OCPBUGS-66898: Implement mTLS authentication and authorization for CVO metrics endpoint #1271

DavidHurta · 2025-12-10T23:29:50Z

This pull request proposes to migrate the CVO metrics endpoint from bearer token authentication to mutual TLS (mTLS) to comply with OpenShift metrics conventions.

Key changes:

Replaced custom certificate watching logic with the k8s.io/apiserver/pkg/server/dynamiccertificates package to simplify logic
Authenticate clients using mutual TLS (mTLS)
Authorize clients by verifying CN
Perform authorization once during TLS handshake instead of per-request
Add configurable authentication/authorization options for HyperShift compatibility
Update ServiceMonitor to use mTLS instead of bearer tokens

Breaking Changes:

Prometheus must now authenticate using client certificates signed by a trusted cluster CA. Clients without valid certificates are rejected during the TLS handshake.

Trade-offs:

Authorization at the TLS layer improves performance but produces less descriptive errors on failures.

openshift-ci · 2025-12-10T23:29:54Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2025-12-10T23:29:56Z

Walkthrough

Switched metrics auth from bearer-token to TLS client certificates with CN-based authorization, introduced dynamic certificate controllers and a MetricsOptions API, removed fsnotify-based reloads and token-review code, updated ServiceMonitor and go.mod, and adjusted tests and startup wiring.

Changes

Cohort / File(s)	Summary
Dependency updates `go.mod`	Replaced `gopkg.in/fsnotify.v1` v1.4.7 with `github.com/fsnotify/fsnotify` v1.9.0 (moved between require blocks); added direct `k8s.io/apiserver` v0.34.1 and removed its prior indirect entry.
ServiceMonitor manifest `install/0000_90_cluster-version-operator_02_servicemonitor.yaml`	Removed `bearerTokenFile` from endpoint; added `tlsConfig.certFile` and `tlsConfig.keyFile` to configure client-certificate TLS for Prometheus scraping.
Metrics implementation `pkg/cvo/metrics.go`	Replaced TokenReview/token-based auth with certificate-based auth using dynamic serving cert controller and optional client CA; added public `MetricsOptions` (`DisableAuthentication`, `DisableAuthorization`); changed `RunMetrics` and `createHttpServer` signatures; removed fsnotify and token-review helpers and related TLS rotation helpers.
Metrics tests `pkg/cvo/metrics_test.go`	Rewrote tests to validate `verifyPeerCertificate` using x509 certificate chains; removed fake TokenReview client and bearer-token HTTP tests.
Startup wiring `pkg/start/start.go`	Updated `RunMetrics` call to pass `MetricsOptions` instead of the previous boolean disable flag.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing touches

📝 Generate docstrings

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7bbe4ec and 290ee8b.

📒 Files selected for processing (2)

pkg/cvo/metrics.go
pkg/cvo/metrics_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

pkg/cvo/metrics_test.go
pkg/cvo/metrics.go

🪛 ast-grep (0.40.3)

pkg/cvo/metrics.go

[warning] 270-270: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{ClientAuth: clientAuth}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

[warning] 304-307: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{
ClientAuth: clientAuth,
GetConfigForClient: servingCertController.GetConfigForClient,
}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🔇 Additional comments (10)

pkg/cvo/metrics.go (9)

31-37: LGTM!

The constant is well-documented and references the OpenShift metrics conventions. The CN format correctly follows the Kubernetes service account naming pattern.

135-141: LGTM!

The simplified HTTP server creation is appropriate since authentication and authorization are now handled at the TLS layer during the handshake.

171-174: LGTM!

The public MetricsOptions struct provides clean configuration options for disabling authentication and authorization, which is necessary for HyperShift compatibility as documented in the PR objectives.

176-188: LGTM!

The CN-based authorization logic correctly:

Validates that verified certificate chains are present

Extracts the Common Name from the leaf certificate

Performs case-sensitive comparison against the allowed CN

Logs access decisions at appropriate verbosity levels

197-204: LGTM!

The configuration validation correctly prevents an invalid state where authorization is enabled without authentication, with a clear error message explaining the constraint.

206-227: LGTM!

The serving certificate controller is properly initialized:

RunOnce is called to validate the initial certificate state before starting the controller

The controller goroutine is tracked for proper lifecycle management

Error handling is appropriate

229-261: LGTM with note!

