Skip to content

use tls for prometheus metrics in ssp operator and template validator #1567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kubevirt-bot merged 2 commits into from
Dec 19, 2025
Merged

use tls for prometheus metrics in ssp operator and template validator #1567

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fb9f170
remove unnecessary symlink creation
Ruclo Oct 30, 2025
a025e86
Add TLS support for metrics endpoints with service CA certificates
Ruclo Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions data/olm-catalog/ssp-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,6 +343,7 @@ spec:
containers:
- args:
- --leader-elect
- --olm-deployment
command:
- /manager
env:
Expand Down
17 changes: 15 additions & 2 deletions hack/csv-generator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,16 @@ import (
"bytes"
"encoding/json"
"fmt"
"io"
"os"

"github.com/blang/semver/v4"
"github.com/operator-framework/api/pkg/lib/version"
csvv1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
"github.com/spf13/cobra"
"io"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/util/yaml"
"os"
sigsyaml "sigs.k8s.io/yaml"

"kubevirt.io/ssp-operator/internal/env"
Expand Down Expand Up @@ -120,6 +121,8 @@ func runGenerator() error {
removeCerts(&csv)
}

addOLMArg(&csv)

relatedImages, err := buildRelatedImages(f)
if err != nil {
return err
Expand All @@ -144,6 +147,16 @@ func runGenerator() error {
return nil
}

func addOLMArg(csv *csvv1.ClusterServiceVersion) {
templateSpec := &csv.Spec.InstallStrategy.StrategySpec.DeploymentSpecs[0].Spec.Template.Spec
for i, container := range templateSpec.Containers {
if container.Name == "manager" {
templateSpec.Containers[i].Args = append(container.Args, "--olm-deployment")
break
}
}
}

func dumpFiles(path string) error {
files, err := os.ReadDir(path)
if err != nil {
Expand Down
7 changes: 7 additions & 0 deletions internal/common/constants.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
package common

const (
SspOperatorMetricsServiceName = "ssp-operator-metrics"
TemplateValidatorMetricsServiceName = "template-validator-metrics"
VirtTemplateValidator = "virt-template-validator"
)
4 changes: 3 additions & 1 deletion internal/common/request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@ type Request struct {
VersionCache VersionCache
TopologyMode osconfv1.TopologyMode

CrdList crd_watch.CrdList
CrdList crd_watch.CrdList
OLMDeployment bool
SSPServiceHostname string
}

func (r *Request) IsSingleReplicaTopologyMode() bool {
Expand Down
6 changes: 3 additions & 3 deletions internal/controllers/services_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ import (

const (
ServiceManagedByLabelValue = "ssp-operator-services"
MetricsServiceName = "ssp-operator-metrics"
OperatorName = "ssp-operator"
ServiceControllerName = "service-controller"
)
Expand All @@ -38,13 +37,14 @@ func ServiceObject(namespace string, appKubernetesPartOfValue string) *v1.Servic
common.AppKubernetesVersionLabel: env.GetOperatorVersion(),
common.AppKubernetesComponentLabel: ServiceControllerName,
metrics.PrometheusLabelKey: metrics.PrometheusLabelValue,
metrics.MetricsServiceKey: common.SspOperatorMetricsServiceName,
}
if appKubernetesPartOfValue != "" {
labels[common.AppKubernetesPartOfLabel] = appKubernetesPartOfValue
}
return &v1.Service{
ObjectMeta: metav1.ObjectMeta{
Name: MetricsServiceName,
Name: common.SspOperatorMetricsServiceName,
Namespace: namespace,
Labels: labels,
},
Expand Down Expand Up @@ -136,7 +136,7 @@ func (s *serviceReconciler) setupController(mgr ctrl.Manager) error {
Named("service-controller").
For(&v1.Service{}, builder.WithPredicates(predicate.NewPredicateFuncs(
func(object client.Object) bool {
return object.GetName() == MetricsServiceName && object.GetNamespace() == s.operatorNamespace
return object.GetName() == common.SspOperatorMetricsServiceName && object.GetNamespace() == s.operatorNamespace
}))).
Complete(s)
}
Expand Down
4 changes: 2 additions & 2 deletions internal/controllers/setup.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ func StartControllers(ctx context.Context, mgr controllerruntime.Manager, contro
return nil
}

func CreateControllers(ctx context.Context, apiReader client.Reader) ([]Controller, error) {
func CreateControllers(ctx context.Context, apiReader client.Reader, olmDeployment bool, sspServiceHostname string) ([]Controller, error) {
runningOnOpenShift, err := env.RunningOnOpenshift(ctx, apiReader)
if err != nil {
return nil, fmt.Errorf("failed to check if running on openshift: %w", err)
Expand Down Expand Up @@ -102,7 +102,7 @@ func CreateControllers(ctx context.Context, apiReader client.Reader) ([]Controll
serviceController,
NewWebhookConfigurationController(),
NewVmController(),
NewSspController(infrastructureTopology, sspOperands),
NewSspController(infrastructureTopology, sspOperands, olmDeployment, sspServiceHostname),
}, nil
}

