@osmman osmman commented May 13, 2025

Refs: securesign/fbc#65

Summary by Sourcery

Secure operator metrics by default with HTTPS, authentication and authorization; enable dynamic TLS certificate loading for metrics and webhook servers; update manifests and RBAC to support secure metrics, and standardize labels across resources.

New Features:

  • Serve operator metrics over HTTPS on port 8443 by default and protect them with Kubernetes authentication and authorization.
  • Introduce dynamic TLS certificate watching for both metrics and webhook servers via certwatcher.
  • Add CLI flags to configure metrics and webhook certificate paths, names, and keys.

Enhancements:

  • Update Kustomize configurations to include a secure metrics service, related RBAC roles and bindings for tokenreviews and subjectaccessreviews, and a network policy to restrict /metrics access.
  • Revise ServiceMonitor manifests to use HTTPS, bearer tokens, and optional TLS verification, with corresponding patches for cert-manager integration.
  • Standardize resource labels (app.kubernetes.io/name: rhtas-operator, control-plane: controller-manager) across all manifests.
  • Update the ClusterServiceVersion to grant necessary authentication and authorization permissions for secure metrics.

Build:

  • Add and bump various indirect Go module dependencies to support new certificate watcher and metrics features.

sourcery-ai bot commented May 13, 2025

Reviewer's Guide

This PR secures the operator’s metrics endpoint by defaulting to HTTPS, integrating controller-runtime’s authentication and authorization filter, managing TLS certificates via watchers, and updating the Helm-style Kustomize overlays, RBAC, network policies, and bundle manifests to support secure metrics access.

File-Level Changes

Integrate secure metrics TLS and authn/authz in the operator binary
  • Introduced CLI flags for metrics and webhook certificate paths, names, and keys
  • Defaulted secureMetrics to true and enabled HTTPS on port 8443
  • Initialized certwatcher for hot-reloading webhook and metrics certificates
  • Configured metricsServerOptions.FilterProvider to filters.WithAuthenticationAndAuthorization
  • Attached certificate watchers to the controller manager
  Files: cmd/main.go

Enable secure metrics and network policy in Kustomize overlays
  • Added metrics_service.yaml to default resources
  • Reordered and added patches: manager_metrics_patch.yaml and cert_metrics_manager_patch.yaml
  • Included network-policy overlay for controlling /metrics ingress
  Files: config/default/kustomization.yaml, config/default/manager_metrics_patch.yaml, config/default/cert_metrics_manager_patch.yaml, config/network-policy/allow-metrics-traffic.yaml

Replace kube-rbac-proxy with controller-runtime authn/authz RBAC
  • Removed auth_proxy_* RBAC objects
  • Added ClusterRoles and RoleBindings for metrics-auth-role and metrics-reader roles
  • Updated rbac kustomization to include new metrics auth files
  Files: config/rbac/kustomization.yaml, config/rbac/metrics_auth_role.yaml, config/rbac/metrics_auth_role_binding.yaml, config/rbac/metrics_reader_role.yaml

Adjust Prometheus ServiceMonitor for HTTPS metrics
  • Switched ServiceMonitor port to https, scheme to https, and added bearerTokenFile
  • Provided monitor_tls_patch.yaml for cert-manager-managed TLS
  • Updated ServiceMonitor manifests in both config and bundle to use HTTPS and unified labels
  Files: config/prometheus/monitor.yaml, config/prometheus/monitor_tls_patch.yaml, bundle/manifests/*metrics-monitor*.yaml

Update CSV bundle with new permissions and labels
  • Granted tokenreviews and subjectaccessreviews verbs in CSV permissions
  • Unified app.kubernetes.io/name and control-plane labels to 'rhtas-operator'/'controller-manager'
  • Bumped createdAt timestamp and related image digests in the CSV
  Files: bundle/manifests/rhtas-operator.clusterserviceversion.yaml

Add new dependencies for certwatcher and metrics filters
  • Imported sigs.k8s.io/controller-runtime/pkg/certwatcher and pkg/metrics/filters
  • Updated go.mod and go.sum to include new indirect dependencies
  Files: go.mod, go.sum


@openshift-ci openshift-ci bot requested review from JasonPowr and bouskaJ May 13, 2025 13:57
openshift-ci bot commented May 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: osmman


@sourcery-ai sourcery-ai bot left a comment


Hey @osmman - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

  • Using insecureSkipVerify: true is a security risk. (link)
Here's what I looked at during the review
  • 🟡 General issues: 1 issue found
  • 🔴 Security: 1 blocking issue, 1 other issue
  • 🟢 Testing: all looks good
  • 🟢 Documentation: all looks good


Comment on lines +17 to +23
tlsConfig:
  # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
  # certificate verification, exposing the system to potential man-in-the-middle attacks.
  # For production environments, it is recommended to use cert-manager for automatic TLS certificate management.
  # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml,
  # which securely references the certificate from the 'metrics-server-cert' secret.
  insecureSkipVerify: true

🚨 issue (security): Using insecureSkipVerify: true is a security risk.

Disabling TLS verification with insecureSkipVerify allows MITM attacks. Limit it to dev/testing, and in production enable cert-manager with valid certificates.

Comment on lines +32 to +36
# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy.
# Only Pod(s) running in a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
# Only CR(s) which require webhooks and are applied in namespaces labeled with 'webhooks: enabled' will
# be able to communicate with the Webhook Server.
#- ../network-policy

🚨 suggestion (security): NetworkPolicy is not enabled by default; consider enabling for production.

Enabling NetworkPolicy in production helps secure metrics and webhook endpoints from unauthorized access.
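As an added example (not the PR's own manifests), the two manifests the review comments above ask for: a ServiceMonitor that pins the scrape to the cert-manager CA in the 'metrics-server-cert' secret instead of insecureSkipVerify: true, and the NetworkPolicy the commented-out ../network-policy overlay would enable. The secret name, labels, port name and 8443 come from the PR; UPPER_CASE values and the monitor name are placeholders.

```yaml
# Hardened ServiceMonitor: verify the operator's serving certificate with the
# cert-manager CA from the 'metrics-server-cert' secret (insecureSkipVerify off).
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: rhtas-operator-metrics-monitor   # placeholder name
  namespace: OPERATOR_NAMESPACE          # placeholder
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: rhtas-operator
      control-plane: controller-manager
  endpoints:
    - port: https
      scheme: https
      path: /metrics
      # Token the operator checks via TokenReview and then SubjectAccessReview;
      # the scraping ServiceAccount therefore needs the metrics-reader role.
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        insecureSkipVerify: false
        serverName: METRICS_SERVICE.OPERATOR_NAMESPACE.svc   # must match the cert SAN
        ca:
          secret:
            name: metrics-server-cert
            key: ca.crt
---
# NetworkPolicy counterpart of the commented-out ../network-policy overlay:
# admit the metrics port only from namespaces labeled 'metrics: enabled'.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-traffic
  namespace: OPERATOR_NAMESPACE          # placeholder
spec:
  podSelector:
    matchLabels:
      control-plane: controller-manager
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              metrics: enabled
      ports:
        - port: 8443
          protocol: TCP
```

Without a ClusterRoleBinding from the Prometheus ServiceAccount to the PR's metrics-reader ClusterRole, the SubjectAccessReview the operator now performs rejects the scrape even though TLS verification succeeds.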

@osmman osmman force-pushed the tturek/migrate-kube-rbac-proxy branch 3 times, most recently from 7d54839 to 1b381a4 Compare May 13, 2025 15:47
osmman added a commit to securesign/pipelines that referenced this pull request May 14, 2025
Change RHTAS operator deployment name to rhtas-controller-manager which has been
caused because of changes in immutable sections which causes OLM upgrade to fail.

Refs: securesign/secure-sign-operator#1110
osmman commented May 14, 2025

CI-operator and Konflux E2e tests are failing because of changes in manager's deployment name.
securesign/pipelines#129
openshift/release#64891

@osmman osmman force-pushed the tturek/migrate-kube-rbac-proxy branch from 1b381a4 to 1d97db4 Compare May 14, 2025 12:20
@osmman osmman force-pushed the tturek/migrate-kube-rbac-proxy branch from 1d97db4 to 5ad7d3d Compare May 15, 2025 11:51
openshift-ci bot commented May 15, 2025

@osmman: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/tas-operator-e2e 5ad7d3d link true /test tas-operator-e2e


@osmman osmman marked this pull request as draft May 29, 2025 07:15
@osmman osmman added the enhancement New feature or request label Jun 9, 2025