Skip to content

Fix: Secure TLS for Prometheus metrics endpoint#120

Merged
openshift-merge-bot[bot] merged 1 commit into
lcore-migrationfrom
feat/OSPR-30557_tls-metrics-endpoint
Jul 2, 2026
Merged

Fix: Secure TLS for Prometheus metrics endpoint#120
openshift-merge-bot[bot] merged 1 commit into
lcore-migrationfrom
feat/OSPR-30557_tls-metrics-endpoint

Conversation

@malingatembo

@malingatembo malingatembo commented Jun 24, 2026

Copy link
Copy Markdown

Followed pattern from openstack-k8s-operators/telemetry-operator
Commit: 6111e80d by Jaromir Wysoglad (2024-02-28)
TLS implementation for Prometheus metrics in OpenShift

How adapted here

Jaromir's approach: Optional TLS via API (flexible, supports cert-manager or service-ca)
Our approach: Always-on TLS with service-ca only

Core pattern (5 components):

  1. Service annotation: triggers service-ca to create certificate
  2. Volume mounts: makes certificate accessible to Pod
  3. Metrics server config: loads certificate from volume
  4. CA bundle ConfigMap: service-ca injects CA certificate
  5. ServiceMonitor : references CA, verifies certificate

Result:
same security outcome as reference implementation
simpler
automatic certificate management

Files Changed

6 source files + 4 auto-generated bundle files (via make bundle)

Summary by CodeRabbit

Summary

  • New Features

    • Improved metrics endpoint TLS handling by explicitly loading the serving certificate/key.
    • Updated metrics services and operator components to use the designated serving-certificate secret.
  • Bug Fixes

    • Secured Prometheus scraping by removing TLS “skip verification”.
    • Enabled verified HTTPS scraping using an injected CA bundle and expected certificate identity.

@openshift-ci openshift-ci Bot requested review from lpiwowar and umago June 24, 2026 10:00
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a687abc-dacf-4287-9393-531955cc8d13

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The metrics server now reads serving certs from an OpenShift-provided secret mounted at /tmp/k8s-metrics-server/serving-certs. Prometheus now verifies the /metrics endpoint with a CA bundle and server name, and the bundle manifests are aligned with the new TLS wiring.

Changes

Metrics Server TLS Hardening

Layer / File(s) Summary
OpenShift cert provisioning and volume mount
config/default/metrics_service.yaml, config/manager/manager.yaml, config/prometheus/ca-bundle-configmap.yaml, config/prometheus/kustomization.yaml
Adds the serving-cert secret annotation to the metrics Service, mounts the resulting secret into the manager container at /tmp/k8s-metrics-server/serving-certs, and adds the CABundle-injected ConfigMap to the Prometheus Kustomize resources.
Metrics server TLS options
cmd/main.go
Adds CLI flags and options for CertDir, CertName, and KeyName, with defaults pointing to the mounted serving-certs path and tls.crt/tls.key.
Prometheus TLS verification
config/prometheus/monitor.yaml
Replaces insecureSkipVerify: true in the ServiceMonitor tlsConfig with caFile and serverName for verified TLS.
Bundle manifests sync
bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml, bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
Updates the OLM bundle service annotation, adds the CSV cert volumeMount and volume, and refreshes the CSV createdAt timestamp and builder annotation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop hop, the certs are in place,
Secret and bundle now share the space.
Metrics speak TLS, neat and bright,
Prometheus checks with proper light.
Soft ears twinkle at the secure sight!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: securing the Prometheus metrics endpoint with TLS.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/OSPR-30557_tls-metrics-endpoint

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
config/prometheus/monitor.yaml (1)

18-19: 🎯 Functional Correctness | 🔵 Trivial | 🏗️ Heavy lift

Avoid hardcoding one rendered namespace into serverName.

The rest of this manifest set still uses the system placeholder namespace, but Line 19 pins hostname verification to metrics.openstack-lightspeed-system.svc. That only works for one rendered namespace; installing into any other namespace will break TLS verification against the service-ca cert. Please drive serverName from the same namespace transform/replacement path as the Service resource instead of baking in a single output.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/prometheus/monitor.yaml` around lines 18 - 19, The Prometheus TLS
config is hardcoding a rendered namespace in the serverName value, which will
break hostname verification when the manifest is installed into a different
namespace. Update the serverName in the Prometheus config to use the same
namespace substitution/replacement mechanism as the Service resource and the
rest of this manifest set, so it is generated dynamically from the target
namespace instead of being fixed to metrics.openstack-lightspeed-system.svc.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/main.go`:
- Around line 113-116: The metrics server setup is missing the TLS policy from
tlsOpts, so only the serving cert paths are being applied. Update the metrics
server options in main to also set TLSOpts: tlsOpts alongside CertDir, CertName,
and KeyName so the metrics endpoint inherits the same TLS 1.3 minimum and HTTP/2
disablement as the webhook server.

