openstack-lightspeed · malingatembo · Jun 24, 2026
diff --git a/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml b/bundle/manifests/openstack-lightspeed-operator-metrics_v1_service.yaml
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
   creationTimestamp: null
   labels:
     app.kubernetes.io/managed-by: kustomize

diff --git a/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml b/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml
@@ -25,7 +25,7 @@ metadata:
       ]
     capabilities: Basic Install
     categories: AI/Machine Learning
-    createdAt: "2026-04-15T07:57:01Z"
+    createdAt: "2026-06-24T11:27:18Z"
     description: AI-powered virtual assistant for Red Hat OpenStack Services on OpenShift
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
@@ -242,10 +242,18 @@ spec:
                   capabilities:
                     drop:
                     - ALL
+                volumeMounts:
+                - mountPath: /tmp/k8s-metrics-server/serving-certs
+                  name: cert
+                  readOnly: true
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: openstack-lightspeed-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: cert
+                secret:
+                  secretName: operator-metrics-tls
       permissions:
       - rules:
         - apiGroups:

diff --git a/cmd/main.go b/cmd/main.go
@@ -110,13 +110,11 @@ func main() {
 	metricsServerOptions := metricsserver.Options{
 		BindAddress:   metricsAddr,
 		SecureServing: secureMetrics,
-		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-		// not provided, self-signed certificates will be generated by default. This option is not recommended for
-		// production environments as self-signed certificates do not offer the same level of trust and security
-		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-		TLSOpts: tlsOpts,
+		// Use certificates from service-ca mounted at /tmp/k8s-metrics-server/serving-certs
+		TLSOpts:  tlsOpts,
+		CertDir:  "/tmp/k8s-metrics-server/serving-certs",
+		CertName: "tls.crt",
+		KeyName:  "tls.key",
 	}
 
 	if secureMetrics {

diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml
@@ -5,6 +5,8 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: openstack-lightspeed-operator
     app.kubernetes.io/managed-by: kustomize
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: operator-metrics-tls
   name: metrics
   namespace: system
 spec:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -100,5 +100,13 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        volumeMounts:
+        - name: cert
+          mountPath: /tmp/k8s-metrics-server/serving-certs
+          readOnly: true
       serviceAccountName: controller-manager
+      volumes:
+      - name: cert
+        secret:
+          secretName: operator-metrics-tls
       terminationGracePeriodSeconds: 10
diff --git a/config/prometheus/ca-bundle-configmap.yaml b/config/prometheus/ca-bundle-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: serving-certs-ca-bundle
+  namespace: system
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+data: {}
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
 - monitor.yaml
+- ca-bundle-configmap.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
@@ -15,16 +15,8 @@ spec:
       scheme: https
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
-        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
-        # certificate verification. This poses a significant security risk by making the system vulnerable to
-        # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
-        # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
-        # compromising the integrity and confidentiality of the information.
-        # Please use the following options for secure configurations:
-        # caFile: /etc/metrics-certs/ca.crt
-        # certFile: /etc/metrics-certs/tls.crt
-        # keyFile: /etc/metrics-certs/tls.key
-        insecureSkipVerify: true
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: metrics.system.svc
   selector:
     matchLabels:
       control-plane: controller-manager