feat: utilize native tls serving for metrics without sidecar proxy

cmd/reference-addon-manager/main.go

@@ -93,10 +93,8 @@ func setupManager(log logr.Logger, opts options) (ctrl.Manager, error) {
 		LeaderElectionResourceLock: "leases",
 		LeaderElection:             opts.EnableLeaderElection,
 		LeaderElectionID:           "8a4hp84a6s.addon-operator-lock",
-		Metrics: server.Options{
-			BindAddress: opts.MetricsAddr,
-		},
-		Scheme: scheme,
+		Metrics:                    getMetricsOpts(opts),
+		Scheme:                     scheme,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("initializing manager: %w", err)
@@ -188,6 +186,19 @@ func initializeScheme() (*runtime.Scheme, error) {
 	return scheme, nil
 }
 
+func getMetricsOpts(opts options) server.Options {
+	metricsOpts := server.Options{
+		BindAddress: opts.MetricsAddr,
+	}
+
+	if opts.MetricsCertDir != "" {
+		metricsOpts.SecureServing = true
+		metricsOpts.CertDir = opts.MetricsCertDir
+	}
+
+	return metricsOpts
+}
+
 func fail(log logr.Logger, err error, msg string) {
 	log.Error(err, msg)
 

cmd/reference-addon-manager/options.go

@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -15,6 +16,7 @@ type options struct {
 	EnableLeaderElection   bool
 	EnableMetricsRecorder  bool
 	MetricsAddr            string
+	MetricsCertDir         string
 	Namespace              string
 	OperatorName           string
 	ParameterSecretname    string
@@ -66,6 +68,16 @@ func (o *options) processFlags() {
 		"The address the metric endpoint binds to.",
 	)
 
+	flags.StringVar(
+		&o.MetricsCertDir,
+		"metrics-cert-dir",
+		o.MetricsCertDir,
+		strings.Join([]string{
+			"The directory containing the TLS certificate (tls.crt) and key (tls.key) for secure metrics serviing.",
+			"If unset metrics will be served without TLS.",
+		}, " "),
+	)
+
 	flags.StringVar(
 		&o.Namespace,
 		"namespace",

config/components/olm/cluster_service_version.yaml

@@ -37,7 +37,3 @@ spec:
     type: SingleNamespace
   - supported: false
     type: MultiNamespace
-  customresourcedefinitions:
-    owned:
-      - kind: ReferenceAddon
-        name: referenceaddons.reference.addons.managed.openshift.io

config/deploy/kustomization.yaml

@@ -4,6 +4,7 @@ namePrefix: reference-addon-
 commonLabels:
   app.kubernetes.io/name: reference-addon-operator
 resources:
+- reference.addons.managed.openshift.io_referenceaddons.yaml
 - deployment.yaml
 - role_binding.yaml
 - role.yaml

config/deploy/addons.managed.openshift.io_addoninstances.yaml → config/overlays/dev/00_addons.managed.openshift.io_addoninstances.yaml

@@ -148,4 +148,4 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []

config/overlays/dev/kustomization.yaml

@@ -7,4 +7,5 @@ images:
   newTag: latest
 resources:
 - ./00_namespace.yaml
+- ./00_addons.managed.openshift.io_addoninstances.yaml
 - ../../deploy

config/overlays/olm/deployment_patch.yaml

@@ -6,50 +6,18 @@ spec:
   template:
     spec:
       containers:
-      - name: metrics-proxy
-        image: metrics-proxy
-        imagePullPolicy: IfNotPresent
+      - name: manager
         ports:
-        - name: metrics-proxy
+        - name: tls-manager-metrics
           containerPort: 8443
         args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --ignore-paths=/metrics,/healthz
-        - --tls-cert-file=/etc/tls/private/tls.crt
-        - --tls-private-key-file=/etc/tls/private/tls.key
-        - --proxy-endpoints-port=8643
+        - --enable-leader-election
+        - --metrics-addr=:8443
+        - --metrics-cert-dir=/etc/tls/manager/metrics
         volumeMounts:
-        - mountPath: /etc/tls/private
-          name: metrics-proxy-tls
-        resources:
-          limits:
-            cpu: 100m
-            memory: 64Mi
-          requests:
-            cpu: 25m
-            memory: 32Mi
-        livenessProbe:
-          httpGet:
-            path: healthz
-            port: 8643
-            scheme: HTTPS
-          initialDelaySeconds: 15
-          periodSeconds: 20
-        readinessProbe:
-          httpGet:
-            path: healthz
-            port: 8643
-            scheme: HTTPS
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
+        - mountPath: /etc/tls/manager/metrics
+          name: tls-manager-metrics
       volumes:
-      - name: metrics-proxy-tls
+      - name: tls-manager-metrics
         secret:
-          secretName: metrics-proxy-tls
+          secretName: tls-manager-metrics

config/overlays/olm/metrics.service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   name: reference-addon-metrics
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: metrics-proxy-tls
+    service.beta.openshift.io/serving-cert-secret-name: tls-manager-metrics
   labels:
     app.kubernetes.io/name: reference-addon-operator
 spec:

integration/suite_test.go

@@ -76,7 +76,7 @@ var _ = BeforeSuite(func() {
 		},
 		Paths: []string{
 			filepath.Join(root, "config", "deploy", "reference.addons.managed.openshift.io_referenceaddons.yaml"),
-			filepath.Join(root, "config", "deploy", "addons.managed.openshift.io_addoninstances.yaml"),
+			filepath.Join(root, "config", "overlays", "dev", "00_addons.managed.openshift.io_addoninstances.yaml"),
 		},
 		Scheme: scheme,
 	})