---

Nitpick comments:
In `@config/prometheus/monitor.yaml`:
- Around line 18-19: The Prometheus TLS config is hardcoding a rendered
namespace in the serverName value, which will break hostname verification when
the manifest is installed into a different namespace. Update the serverName in
the Prometheus config to use the same namespace substitution/replacement
mechanism as the Service resource and the rest of this manifest set, so it is
generated dynamically from the target namespace instead of being fixed to
metrics.openstack-lightspeed-system.svc.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a9dc39c-bf0c-4d32-8c47-657fb3555182

📥 Commits

Reviewing files that changed from the base of the PR and between d598c3f and cc98139.

📒 Files selected for processing (6)
  • cmd/main.go
  • config/default/metrics_service.yaml
  • config/manager/manager.yaml
  • config/prometheus/ca-bundle-configmap.yaml
  • config/prometheus/kustomization.yaml
  • config/prometheus/monitor.yaml

Comment thread cmd/main.go Outdated
@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch 2 times, most recently from 073deac to 845c723 Compare June 24, 2026 14:16
Comment thread config/prometheus/monitor.yaml Outdated
# keyFile: /etc/metrics-certs/tls.key
insecureSkipVerify: true
caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
serverName: metrics.system.svc

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey! Just a heads-up that Kustomize won't automatically update this serverName field, leaving it stuck as metrics.system.svc. Because the actual service name changes after rendering, Prometheus will see a domain mismatch and TLS verification will fail. We'll need to either hardcode the final rendered name or use a Kustomize replacements block to inject it dynamically.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Omkar for catching that, you are correct. I have since mad ethe correction. Cheers

@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch from 66039c3 to f09cae8 Compare June 29, 2026 13:53
@omkarjoshi0304

Copy link
Copy Markdown
Contributor

Thanks for the changes , LGTM:)

@lpiwowar lpiwowar left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice start!:) Couple of changes required 🙈

Comment thread cmd/main.go Outdated
Comment on lines +115 to +117
CertDir: "/tmp/k8s-metrics-server/serving-certs",
CertName: "tls.crt",
KeyName: "tls.key",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (blocking): Can we make it please so that these values are not hardcoded but passed to the operator's code via parameters? [1]

[1] https://github.com/openshift/lightspeed-operator/blob/f913cabc5a38eb99dcd0c7206a75e7172786d09c/cmd/main.go#L280-L282

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for review!
I've implemented your suggestion to parameterise the cert paths.

@malingatembo malingatembo changed the base branch from main to lcore-migration June 30, 2026 11:48
@malingatembo

Copy link
Copy Markdown
Author

/retest

@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch from 130ebec to 82a32b8 Compare June 30, 2026 12:16
@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch from 82a32b8 to 60ab3d0 Compare June 30, 2026 12:36
@malingatembo

Copy link
Copy Markdown
Author

/retest

1 similar comment
@malingatembo

Copy link
Copy Markdown
Author

/retest

@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch from d1c6cb4 to 41737d2 Compare June 30, 2026 14:23
Comment thread bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml Outdated
@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch 3 times, most recently from 8a82f38 to 57404d5 Compare July 1, 2026 09:12

@lpiwowar lpiwowar left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The blocking comment should be resolved before we merge:). Maybe something to discuss within the team.

Comment thread cmd/main.go Outdated
Comment thread config/prometheus/monitor.yaml Outdated
@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch 5 times, most recently from 58fe00f to e6e96bd Compare July 1, 2026 14:26
Comment thread config/prometheus/monitor.yaml
Implement HTTPS serving for the operator's /metrics endpoint using
OpenShift service-ca for automatic certificate management.

Changes:
- Add service-ca annotation to metrics Service for automatic cert generation
- Mount certificate Secret in operator Pod
- Configure metrics server to use service-ca certificates (TLS 1.3, HTTP/2 disabled)
- Parameterize certificate paths via command-line flags (--cert-dir, --cert-name, --key-name)
- Regenerate bundle manifests

Note: ServiceMonitor TLS configuration (Prometheus scraping) will be
handled in a follow-up ticket, as ../prometheus is currently commented
out in the deployment.

Fixes: OSPR-30557
@malingatembo malingatembo force-pushed the feat/OSPR-30557_tls-metrics-endpoint branch from e6e96bd to 4e0116a Compare July 1, 2026 14:52

@lpiwowar lpiwowar left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

The /metrics endpoint now works solely over HTTPS (tested with curl). Let's see how to jobs turn out but I think it should be alright.

@umago umago left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Malinga! The patch looks quite straight forward now. I like the "always on TLS approach" as it feels production ready. So /lgtm

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lpiwowar, malingatembo, umago

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 2, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit f504f8f into lcore-migration Jul 2, 2026
8 checks passed
@malingatembo

malingatembo commented Jul 2, 2026

Copy link
Copy Markdown
Author

Thanks Team for all the reviews <3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants