Skip to content

fix: Make cert-manager optional for secured metrics endpoints #3706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 11, 2025
Merged

fix: Make cert-manager optional for secured metrics endpoints #3706

merged 1 commit into from
Nov 11, 2025

Conversation

@anik120
Copy link
Member

@anik120 anik120 commented Nov 11, 2025

Problem:

PR #3660 introduced cert-manager as a hard dependency for OLM deployments, causing installation failures when cert-manager CRDs are not present:

error getting resource "olm/olm-cert" with GVK "cert-manager.io/v1, Kind=Certificate": no matches for kind "Certificate" in version "cert-manager.io/v1"

This is a breaking change for existing users who don't have cert-manager installed.

Solution:

Make secured metrics endpoints an opt-in feature by setting certManager.enabled: false by default in Helm values. Users who want authenticated metrics must explicitly enable cert-manager.

Changes:

  • Set certManager.enabled: false in deploy/chart/values.yaml
  • Remove cert-manager-install dependency from make run-local
  • Remove --set certManager.enabled=true override from make deploy
  • Remove automatic cert-manager cleanup from make undeploy

Behavior:

  • Default (cert-manager disabled): HTTP metrics on port 8080, no authentication
  • Opt-in (certManager.enabled: true): HTTPS metrics on port 8443 with authentication/authorization

Fixes the breaking change introduced in #3660 while preserving the secured metrics feature for users who want it.

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Bug fixes are accompanied by regression test(s)
  • e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
  • tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • Docs updated or added to /doc
  • Commit messages sensible and descriptive
  • Tests marked as [FLAKE] are truly flaky and have an issue
  • Code is properly formatted

@anik120
fix: Make cert-manager optional for secured metrics endpoints
601bc62 
**Problem:**

PR operator-framework#3660 introduced cert-manager as a hard dependency for OLM deployments, causing installation failures when
cert-manager CRDs are not present:

error getting resource "olm/olm-cert" with GVK "cert-manager.io/v1, Kind=Certificate":
no matches for kind "Certificate" in version "cert-manager.io/v1"

This is a breaking change for existing users who don't have cert-manager installed.

**Solution:**

Make secured metrics endpoints an opt-in feature by setting `certManager.enabled: false` by default in Helm values.
Users who want authenticated metrics must explicitly enable cert-manager.

**Changes:**

- Set `certManager.enabled: false` in `deploy/chart/values.yaml`
- Remove `cert-manager-install` dependency from `make run-local`
- Remove `--set certManager.enabled=true` override from `make deploy`
- Remove automatic cert-manager cleanup from `make undeploy`

**Behavior:**

- Default (cert-manager disabled): HTTP metrics on port 8080, no authentication
- Opt-in (`certManager.enabled: true`): HTTPS metrics on port 8443 with authentication/authorization

Fixes the breaking change introduced in operator-framework#3660 while preserving the secured metrics feature for users who want it.
@openshift-ci openshift-ci bot requested review from dtfranz and tmshort November 11, 2025 14:19
@tmshort
Copy link
Contributor

tmshort commented Nov 11, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 11, 2025
@tmshort
Copy link
Contributor

tmshort commented Nov 11, 2025

/approve

@openshift-ci
Copy link

openshift-ci bot commented Nov 11, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 11, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 6838e5e into operator-framework:master Nov 11, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dtfranz dtfranz Awaiting requested review from dtfranz

@tmshort tmshort Awaiting requested review from tmshort

Assignees

@tmshort tmshort

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anik120 @tmshort