Conversation

anik120
Contributor

@anik120 anik120 commented Sep 16, 2025

No description provided.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 16, 2025
Contributor

openshift-ci bot commented Sep 16, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anik120
Once this PR has been reviewed and has the lgtm label, please assign perdasilva for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@anik120
Contributor Author

anik120 commented Sep 16, 2025

/test unit-olm

Comment on lines 119 to 143

    certPoolStore, err := filemonitor.NewCertPoolStore(*sc.clientCAPath)
    if err != nil {
        return nil, fmt.Errorf("certificate monitoring for client-ca failed: %v", err)
    }
    cpsw, err := filemonitor.NewWatch(sc.logger, []string{filepath.Dir(*sc.clientCAPath)}, certPoolStore.HandleCABundleUpdate)
    if err != nil {
        return nil, fmt.Errorf("error creating cert file watcher: %v", err)
    }
    cpsw.Run(context.Background())

    s.TLSConfig = &tls.Config{
        GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
            return certStore.GetCertificate(), nil
        },
        GetConfigForClient: func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
            var certs []tls.Certificate
            if cert := certStore.GetCertificate(); cert != nil {
                certs = append(certs, *cert)
            }
            return &tls.Config{
                Certificates: certs,
                ClientCAs:    certPoolStore.GetCertPool(),
                ClientAuth:   tls.VerifyClientCertIfGiven,
            }, nil
        },
Member

It isn't obvious to me what the connection is between use of filters.WithAuthenticationAndAuthorization and removing the certPoolStore/GetConfigForClient. What's the story here?

@anik120
Contributor Author

anik120 commented Sep 18, 2025

@joelanford doesn't look like this set up is working for this operator.

$ oc get pods -n openshift-operator-lifecycle-manager
NAME                                     READY   STATUS    RESTARTS   AGE
catalog-operator-5dbb86796b-r25vk        1/1     Running   0          133m
olm-operator-d98db4949-l4bcg             1/1     Running   0          133m
package-server-manager-79658c858-r2k5p   2/2     Running   0          133m
packageserver-7b7957b98-9s2g7            1/1     Running   0          130m
packageserver-7b7957b98-lw9c7            1/1     Running   0          130m
$ oc get svc -n openshift-operator-lifecycle-manager
NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
catalog-operator-metrics         ClusterIP   172.30.186.209   <none>        8443/TCP   137m
olm-operator-metrics             ClusterIP   172.30.78.175    <none>        8443/TCP   137m
package-server-manager-metrics   ClusterIP   172.30.37.240    <none>        8443/TCP   136m
packageserver-service            ClusterIP   172.30.8.255     <none>        5443/TCP   131m

TLS Configuration Verification

Both operators are correctly configured with TLS arguments:

OLM Operator:

args:
- --tls-cert
- /srv-cert/tls.crt
- --tls-key
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt

Catalog Operator:

args:
- --tls-cert
- /srv-cert/tls.crt
- --tls-key
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt

Both services correctly expose HTTPS on port 8443 with proper health checks:

ports:
- containerPort: 8443
  name: metrics
  protocol: TCP
livenessProbe:
  httpGet:
    path: /healthz
    port: 8443
    scheme: HTTPS

Unauthenticated Access Test:

$ oc run test-pod --image=curlimages/curl:latest --rm -it --restart=Never -- \
    curl -k https://olm-operator-metrics.openshift-operator-lifecycle-manager.svc.cluster.local:8443/metrics

# HELP csv_count Number of CSVs successfully registered
# TYPE csv_count gauge
csv_count 1
# HELP csv_succeeded Successful CSV install
# TYPE csv_succeeded gauge
csv_succeeded{name="packageserver",namespace="openshift-operator-lifecycle-manager",version="0.0.1-snapshot"} 1
[... full metrics output returned without authentication ...]

Port Forward Test:

$ kubectl port-forward -n openshift-operator-lifecycle-manager svc/olm-operator-metrics 8443:8443
$ curl -k https://localhost:8443/metrics

# Full metrics data returned without any authentication

@jianzhangbjz
Contributor

/assign @Xia-Zhao-rh

@anik120
Contributor Author

anik120 commented Sep 23, 2025

Okay so this worked 🎉

$ oc run test-pod \
    --image=curlimages/curl:latest --rm -i --restart=Never -- curl -k \
    https://olm-operator-metrics.openshift-operator-lifecycle-manager.svc.cluster.local:8443/metrics & sleep 2 && oc \
    logs olm-operator-699dcc89c9-p5gnq -n openshift-operator-lifecycle-manager --tail=10

.
.
.
time="2025-09-23T15:22:09Z" level=info msg="DEBUG: Metrics request from 10.129.2.12:58916, Auth header present: false, User-Agent: curl/8.16.0"
Unauthorized
pod "test-pod" deleted

I'll start the plumbing from upstream and update this PR once the upstream bits are downstreamed.
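The two results anik120 reports in this thread (a full metrics dump for an anonymous `curl -k` before the change, and `Unauthorized` after it) come down to where the identity check lives. As an added example that is not code from this PR or from OLM: the removed snippet's `ClientAuth: tls.VerifyClientCertIfGiven` only verifies a client certificate if the client chooses to send one, so an anonymous client completes the TLS handshake and reaches the handler unchallenged. The standard-library Go below builds an HTTPS server with that same ClientAuth setting and scrapes it anonymously twice, once with the bare handler and once behind a filter that demands either a verified peer certificate or an accepted bearer token. The token check is a constructed stand-in (`constructedToken` is made up for this example, as are `requireAuth`, `newMetricsServer` and `scrape`); the controller-runtime filter named in the review comment instead validates the bearer token and the caller's permissions against the API server via TokenReview and SubjectAccessReview.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// constructedToken is a made-up stand-in for a ServiceAccount token that a
// TokenReview would accept. A real filter asks the API server instead.
const constructedToken = "example-token-not-real"

// metricsHandler stands in for the Prometheus handler: one gauge line.
func metricsHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	fmt.Fprintln(w, "# TYPE csv_count gauge")
	fmt.Fprintln(w, "csv_count 1")
}

// requireAuth rejects requests that carry neither a verified client
// certificate nor an accepted bearer token. With tls.VerifyClientCertIfGiven
// the TLS layer lets anonymous clients finish the handshake, so the check
// must happen here, in front of the handler.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {
			next.ServeHTTP(w, r) // mTLS identity presented and verified
			return
		}
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if strings.HasPrefix(auth, prefix) &&
			subtle.ConstantTimeCompare([]byte(auth[len(prefix):]), []byte(constructedToken)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
	})
}

// newMetricsServer starts an HTTPS server whose client-cert policy mirrors
// the snippet under review: ClientAuth = VerifyClientCertIfGiven.
func newMetricsServer(authenticated bool) *httptest.Server {
	var h http.Handler = http.HandlerFunc(metricsHandler)
	if authenticated {
		h = requireAuth(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/metrics", h)
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven}
	srv.StartTLS()
	return srv
}

// scrape fetches /metrics with an optional bearer token and returns the
// status code and trimmed body. The client presents no certificate, which
// is exactly what `curl -k` did in the tests above.
func scrape(srv *httptest.Server, token string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/metrics", nil)
	if err != nil {
		return 0, "", err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

func main() {
	for _, authenticated := range []bool{false, true} {
		srv := newMetricsServer(authenticated)
		code, body, err := scrape(srv, "")
		srv.Close()
		if err != nil {
			panic(err)
		}
		fmt.Printf("filtered=%v anonymous scrape -> %d %q\n", authenticated, code, body)
	}
}
```

Against the bare server the anonymous scrape returns 200 with the gauge, against the filtered server it returns 401 with the body `Unauthorized`, and only a request carrying the accepted token (or a verified client certificate) gets through: the same shape as the curl output and the `Auth header present: false` log line earlier in the thread.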

Contributor

openshift-ci bot commented Sep 28, 2025

@anik120: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      Commit   Details   Required   Rerun command
ci/prow/verify                 7c09b00  link      true       /test verify
ci/prow/e2e-upgrade            7c09b00  link      true       /test e2e-upgrade
ci/prow/okd-scos-e2e-aws-ovn   7c09b00  link      false      /test okd-scos-e2e-aws-ovn
ci/prow/e2e-gcp-olm            7c09b00  link      true       /test e2e-gcp-olm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@anik120 anik120 changed the title WIP: Authenticated metrics endpoints using controller-runtime auth filters WIP: OCPBUGS-59768: Authenticated metrics endpoints using controller-runtime auth filters Oct 2, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Oct 2, 2025
@openshift-ci-robot

@anik120: This pull request references Jira Issue OCPBUGS-59768, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @Xia-Zhao-rh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from Xia-Zhao-rh October 2, 2025 01:14
@anik120
Contributor Author

anik120 commented Oct 2, 2025

Still waiting for upstream PR to merge: operator-framework/operator-lifecycle-manager#3660

Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
5 participants