STOR-2884: Add service to generate a TLS cert for EFS operator #522

Open
jsafrane wants to merge 1 commit into openshift:main from jsafrane:add-service-to-generate-a-tls

@jsafrane
Contributor

Add service aws-efs-csi-driver-operator-metrics to the EFS CSI driver OLM manifests. OLM will instantiate it together with the operator Deployment.

This service causes service-ca-operator to generate a TLS key + certificate for the operator. As a result, the operator stops generating a self-signed cert and uses the provided one instead.

cc @openshift/storage

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 11, 2026
@openshift-ci-robot
openshift-ci-robot commented Mar 11, 2026

@jsafrane: This pull request references STOR-2884 which is a valid jira issue.

@coderabbitai
coderabbitai bot commented Mar 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 048c4d48-6a82-4c2c-9d2a-7d394471891b

📥 Commits

Reviewing files that changed from the base of the PR and between bb442b7 and 1474830.

📒 Files selected for processing (3)
  • config/aws-efs/bundle.Dockerfile
  • config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml
  • config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • config/aws-efs/bundle.Dockerfile
  • config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml

📝 Walkthrough

Adds a new ClusterIP Service manifest at config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml exposing port 443 (targetPort 8443) with an annotation to request a serving certificate. Updates the operator CSV to add two terminate-on-files arguments, add a secret-backed volume named metrics-serving-cert sourced from aws-efs-csi-driver-operator-metrics-serving-cert, and mount it at /var/run/secrets/serving-cert. Updates the bundle Dockerfile to copy the new Service manifest into the image.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: adding a service to generate a TLS certificate for the EFS operator, which is the primary objective evident from all modified files. |
| Description check | ✅ Passed | The description accurately explains the purpose of the changes: adding a metrics service to trigger TLS certificate generation via service-ca-operator instead of self-signed certificates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml (1)

1-21: Service configuration looks correct for certificate generation purpose.

The manifest correctly uses the service.beta.openshift.io/serving-cert-secret-name annotation to trigger service-ca-operator certificate generation, and the secret name matches what's referenced in the ClusterServiceVersion.

A few observations:

  1. The selector app: aws-efs-csi-driver-operator correctly matches the Deployment's pod labels.
  2. The inline comments clearly document this is a placeholder for certificate generation.

The TODO on lines 12-13 acknowledges that the operator metrics endpoint needs to be exposed later. Ensure this follow-up work is tracked.

Would you like me to open an issue to track the follow-up work for exposing the operator metrics port and creating a ServiceMonitor?

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml`
around lines 1 - 21, Create tracking work to implement the TODO: open an issue
(or Jira ticket) titled e.g. "Expose operator metrics and add ServiceMonitor for
aws-efs-csi-driver-operator" that describes adding a real metrics port to the
operator Deployment and updating the Service aws-efs-csi-driver-operator-metrics
to point to that port (replace the fake port mapping to target the operator
metrics port), plus creating a ServiceMonitor resource to scrape the endpoint;
reference the Service name aws-efs-csi-driver-operator-metrics, the serving-cert
annotation service.beta.openshift.io/serving-cert-secret-name, and the TODO
comment in this manifest so the future PR updates config/manifests and CSV
accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98152978-dd32-40c8-aec5-83885f889b9e

📥 Commits

Reviewing files that changed from the base of the PR and between a682e87 and bb442b7.

📒 Files selected for processing (3)
  • config/aws-efs/bundle.Dockerfile
  • config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml
  • config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
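
The review above relies on two pieces of wiring: the Service's serving-cert annotation must name the same secret the ClusterServiceVersion mounts, and the Service selector must match the operator pod labels. The Python check below is an added example, not code from this PR or from the repository; the JSON manifests are constructed from the names in the walkthrough, and the container name `operator` and the function name are assumptions.

```python
import json

ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"

# Constructed sample manifests built from the names in the review walkthrough;
# they are not copies of the PR's files. The container name is an assumption.
SERVICE = json.loads("""
{"kind": "Service",
 "metadata": {"name": "aws-efs-csi-driver-operator-metrics",
   "annotations": {"service.beta.openshift.io/serving-cert-secret-name":
                   "aws-efs-csi-driver-operator-metrics-serving-cert"}},
 "spec": {"type": "ClusterIP",
   "selector": {"app": "aws-efs-csi-driver-operator"},
   "ports": [{"port": 443, "targetPort": 8443}]}}
""")

DEPLOYMENT_SPEC = json.loads("""
{"template": {
  "metadata": {"labels": {"app": "aws-efs-csi-driver-operator"}},
  "spec": {
    "containers": [{"name": "operator",
      "volumeMounts": [{"name": "metrics-serving-cert",
                        "mountPath": "/var/run/secrets/serving-cert"}]}],
    "volumes": [{"name": "metrics-serving-cert",
      "secret": {"secretName": "aws-efs-csi-driver-operator-metrics-serving-cert"}}]}}}
""")


def check_serving_cert_wiring(service, deployment_spec):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    secret = service["metadata"].get("annotations", {}).get(ANNOTATION)
    if not secret:
        return [f"Service lacks the {ANNOTATION} annotation"]
    pod = deployment_spec["template"]
    labels = pod.get("metadata", {}).get("labels", {})
    selector = service["spec"].get("selector", {})
    if not selector or any(labels.get(k) != v for k, v in selector.items()):
        problems.append("Service selector does not match the pod labels")
    volumes = [v["name"] for v in pod["spec"].get("volumes", [])
               if v.get("secret", {}).get("secretName") == secret]
    if not volumes:
        problems.append(f"no volume is backed by secret {secret!r}")
    mounted = {m["name"] for c in pod["spec"]["containers"]
               for m in c.get("volumeMounts", [])}
    for name in volumes:
        if name not in mounted:
            problems.append(f"volume {name!r} is never mounted")
    return problems
```

In an OLM ClusterServiceVersion the Deployment spec passed as the second argument sits under `spec.install.spec.deployments[].spec`.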

@openshift-ci openshift-ci bot requested review from dobsonj and stephenfin March 11, 2026 11:24
@openshift-ci
Contributor

openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 11, 2026
@jsafrane jsafrane changed the title from "STOR-2884: Add service to generate a TLS cert for SMB operator" to "STOR-2884: Add service to generate a TLS cert for EFS operator" Mar 11, 2026
Add service aws-efs-csi-driver-operator-metrics to the EFS CSI driver OLM
manifests. OLM will instantiate it together with the operator Deployment.

This service causes service-ca-operator to generate a TLS key + certificate
for the operator. As a result, the operator stops generating a self-signed
cert and uses the provided one instead.
@openshift-ci
Contributor

openshift-ci bot commented Mar 11, 2026

@jsafrane: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/hypershift-aws-e2e-external | 1474830 | link | true | /test hypershift-aws-e2e-external |
| ci/prow/hypershift-e2e-aks | 1474830 | link | true | /test hypershift-e2e-aks |
| ci/prow/e2e-azure | 1474830 | link | true | /test e2e-azure |
