use tls for prometheus metrics in ssp operator and template validator

Signed-off-by: Michal Vavrinec <[email protected]>

Author: Ruclo

internal/controllers/services_controller.go

@@ -38,6 +38,7 @@ func ServiceObject(namespace string, appKubernetesPartOfValue string) *v1.Servic
 		common.AppKubernetesVersionLabel:   env.GetOperatorVersion(),
 		common.AppKubernetesComponentLabel: ServiceControllerName,
 		metrics.PrometheusLabelKey:         metrics.PrometheusLabelValue,
+		metrics.MetricsServiceKey:          MetricsServiceName,
 	}
 	if appKubernetesPartOfValue != "" {
 		labels[common.AppKubernetesPartOfLabel] = appKubernetesPartOfValue

internal/operands/metrics/reconcile.go

@@ -50,7 +50,8 @@ func (m *metrics) WatchClusterTypes() []operands.WatchType {
 
 func (m *metrics) Reconcile(request *common.Request) ([]common.ReconcileResult, error) {
 	return common.CollectResourceStatus(request,
-		reconcilePrometheusMonitor,
+		reconcileValidatorMetricsMonitor,
+		reconcileSspMetricsMonitor,
 		reconcilePrometheusRule,
 		reconcileMonitoringRbacRole,
 		reconcileMonitoringRbacRoleBinding,
@@ -75,9 +76,16 @@ const (
 	operandComponent = common.AppComponentMonitoring
 )
 
-func reconcilePrometheusMonitor(request *common.Request) (common.ReconcileResult, error) {
+func reconcileSspMetricsMonitor(request *common.Request) (common.ReconcileResult, error) {
 	return common.CreateOrUpdate(request).
-		NamespacedResource(newServiceMonitorCR(request.Namespace)).
+		NamespacedResource(newSspServiceMonitor(request.Namespace)).
+		WithAppLabels(operandName, operandComponent).
+		Reconcile()
+}
+
+func reconcileValidatorMetricsMonitor(request *common.Request) (common.ReconcileResult, error) {
+	return common.CreateOrUpdate(request).
+		NamespacedResource(newValidatorServiceMonitor(request.Namespace)).
 		WithAppLabels(operandName, operandComponent).
 		Reconcile()
 }

internal/operands/metrics/reconcile_test.go

@@ -74,7 +74,7 @@ var _ = Describe("Metrics operand", func() {
 		Expect(err).ToNot(HaveOccurred())
 
 		ExpectResourceExists(prometheusRule, request)
-		ExpectResourceExists(newServiceMonitorCR(namespace), request)
+		ExpectResourceExists(newSspServiceMonitor(namespace), request)
 		ExpectResourceExists(newMonitoringClusterRole(), request)
 		ExpectResourceExists(newMonitoringClusterRoleBinding(), request)
 	})

internal/operands/metrics/resources.go

@@ -1,25 +1,43 @@
 package metrics
 
 import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+	"path/filepath"
+
 	promv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	v1 "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
-
 	"kubevirt.io/ssp-operator/pkg/monitoring/rules"
 )
 
 const (
-	MonitorNamespace             = "openshift-monitoring"
-	defaultRunbookURLTemplate    = "https://kubevirt.io/monitoring/runbooks/%s"
-	runbookURLTemplateEnv        = "RUNBOOK_URL_TEMPLATE"
-	PrometheusLabelKey           = "prometheus.ssp.kubevirt.io"
-	PrometheusLabelValue         = "true"
-	PrometheusClusterRoleName    = "prometheus-k8s-ssp"
-	PrometheusServiceAccountName = "prometheus-k8s"
-	MetricsPortName              = "http-metrics"
+	MonitorNamespace                    = "openshift-monitoring"
+	defaultRunbookURLTemplate           = "https://kubevirt.io/monitoring/runbooks/%s"
+	runbookURLTemplateEnv               = "RUNBOOK_URL_TEMPLATE"
+	PrometheusLabelKey                  = "prometheus.ssp.kubevirt.io"
+	PrometheusLabelValue                = "true"
+	PrometheusClusterRoleName           = "prometheus-k8s-ssp"
+	PrometheusServiceAccountName        = "prometheus-k8s"
+	MetricsPortName                     = "http-metrics"
+	CertFilename                        = "tls.crt"
+	DefaultCertsDirectory               = "/tmp/k8s-webhook-server/serving-certs"
+	TemplateValidatorMetricsServiceName = "template-validator-metrics"
+	MetricsServiceName                  = "ssp-operator-metrics"
+	MetricsServiceKey                   = "metrics.ssp.kubevirt.io"
 )
 