The client CA controller setup correctly:

Conditionally creates the controller only when authentication is enabled

Uses the standard extension-apiserver-authentication ConfigMap from kube-system namespace

Properly handles the interface assignment to avoid nil issues

Note: The code assumes the extension-apiserver-authentication ConfigMap exists in kube-system. Based on PR comments, this may not be available in HyperShift hosted control planes, which is why the DisableAuthentication flag exists.

310-354: LGTM!

The server lifecycle management is well-implemented:

Proper goroutine tracking with resultChannelCount

Graceful shutdown initiated via server.Shutdown(shutdownContext)

Context cancellation properly propagates shutdown signals to all goroutines

Error aggregation preserves the first error encountered

Shutdown timeout is enforced via shutdownContext.Done()

263-308: The TLS configuration correctly uses crypto.SecureTLSConfig from library-go, which enforces secure defaults including MinVersion 1.2. Static analysis tool warnings about the inner tls.Config objects (lines 271 and 305) are false positives—the configurations are properly secured through the wrapper function. The implementation is correct.

pkg/cvo/metrics_test.go (1)

1018-1138: LGTM!

The test provides excellent coverage of the CN-based authorization logic:

Tests the happy path with the authorized CN

Tests rejection of unauthorized CNs

Tests handling of missing certificates (nil and empty chains)

Tests that only the leaf certificate's CN is checked (not intermediate CAs)

Tests case sensitivity, which is critical for security

Uses proper error message validation

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

DavidHurta · 2025-12-10T23:30:07Z

/test ?

openshift-ci · 2025-12-10T23:30:12Z

@DavidHurta: The following commands are available to trigger required jobs:

/test e2e-agnostic-operator

/test e2e-agnostic-operator-techpreview

/test e2e-agnostic-ovn

/test e2e-agnostic-ovn-upgrade-into-change

/test e2e-agnostic-ovn-upgrade-into-change-techpreview

/test e2e-agnostic-ovn-upgrade-out-of-change

/test e2e-agnostic-ovn-upgrade-out-of-change-techpreview

/test e2e-aws-ovn-techpreview

/test e2e-hypershift

/test e2e-hypershift-conformance

/test gofmt

/test images

/test lint

/test okd-scos-images

/test unit

/test verify-deps

/test verify-update

/test verify-yaml

The following commands are available to trigger optional jobs:

/test e2e-agnostic-operator-devpreview

/test e2e-extended-tests

/test okd-scos-e2e-aws-ovn

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cluster-version-operator-main-e2e-agnostic-operator

pull-ci-openshift-cluster-version-operator-main-e2e-agnostic-ovn

pull-ci-openshift-cluster-version-operator-main-e2e-agnostic-ovn-upgrade-into-change

pull-ci-openshift-cluster-version-operator-main-e2e-agnostic-ovn-upgrade-out-of-change

pull-ci-openshift-cluster-version-operator-main-e2e-aws-ovn-techpreview

pull-ci-openshift-cluster-version-operator-main-e2e-hypershift

pull-ci-openshift-cluster-version-operator-main-e2e-hypershift-conformance

pull-ci-openshift-cluster-version-operator-main-gofmt

pull-ci-openshift-cluster-version-operator-main-images

pull-ci-openshift-cluster-version-operator-main-lint

pull-ci-openshift-cluster-version-operator-main-okd-scos-images

pull-ci-openshift-cluster-version-operator-main-unit

pull-ci-openshift-cluster-version-operator-main-verify-deps

pull-ci-openshift-cluster-version-operator-main-verify-update

pull-ci-openshift-cluster-version-operator-main-verify-yaml

Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2025-12-10T23:30:15Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [DavidHurta]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

DavidHurta · 2025-12-10T23:33:36Z

/test e2e-agnostic-ovn
/test e2e-hypershift
/test e2e-hypershift-conformance

DavidHurta · 2025-12-11T19:13:06Z

/test e2e-agnostic-ovn
/test e2e-hypershift
/test e2e-hypershift-conformance

DavidHurta · 2025-12-12T00:46:40Z

/test all

DavidHurta · 2025-12-12T23:46:30Z

/test all

DavidHurta · 2025-12-13T00:17:03Z

Note: PromeCIeus and the e2e-hypershift job can be used to verify that the CVO metrics in a hosted control plane can be scraped (when HyperShift is specified to use the OCP monitoring).

DavidHurta · 2025-12-13T00:17:51Z

@coderabbitai review

coderabbitai · 2025-12-13T00:17:56Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/cvo/metrics.go (1)
201-299: Harden the listener TLS config: ensure MinVersion/ciphers apply even if GetConfigForClient returns nil.

The base TLS config is secured via crypto.SecureTLSConfig, but the listener uses a fresh tls.Config literal containing only GetConfigForClient. If the callback returns nil or fails, the listener operates with default TLS settings lacking explicit cipher suite and minimum version constraints. Wrap the listener config with crypto.SecureTLSConfig to guarantee hardened settings at the listener level.
-	tlsConfig := &tls.Config{GetConfigForClient: servingCertController.GetConfigForClient}
+	tlsConfig := crypto.SecureTLSConfig(&tls.Config{GetConfigForClient: servingCertController.GetConfigForClient})
 	go startListening(server, tlsConfig, listenAddress, resultChannel)
Also verify the process has RBAC to read kube-system/extension-apiserver-authentication and that client-ca-file is the intended trust root for Prometheus' client cert chain in all target environments.

🧹 Nitpick comments (3)

pkg/cvo/metrics_test.go (1)

4-6: CN-based TLS auth tests are aligned with the new implementation; consider using httptest.NewRequest for a fully-formed request.
Current http.NewRequest("GET", "url-not-important", nil) is probably fine for this handler, but httptest.NewRequest("GET", "https://example.invalid/metrics", nil) is more idiomatic and avoids edge cases if the handler later reads URL/Host.

Also applies to: 1030-1088
pkg/cvo/metrics.go (2)
126-143: Rename disableAuth to disableAuthorization to avoid confusion (authn vs authz).
Right now createHttpServer(disableAuth bool) is called with metricsOptions.DisableAuthorization, but the parameter name reads like “disable authentication”.
-func createHttpServer(disableAuth bool) *http.Server {
-	if disableAuth {
+func createHttpServer(disableAuthorization bool) *http.Server {
+	if disableAuthorization {
 		handler := http.NewServeMux()
 		handler.Handle("/metrics", promhttp.Handler())
 		server := &http.Server{
 			Handler: handler,
 		}
 		return server
 	}
149-166: CN authorization is very strict; confirm the allowed identity set is complete for all supported deployments.
Hardcoding only system:serviceaccount:openshift-monitoring:prometheus-k8s may be correct, but it will break scraping if the client cert CN differs in hosted control planes / alternate Prometheus setups. Consider allowing a small allowlist (still static) to reduce fragility.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d4cb3b0 and 920ad71.

⛔ Files ignored due to path filters (69)

go.sum is excluded by !**/*.sum
vendor/github.com/fsnotify/fsnotify/.cirrus.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/.mailmap is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/backend_fen.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/backend_inotify.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/backend_other.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/backend_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/fsnotify.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/freebsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/internal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix2.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/internal/windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/shared.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/staticcheck.conf is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/system_bsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/fsnotify/fsnotify/system_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/.editorconfig is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/.travis.yml is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/AUTHORS is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/README.md is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/fen.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/fsnotify.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/inotify.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/inotify_poller.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/kqueue.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/open_mode_bsd.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/open_mode_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/gopkg.in/fsnotify.v1/windows.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/cert_key.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/client_ca.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_serving_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_sni_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/interfaces.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/named_certificates.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/static_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/tlsconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/union_content.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/util.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/OWNERS is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/event_broadcaster.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/event_recorder.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/fake.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/helper.go is excluded by !vendor/**, !**/vendor/**
vendor/k8s.io/client-go/tools/events/interfaces.go is excluded by !vendor/**, !**/vendor/**
vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (5)

go.mod (2 hunks)
install/0000_90_cluster-version-operator_02_servicemonitor.yaml (1 hunks)
pkg/cvo/metrics.go (5 hunks)
pkg/cvo/metrics_test.go (2 hunks)
pkg/start/start.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

install/0000_90_cluster-version-operator_02_servicemonitor.yaml
pkg/cvo/metrics_test.go
pkg/start/start.go
pkg/cvo/metrics.go
go.mod

🧬 Code graph analysis (1)

pkg/start/start.go (1)

pkg/cvo/metrics.go (2)

MetricsOptions (196-199)

RunMetrics (208-299)

🪛 ast-grep (0.40.0)

pkg/cvo/metrics.go

[warning] 245-245: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

[warning] 247-247: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

[warning] 273-273: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{GetConfigForClient: servingCertController.GetConfigForClient}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🔇 Additional comments (5)

install/0000_90_cluster-version-operator_02_servicemonitor.yaml (1)

14-21: Verify Prometheus mounts metrics-client-certs at the referenced file paths (otherwise scraping will fail).
ServiceMonitor now expects client cert/key at /etc/prometheus/secrets/metrics-client-certs/{tls.crt,tls.key}; ensure the cluster-monitoring-managed Prometheus pod has that secret mounted and populated in all target topologies (self-managed + hosted).

go.mod (1)

29-29: Dependency changes look consistent with dynamiccertificates adoption; please verify module graph is tidy and conflict-free.
Run a go mod tidy-equivalent in CI and ensure no remaining imports of gopkg.in/fsnotify.v1, and no k8s.io/* version skew introduced by the new direct k8s.io/apiserver requirement.

Also applies to: 42-42

pkg/start/start.go (1)

353-358: Double-check HyperShift semantics: this disables both client-cert auth and CN authorization.
Wiring to o.HyperShift is clean, but please confirm the hosted-control-plane scraping model really expects unauthenticated metrics over TLS (vs. mTLS with different client identity).

pkg/cvo/metrics.go (2)

18-20: Good move switching to dynamiccertificates; verify k8s.io/apiserver integration matches the vendored K8s minor version.
This import-level change is appropriate for hot-reloading certs/CA; just ensure no k8s.io/* skew and that dynamiccertificates APIs used here match v0.34.1 expectations.

196-199: MetricsOptions is a clean API shape for callers.

DavidHurta · 2025-12-13T16:33:19Z

/test e2e-hypershift
/test e2e-agnostic-ovn

DavidHurta · 2025-12-19T21:55:17Z

/test all

DavidHurta · 2025-12-19T21:55:52Z

@coderabbitai review

coderabbitai · 2025-12-19T21:55:58Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/cvo/metrics.go (1)

149-166: Certificate-based authorization correctly implemented.

The CN validation logic is sound: it checks for the presence of peer certificates and validates that the Common Name matches the expected Prometheus service account. The HTTP status codes (401 for missing certificate, 403 for unauthorized CN) are appropriate.

Note: The CN "system:serviceaccount:openshift-monitoring:prometheus-k8s" is hardcoded. Consider whether this should be configurable via MetricsOptions if other clients might need access in the future.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 920ad71 and ff6d96e.

📒 Files selected for processing (4)

install/0000_90_cluster-version-operator_02_servicemonitor.yaml (1 hunks)
pkg/cvo/metrics.go (5 hunks)
pkg/cvo/metrics_test.go (2 hunks)
pkg/start/start.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

pkg/cvo/metrics_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

install/0000_90_cluster-version-operator_02_servicemonitor.yaml
pkg/start/start.go
pkg/cvo/metrics.go

🧬 Code graph analysis (1)

pkg/start/start.go (1)

pkg/cvo/metrics.go (2)

MetricsOptions (196-199)

RunMetrics (208-312)

🪛 ast-grep (0.40.0)

pkg/cvo/metrics.go

[warning] 256-256: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{ClientAuth: clientAuth}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

[warning] 283-286: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{
ClientAuth: clientAuth,
GetConfigForClient: servingCertController.GetConfigForClient,
}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🔇 Additional comments (10)

install/0000_90_cluster-version-operator_02_servicemonitor.yaml (1)

14-21: LGTM! TLS client certificate authentication correctly configured.

The ServiceMonitor now uses TLS client certificates (certFile and keyFile) for authentication instead of bearer tokens, aligning with the mTLS implementation in pkg/cvo/metrics.go that validates the client certificate's CN.

pkg/cvo/metrics.go (8)

18-19: LGTM! Imports correctly updated for certificate-based approach.

The new imports for dynamiccertificates and kubernetes client replace the previous token-based authentication dependencies and support the dynamic certificate loading implementation.

126-143: LGTM! Simplified server creation aligns with TLS-based authentication.

The function signature correctly removes the authentication client dependency since authentication is now handled at the TLS layer via client certificates, with authorization delegated to the authHandler.

196-199: LGTM! Clean options struct for metrics configuration.

The MetricsOptions struct provides a clear, type-safe way to configure authentication and authorization behavior for the metrics server.

208-223: LGTM! Serving certificate controller correctly initialized.

The serving certificate controller is properly set up to watch and automatically reload the server's TLS certificate and key files. The RunOnce initialization before starting the background watcher ensures the files are loaded before the server starts.

225-249: LGTM! Client CA controller correctly set up when authentication is enabled.

