Secure TLS for Prometheus metrics endpoint

Remove insecureSkipVerify from ServiceMonitor and implement proper
TLS certificate verification using OpenShift service-ca.

Changes:
- Add service-ca annotation to metrics Service for automatic cert generation
- Mount certificate Secret in operator Pod
- Configure metrics server to use service-ca certificates
- Update ServiceMonitor with CA bundle and server name verification
- Create CA bundle ConfigMap for Prometheus
- Regenerate bundle manifests

Fixes: OSPR-30557

 On branch feat/OSPR-30557_tls-metrics-endpoint
	modified:   bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
	modified:   bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
	modified:   cmd/main.go
	modified:   config/default/metrics_service.yaml
	modified:   config/manager/manager.yaml
	new file:   config/prometheus/ca-bundle-configmap.yaml
	modified:   config/prometheus/kustomization.yaml
	modified:   config/prometheus/monitor.yaml

Author: malingatembo

bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
   creationTimestamp: null
   labels:
     app.kubernetes.io/managed-by: kustomize

bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml

@@ -25,7 +25,7 @@ metadata:
       ]
     capabilities: Basic Install
     categories: AI/Machine Learning
-    createdAt: "2026-04-15T07:57:01Z"
+    createdAt: "2026-06-24T11:27:18Z"
     description: AI-powered virtual assistant for Red Hat OpenStack Services on OpenShift
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
@@ -242,10 +242,18 @@ spec:
                   capabilities:
                     drop:
                     - ALL
+                volumeMounts:
+                - mountPath: /tmp/k8s-metrics-server/serving-certs
+                  name: cert
+                  readOnly: true
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: openstack-lightspeed-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: cert
+                secret:
+                  secretName: operator-metrics-tls
       permissions:
       - rules:
         - apiGroups:

cmd/main.go

@@ -110,13 +110,11 @@ func main() {
 	metricsServerOptions := metricsserver.Options{
 		BindAddress:   metricsAddr,
 		SecureServing: secureMetrics,
-		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-		// not provided, self-signed certificates will be generated by default. This option is not recommended for
-		// production environments as self-signed certificates do not offer the same level of trust and security
-		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-		TLSOpts: tlsOpts,
+		// Use certificates from service-ca mounted at /tmp/k8s-metrics-server/serving-certs
+		TLSOpts:  tlsOpts,
+		CertDir:  "/tmp/k8s-metrics-server/serving-certs",
+		CertName: "tls.crt",
+		KeyName:  "tls.key",
 	}
 
 	if secureMetrics {

config/default/metrics_service.yaml

@@ -5,6 +5,8 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: openstack-lightspeed-operator
     app.kubernetes.io/managed-by: kustomize
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
   name: metrics
   namespace: system
 spec:

config/manager/manager.yaml

@@ -100,5 +100,13 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        volumeMounts:
+        - name: cert
+          mountPath: /tmp/k8s-metrics-server/serving-certs
+          readOnly: true
       serviceAccountName: controller-manager
+      volumes:
+      - name: cert
+        secret:
+          secretName: operator-metrics-tls
       terminationGracePeriodSeconds: 10

config/prometheus/ca-bundle-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: serving-certs-ca-bundle
+  namespace: system
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+data: {}

config/prometheus/kustomization.yaml

@@ -1,2 +1,3 @@
 resources:
 - monitor.yaml
+- ca-bundle-configmap.yaml

config/prometheus/monitor.yaml

@@ -15,16 +15,8 @@ spec:
       scheme: https
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
-        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
-        # certificate verification. This poses a significant security risk by making the system vulnerable to
-        # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
-        # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
-        # compromising the integrity and confidentiality of the information.
-        # Please use the following options for secure configurations:
-        # caFile: /etc/metrics-certs/ca.crt
-        # certFile: /etc/metrics-certs/tls.crt
-        # keyFile: /etc/metrics-certs/tls.key
-        insecureSkipVerify: true
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: metrics.system.svc
   selector:
     matchLabels:
       control-plane: controller-manager