feat(metrics): expose metrics via HTTP on :8080 for vmagent scraping (#8)

* feat(metrics): expose metrics via HTTP on :8080 for vmagent scraping

Switch metrics endpoint from HTTPS :8443 to HTTP :8080 to enable
automatic scraping via the kubernetes-pods vmagent job using
prometheus.io pod annotations. Webhook TLS on :9443 is unchanged.

* fix(metrics): add --metrics-secure=false to expose HTTP without TLS

* feat(metrics): expose HTTP metrics on :8080 with podAnnotations support

- Switch metrics endpoint from :8443 (TLS) to :8080 (HTTP) for vmagent scraping
- Disable cert_metrics_manager_patch to remove metrics-certs volume dependency
- Add podAnnotations injection in helm-generator for vmagent scrape annotations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(crd): revert controller-gen version annotation to v0.18.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: igoramf

chart/templates/deployment-operator-controller-manager.yaml

@@ -17,16 +17,19 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
         app.kubernetes.io/name: operator
         control-plane: controller-manager
     spec:
       containers:
       - args:
-        - --metrics-bind-address=:8443
+        - --metrics-bind-address=:8080
+        - --metrics-secure=false
         - --leader-elect
         - --health-probe-bind-address=:8081
-        - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
         - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs
         command:
         - /manager
@@ -124,6 +127,9 @@ spec:
           periodSeconds: 20
         name: manager
         ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
@@ -146,9 +152,6 @@ spec:
             drop:
             - ALL
         volumeMounts:
-        - mountPath: /tmp/k8s-metrics-server/metrics-certs
-          name: metrics-certs
-          readOnly: true
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-certs
           readOnly: true
@@ -159,17 +162,6 @@ spec:
       serviceAccountName: {{ .Release.Name }}-controller-manager
       terminationGracePeriodSeconds: 10
       volumes:
-      - name: metrics-certs
-        secret:
-          items:
-          - key: ca.crt
-            path: ca.crt
-          - key: tls.crt
-            path: tls.crt
-          - key: tls.key
-            path: tls.key
-          optional: false
-          secretName: metrics-server-cert
       - name: webhook-certs
         secret:
           secretName: webhook-server-cert

chart/values.yaml

@@ -58,7 +58,7 @@ healthProbe:
 # Metrics configuration
 metrics:
   enabled: true
-  port: 8443
+  port: 8080
 
 # Leader election
 leaderElection:

config/default/kustomization.yaml

@@ -44,9 +44,9 @@ patches:
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.
 # This patch will protect the metrics with certManager self-signed certs.
-- path: cert_metrics_manager_patch.yaml
-  target:
-    kind: Deployment
+#- path: cert_metrics_manager_patch.yaml
+#  target:
+#    kind: Deployment
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

config/default/manager_metrics_patch.yaml

@@ -1,4 +1,13 @@
-# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+# This patch adds the args to expose the metrics endpoint via HTTP
 - op: add
   path: /spec/template/spec/containers/0/args/0
-  value: --metrics-bind-address=:8443
+  value: --metrics-bind-address=:8080
+- op: add
+  path: /spec/template/spec/containers/0/args/1
+  value: --metrics-secure=false
+- op: add
+  path: /spec/template/spec/containers/0/ports/-
+  value:
+    containerPort: 8080
+    name: metrics
+    protocol: TCP

hack/helm-generator/main.go

@@ -93,6 +93,11 @@ func main() {
 		fmt.Fprintf(os.Stderr, "Warning: Could not add builder service account: %v\n", err)
 	}
 
+	// Add podAnnotations to deployment pod template
+	if err := addPodAnnotations(templatesDir); err != nil {
+		fmt.Fprintf(os.Stderr, "Warning: Could not add pod annotations to deployment: %v\n", err)
+	}
+
 	fmt.Printf("✓ Generated %d Helm templates\n\n", fileCount)
 	fmt.Println("Test with:")
 	fmt.Println("  make helm-lint")
@@ -285,6 +290,33 @@ func addEnvVarsToDeployment(templatesDir string) error {
 	return os.WriteFile(deploymentFile, []byte(contentStr), 0644)
 }
 
+func addPodAnnotations(templatesDir string) error {
+	files, err := filepath.Glob(filepath.Join(templatesDir, "deployment-*.yaml"))
+	if err != nil || len(files) == 0 {
+		return fmt.Errorf("no deployment file found")
+	}
+
+	deploymentFile := files[0]
+	content, err := os.ReadFile(deploymentFile)
+	if err != nil {
+		return err
+	}
+
+	contentStr := string(content)
+
+	annotationsBlock := `      annotations:
+        kubectl.kubernetes.io/default-container: manager
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}`
+
+	contentStr = strings.ReplaceAll(contentStr,
+		"      annotations:\n        kubectl.kubernetes.io/default-container: manager",
+		annotationsBlock)
+
+	return os.WriteFile(deploymentFile, []byte(contentStr), 0644)
+}
+
 func addBuilderServiceAccount(templatesDir string) error {
 	content := `{{- if .Values.build.serviceAccount }}
 apiVersion: v1