The conditional creation and initialization of the client CA controller is appropriate—it's only needed when client certificate authentication is enabled. The controller watches the extension-apiserver-authentication ConfigMap in kube-system for CA changes, which aligns with Kubernetes' standard approach for extension API server authentication.

276-288: LGTM! Server and TLS configuration properly wired.

The HTTP server creation respects the DisableAuthorization setting, and the TLS configuration correctly uses GetConfigForClient to enable dynamic certificate updates. The ClientAuth setting in the final config ensures proper fallback behavior if the callback fails.

290-311: LGTM! Server lifecycle properly managed with graceful shutdown.

The implementation correctly handles the run/shutdown contexts, waits for server termination, performs graceful shutdown on context cancellation, and properly collects results from the server goroutine. Error handling and logging are appropriate.

252-267: This concern is not valid. crypto.SecureTLSConfig from github.com/openshift/library-go/pkg/crypto automatically sets MinVersion to the cluster's default TLS version (via DefaultTLSVersion()) when MinVersion is not explicitly set in the passed tls.Config. The code in metrics.go correctly relies on this behavior and does not need explicit MinVersion configuration.

Likely an incorrect or invalid review comment.

pkg/start/start.go (1)

353-357: LGTM! MetricsOptions correctly configured for HyperShift mode.

The creation of the MetricsOptions struct with both DisableAuthentication and DisableAuthorization set to o.HyperShift is appropriate. This ensures that in HyperShift deployments, both authentication and authorization are disabled together, while in standard deployments, both are enabled.

DavidHurta · 2025-12-20T01:23:00Z

/retest

DavidHurta · 2025-12-20T14:01:18Z

/retest

DavidHurta · 2025-12-20T22:01:10Z

/test e2e-hypershift-conformance
/test e2e-hypershift

DavidHurta · 2025-12-21T01:45:04Z

/test all

DavidHurta · 2025-12-22T02:15:55Z

/test all

DavidHurta · 2026-01-06T00:35:55Z

@coderabbitai review

coderabbitai · 2026-01-06T00:36:00Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

The previous approach of checking the client certificate on every HTTP request was redundant. The certificate remains constant for the entire session duration, which can span days with TLS session tickets and resumptions. Optimize authorization by verifying the CN once during the TLS handshake instead. This moves the authorization from the application onto the TLS layer. This can result in harder debugging due to the TLS layer failing without providing detailed information. For example: ``` curl: (56) OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0 command terminated with exit code 56 ``` However, it also makes the current authorization mechanism more explicit. The previous mechanism could infer that every HTTP request was being authorized, but that was not the case in reality. Some alternatives may be: - Disable session tickets and the resumption support to force more frequent authorizations. - Verify the client's certificate in the application layer, but add useful logic, such as checking for the certificate expiration date per every HTTP request. Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

openshift-ci-robot · 2026-01-06T16:32:46Z

@DavidHurta: This pull request references Jira Issue OCPBUGS-66898, which is invalid:

expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This pull request proposes to migrate the CVO metrics endpoint from bearer token authentication to mutual TLS (mTLS) to comply with OpenShift metrics conventions.

Key changes:

Replaced custom certificate watching logic with the k8s.io/apiserver/pkg/server/dynamiccertificates package to simplify logic

Authenticate clients using mutual TLS (mTLS)

Authorize clients by verifying CN

Perform authorization once during TLS handshake instead of per-request

Add configurable authentication/authorization options for HyperShift compatibility

Update ServiceMonitor to use mTLS instead of bearer tokens

Breaking Changes:

Prometheus must now authenticate using client certificates signed by a trusted cluster CA. Clients without valid certificates are rejected during the TLS handshake.

Trade-offs:

Authorization at the TLS layer improves performance but produces less descriptive errors on authentication failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

DavidHurta · 2026-01-06T16:34:00Z

/jira refresh

openshift-ci-robot · 2026-01-06T16:34:08Z

@DavidHurta: This pull request references Jira Issue OCPBUGS-66898, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

DavidHurta · 2026-01-06T16:57:41Z

Testing

Standalone OpenShift

Prometheus can scrape using mTLS

$ oc --as system:admin -n openshift-monitoring exec -c prometheus pod/prometheus-k8s-0 -- curl -si --cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt --cert /etc/prometheus/secrets/metrics-client-certs/tls.crt --key /etc/prometheus/secrets/metrics-client-certs/tls.key https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics
HTTP/1.1 200 OK
Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=underscores
Date: Tue, 06 Jan 2026 15:39:21 GMT
Transfer-Encoding: chunked