Expand Down
48 changes: 27 additions & 21 deletions internal/controllers/ssp_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,24 +61,28 @@ const (

// sspController reconciles a SSP object
type sspController struct {
log logr.Logger
operands []operands.Operand
lastSspSpec ssp.SSPSpec
subresourceCache common.VersionCache
topologyMode osconfv1.TopologyMode
areCrdsMissing bool
log logr.Logger
operands []operands.Operand
lastSspSpec ssp.SSPSpec
subresourceCache common.VersionCache
topologyMode osconfv1.TopologyMode
areCrdsMissing bool
olmDeployment bool
sspServiceHostname string

client client.Client
uncachedReader client.Reader
crdList crd_watch.CrdList
}

func NewSspController(infrastructureTopology osconfv1.TopologyMode, operands []operands.Operand) Controller {
func NewSspController(infrastructureTopology osconfv1.TopologyMode, operands []operands.Operand, olmDeployment bool, sspServiceHostname string) Controller {
return &sspController{
log: ctrl.Log.WithName("controllers").WithName("SSP"),
operands: operands,
subresourceCache: common.VersionCache{},
topologyMode: infrastructureTopology,
log: ctrl.Log.WithName("controllers").WithName("SSP"),
operands: operands,
subresourceCache: common.VersionCache{},
topologyMode: infrastructureTopology,
olmDeployment: olmDeployment,
sspServiceHostname: sspServiceHostname,
}
}

Expand Down Expand Up @@ -175,16 +179,18 @@ func (s *sspController) Reconcile(ctx context.Context, req ctrl.Request) (res ct
sspChanged := s.clearCacheIfNeeded(instance)

sspRequest := &common.Request{
Request: req,
Client: s.client,
UncachedReader: s.uncachedReader,
Context: ctx,
Instance: instance,
InstanceChanged: sspChanged,
Logger: reqLogger,
VersionCache: s.subresourceCache,
TopologyMode: s.topologyMode,
CrdList: s.crdList,
Request: req,
Client: s.client,
UncachedReader: s.uncachedReader,
Context: ctx,
Instance: instance,
InstanceChanged: sspChanged,
Logger: reqLogger,
VersionCache: s.subresourceCache,
TopologyMode: s.topologyMode,
CrdList: s.crdList,
OLMDeployment: s.olmDeployment,
SSPServiceHostname: s.sspServiceHostname,
}

if !isInitialized(sspRequest.Instance) {
Expand Down
14 changes: 11 additions & 3 deletions internal/operands/metrics/reconcile.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,8 @@ func (m *metrics) WatchClusterTypes() []operands.WatchType {

func (m *metrics) Reconcile(request *common.Request) ([]common.ReconcileResult, error) {
return common.CollectResourceStatus(request,
reconcilePrometheusMonitor,
reconcileValidatorMetricsMonitor,
reconcileSspMetricsMonitor,
reconcilePrometheusRule,
reconcileMonitoringRbacRole,
reconcileMonitoringRbacRoleBinding,
Expand All @@ -75,9 +76,16 @@ const (
operandComponent = common.AppComponentMonitoring
)

func reconcilePrometheusMonitor(request *common.Request) (common.ReconcileResult, error) {
func reconcileSspMetricsMonitor(request *common.Request) (common.ReconcileResult, error) {
return common.CreateOrUpdate(request).
NamespacedResource(newServiceMonitorCR(request.Namespace)).
NamespacedResource(newSspServiceMonitor(request)).
WithAppLabels(operandName, operandComponent).
Reconcile()
}

func reconcileValidatorMetricsMonitor(request *common.Request) (common.ReconcileResult, error) {
return common.CreateOrUpdate(request).
NamespacedResource(newValidatorServiceMonitor(request)).
WithAppLabels(operandName, operandComponent).
Reconcile()
}
Expand Down
3 changes: 2 additions & 1 deletion internal/operands/metrics/reconcile_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,8 @@ var _ = Describe("Metrics operand", func() {
Expect(err).ToNot(HaveOccurred())

