✨ (Blocked by #1475) - Ensure that metrics is protected with TLS for Prometheus integration. #1476
Conversation
…n/authorization

This commit removes the use of the kube-rbac-proxy image and replaces it with metrics authentication/authorization provided by controller-runtime. The kube-rbac-proxy image is deprecated and will no longer be maintained, which introduces risks to production environments. For more details, see: kubernetes-sigs/kubebuilder#3907

Key changes:
- Updated to configure metrics server options with secure authentication/authorization using controller-runtime filters.
- Added support for disabling HTTP/2 by default to mitigate vulnerabilities (e.g., HTTP/2 Stream Cancellation CVE).
- Changed the default metrics endpoint to HTTPS (port 8443) and removed the kube-rbac-proxy container from deployment configurations.
- Updated RBAC files to include metrics-specific roles and bindings, ensuring secure access to metrics.

This aligns with best practices for security and simplifies the metrics setup by leveraging built-in capabilities of controller-runtime.
This change replaces controller-runtime's self-signed certificates for metrics with cert-manager-managed certificates, ensuring security. We should not use `insecureSkipVerify: true`. Also, it is not a good practice for a production env to rely on the self-signed certs generated by controller-runtime and/or the old kube-rbac-proxy, according to sig-security.

Key updates:
- Configured `metricsServerOptions` to use cert-manager-managed certificates (`/var/metrics/certs`).
- Added `ClusterIssuer` (`olmv1-metrics-ca`) and `Certificate` resources for automated certificate management.
- Updated `ServiceMonitor` to enable secure TLS scraping by Prometheus using certificates issued by `olmv1-metrics-ca`.
- The deployment was pushed to mount metrics certificates as secrets.

Benefits:
- Enhanced security with automated certificate lifecycle management.
- Production-ready TLS setup for Prometheus metrics scraping.
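The two commit messages above describe three settings working together: the metrics endpoint serves HTTPS with a certificate issued by a dedicated CA, HTTP/2 is switched off, and the scraper verifies the server against that CA instead of setting `insecureSkipVerify: true`. The Go program below is an added example written for this page, not code from the operator-controller repository or from this PR. It uses only the standard library: an in-memory CA and serving certificate stand in for cert-manager (the `issue` helper, the `Host` service name and all function names are assumptions), the server offers only `http/1.1` via ALPN as the disable-HTTP/2 option does, and the endpoint is then scraped three ways to show what each TLS client setting actually guarantees.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Host is the DNS name the serving certificate is issued for (hypothetical service name).
const Host = "operator-controller-metrics.olmv1-system.svc"

// issue signs tmpl under parent with parentKey, or self-signs it when parent is nil.
// Hypothetical stand-in for the cert-manager issuer; keys are P-256 ECDSA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MetricsPKI: the olmv1-metrics-ca CA and the serving Certificate it issued (what /var/metrics/certs holds).
type MetricsPKI struct {
	CA     *x509.Certificate
	Server tls.Certificate
}

func NewMetricsPKI() (*MetricsPKI, error) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "olmv1-metrics-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, key, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: Host}, DNSNames: []string{Host},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &MetricsPKI{CA: ca, Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: key}}, nil
}

// StartMetricsServer serves /metrics with the issued certificate and HTTP/2 disabled (ALPN offers only http/1.1).
func StartMetricsServer(pki *MetricsPKI) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "up 1\n")
	}))
	ts.TLS = &tls.Config{Certificates: []tls.Certificate{pki.Server}, NextProtos: []string{"http/1.1"}}
	ts.StartTLS()
	return ts
}

// Scrape is a minimal Prometheus-like scrape that returns the HTTP version the server answered with.
// roots/ServerName play the ServiceMonitor's tlsConfig ca/serverName; skipVerify is insecureSkipVerify.
func Scrape(baseURL string, roots *x509.CertPool, skipVerify bool) (string, error) {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{ForceAttemptHTTP2: true, // client does offer h2
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: Host, InsecureSkipVerify: skipVerify},
	}}
	resp, err := client.Get(baseURL + "/metrics")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Proto, nil
}

// RunScrapes returns the protocol of a scrape trusting only the metrics CA, the error of a scrape trusting
// nothing (expected non-nil), and the protocol of a skip-verify scrape (succeeds, as it would against an impostor).
func RunScrapes() (verified string, noCAErr error, skipVerify string, err error) {
	pki, err := NewMetricsPKI()
	if err != nil {
		return "", nil, "", err
	}
	ts := StartMetricsServer(pki)
	defer ts.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	if verified, err = Scrape(ts.URL, trusted, false); err != nil {
		return "", nil, "", err
	}
	_, noCAErr = Scrape(ts.URL, x509.NewCertPool(), false)
	skipVerify, err = Scrape(ts.URL, nil, true)
	return verified, noCAErr, skipVerify, err
}
```

Call `RunScrapes` from a `main` or a test. The scrape that trusts an empty pool fails at the handshake with an unknown-authority error, which is exactly the refusal a ServiceMonitor with `tlsConfig.ca` taken from the issued secret relies on; the skip-verify scrape succeeds here but would succeed just the same against any process answering on that address, which is why the PR rules it out. Because the client offers `h2` but the server's ALPN list only contains `http/1.1`, every successful scrape reports `HTTP/1.1`.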
Codecov Report: all modified and coverable lines are covered by tests ✅

Coverage diff (main vs. #1476):

            main      #1476     +/-
Coverage    74.73%    74.96%    +0.23%
Files       42        42
Lines       3241      3272      +31
Hits        2422      2453      +31
Misses      646       646
Partials    173       173
/hold
This should use the existing This should add support to rotate the certificates via
Hi @tmshort thank you for the feedback.
We also need to consider that when/if we merge catalogd/operator-controller into a single binary, that this may be a combined service. catalogd already has support for
Hi @tmshort I will create a Brief and RFC to explain why it is required. And yes, you are right. We need to do the same with catalogd.