# HELP cluster_installer Reports info about the installation process and, if applicable, the install tool. The type is either 'openshift-install', indicating that openshift-install was used to install the cluster, or 'other', indicating that an unknown process installed the cluster. The invoker is 'user' by default, but it may be overridden by a consuming tool. The version reported is that of the openshift-install that was used to generate the manifests and, if applicable, provision the infrastructure.
# TYPE cluster_installer gauge

Client needs to provide its certificate

$ oc --as system:admin -n openshift-monitoring exec -c prometheus pod/prometheus-k8s-0 -- curl --cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
command terminated with exit code 56

The CN is verified correctly

The metrics-server Pod has its client certificate signed by the same issuer as does Prometheus. Let's try to scrape the CVO using the metric-server certs. I am using --insecure to bypass the need for a relevant local CA bundle file.

$ oc --as system:admin -n openshift-monitoring exec pod/metrics-server-676544b7fb-kzjbp -- curl --insecure --cert /etc/tls/metrics-server-client-certs/tls.crt --key /etc/tls/metrics-server-client-certs/tls.key  https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (56) OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0
command terminated with exit code 56

Checking the CVO logs:

I0106 15:39:30.018925       1 metrics.go:183] Access denied for CN: system:serviceaccount:openshift-monitoring:metrics-server

HyperShift

PromeCleus can be used in combination with the e2e-hypershift job to verify that the CVO metrics in a hosted control plane can be scraped. However, to my knowledge, the job utilizes the OCP monitoring. The metrics endpoint needs to be accessible by a custom monitoring stack as well. For the time being, that means having a disabled authorization and authentication to allow any client to scrape the hosted CVO.

Given that the OCP monitoring is able to scrape hosted CVO, it is safe to assume that a custom monitoring stack can as well. The hosted CVO does not even have access to the required CA bundle.

Prometheus output using PromeCIeus from a e2e-hypershift job run showcases a number of clusters:

The E2E functionality requires a follow-up with the HyperShift team regarding the E2E testing to not potentially introduce a regression with this PR.

DavidHurta · 2026-01-06T16:58:14Z

/hold

I am checking with the HyperShift team.

However, the PR is ready for a review.

DavidHurta · 2026-01-07T01:03:16Z

/test e2e-agnostic-ovn-upgrade-into-change
/test e2e-aws-ovn-techpreview
/test e2e-hypershift

openshift-ci · 2026-01-07T02:56:07Z

@DavidHurta: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-techpreview	`290ee8b`	link	true	`/test e2e-aws-ovn-techpreview`
ci/prow/okd-scos-images	`290ee8b`	link	true	`/test okd-scos-images`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

DavidHurta · 2026-01-07T17:17:19Z

pkg/cvo/metrics.go

 // RunMetrics launches a server bound to listenAddress serving
-// Prometheus metrics at /metrics over HTTPS.  Continues serving
+// Prometheus metrics at /metrics over HTTPS. Continues serving
 // until runContext.Done() and then attempts a clean shutdown
-// limited by shutdownContext.Done().  Assumes runContext.Done()
+// limited by shutdownContext.Done(). Assumes runContext.Done()
 // occurs before or simultaneously with shutdownContext.Done().
-// Also detects changes to metrics certificate files upon which
-// the metrics HTTP server is shutdown and recreated with a new
-// TLS configuration.
-func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, restConfig *rest.Config, disableMetricsAuth bool) error {
-	var tlsConfig *tls.Config
-	if listenAddress != "" {
-		var err error
-		tlsConfig, err = makeTLSConfig(certFile, keyFile)
-		if err != nil {
-			return fmt.Errorf("Failed to create TLS config: %w", err)
-		}
-	} else {
+// The TLS configuration automatically reloads certificates when
+// they change on disk using dynamiccertificates.


TODO: Update the description.

openshift-ci-robot · 2026-01-07T19:04:30Z

@DavidHurta: This pull request references Jira Issue OCPBUGS-66898, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

This pull request proposes to migrate the CVO metrics endpoint from bearer token authentication to mutual TLS (mTLS) to comply with OpenShift metrics conventions.