ExpectResourceExists(prometheusRule, request)
ExpectResourceExists(newServiceMonitorCR(namespace), request)
ExpectResourceExists(newSspServiceMonitor(&request), request)
ExpectResourceExists(newValidatorServiceMonitor(&request), request)
ExpectResourceExists(newMonitoringClusterRole(), request)
ExpectResourceExists(newMonitoringClusterRoleBinding(), request)
})
Expand Down
92 changes: 76 additions & 16 deletions internal/operands/metrics/resources.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
package metrics

import (
"fmt"
promv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
v1 "k8s.io/api/core/v1"
rbac "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"k8s.io/utils/ptr"

"kubevirt.io/ssp-operator/pkg/monitoring/rules"
"kubevirt.io/ssp-operator/internal/common"
Copy link
Collaborator

@akrejcir akrejcir Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a newline above this line to split imports into 3 blocks.

Copy link
Member

@0xFelix 0xFelix Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still applies

)

const (
Expand All @@ -18,6 +21,7 @@ const (
PrometheusClusterRoleName = "prometheus-k8s-ssp"
PrometheusServiceAccountName = "prometheus-k8s"
MetricsPortName = "http-metrics"
MetricsServiceKey = "metrics.ssp.kubevirt.io"
)

func newMonitoringClusterRole() *rbac.ClusterRole {
Expand Down Expand Up @@ -61,31 +65,87 @@ func ServiceMonitorLabels() map[string]string {
}
}

func newServiceMonitorCR(namespace string) *promv1.ServiceMonitor {
return &promv1.ServiceMonitor{
func serviceCABundle() promv1.SecretOrConfigMap {
return promv1.SecretOrConfigMap{
ConfigMap: &v1.ConfigMapKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "openshift-service-ca.crt",
},
Key: "service-ca.crt",
},
}
}

func olmManagedCABundle() promv1.SecretOrConfigMap {
return promv1.SecretOrConfigMap{
Secret: &v1.SecretKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "ssp-operator-service-cert",
},
Key: "olmCAKey",
},
}
}

func getCAConfigForServiceMonitor(olmDeployment bool) promv1.SecretOrConfigMap {
if olmDeployment {
return olmManagedCABundle()
}
return serviceCABundle()
}

func newValidatorServiceMonitor(request *common.Request) *promv1.ServiceMonitor {
tlsConfig := &promv1.TLSConfig{
SafeTLSConfig: promv1.SafeTLSConfig{
CA: serviceCABundle(),
},
}

tlsConfig.ServerName = ptr.To(fmt.Sprintf("%s.%s.svc", common.VirtTemplateValidator, request.Namespace))
serviceMonitor := newServiceMonitor(common.TemplateValidatorMetricsServiceName, request.Namespace, tlsConfig, metav1.LabelSelector{
MatchLabels: map[string]string{
MetricsServiceKey: common.TemplateValidatorMetricsServiceName,
},
})
return &serviceMonitor
}

func newSspServiceMonitor(request *common.Request) *promv1.ServiceMonitor {
tlsConfig := &promv1.TLSConfig{
SafeTLSConfig: promv1.SafeTLSConfig{
CA: getCAConfigForServiceMonitor(request.OLMDeployment),
},
}
tlsConfig.ServerName = ptr.To(request.SSPServiceHostname)

serviceMonitor := newServiceMonitor(common.SspOperatorMetricsServiceName, request.Namespace, tlsConfig, metav1.LabelSelector{
MatchLabels: map[string]string{
MetricsServiceKey: common.SspOperatorMetricsServiceName,
},
})
return &serviceMonitor
}

func newServiceMonitor(name,
namespace string,
tlsConfig *promv1.TLSConfig,
selector metav1.LabelSelector) promv1.ServiceMonitor {
return promv1.ServiceMonitor{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
Name: rules.RuleName,
Name: name,
Labels: ServiceMonitorLabels(),
},
Spec: promv1.ServiceMonitorSpec{
NamespaceSelector: promv1.NamespaceSelector{
Any: true,
},
Selector: metav1.LabelSelector{
MatchLabels: map[string]string{
PrometheusLabelKey: PrometheusLabelValue,
},
},
Selector: selector,
Endpoints: []promv1.Endpoint{
{
Port: MetricsPortName,
Scheme: ptr.To(promv1.Scheme("https")),
TLSConfig: &promv1.TLSConfig{
SafeTLSConfig: promv1.SafeTLSConfig{
InsecureSkipVerify: ptr.To(true),
},
},
Port: MetricsPortName,
Scheme: ptr.To(promv1.Scheme("https")),
TLSConfig: tlsConfig,
HonorLabels: true,
},
},
Expand Down
Loading