhookTLSOpts,
 	})
 
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
+	// If the certificate is not specified, controller-runtime will automatically
+	// generate self-signed certificates for the metrics server. While convenient for development and testing,
+	// this setup is not recommended for production.
+	//
+	// TODO(user): If you enable certManager, uncomment the following lines:
+	// - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
+	// managed by cert-manager for the metrics server.
+	// - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
+	if len(metricsCertPath) > 0 {
+		setupLog.Info("Initializing metrics certificate watcher using provided certificates",
+			"metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey)
+
+		var err error
+		metricsCertWatcher, err = certwatcher.New(
+			filepath.Join(metricsCertPath, metricsCertName),
+			filepath.Join(metricsCertPath, metricsCertKey),
+		)
+		if err != nil {
+			setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)
+			os.Exit(1)
+		}
+
+		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
+			config.GetCertificate = metricsCertWatcher.GetCertificate
+		})
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			TLSOpts:       tlsOpts,
-		},
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		PprofBindAddress:       pprofAddr,
@@ -233,6 +318,22 @@ func main() {
 	}
 	//+kubebuilder:scaffold:builder
 
+	if metricsCertWatcher != nil {
+		setupLog.Info("Adding metrics certificate watcher to manager")
+		if err := mgr.Add(metricsCertWatcher); err != nil {
+			setupLog.Error(err, "unable to add metrics certificate watcher to manager")
+			os.Exit(1)
+		}
+	}
+
+	if webhookCertWatcher != nil {
+		setupLog.Info("Adding webhook certificate watcher to manager")
+		if err := mgr.Add(webhookCertWatcher); err != nil {
+			setupLog.Error(err, "unable to add webhook certificate watcher to manager")
+			os.Exit(1)
+		}
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)