Key changes:

Replaced custom certificate watching logic with the k8s.io/apiserver/pkg/server/dynamiccertificates package to simplify logic

Authenticate clients using mutual TLS (mTLS)

Authorize clients by verifying CN

Perform authorization once during TLS handshake instead of per-request

Add configurable authentication/authorization options for HyperShift compatibility

Update ServiceMonitor to use mTLS instead of bearer tokens

Breaking Changes:

Prometheus must now authenticate using client certificates signed by a trusted cluster CA. Clients without valid certificates are rejected during the TLS handshake.

Trade-offs:

Authorization at the TLS layer improves performance but produces less descriptive errors on failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

wking · 2026-01-08T00:38:55Z

pkg/cvo/metrics.go

+	cn := verifiedChains[0][0].Subject.CommonName
+	if cn != metricsAllowedClientCN {
+		klog.V(4).Infof("Access denied for CN: %s", cn)
+		return errors.New("unauthorized CN")


nit: I don't mind as much for logs, but for error messages, which might eventually reach users, can we avoid accronyms with unauthorized common name or similar instead of using CN?

Also, not clear to me why we'd log the rejected CN in the previous Infof but not include it in the error message here. The client has the certificate, and they can go look at their CN there, but if we include the CN in the error message, maybe that saves them a bit of work?

wking · 2026-01-08T01:20:43Z

pkg/cvo/metrics.go

+// they change on disk using dynamiccertificates.
+func RunMetrics(runContext context.Context, shutdownContext context.Context, listenAddress, certFile, keyFile string, restConfig *rest.Config, metricsOptions MetricsOptions) error {
+	if listenAddress == "" {
 		return errors.New("TLS configuration is required to serve metrics")


probably worth updating this error message to point out that listenAddress is required. Looks like it's been stale since 0e6136c 😅

wking · 2026-01-08T01:33:35Z

pkg/cvo/metrics.go

-	origKeyChecksum, err := checksumFile(keyFile)
-	if err != nil {
-		return fmt.Errorf("Failed to initialize key file checksum: %w", err)
+	if err := servingContentController.RunOnce(metricsContext); err != nil {


I suspect that the RunOnce approach is intended to catch issues early and allow this function to hard fail, before launching the Run method. But there's more going on in Run than in RunOnce, and having no way to get information back out of the Run goroutine to tell you how it's going seems like it could be problematic. What if we have some kind of issue that would need a container restart to recover? But 🤷, I guess if I was particularly motivated, I could try to push for a clearer feedback mechanism in the upstream library. And ClusterVersionOperatorDown gives us a chance at calling in an admin to manually recover things if something in the metrics-serving pipe breaks. So not a blocker, just something that I'm grumbling about, in the hopes that it might motivate someone else to chase upstream about moving to an API with better feeback mechanisms ;)

wking · 2026-01-08T05:18:05Z

pkg/cvo/metrics.go

+	}
+
+	clientAuth := tls.NoClientCert
+	if !metricsOptions.DisableAuthentication {


nit: this seems like it would be slightly simpler if you shifted the clientAuth := tls.NoClientCert default up to the var clientCA ... level above, and merged the clientAuth = tls.RequireAndVerifyClientCert line into the previous !metricsOptions.DisableAuthentication block, instead of having two of those blocks in such close proximity.

Same for baseTlSConfig too, I think collecting all the insecure defaults in one place, and then overriding all of them in the secure section. Or maybe for the cheap ones we can initialize to the secure settings, like:

clientAuth := tls.RequireAndVerifyClientCert baseTlSConfig := crypto.SecureTLSConfig(&tls.Config{ClientAuth: clientAuth}) baseTlSConfig.VerifyPeerCertificate = verifyPeerCertificate var clientCA dynamiccertificates.CAContentProvider var clientCAController *dynamiccertificates.ConfigMapCAController if metricsOptions.DisableAuthentication { // weakening clientAuth = tls.NoClientCert baseTlSConfig.VerifyPeerCertificate = someDefault } else { // expensive strengthening kubeClient, err := kubernetes.NewForConfig(restConfig) ... }

wking · 2026-01-08T05:27:27Z

pkg/cvo/metrics.go

+
+	resultChannelCount++
+	go func() {
+		servingCertController.Run(1, metricsContext.Done())


Wondering about that workers=1 argument, 😂:

doesn't matter what workers say, only start one.

wking · 2026-01-08T05:29:51Z

pkg/cvo/metrics.go

-					continue
-				}
+			case <-metricsContext.Done():
+				klog.Infof("Clean shutdown requested: %v", metricsContext.Err())


the klog line will include metrics.go, but maybe mention metrics here, just to be extra clear? Clean metrics shutdown requested: ...?

wking · 2026-01-08T05:31:45Z

pkg/cvo/metrics.go

 			if loopError == nil {
 				loopError = shutdownError
-			} else if shutdownError != nil { // log the error we are discarding
-				klog.Errorf("Failed to gracefully shut down metrics server: %v", shutdownError)


I think you want to keep the logging down here, instead of shifting it to log unconditionally, otherwise you'll double up on the loopError message (which is getting logged below at the Infof level, and then again (presumably at the Errorf level) in whatever is at the top of the bubbled-back return loopError pipeline.

