Secure metrics endpoint with cntrlr-runtime metrics authz mechanics #3660
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anik120
requested review from
tmshort
and removed request for
ankitathomas and
perdasilva
anik120
force-pushed
the
native-metrics-authnz
branch
3 times, most recently
from
a62b02f to
f63b885
Compare
11 tasks
tmshort
reviewed
Sep 23, 2025
Contributor
|
/lgtm |
Member
Author
|
Looks like I have to make change to the metrics e2e tests coz the current ones are not authenticating themselves which is why they're failing. Great sign that the changes are working, working on the modifications to the e2e tests..... |
anik120
force-pushed
the
native-metrics-authnz
branch
from
f63b885 to
7704b39
Compare
anik120
force-pushed
the
native-metrics-authnz
branch
from
7704b39 to
9bac784
Compare
Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
force-pushed
the
native-metrics-authnz
branch
from
9bac784 to
63ab287
Compare
anik120
commented
Sep 24, 2025
| KIND_CLUSTER_NAME="kind-olmv0-${i}" \ | ||
| KIND_CREATE_OPTS="--kubeconfig=${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \ | ||
| HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \ | ||
| HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i} --set certManager.enabled=false" \ |
Member
Author
There was a problem hiding this comment.
This presented itself as the easiest way to do all the tests we have for metrics (since these tests are about testing the metrics omitted, eg "creating a subscription emits these metrics", and not the security aspect of the endpoints).
| path: /healthz | ||
| port: {{ .Values.olm.service.internalPort }} | ||
| scheme: {{ if .Values.olm.tlsSecret }}HTTPS{{ else }}HTTP{{end}} | ||
| port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }} |
Member
Author
There was a problem hiding this comment.
Which means the templates had to be updated to configure different endpoints based on the presence of the cert-manager
| e2e-local: e2e-build kind-create e2e-local-deploy e2e | ||
|
|
||
| .PHONY: e2e-local-deploy | ||
| e2e-local-deploy: $(KIND) $(HELM) #HELP Deploy OLM for e2e testing (without cert-manager) |
Member
Author
There was a problem hiding this comment.
Also had to make a new deploy target to deploy olm without cert-manager for e2e testing
Contributor
|
/lgtm |
perdasilva
approved these changes
Oct 10, 2025
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: perdasilva The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-merge-bot
bot
merged commit 589a5d0
into
operator-framework:master
14 checks passed
camilamacedo86
added a commit
to camilamacedo86/operator-lifecycle-manager
that referenced
this pull request
Oct 23, 2025
…hanics (operator-framework#3660)" This reverts commit 589a5d0.
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Nov 11, 2025
**Problem:** PR operator-framework#3660 introduced cert-manager as a hard dependency for OLM deployments, causing installation failures when cert-manager CRDs are not present: error getting resource "olm/olm-cert" with GVK "cert-manager.io/v1, Kind=Certificate": no matches for kind "Certificate" in version "cert-manager.io/v1" This is a breaking change for existing users who don't have cert-manager installed. **Solution:** Make secured metrics endpoints an opt-in feature by setting `certManager.enabled: false` by default in Helm values. Users who want authenticated metrics must explicitly enable cert-manager. **Changes:** - Set `certManager.enabled: false` in `deploy/chart/values.yaml` - Remove `cert-manager-install` dependency from `make run-local` - Remove `--set certManager.enabled=true` override from `make deploy` - Remove automatic cert-manager cleanup from `make undeploy` **Behavior:** - Default (cert-manager disabled): HTTP metrics on port 8080, no authentication - Opt-in (`certManager.enabled: true`): HTTPS metrics on port 8443 with authentication/authorization Fixes the breaking change introduced in operator-framework#3660 while preserving the secured metrics feature for users who want it.
11 tasks
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Nov 11, 2025
**Problem:** PR #3660 introduced cert-manager as a hard dependency for OLM deployments, causing installation failures when cert-manager CRDs are not present: error getting resource "olm/olm-cert" with GVK "cert-manager.io/v1, Kind=Certificate": no matches for kind "Certificate" in version "cert-manager.io/v1" This is a breaking change for existing users who don't have cert-manager installed. **Solution:** Make secured metrics endpoints an opt-in feature by setting `certManager.enabled: false` by default in Helm values. Users who want authenticated metrics must explicitly enable cert-manager. **Changes:** - Set `certManager.enabled: false` in `deploy/chart/values.yaml` - Remove `cert-manager-install` dependency from `make run-local` - Remove `--set certManager.enabled=true` override from `make deploy` - Remove automatic cert-manager cleanup from `make undeploy` **Behavior:** - Default (cert-manager disabled): HTTP metrics on port 8080, no authentication - Opt-in (`certManager.enabled: true`): HTTPS metrics on port 8443 with authentication/authorization Fixes the breaking change introduced in #3660 while preserving the secured metrics feature for users who want it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change:
Implements native metrics authentication and authorization for OLM and catalog operators using controller-runtime
filters. Adds TLS support with automatic certificate management via cert-manager, replacing unprotected HTTP metrics
endpoints with authenticated HTTPS endpoints on port 8443.
Motivation for the change:
Current metrics endpoints are unprotected and accessible to anyone with cluster access, creating potential security
risks. This change secures metrics access by requiring proper Kubernetes RBAC authentication and authorization,
following the same pattern used by operator-controller for production deployments.
Architectural changes:
WithAuthenticationAndAuthorizationfilter for metrics endpointsTesting remarks:
Reviewer Checklist
/doc[FLAKE]are truly flaky and have an issue