From 845c7234b1e0e60fcffb8e11119e57dd1deb3be4 Mon Sep 17 00:00:00 2001
From: malingatembo
Date: Wed, 24 Jun 2026 16:13:56 +0200
Subject: [PATCH] Secure TLS for Prometheus metrics endpoint

Remove insecureSkipVerify from ServiceMonitor and implement proper TLS certificate verification using OpenShift service-ca.

Changes:
- Add service-ca annotation to metrics Service for automatic cert generation
- Mount certificate Secret in operator Pod
- Configure metrics server to use service-ca certificates
- Update ServiceMonitor with CA bundle and server name verification
- Create CA bundle ConfigMap for Prometheus
- Regenerate bundle manifests

Fixes: OSPR-30557

On branch feat/OSPR-30557_tls-metrics-endpoint
modified: bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
modified: bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
modified: cmd/main.go
modified: config/default/metrics_service.yaml
modified: config/manager/manager.yaml
new file: config/prometheus/ca-bundle-configmap.yaml
modified: config/prometheus/kustomization.yaml
modified: config/prometheus/monitor.yaml
---
 ...stack-lightspeed-operator-metrics_v1_service.yaml | 2 ++
 ...ck-lightspeed-operator.clusterserviceversion.yaml | 10 +++++++++-
 cmd/main.go | 12 +++++-------
 config/default/metrics_service.yaml | 2 ++
 config/manager/manager.yaml | 8 ++++++++
 config/prometheus/ca-bundle-configmap.yaml | 8 ++++++++
 config/prometheus/kustomization.yaml | 1 +
 config/prometheus/monitor.yaml | 12 ++----------
 8 files changed, 37 insertions(+), 18 deletions(-)
 create mode 100644 config/prometheus/ca-bundle-configmap.yaml
diff --git a/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml b/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
index 906d54ae..6236f5bb 100644
--- a/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
+++ b/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
 creationTimestamp: null
 labels:
 app.kubernetes.io/managed-by: kustomize
diff --git a/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml b/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
index 47a123de..942af6b0 100644
--- a/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
@@ -25,7 +25,7 @@ metadata:
 ]
 capabilities: Basic Install
 categories: AI/Machine Learning
- createdAt: "2026-04-15T07:57:01Z"
+ createdAt: "2026-06-24T11:27:18Z"
 description: AI-powered virtual assistant for Red Hat OpenStack Services on OpenShift
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "false"
@@ -242,10 +242,18 @@ spec:
 capabilities:
 drop:
 - ALL
+ volumeMounts:
+ - mountPath: /tmp/k8s-metrics-server/serving-certs
+ name: cert
+ readOnly: true
 securityContext:
 runAsNonRoot: true
 serviceAccountName: openstack-lightspeed-operator-controller-manager
 terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ secretName: operator-metrics-tls
 permissions:
 - rules:
 - apiGroups:
diff --git a/cmd/main.go b/cmd/main.go
index 8c0505d3..1efff364 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -110,13 +110,11 @@ func main() {
 metricsServerOptions := metricsserver.Options{
 BindAddress: metricsAddr,
 SecureServing: secureMetrics,
- // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
- // not provided, self-signed certificates will be generated by default. This option is not recommended for
- // production environments as self-signed certificates do not offer the same level of trust and security
- // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
- // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
- // to provide certificates, ensuring the server communicates using trusted and secure certificates.
- TLSOpts: tlsOpts,
+ // Use certificates from service-ca mounted at /tmp/k8s-metrics-server/serving-certs
+ TLSOpts: tlsOpts,
+ CertDir: "/tmp/k8s-metrics-server/serving-certs",
+ CertName: "tls.crt",
+ KeyName: "tls.key",
 }
 
 if secureMetrics {
diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml
index b580e957..fe32bdef 100644
--- a/config/default/metrics_service.yaml
+++ b/config/default/metrics_service.yaml
@@ -5,6 +5,8 @@ metadata:
 control-plane: controller-manager
 app.kubernetes.io/name: openstack-lightspeed-operator
 app.kubernetes.io/managed-by: kustomize
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
 name: metrics
 namespace: system
 spec:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 788d464a..35595396 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -100,5 +100,13 @@ spec:
 requests:
 cpu: 10m
 memory: 64Mi
+ volumeMounts:
+ - name: cert
+ mountPath: /tmp/k8s-metrics-server/serving-certs
+ readOnly: true
 serviceAccountName: controller-manager
+ volumes:
+ - name: cert
+ secret:
+ secretName: operator-metrics-tls
 terminationGracePeriodSeconds: 10
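Review bot: The certificate directory is a literal repeated here and in three manifests on this page (`/tmp/k8s-metrics-server/serving-certs` in manager.yaml and the bundle CSV) with no way to override it, while `BindAddress` and `SecureServing` on the lines above appear to be flag-driven; a `metricsCertPath` flag defaulting to this value, `flag.StringVar(&metricsCertPath, "metrics-cert-path", "/tmp/k8s-metrics-server/serving-certs", "Directory holding tls.crt and tls.key for the metrics server")` with `CertDir: metricsCertPath`, keeps one point of change. The new comment should also say where the files come from and what happens without them, e.g. `// tls.crt/tls.key are issued by the OpenShift service-ca controller into Secret operator-metrics-tls and mounted read-only here; if they are missing the metrics server, and with it the manager, fails to start rather than falling back to a self-signed certificate` — as far as I can tell that is controller-runtime's behaviour once CertDir is set. Controller-runtime also watches CertDir and reloads on change, so service-ca renewals should not need a restart, but that is worth confirming against the pinned controller-runtime version. main's body continues outside the hunk, so where the flag set lives is not visible here.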
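Review bot: The `cert` volume added to config/manager/manager.yaml references Secret `operator-metrics-tls` without `optional: true`, so on a cluster without the OpenShift service-ca controller (kind or minikube dev deployments, CI) the Pod sits in ContainerCreating waiting for a Secret nothing creates, and with CertDir now fixed in cmd/main.go there is no self-signed fallback either. Making the Secret optional on its own would not help, because the manager now requires the files. If OpenShift-only is the intent, state it next to the volume: `# Filled by the OpenShift service-ca controller via the serving-cert-secret-name annotation on the metrics Service; the Pod will not start on clusters without service-ca.` The same applies to the regenerated volume in the bundle CSV hunk.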
diff --git a/config/prometheus/ca-bundle-configmap.yaml b/config/prometheus/ca-bundle-configmap.yaml
new file mode 100644
index 00000000..fe3831af
--- /dev/null
+++ b/config/prometheus/ca-bundle-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: serving-certs-ca-bundle
+ namespace: system
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+data: {}
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
index ed137168..0adeff62 100644
--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
 - monitor.yaml
+- ca-bundle-configmap.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
index a02a048a..9f83d435 100644
--- a/config/prometheus/monitor.yaml
+++ b/config/prometheus/monitor.yaml
@@ -15,16 +15,8 @@ spec:
 scheme: https
 bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
 tlsConfig:
- # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
- # certificate verification. This poses a significant security risk by making the system vulnerable to
- # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
- # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
- # compromising the integrity and confidentiality of the information.
- # Please use the following options for secure configurations:
- # caFile: /etc/metrics-certs/ca.crt
- # certFile: /etc/metrics-certs/tls.crt
- # keyFile: /etc/metrics-certs/tls.key
- insecureSkipVerify: true
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: metrics.system.svc
 selector:
 matchLabels:
 control-plane: controller-manager
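Review bot: `serverName: metrics.system.svc` is built from the pre-kustomize Service name and namespace; kustomize's namePrefix and namespace transformers rewrite `metadata.name`/`metadata.namespace` and known references but not free-form string values, and the bundle file name on this page suggests the rendered Service is `openstack-lightspeed-operator-metrics` in a namespace other than `system`, so unless a kustomize replacement patches this field the name will not match the SAN of the service-ca certificate (`<service>.<namespace>.svc`) and every scrape fails verification with an x509 error. It should carry the rendered names, `serverName: <rendered-service-name>.<rendered-namespace>.svc` (placeholders, take them from the rendered manifests), or be set by the overlay that applies the prefix and namespace. Separately, the ConfigMap `serving-certs-ca-bundle` created in config/prometheus/ca-bundle-configmap.yaml lives in the operator namespace and nothing in this change mounts it into a Prometheus Pod; `caFile` reads a path that, as far as I know, the OpenShift cluster-monitoring Prometheus Pods populate from their own ConfigMap of that name. If this ConfigMap is meant to be used, reference it through `tlsConfig.ca.configMap`, which prometheus-operator mounts from the ServiceMonitor's namespace; otherwise drop it and put a comment on `caFile` naming the Prometheus deployment that provides the bundle.
```yaml
tlsConfig:
  ca:
    configMap:
      name: serving-certs-ca-bundle
      key: service-ca.crt
  serverName: <rendered-service-name>.<rendered-namespace>.svc
```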