+// Variable to store OLM deployment info (set from main)
+var isOLMDeployment bool
+
+func SetOLMDeployment(isOLM bool) {
+	isOLMDeployment = isOLM
+}
+
 func newMonitoringClusterRole() *rbac.ClusterRole {
 	return &rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
@@ -61,31 +79,122 @@ func ServiceMonitorLabels() map[string]string {
 	}
 }
 
-func newServiceMonitorCR(namespace string) *promv1.ServiceMonitor {
-	return &promv1.ServiceMonitor{
+func extractHostnameFromCert(certPath string) (string, error) {
+	certBytes, err := os.ReadFile(certPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read certificate file: %w", err)
+	}
+
+	block, _ := pem.Decode(certBytes)
+	if block == nil {
+		return "", fmt.Errorf("failed to parse certificate PEM")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	if cert.Subject.CommonName != "" {
+		return cert.Subject.CommonName, nil
+	}
+
+	if len(cert.DNSNames) > 0 {
+		return cert.DNSNames[0], nil
+	}
+
+	return "", fmt.Errorf("no hostname found in certificate")
+}
+
+// getCAConfigForServiceMonitor returns the appropriate CA configuration
+func getCAConfigForServiceMonitor() *promv1.SecretOrConfigMap {
+	if isOLMDeployment {
+		// OLM deployment: use ssp-operator-service-cert secret with olmCAKey
+		return &promv1.SecretOrConfigMap{
+			Secret: &v1.SecretKeySelector{
+				LocalObjectReference: v1.LocalObjectReference{
+					Name: "ssp-operator-service-cert",
+				},
+				Key: "olmCAKey",
+			},
+		}
+	}
+
+	// Service-CA deployment: use openshift-service-ca.crt configmap
+	return &promv1.SecretOrConfigMap{
+		ConfigMap: &v1.ConfigMapKeySelector{
+			LocalObjectReference: v1.LocalObjectReference{
+				Name: "openshift-service-ca.crt",
+			},
+			Key: "service-ca.crt",
+		},
+	}
+}
+
+func newValidatorServiceMonitor(namespace string) *promv1.ServiceMonitor {
+	tlsConfig := &promv1.TLSConfig{
+		SafeTLSConfig: promv1.SafeTLSConfig{
+			InsecureSkipVerify: ptr.To(false),
+			CA: promv1.SecretOrConfigMap{
+				ConfigMap: &v1.ConfigMapKeySelector{
+					LocalObjectReference: v1.LocalObjectReference{
+						Name: "openshift-service-ca.crt",
+					},
+					Key: "service-ca.crt",
+				},
+			},
+		},
+	}
+	tlsConfig.ServerName = ptr.To("virt-template-validator.kubevirt.svc")
+
+	serviceMonitor := newServiceMonitor(TemplateValidatorMetricsServiceName, namespace, tlsConfig, metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			MetricsServiceKey: TemplateValidatorMetricsServiceName,
+		},
+	})
+	return &serviceMonitor
+}
+
+func newSspServiceMonitor(namespace string) *promv1.ServiceMonitor {
+	certPath := filepath.Join(DefaultCertsDirectory, CertFilename)
+	hostname, _ := extractHostnameFromCert(certPath)
+
+	tlsConfig := &promv1.TLSConfig{
+		SafeTLSConfig: promv1.SafeTLSConfig{
+			InsecureSkipVerify: ptr.To(false),
+			// Use appropriate CA based on deployment type
+			CA: *getCAConfigForServiceMonitor(),
+		},
+	}
+
+	if hostname != "" {
+		tlsConfig.ServerName = &hostname
+	}
+
+	serviceMonitor := newServiceMonitor(rules.RuleName, namespace, tlsConfig, metav1.LabelSelector{})
+	return &serviceMonitor
+}
+
+func newServiceMonitor(name,
+	namespace string,
+	tlsConfig *promv1.TLSConfig,
+	selector metav1.LabelSelector) promv1.ServiceMonitor {
+	return promv1.ServiceMonitor{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
-			Name:      rules.RuleName,
+			Name:      name,
 			Labels:    ServiceMonitorLabels(),
 		},
 		Spec: promv1.ServiceMonitorSpec{
 			NamespaceSelector: promv1.NamespaceSelector{
 				Any: true,
 			},
-			Selector: metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					PrometheusLabelKey: PrometheusLabelValue,
-				},
-			},
+			Selector: selector,
 			Endpoints: []promv1.Endpoint{
 				{
-					Port:   MetricsPortName,
-					Scheme: "https",
-					TLSConfig: &promv1.TLSConfig{
-						SafeTLSConfig: promv1.SafeTLSConfig{
-							InsecureSkipVerify: ptr.To(true),
-						},
-					},
+					Port:        MetricsPortName,
+					Scheme:      "https",
+					TLSConfig:   tlsConfig,
 					HonorLabels: true,
 				},
 			},