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 10, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 10, 2025

Run go mod tidy & go mod vendor

7d2ed9a

DavidHurta force-pushed the metrics-mtls branch from cb7083d to e7705e2 Compare December 12, 2025 00:14

DavidHurta force-pushed the metrics-mtls branch from e6cc3ae to 920ad71 Compare December 12, 2025 18:40

coderabbitai bot reviewed Dec 13, 2025

View reviewed changes

DavidHurta force-pushed the metrics-mtls branch from 920ad71 to ff6d96e Compare December 19, 2025 21:53

coderabbitai bot reviewed Dec 19, 2025

View reviewed changes

DavidHurta force-pushed the metrics-mtls branch from 1db20de to b0454ca Compare December 22, 2025 02:15

DavidHurta force-pushed the metrics-mtls branch from 7bbe4ec to 290ee8b Compare January 6, 2026 16:23

DavidHurta changed the title ~~WIP: Metrics mTLS~~ OCPBUGS-66898: Implement mTLS authentication and authorization for CVO metrics endpoint Jan 6, 2026

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 6, 2026

openshift-ci bot requested a review from dis016 January 6, 2026 16:34

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 6, 2026

DavidHurta marked this pull request as ready for review January 6, 2026 16:59

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026

DavidHurta commented Jan 7, 2026

View reviewed changes

wking reviewed Jan 8, 2026

View reviewed changes

OCPBUGS-66898: Implement mTLS authentication and authorization for CVO metrics endpoint #1271

Are you sure you want to change the base?

OCPBUGS-66898: Implement mTLS authentication and authorization for CVO metrics endpoint #1271

Conversation

DavidHurta commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Dec 10, 2025

Uh oh!

coderabbitai bot commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

DavidHurta commented Dec 10, 2025

Uh oh!

openshift-ci bot commented Dec 10, 2025

Uh oh!

openshift-ci bot commented Dec 10, 2025

Uh oh!

DavidHurta commented Dec 10, 2025

Uh oh!

DavidHurta commented Dec 11, 2025

Uh oh!

DavidHurta commented Dec 12, 2025

Uh oh!

DavidHurta commented Dec 12, 2025

Uh oh!

DavidHurta commented Dec 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DavidHurta commented Dec 13, 2025

Uh oh!

coderabbitai bot commented Dec 13, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

DavidHurta commented Dec 13, 2025

Uh oh!

DavidHurta commented Dec 19, 2025

Uh oh!

DavidHurta commented Dec 19, 2025

Uh oh!

coderabbitai bot commented Dec 19, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

DavidHurta commented Dec 20, 2025

Uh oh!

DavidHurta commented Dec 20, 2025

Uh oh!

DavidHurta commented Dec 20, 2025

Uh oh!

DavidHurta commented Dec 21, 2025

Uh oh!

DavidHurta commented Dec 22, 2025

Uh oh!

DavidHurta commented Jan 6, 2026

Uh oh!

coderabbitai bot commented Jan 6, 2026

Uh oh!

openshift-ci-robot commented Jan 6, 2026

Uh oh!

DavidHurta commented Jan 6, 2026

Uh oh!

openshift-ci-robot commented Jan 6, 2026

Uh oh!

DavidHurta commented Jan 6, 2026

Testing

Standalone OpenShift

Prometheus can scrape using mTLS

Client needs to provide its certificate

The CN is verified correctly

HyperShift

Uh oh!

DavidHurta commented Jan 6, 2026

Uh oh!

DavidHurta commented Dec 10, 2025 •

edited

Loading

coderabbitai bot commented Dec 10, 2025 •

edited

Loading

DavidHurta commented Dec 13, 2025 •

edited

Loading

wking Jan 8, 2026 •

edited

Loading

wking Jan 8, 2026 •

edited

Loading