pkg: Introduce options to disable granularly authn/authz for metrics

In HyperShift, the CVO currently needs to have disabled both
authorization and authentication. Ensure the aspects are disabled so as
not break HyperShift.

However, in the future, the authentication will be enabled using mTLS
and a mounted CA bundle file. Thus, authentication needs to be
configurable.

Authorization needs to be configurable, as well as HyperShift allows a
custom monitoring stack to scrape hosted control plane components.
In the future in HyperShift, authentication of the metrics endpoint of
the CVO will be enforced; however, the authorization will be disabled.
This commit prepares the code for these changes.

Author: DavidHurta

pkg/cvo/metrics.go

@@ -193,14 +193,19 @@ func handleServerResult(result asyncResult, lastLoopError error) error {
 	return lastError
 }
 
+type MetricsOptions struct {
+	DisableAuthentication bool
+	DisableAuthorization  bool
+}
+
 // RunMetrics launches a server bound to listenAddress serving
 // Prometheus metrics at /metrics over HTTPS. Continues serving
 // until runContext.Done() and then attempts a clean shutdown
 // limited by shutdownContext.Done(). Assumes runContext.Done()
 // occurs before or simultaneously with shutdownContext.Done().
 // The TLS configuration automatically reloads certificates when
 // they change on disk using dynamiccertificates.
-func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, restConfig *rest.Config, disableMetricsAuth bool) error {
+func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, restConfig *rest.Config, metricsOptions MetricsOptions) error {
 	if listenAddress == "" {
 		return errors.New("TLS configuration is required to serve metrics")
 	}
@@ -217,34 +222,45 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 	// Start the serving cert controller to begin watching the cert and key files
 	go servingContentController.Run(runContext, 1)
 
-	// Create a dynamic CA controller to watch for client CA changes from a ConfigMap.
-	kubeClient, err := kubernetes.NewForConfig(restConfig)
-	if err != nil {
-		return fmt.Errorf("failed to create kube client: %w", err)
-	}
+	var clientCA dynamiccertificates.CAContentProvider
+	var clientCAController *dynamiccertificates.ConfigMapCAController
+	if !metricsOptions.DisableAuthentication {
+		// Create a dynamic CA controller to watch for client CA changes from a ConfigMap.
+		kubeClient, err := kubernetes.NewForConfig(restConfig)
+		if err != nil {
+			return fmt.Errorf("failed to create kube client: %w", err)
+		}
 
-	clientCAController, err := dynamiccertificates.NewDynamicCAFromConfigMapController(
-		"metrics-client-ca",
-		"kube-system",
-		"extension-apiserver-authentication",
-		"client-ca-file",
-		kubeClient)
-	if err != nil {
-		return fmt.Errorf("failed to create client CA controller: %w", err)
-	}
+		clientCAController, err = dynamiccertificates.NewDynamicCAFromConfigMapController(
+			"metrics-client-ca",
+			"kube-system",
+			"extension-apiserver-authentication",
+			"client-ca-file",
+			kubeClient)
+		if err != nil {
+			return fmt.Errorf("failed to create client CA controller: %w", err)
+		}
+
+		if err := clientCAController.RunOnce(runContext); err != nil {
+			return fmt.Errorf("failed to initialize client CA controller: %w", err)
+		}
 
-	if err := clientCAController.RunOnce(runContext); err != nil {
-		return fmt.Errorf("failed to initialize client CA controller: %w", err)
+		// Start the client CA controller to begin watching the ConfigMap
+		go clientCAController.Run(runContext, 1)
+
+		// Assign to interface variable to ensure proper nil handling
+		clientCA = clientCAController
 	}
 
-	// Start the client CA controller to begin watching the ConfigMap
-	go clientCAController.Run(runContext, 1)
+	clientAuth := tls.NoClientCert
+	if !metricsOptions.DisableAuthentication {
+		clientAuth = tls.RequireAndVerifyClientCert
+	}
 
+	baseTlSConfig := crypto.SecureTLSConfig(&tls.Config{ClientAuth: clientAuth})
 	servingCertController := dynamiccertificates.NewDynamicServingCertificateController(
-		crypto.SecureTLSConfig(&tls.Config{
-			ClientAuth: tls.RequireAndVerifyClientCert,
-		}),
-		clientCAController,
+		baseTlSConfig,
+		clientCA,
 		servingContentController,
 		nil,
 		nil,
@@ -253,12 +269,14 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 		return fmt.Errorf("failed to initialize serving certificate controller: %w", err)
 	}
 
-	clientCAController.AddListener(servingCertController)
+	if clientCAController != nil {
+		clientCAController.AddListener(servingCertController)
+	}
 	servingContentController.AddListener(servingCertController)
 
 	go servingCertController.Run(1, runContext.Done())
 
-	server := createHttpServer(disableMetricsAuth)
+	server := createHttpServer(metricsOptions.DisableAuthorization)
 
 	resultChannel := make(chan asyncResult, 1)
 	resultChannelCount := 1
@@ -267,7 +285,7 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 	// If authentication is enabled, ClientAuth is set to ensure connections are rejected rather than
 	// fall back to unauthenticated mode if the callback fails to provide a valid config.
 	tlsConfig := crypto.SecureTLSConfig(&tls.Config{
-		ClientAuth:         tls.RequireAndVerifyClientCert,
+		ClientAuth:         clientAuth,
 		GetConfigForClient: servingCertController.GetConfigForClient,
 	})
 	go startListening(server, tlsConfig, listenAddress, resultChannel)

pkg/start/start.go

@@ -350,8 +350,11 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 						resultChannelCount++
 						go func() {
 							defer utilruntime.HandleCrash()
-							disableMetricsAuth := o.HyperShift
-							err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, restConfig, disableMetricsAuth)
+							options := cvo.MetricsOptions{
+								DisableAuthentication: o.HyperShift,
+								DisableAuthorization:  o.HyperShift,
+							}
+							err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, restConfig, options)
 							resultChannel <- asyncResult{name: "metrics server", error: err}
 						}()
 					}