OCPBUGS-59768: metrics endpoints security - add client cert auth to kube-rbac-proxy

**Problem:**
OLM metrics endpoints were exposed without proper authentication, allowing unauthorized access to sensitive operational data.

**Root Cause:**
kube-rbac-proxy configuration was missing critical authentication arguments:
- `--client-ca-file`
- `--auth-mode=rbac`

**Solution:**
- Add missing authentication arguments to kube-rbac-proxy in package-server-manager
- Mount client CA certificate from new `metrics-client-ca` ConfigMap
- Update ServiceMonitor to use `scrapeClass: tls-client-certificate-auth`
- Create ConfigMap with service CA injection for automatic CA bundle sync

**Security Impact:**
- **Before:** Any HTTPS client could access metrics endpoints
- **After:** Only authorized Prometheus service account (`system:serviceaccount:openshift-monitoring:prometheus-k8s`) can access metrics

Author: anik120

manifests/0000_50_olm_02-metrics-client-ca.configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: metrics-client-ca
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+data: {}

manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml

@@ -35,6 +35,8 @@ spec:
             - --upstream=http://127.0.0.1:9090/
             - --tls-cert-file=/etc/tls/private/tls.crt
             - --tls-private-key-file=/etc/tls/private/tls.key
+            - --client-ca-file=/etc/tls/client/client-ca-file
+            - --auth-mode=rbac
             - --logtostderr=true
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           imagePullPolicy: IfNotPresent
@@ -57,6 +59,9 @@ spec:
           volumeMounts:
             - mountPath: /etc/tls/private
               name: package-server-manager-serving-cert
+            - mountPath: /etc/tls/client
+              name: metrics-client-ca
+              readOnly: true
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -120,3 +125,6 @@ spec:
         - name: package-server-manager-serving-cert
           secret:
             secretName: package-server-manager-serving-cert
+        - name: metrics-client-ca
+          configMap:
+            name: metrics-client-ca

manifests/0000_50_olm_06-psm-operator.deployment.yaml

@@ -35,6 +35,8 @@ spec:
             - --upstream=http://127.0.0.1:9090/
             - --tls-cert-file=/etc/tls/private/tls.crt
             - --tls-private-key-file=/etc/tls/private/tls.key
+            - --client-ca-file=/etc/tls/client/client-ca-file
+            - --auth-mode=rbac
             - --logtostderr=true
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           imagePullPolicy: IfNotPresent
@@ -57,6 +59,9 @@ spec:
           volumeMounts:
             - mountPath: /etc/tls/private
               name: package-server-manager-serving-cert
+            - mountPath: /etc/tls/client
+              name: metrics-client-ca
+              readOnly: true
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -121,3 +126,6 @@ spec:
         - name: package-server-manager-serving-cert
           secret:
             secretName: package-server-manager-serving-cert
+        - name: metrics-client-ca
+          configMap:
+            name: metrics-client-ca

manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml

@@ -9,13 +9,12 @@ metadata:
     capability.openshift.io/name: "OperatorLifecycleManager"
 spec:
   endpoints:
-    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      interval: 30s
+    - interval: 30s
       port: metrics
       scheme: https
       tlsConfig:
-        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
         serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  scrapeClass: tls-client-certificate-auth
   namespaceSelector:
     matchNames:
       - openshift-operator-lifecycle-manager

microshift-manifests/0000_50_olm_02-metrics-client-ca.configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: metrics-client-ca
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+data: {}

microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml

@@ -35,6 +35,8 @@ spec:
             - --upstream=http://127.0.0.1:9090/
             - --tls-cert-file=/etc/tls/private/tls.crt
             - --tls-private-key-file=/etc/tls/private/tls.key
+            - --client-ca-file=/etc/tls/client/client-ca-file
+            - --auth-mode=rbac
             - --logtostderr=true
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           imagePullPolicy: IfNotPresent
@@ -57,6 +59,9 @@ spec:
           volumeMounts:
             - mountPath: /etc/tls/private
               name: package-server-manager-serving-cert
+            - mountPath: /etc/tls/client
+              name: metrics-client-ca
+              readOnly: true
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -120,3 +125,6 @@ spec:
         - name: package-server-manager-serving-cert
           secret:
             secretName: package-server-manager-serving-cert
+        - name: metrics-client-ca
+          configMap:
+            name: metrics-client-ca

microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml

@@ -35,6 +35,8 @@ spec:
             - --upstream=http://127.0.0.1:9090/
             - --tls-cert-file=/etc/tls/private/tls.crt
             - --tls-private-key-file=/etc/tls/private/tls.key
+            - --client-ca-file=/etc/tls/client/client-ca-file
+            - --auth-mode=rbac
             - --logtostderr=true
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           imagePullPolicy: IfNotPresent
@@ -57,6 +59,9 @@ spec:
           volumeMounts:
             - mountPath: /etc/tls/private
               name: package-server-manager-serving-cert
+            - mountPath: /etc/tls/client
+              name: metrics-client-ca
+              readOnly: true
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -121,3 +126,6 @@ spec:
         - name: package-server-manager-serving-cert
           secret:
             secretName: package-server-manager-serving-cert
+        - name: metrics-client-ca
+          configMap:
+            name: metrics-client-ca

microshift-manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml

@@ -9,13 +9,12 @@ metadata:
     capability.openshift.io/name: "OperatorLifecycleManager"
 spec:
   endpoints:
-    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      interval: 30s
+    - interval: 30s
       port: metrics
       scheme: https
       tlsConfig:
-        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
         serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  scrapeClass: tls-client-certificate-auth
   namespaceSelector:
     matchNames:
       - openshift-operator-lifecycle-manager

microshift-manifests/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
   - 0000_50_olm_00-pprof-secret.yaml
   - 0000_50_olm_00-subscriptions.crd.yaml
   - 0000_50_olm_01-networkpolicies.yaml
+  - 0000_50_olm_02-metrics-client-ca.configmap.yaml
   - 0000_50_olm_02-olm-operator.serviceaccount.yaml
   - 0000_50_olm_03-olmconfig.yaml
   - 0000_50_olm_03-services.yaml

scripts/generate_crds_manifests.sh

@@ -123,6 +123,18 @@ spec:
       name: quay.io/openshift/origin-kube-rbac-proxy:latest
 EOF
 
+cat << EOF > manifests/0000_50_olm_02-metrics-client-ca.configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: metrics-client-ca
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
+data: {}
+EOF
+
 cat << EOF > manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -196,6 +208,8 @@ spec:
           - --upstream=http://127.0.0.1:9090/
           - --tls-cert-file=/etc/tls/private/tls.crt
           - --tls-private-key-file=/etc/tls/private/tls.key
+          - --client-ca-file=/etc/tls/client/client-ca-file
+          - --auth-mode=rbac
           - --logtostderr=true
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           imagePullPolicy: IfNotPresent
@@ -218,6 +232,9 @@ spec:
           volumeMounts:
           - mountPath: /etc/tls/private
             name: package-server-manager-serving-cert
+          - mountPath: /etc/tls/client
+            name: metrics-client-ca
+            readOnly: true
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
@@ -282,6 +299,9 @@ spec:
       - name: package-server-manager-serving-cert
         secret:
           secretName: package-server-manager-serving-cert
+      - name: metrics-client-ca
+        configMap:
+          name: metrics-client-ca
 EOF
 
 cat << EOF > manifests/0000_50_olm_06-psm-operator.service.yaml
@@ -315,13 +335,12 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
 spec:
   endpoints:
-  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-    interval: 30s
+  - interval: 30s
     port: metrics
     scheme: https
     tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
       serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+  scrapeClass: tls-client-certificate-auth
   namespaceSelector:
     matchNames:
     - openshift-operator-lifecycle-manager