internal/operands/template-validator/resources.go

@@ -372,6 +372,7 @@ func newValidatingWebhook(serviceNamespace string) *admission.ValidatingWebhookC
 func PrometheusServiceLabels() map[string]string {
 	return map[string]string{
 		metrics.PrometheusLabelKey: metrics.PrometheusLabelValue,
+		metrics.MetricsServiceKey:  MetricsServiceName,
 	}
 }
 

main.go

@@ -41,13 +41,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"sigs.k8s.io/controller-runtime/pkg/metrics"
+	k8smetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	ssp "kubevirt.io/ssp-operator/api/v1beta3"
 	"kubevirt.io/ssp-operator/internal/common"
 	"kubevirt.io/ssp-operator/internal/controllers"
+	"kubevirt.io/ssp-operator/internal/operands/metrics"
 	sspMetrics "kubevirt.io/ssp-operator/pkg/monitoring/metrics/ssp-operator"
 	"kubevirt.io/ssp-operator/pkg/monitoring/rules"
 	"kubevirt.io/ssp-operator/webhooks"
@@ -162,7 +163,7 @@ func (s *prometheusServer) NeedLeaderElection() bool {
 
 func (s *prometheusServer) Start(ctx context.Context) error {
 	setupLog.Info("Starting Prometheus metrics endpoint server with TLS")
-	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
+	handler := promhttp.HandlerFor(k8smetrics.Registry, promhttp.HandlerOpts{})
 	mux := http.NewServeMux()
 	mux.Handle("/metrics", handler)
 
@@ -225,10 +226,15 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	err := createCertificateSymlinks()
-	if err != nil {
-		setupLog.Error(err, "Error creating certificate symlinks")
-		os.Exit(1)
+	if deployedOnOLM() {
+		err := createCertificateSymlinks()
+		if err != nil {
+			setupLog.Error(err, "Error creating certificate symlinks")
+			os.Exit(1)
+		}
+		metrics.SetOLMDeployment(true)
+	} else {
+		metrics.SetOLMDeployment(false)
 	}
 
 	ctx := ctrl.SetupSignalHandler()
@@ -311,33 +317,35 @@ func main() {
 	}
 }
 
-func createCertificateSymlinks() error {
+func deployedOnOLM() bool {
 	olmDir, olmDirErr := os.Stat(olmTLSDir)
 	_, sdkDirErr := os.Stat(sdkTLSDir)
-
-	// If certificates are generated by OLM, we should use OLM certificates mount path
 	if olmDirErr == nil && olmDir.IsDir() && os.IsNotExist(sdkDirErr) {
-		// For some reason, OLM maps the cert/key files to apiserver.crt/apiserver.key
-		// instead of tls.crt/tls.key like the SDK expects. Creating symlinks to allow
-		// the operator to find and use them.
-		setupLog.Info("OLM cert directory found, copying cert files")
+		setupLog.Info("OLM cert directory found")
+		return true
+	}
+	setupLog.Info("OLM cert directory not found")
+	return false
+}
 
-		err := os.MkdirAll(sdkTLSDir, 0755)
-		if err != nil {
-			return fmt.Errorf("failed to create %s: %w", sdkTLSCrt, err)
-		}
+func createCertificateSymlinks() error {
+	// For some reason, OLM maps the cert/key files to apiserver.crt/apiserver.key
+	// instead of tls.crt/tls.key like the SDK expects. Creating symlinks to allow
+	// the operator to find and use them.
 
-		err = os.Symlink(path.Join(olmTLSDir, olmTLSCrt), path.Join(sdkTLSDir, sdkTLSCrt))
-		if err != nil {
-			return err
-		}
+	err := os.MkdirAll(sdkTLSDir, 0755)
+	if err != nil {
+		return fmt.Errorf("failed to create %s: %w", sdkTLSCrt, err)
+	}
 
-		err = os.Symlink(path.Join(olmTLSDir, olmTLSKey), path.Join(sdkTLSDir, sdkTLSKey))
-		if err != nil {
-			return err
-		}
-	} else {
-		setupLog.Info("OLM cert directory not found, using default cert directory")
+	err = os.Symlink(path.Join(olmTLSDir, olmTLSCrt), path.Join(sdkTLSDir, sdkTLSCrt))
+	if err != nil {
+		return err
+	}
+
+	err = os.Symlink(path.Join(olmTLSDir, olmTLSKey), path.Join(sdkTLSDir, sdkTLSKey))
+	if err != nil {
+		return err
 	}
 
 	return nil