feat: add openshift serving certs to metrics endpoint, fixes RHOAIENG…

…-1828 (#120)

config/overlays/odh/kustomization.yaml

@@ -4,9 +4,13 @@ kind: Kustomization
 # Adds odh namespace to all resources.
 namespace: opendatahub
 
-# patch to remove default `system` namespace in ../../manager/manager.yaml
 patches:
-  - path: delete-namespace.yaml
+  # patch to remove default `system` namespace in ../../manager/manager.yaml
+  - path: patches/delete-namespace.yaml
+  # patch to add OpenShift serving cert annotation in metrics service
+  - path: patches/auth_proxy_service_patch.yaml
+  # patch to add serving cert to auth proxy container
+  - path: patches/manager_auth_proxy_patch.yaml
 
 # Labels to add to all resources and selectors.
 labels:

config/overlays/odh/patches/auth_proxy_service_patch.yaml

@@ -0,0 +1,8 @@
+# This patch adds OpenShift serving cert annotation in HTTPS proxy for the controller manager
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: controller-manager-metrics-service
+  name: controller-manager-metrics-service
+  namespace: system

config/overlays/odh/patches/manager_auth_proxy_patch.yaml

@@ -0,0 +1,29 @@
+# This patch injects serving cert in HTTPS proxy for the controller manager
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        - "--tls-cert-file=/etc/server-cert/tls.crt"
+        - "--tls-private-key-file=/etc/server-cert/tls.key"
+        # name must match the volume name below
+        volumeMounts:
+        - name: server-cert
+          mountPath: /etc/server-cert
+          readOnly: true
+      # The secret data is exposed to Containers in the Pod through a Volume.
+      volumes:
+        - name: server-cert
+          secret:
+            secretName: controller-manager-metrics-service
+            defaultMode: 0600

config/overlays/odh/replacements.yaml

@@ -49,3 +49,24 @@
         name: controller-manager
       fieldPaths:
         - spec.template.spec.containers.[name=manager].env.[name=DEFAULT_CERT].value
+# Metrics service name replacements for auth proxy serving cert
+- source:
+    kind: Service
+    name: controller-manager-metrics-service
+    fieldPath: metadata.name
+  targets:
+    - select:
+        kind: Service
+        name: controller-manager-metrics-service
+      fieldPaths:
+        - metadata.annotations.[service.beta.openshift.io/serving-cert-secret-name]
+- source:
+    kind: Service
+    name: controller-manager-metrics-service
+    fieldPath: metadata.name
+  targets:
+    - select:
+        kind: Deployment
+        name: controller-manager
+      fieldPaths:
+        - spec.template.spec.volumes.[name=server-cert].secret.secretName