From 8c1505c5587dbdcd6c89a3c02849b1f18ca35563 Mon Sep 17 00:00:00 2001
From: Dhiraj Bokde
Date: Sat, 3 Aug 2024 11:55:13 -0700
Subject: [PATCH] feat: add openshift serving certs to metrics endpoint, fixes RHOAIENG-1828 (#120)

---
 config/overlays/odh/kustomization.yaml | 8 +++--
 .../odh/patches/auth_proxy_service_patch.yaml | 8 +++++
 .../odh/{ => patches}/delete-namespace.yaml | 0
 .../odh/patches/manager_auth_proxy_patch.yaml | 29 +++++++++++++++++++
 config/overlays/odh/replacements.yaml | 21 ++++++++++++++
 5 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 config/overlays/odh/patches/auth_proxy_service_patch.yaml
 rename config/overlays/odh/{ => patches}/delete-namespace.yaml (100%)
 create mode 100644 config/overlays/odh/patches/manager_auth_proxy_patch.yaml

diff --git a/config/overlays/odh/kustomization.yaml b/config/overlays/odh/kustomization.yaml
index 010d3ca..b9baf3c 100644
--- a/config/overlays/odh/kustomization.yaml
+++ b/config/overlays/odh/kustomization.yaml
@@ -4,9 +4,13 @@ kind: Kustomization
 # Adds odh namespace to all resources.
 namespace: opendatahub
 
-# patch to remove default `system` namespace in ../../manager/manager.yaml
 patches:
-  - path: delete-namespace.yaml
+  # patch to remove default `system` namespace in ../../manager/manager.yaml
+  - path: patches/delete-namespace.yaml
+  # patch to add OpenShift serving cert annotation in metrics service
+  - path: patches/auth_proxy_service_patch.yaml
+  # patch to add serving cert to auth proxy container
+  - path: patches/manager_auth_proxy_patch.yaml
 
 # Labels to add to all resources and selectors.
 labels:
diff --git a/config/overlays/odh/patches/auth_proxy_service_patch.yaml b/config/overlays/odh/patches/auth_proxy_service_patch.yaml
new file mode 100644
index 0000000..4e44776
--- /dev/null
+++ b/config/overlays/odh/patches/auth_proxy_service_patch.yaml
@@ -0,0 +1,8 @@
+# This patch adds OpenShift serving cert annotation in HTTPS proxy for the controller manager
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: controller-manager-metrics-service
+  name: controller-manager-metrics-service
+  namespace: system
diff --git a/config/overlays/odh/delete-namespace.yaml b/config/overlays/odh/patches/delete-namespace.yaml
similarity index 100%
rename from config/overlays/odh/delete-namespace.yaml
rename to config/overlays/odh/patches/delete-namespace.yaml
diff --git a/config/overlays/odh/patches/manager_auth_proxy_patch.yaml b/config/overlays/odh/patches/manager_auth_proxy_patch.yaml
new file mode 100644
index 0000000..5417b64
--- /dev/null
+++ b/config/overlays/odh/patches/manager_auth_proxy_patch.yaml
@@ -0,0 +1,29 @@
+# This patch injects serving cert in HTTPS proxy for the controller manager
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        - "--tls-cert-file=/etc/server-cert/tls.crt"
+        - "--tls-private-key-file=/etc/server-cert/tls.key"
+        # name must match the volume name below
+        volumeMounts:
+        - name: server-cert
+          mountPath: /etc/server-cert
+          readOnly: true
+      # The secret data is exposed to Containers in the Pod through a Volume.
+      volumes:
+      - name: server-cert
+        secret:
+          secretName: controller-manager-metrics-service
+          defaultMode: 0600
diff --git a/config/overlays/odh/replacements.yaml b/config/overlays/odh/replacements.yaml
index e0292f9..b7c6d92 100644
--- a/config/overlays/odh/replacements.yaml
+++ b/config/overlays/odh/replacements.yaml
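Review bot: The annotation `service.beta.openshift.io/serving-cert-secret-name: controller-manager-metrics-service` asks service-ca for a certificate whose SAN is the in-cluster DNS name of this Service (`controller-manager-metrics-service.opendatahub.svc` once the overlay's `namespace:` transform has run), so whatever scrapes port 8443 must verify against the OpenShift service CA and that exact name, and nothing in this patch configures that scraper side. If a ServiceMonitor or Prometheus scrape config exists elsewhere in the overlay, check that it uses the injected service-ca bundle as `tlsConfig.caFile` with the matching `serverName`, rather than `insecureSkipVerify: true`, which would leave the serving cert unverified. The header comment would also help the next reader: `# Requires the OpenShift service-ca operator; the Secret named here is created by it, not by this overlay.`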
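Review bot: The `server-cert` volume under the new `volumes:` block references a Secret that only exists once the service-ca operator has reacted to the Service annotation, so the controller-manager pod stays in ContainerCreating until then and this overlay cannot come up on a cluster without service-ca; that dependency belongs where the generic `# The secret data is exposed to Containers in the Pod through a Volume.` comment is now, e.g. `# Serving-cert Secret issued by OpenShift service-ca for controller-manager-metrics-service; the pod will not start until it exists.` The `--upstream=http://127.0.0.1:8080/` argument only keeps metrics behind the proxy if the manager container binds its metrics listener to loopback (`--metrics-bind-address=127.0.0.1:8080` or equivalent); that container is not in this patch, so confirm it in the base manifest. Because a strategic-merge patch replaces a container's `args` list wholesale, the base kube-rbac-proxy arguments have to stay duplicated here, and while touching the listener it is worth pinning `--tls-min-version=VersionTLS12` (or `VersionTLS13`) explicitly rather than relying on the proxy's default.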
@@ -49,3 +49,24 @@
       name: controller-manager
     fieldPaths:
     - spec.template.spec.containers.[name=manager].env.[name=DEFAULT_CERT].value
+# Metrics service name replacements for auth proxy serving cert
+- source:
+    kind: Service
+    name: controller-manager-metrics-service
+    fieldPath: metadata.name
+  targets:
+  - select:
+      kind: Service
+      name: controller-manager-metrics-service
+    fieldPaths:
+    - metadata.annotations.[service.beta.openshift.io/serving-cert-secret-name]
+- source:
+    kind: Service
+    name: controller-manager-metrics-service
+    fieldPath: metadata.name
+  targets:
+  - select:
+      kind: Deployment
+      name: controller-manager
+    fieldPaths:
+    - spec.template.spec.volumes.[name=server-cert].secret.secretName
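Review bot: The two new `- source:` entries copy the same field (`metadata.name` of Service `controller-manager-metrics-service`) and differ only in their target, so the second block is a duplicate of the first; one replacement with both entries under `targets:` (the Service annotation and the Deployment volume `secretName`) says the same thing in fewer lines and in the one-source-many-targets shape kustomize replacements are built for. Keeping both targets in one replacement also makes it visible at a glance that the annotation value and the mounted Secret name stay identical after any `namePrefix`/`nameSuffix` rename, which is the property the serving cert depends on. The header comment could state that directly: `# Keep the serving-cert annotation and the mounted Secret name equal to the (possibly prefixed) Service name.`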