pkg/cvo/metrics: Do not require auth when --hypershift is set

wking · wking · commit e16ed47aecf2 · 2025-10-08T14:57:56.000-07:00
In 313f8fb (CVO protects /metrics with authorization, 2025-07-22, #1215) and 833a491 (CVO protects /metrics with authorization, 2025-07-22, #1215), the /metrics endpoint began requiring client auth. The only authentication system was Bearer tokens, and the only authorization system was validating that the token belonged to system:serviceaccount:openshift-monitoring:prometheus-k8s. That worked well for standalone clusters, where the ServiceMonitor scraper is the Prometheus from the openshift-monitoring namespace. But it broke scraping on HyperShift [1], where the ServiceMonitor does not request any client authorization [2]. Getting ServiceAccount tokens (and keeping them fresh [3]) from the hosted cluster into a Prometheus scraper running on the management cluster is hard. This commit buys time to sort out a HyperShift metrics authentication strategy by wiring the existing --hypershift option to code that disables the authentication requirement in that environment. Standalone clusters will continue to require prometheus-k8s ServiceAccount tokens.
diff --git a/pkg/cvo/metrics.go b/pkg/cvo/metrics.go
@@ -133,9 +133,12 @@ type asyncResult struct {
 }
 
 func createHttpServer(ctx context.Context, client *authenticationclientsetv1.AuthenticationV1Client) *http.Server {
-	auth := authHandler{downstream: promhttp.Handler(), ctx: ctx, client: client.TokenReviews()}
+	auth := &authHandler{downstream: promhttp.Handler(), ctx: ctx}
+	if client != nil {
+		auth.client = client.TokenReviews()
+	}
 	handler := http.NewServeMux()
-	handler.Handle("/metrics", &auth)
+	handler.Handle("/metrics", auth)
 	server := &http.Server{
 		Handler: handler,
 	}
@@ -173,30 +176,32 @@ func (a *authHandler) authorize(token string) (bool, error) {
 }
 
 func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	authHeader := r.Header.Get("Authorization")
-	if authHeader == "" {
-		http.Error(w, "failed to get the Authorization header", http.StatusUnauthorized)
-		return
-	}
-	token := strings.TrimPrefix(authHeader, "Bearer ")
-	if token == "" {
-		http.Error(w, "empty Bearer token", http.StatusUnauthorized)
-		return
-	}
-	if token == authHeader {
-		http.Error(w, "failed to get the Bearer token", http.StatusUnauthorized)
-		return
-	}
+	if a.client != nil {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			http.Error(w, "failed to get the Authorization header", http.StatusUnauthorized)
+			return
+		}
+		token := strings.TrimPrefix(authHeader, "Bearer ")
+		if token == "" {
+			http.Error(w, "empty Bearer token", http.StatusUnauthorized)
+			return
+		}
+		if token == authHeader {
+			http.Error(w, "failed to get the Bearer token", http.StatusUnauthorized)
+			return
+		}
 
-	authorized, err := a.authorize(token)
-	if err != nil {
-		klog.Warningf("Failed to authorize token: %v", err)
-		http.Error(w, "failed to authorize due to an internal error", http.StatusInternalServerError)
-		return
-	}
-	if !authorized {
-		http.Error(w, "failed to authorize", http.StatusUnauthorized)
-		return
+		authorized, err := a.authorize(token)
+		if err != nil {
+			klog.Warningf("Failed to authorize token: %v", err)
+			http.Error(w, "failed to authorize due to an internal error", http.StatusInternalServerError)
+			return
+		}
+		if !authorized {
+			http.Error(w, "failed to authorize", http.StatusUnauthorized)
+			return
+		}
 	}
 	a.downstream.ServeHTTP(w, r)
 }
@@ -246,7 +251,7 @@ func handleServerResult(result asyncResult, lastLoopError error) error {
 // Also detects changes to metrics certificate files upon which
 // the metrics HTTP server is shutdown and recreated with a new
 // TLS configuration.
-func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, restConfig *rest.Config) error {
+func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, hyperShift bool, restConfig *rest.Config) error {
 	var tlsConfig *tls.Config
 	if listenAddress != "" {
 		var err error
@@ -258,9 +263,13 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 		return errors.New("TLS configuration is required to serve metrics")
 	}
 
-	client, err := authenticationclientsetv1.NewForConfig(restConfig)
-	if err != nil {
-		return fmt.Errorf("failed to create config: %w", err)
+	var client *authenticationclientsetv1.AuthenticationV1Client
+	if !hypershift {
+		var err error
+		client, err = authenticationclientsetv1.NewForConfig(restConfig)
+		if err != nil {
+			return fmt.Errorf("failed to create config: %w", err)
+		}
 	}
 
 	server := createHttpServer(runContext, client)
diff --git a/pkg/start/start.go b/pkg/start/start.go
@@ -350,7 +350,7 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 						resultChannelCount++
 						go func() {
 							defer utilruntime.HandleCrash()
-							err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, restConfig)
+							err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, o.HyperShift, restConfig)
 							resultChannel <- asyncResult{name: "metrics server", error: err}
 						}()
 					}

Original file line number	Diff line number	Diff line change
`@@ -350,7 +350,7 @@ func (o Options) run(ctx context.Context, controllerCtx Context, lock resource`
`350`	`350`	`resultChannelCount++`
`351`	`351`	`go func() {`
`352`	`352`	`defer utilruntime.HandleCrash()`
`353`		`- err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, restConfig)`
	`353`	`+ err := cvo.RunMetrics(postMainContext, shutdownContext, o.ListenAddr, o.ServingCertFile, o.ServingKeyFile, o.HyperShift, restConfig)`
`354`	`354`	`resultChannel <- asyncResult{name: "metrics server", error: err}`
`355`	`355`	`}()`
`356`	`356`	`}`