Add OpenShift service-ca support for authenticated metrics endpoints (#3677)

anik120 · web-flow · commit 971d680a2b87 · 2025-10-20T15:12:18.000Z
Adds support for OpenShift service-ca-operator alongside existing cert-manager support for authenticated metrics
endpoints. This enables the metrics authentication feature to work in both upstream Kubernetes (with cert-manager) and
OpenShift (with service-ca) environments.

 - Add explicit RBAC permissions for `tokenreviews` and `subjectaccessreviews` required by authentication filters
 - Add `serviceCa` configuration section to values.yaml with configurable secret/service names
 - Update deployment templates to support both `certManager` and `serviceCa` modes conditionally
 - Update service templates to conditionally add service-ca annotations when enabled
 - Maintain backward compatibility with existing `certManager` and `monitoring` configurations
diff --git a/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml b/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml
@@ -8,6 +8,18 @@ rules:
   verbs: ["watch", "list", "get", "create", "update", "patch", "delete", "deletecollection", "escalate", "bind"]
 - nonResourceURLs: ["*"]
   verbs: ["*"]
+- apiGroups:
+    - authentication.k8s.io
+  resources:
+    - tokenreviews
+  verbs:
+    - create
+- apiGroups:
+    - authorization.k8s.io
+  resources:
+    - subjectaccessreviews
+  verbs:
+    - create
 ---
 kind: ServiceAccount
 apiVersion: v1
diff --git a/deploy/chart/templates/0000_50_olm_03-services.yaml b/deploy/chart/templates/0000_50_olm_03-services.yaml
@@ -1,39 +1,43 @@
-{{ if .Values.monitoring.enabled }}
+{{- if or .Values.monitoring.enabled .Values.serviceCa.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: olm-operator-metrics
+  name: {{ .Values.olm.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: olm-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.olmOperator.secretName }}
+  {{- end }}
   labels:
     app: olm-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ .Values.olm.service.externalPort }}
+    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.externalPort }}{{ end }}
     protocol: TCP
-    targetPort: {{ .Values.olm.service.internalPort }}
+    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
   selector:
     app: olm-operator
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: catalog-operator-metrics
+  name: {{ .Values.catalog.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: catalog-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.catalogOperator.secretName }}
+  {{- end }}
   labels:
     app: catalog-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ .Values.catalog.service.externalPort }}
+    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.externalPort }}{{ end }}
     protocol: TCP
-    targetPort: {{ .Values.catalog.service.internalPort }}
+    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
   selector:
     app: catalog-operator
 {{ end }}
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -74,7 +81,7 @@ spec:
           - --writePackageServerStatusName
           - {{ .Values.writePackageServerStatusName }}
           {{- end }}
-         {{- if .Values.certManager.enabled }}
+         {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -85,18 +92,18 @@ spec:
           image: {{ .Values.olm.image.ref }}
           imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           env:
           - name: OPERATOR_NAMESPACE
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -71,7 +78,7 @@ spec:
           - --writeStatusName
           - {{ .Values.writeStatusNameCatalog }}
           {{- end }}
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -92,18 +99,18 @@ spec:
           {{- end }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           {{- if .Values.catalog.resources }}
           resources:
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
@@ -27,6 +27,7 @@ olm:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
+    name: olm-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -46,6 +47,7 @@ catalog:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
+    name: catalog-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -89,6 +91,18 @@ certManager:
     extraDnsNames: []
     extraIpAddresses: []
 
+# OpenShift service-ca configuration
+# When enabled, uses OpenShift service-ca-operator for certificate management
+# This is mutually exclusive with certManager - only one should be enabled
+serviceCa:
+  enabled: false
+  # Secret names are left empty in upstream, to be filled by downstream values.yaml
+  # Service names are taken from olm.service.name and catalog.service.name
+  olmOperator:
+    secretName: ""
+  catalogOperator:
+    secretName: ""
+
 networkPolicy:
   dns:
     ports:
