OCPBUGS-77256: Implement mTLS authentication and authorization for CVO metrics endpoint#1326

Open
DavidHurta wants to merge 12 commits into openshift:release-4.21 from DavidHurta:backport-metrics-mtls-to-4.21

Conversation

@DavidHurta
Contributor

@DavidHurta DavidHurta commented Feb 25, 2026

A manual backport of #1271 due to conflicts in the pkg/cvo/metrics.go file caused by #1299 when applying the pkg/cvo/metrics: Utilize dynamiccertificates package for certificate updates commit.

DavidHurta and others added 12 commits February 25, 2026 01:26
(cherry picked from commit f77bc1e)
…updates

This commit's goal is to prepare the existing code for mTLS support.

In OpenShift, core operators SHOULD require authentication, and they
SHOULD support TLS client certificate authentication [1]. They also
SHOULD support local authorization and SHOULD allow the well-known
metrics scraping identity [1]. To achieve this, an operator must be able
to verify a client's certificate. To do this, the certificate can be
verified using the certificate authority (CA) bundle located in a
ConfigMap in the kube-system namespace [2].

This would entail an implementation of a new controller to watch the
ConfigMap for changes. To avoid such an implementation, and with it
potential bugs and future maintenance, my goal is to utilize the
`k8s.io/apiserver/pkg/server/dynamiccertificates` package for this goal,
as the package provides functionality for this specific use case.

While doing so, we can also rework the existing, somewhat complex,
implementation and utilize the package for existing use cases as well
to simplify the logic and use an existing, well-tested library.

[1]: https://github.com/openshift/enhancements/blob/master/CONVENTIONS.md#metrics
[2]: https://rhobs-handbook.netlify.app/products/openshiftmonitoring/collecting_metrics.md/#exposing-metrics-for-prometheus

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 2a432a6)
In OpenShift, core operators SHOULD require authentication and they
SHOULD support TLS client certificate authentication [1]. They also
SHOULD support local authorization and SHOULD allow the well-known
metrics scraping identity [1]. To achieve this, an operator must be able
to verify a client's certificate. To do this, the certificate can be
verified using the certificate authority (CA) bundle located at the
client-ca-file key of the kube-system/extension-apiserver-authentication
ConfigMap [2].

Guarantee failed connections when the config from the GetConfigForClient
method is nil to ensure connections are only using the TLS config
from the serving cert controller.

[1]: https://github.com/openshift/enhancements/blob/master/CONVENTIONS.md#metrics
[2]: https://rhobs-handbook.netlify.app/products/openshiftmonitoring/collecting_metrics.md/#exposing-metrics-for-prometheus

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 622e335)
In OpenShift, core operators SHOULD support local authorization and
SHOULD allow the well-known metrics scraping identity
(system:serviceaccount:openshift-monitoring:prometheus-k8s) to access
the /metrics endpoint. They MAY support delegated authorization check
via SubjectAccessReviews. [1]

The well-known metrics scraping identity's client certificate is issued
for the system:serviceaccount:openshift-monitoring:prometheus-k8s
Common Name (CN) and signed by the kubernetes.io/kube-apiserver-client
signer. [2]

Thus, the commit utilizes this fact to check the client's certificate
for this specific CN value. This is also done by the hardcodedauthorizer
package utilized by other OpenShift operators for the metrics
endpoint [3].

We could utilize the existing bearer token authorization as a fallback.
However, I would like to minimize the attack surface. Especially for
security things that we are implementing and testing, rather than
importing from well-established modules.

The commit implements a user information extraction from a
certificate to minimize the needed dependencies.

[1]: https://github.com/openshift/enhancements/blob/master/CONVENTIONS.md#metrics
[2]: https://rhobs-handbook.netlify.app/products/openshiftmonitoring/collecting_metrics.md/#exposing-metrics-for-prometheus
[3]: https://pkg.go.dev/github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 18495ae)
The `o.HyperShift` option is not available in older release branches.
In newer branches, the option can be utilized.

(cherry picked from commit 554fea0)
In HyperShift, the CVO currently needs to have both authorization and
authentication disabled. Ensure these aspects are disabled so as not to
break HyperShift.

However, in the future, the authentication will be enabled using mTLS
and a mounted CA bundle file. Thus, authentication needs to be
configurable.

Authorization needs to be configurable as well because HyperShift
allows a custom monitoring stack to scrape hosted control plane
components. In the future in HyperShift, authentication of the metrics
endpoint of the CVO will be enforced; however, the authorization will be
disabled. This commit prepares the code for these changes.

(cherry picked from commit 3519037)
This is done to provide HTTP return values in failures to comply
with the origin test suite.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 62f88dd)
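Added Go example (not the CVO's code and not part of this PR) of the scheme the commit messages describe: the client chain is verified against a CA bundle that is resolved per connection through GetConfigForClient, a missing bundle fails the connection instead of falling back to the base config, and the verified leaf's CN is compared with the well-known prometheus-k8s identity, with failures returned as HTTP status codes. It stands in for the dynamiccertificates package with a standard-library atomic pointer and constructs its own throwaway CA and client certificates; the function names and the `cvo_up` sample metric are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// metricsScraperCN is the well-known scraping identity; clientCAs is the hot-swappable client CA bundle (nil until loaded).
const metricsScraperCN = "system:serviceaccount:openshift-monitoring:prometheus-k8s"
var clientCAs atomic.Pointer[x509.CertPool]

// metricsHandler is the hardcoded-style local authorizer: TLS already verified the chain, so only the leaf CN is checked.
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	// RequireAndVerifyClientCert guarantees at least one verified peer certificate.
	if r.TLS.PeerCertificates[0].Subject.CommonName != metricsScraperCN {
		http.Error(w, "identity may not scrape /metrics", http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "cvo_up 1")
}

// startMetricsServer serves /metrics over mTLS; httptest supplies the serving certificate.
func startMetricsServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(metricsHandler))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		// Resolve the bundle per connection so a rotated CA applies without a restart. An error
		// (rather than nil) when no bundle is loaded fails the handshake instead of falling back here.
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			pool := clientCAs.Load()
			if pool == nil {
				return nil, fmt.Errorf("client CA bundle not loaded; refusing connection")
			}
			cfg := srv.TLS.Clone()
			cfg.GetConfigForClient, cfg.ClientCAs = nil, pool
			return cfg, nil
		},
	}
	srv.StartTLS()
	return srv
}

// loadClientCA installs (or rotates) the trusted client CA.
func loadClientCA(ca tls.Certificate) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	clientCAs.Store(pool)
}

// scrape does one GET presenting the given client certificate (none = no client cert); a rejected handshake is a non-nil error.
func scrape(srv *httptest.Server, client ...tls.Certificate) (int, error) {
	tr := srv.Client().Transport.(*http.Transport)
	tr.TLSClientConfig.Certificates = client
	tr.CloseIdleConnections() // never reuse a connection authenticated as someone else
	resp, err := srv.Client().Get(srv.URL + "/metrics")
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}

// issueCert mints a constructed test certificate: a self-signed CA when parent is nil, else a client leaf signed by parent.
func issueCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	parentCert, signer := tmpl, any(key)
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced just above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
```

A certificate with the right CN but issued by a CA outside the bundle never reaches the authorizer; it is rejected at the handshake, which is why the CN check alone is sufficient once verification is mandatory.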
@coderabbitai

coderabbitai bot commented Feb 25, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@openshift-ci
Contributor

openshift-ci bot commented Feb 25, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 25, 2026
@DavidHurta
Contributor Author

/jira cherrypick OCPBUGS-66898

@openshift-ci-robot
Contributor

@DavidHurta: Jira Issue OCPBUGS-66898 has been cloned as Jira Issue OCPBUGS-77256. Will retitle bug to link to clone.
/retitle OCPBUGS-77256: Backport metrics mtls to 4.21

Details

In response to this:

/jira cherrypick OCPBUGS-66898

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title Backport metrics mtls to 4.21 OCPBUGS-77256: Backport metrics mtls to 4.21 Feb 25, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 25, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-77256, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected dependent Jira Issue OCPBUGS-66898 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

A manual backport of #1271 due to conflicts in the pkg/cvo/metrics.go file caused by #1299 when applying the pkg/cvo/metrics: Utilize dynamiccertificates package for certificate updates commit.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@DavidHurta DavidHurta changed the title OCPBUGS-77256: Backport metrics mtls to 4.21 OCPBUGS-77256: Implement mTLS authentication and authorization for CVO metrics endpoint Feb 25, 2026
@DavidHurta
Contributor Author

/hold

openshift/release#75219

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 25, 2026
@DavidHurta
Contributor Author

/retest

@openshift-ci
Contributor

openshift-ci bot commented Feb 25, 2026

@DavidHurta: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@wking
Member

wking commented Feb 27, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 27, 2026
@openshift-ci-robot
Contributor

@wking: This pull request references Jira Issue OCPBUGS-77256, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-66898 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-66898 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

Requesting review from QA contact:
/cc @jiajliu

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from jiajliu February 27, 2026 01:30
@jiajliu
Contributor

jiajliu commented Mar 4, 2026

/jira refresh

@openshift-ci-robot
Contributor

@jiajliu: This pull request references Jira Issue OCPBUGS-77256, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-66898 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-66898 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from dis016 March 4, 2026 00:55
@dis016

dis016 commented Mar 5, 2026

Test Scenarios:
Prometheus can scrape using mTLS

dinesh@Dineshs-MacBook-Pro ~ % oc get clusterversion 
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2026-03-05-093718-test-ci-ln-nknvyqk-latest   True        False         33m     Cluster version is 4.21.0-0-2026-03-05-093718-test-ci-ln-nknvyqk-latest
dinesh@Dineshs-MacBook-Pro ~ % 

Prometheus should not scrape with bearer token.

dinesh@Dineshs-MacBook-Pro ~ % token=$(oc create token prometheus-k8s  -n openshift-monitoring)
dinesh@Dineshs-MacBook-Pro ~ % oc -n openshift-monitoring exec -c prometheus pod/prometheus-k8s-0 -- curl -i -H "Authorization:Bearer $token"  https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
command terminated with exit code 60
dinesh@Dineshs-MacBook-Pro ~ % 

Client key is required with CA bundle

dinesh@Dineshs-MacBook-Pro ~ % oc -n openshift-monitoring exec -c prometheus pod/prometheus-k8s-0 -- curl -i --cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt --cert /etc/prometheus/secrets/metrics-client-certs/tls.crt https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (58) unable to set private key file: '/etc/prometheus/secrets/metrics-client-certs/tls.crt' type PEM
command terminated with exit code 58
dinesh@Dineshs-MacBook-Pro ~ % 

@dis016

dis016 commented Mar 5, 2026

Test Scenario: Verify CVO endpoint cluster-version-operator.openshift-cluster-version.svc_9099 is working well with new mTLS authentication. Used code from OTP#28753

dinesh@Dineshs-MacBook-Pro openshift-tests-private % ./bin/extended-platform-tests run all --dry-run |grep -E "41391" |./bin/extended-platform-tests run --timeout "90m" -f -
  I0305 16:43:49.907451 16357 test.go:180] Found authentication type used: 
  I0305 16:43:49.907865 16357 test_context.go:567] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
  I0305 16:43:53.860946 16357 api.go:57] EnvIsKubernetesCluster = no, start monitoring ClusterOperators and ClusterVersions
started: (0/1/1) "[sig-updates] OTA cvo should NonHyperShiftHOST-Author:dis-Medium-41391-cvo serves metrics over only https not http"

  I0305 16:43:58.601902 16428 openshift-tests.go:203] Is kubernetes cluster: no, is external OIDC cluster: no
  I0305 16:43:58.602222 16428 test_context.go:567] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
  [1772709234] openshift extended e2e - 1/1 specs I0305 16:44:05.030890 16428 client.go:293] configPath is now "/var/folders/gw/q6gbymqn2xn3t21cr090k05h0000gn/T/configfile1722277165"
  I0305 16:44:05.030927 16428 client.go:368] The user is now "e2e-test-openshift-cluster-version-pjsnf-user"
  I0305 16:44:05.030938 16428 client.go:370] Creating project "e2e-test-openshift-cluster-version-pjsnf"
  I0305 16:44:06.466717 16428 client.go:378] Waiting on permissions in project "e2e-test-openshift-cluster-version-pjsnf" ...
  I0305 16:44:07.595821 16428 client.go:407] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs
  I0305 16:44:07.880202 16428 client.go:422] Waiting for ServiceAccount "default" to be provisioned...
  I0305 16:44:08.632994 16428 client.go:422] Waiting for ServiceAccount "builder" to be provisioned...
  I0305 16:44:09.309721 16428 client.go:422] Waiting for ServiceAccount "deployer" to be provisioned...
  I0305 16:44:09.969758 16428 client.go:432] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I0305 16:44:10.578495 16428 client.go:432] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I0305 16:44:11.190614 16428 client.go:432] Waiting for RoleBinding "system:deployers" to be provisioned...
  I0305 16:44:12.920808 16428 client.go:469] Project "e2e-test-openshift-cluster-version-pjsnf" has been fully provisioned.
  STEP: Check cvo delopyment config file... 03/05/26 16:44:12.921
  I0305 16:44:12.921054 16428 utils.go:64] Dumping deployments cluster-version-operator from namespace openshift-cluster-version
  I0305 16:44:13.789803 16428 utils.go:70] apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "2"
      exclude.release.openshift.io/internal-openshift-hosted: "true"
      include.release.openshift.io/self-managed-high-availability: "true"
      kubernetes.io/description: The cluster-version operator manages OpenShift updates
        and reconciles core resources and cluster operators.
    creationTimestamp: "2026-03-05T09:54:59Z"
    generation: 2
    name: cluster-version-operator
    namespace: openshift-cluster-version
    ownerReferences:
    - apiVersion: config.openshift.io/v1
      controller: true
      kind: ClusterVersion
      name: version
      uid: b07bb9b8-4a1d-48ff-a2d2-a7e5bfeda654
    resourceVersion: "9544"
    uid: fe5cf609-9c38-45c4-9e77-08d94dab2f29
  spec:
    progressDeadlineSeconds: 600
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        k8s-app: cluster-version-operator
    strategy:
      type: Recreate
    template:
      metadata:
        annotations:
          openshift.io/required-scc: hostaccess
          target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
        labels:
          k8s-app: cluster-version-operator
        name: cluster-version-operator
      spec:
        automountServiceAccountToken: false
        containers:
        - args:
          - start
          - --release-image=registry.build08.ci.openshift.org/ci-ln-nknvyqk/release@sha256:25b0a2bf088a0b972bc3f2a33d9b18d5e5dcf4de911354bbb05cccc2be0ac2a8
          - --enable-auto-update=false
          - --listen=0.0.0.0:9099
          - --serving-cert-file=/etc/tls/serving-cert/tls.crt
          - --serving-key-file=/etc/tls/serving-cert/tls.key
          - --v=2
          - --always-enable-capabilities=Ingress
          env:
          - name: OPERATOR_IMAGE_VERSION
            value: 0.0.1-snapshot
          - name: KUBERNETES_SERVICE_PORT
            value: "6443"
          - name: KUBERNETES_SERVICE_HOST
            value: api-int.ci-ln-nknvyqk-72292.gcp-2.ci.openshift.org
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CLUSTER_PROFILE
            value: self-managed-high-availability
          image: registry.build08.ci.openshift.org/ci-ln-nknvyqk/release@sha256:25b0a2bf088a0b972bc3f2a33d9b18d5e5dcf4de911354bbb05cccc2be0ac2a8
          imagePullPolicy: IfNotPresent
          name: cluster-version-operator
          ports:
          - containerPort: 9099
            hostPort: 9099
            name: metrics
            protocol: TCP
          resources:
            requests:
              cpu: 20m
              memory: 50Mi
          securityContext:
            readOnlyRootFilesystem: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
          - mountPath: /etc/ssl/certs
            name: etc-ssl-certs
            readOnly: true
          - mountPath: /etc/cvo/updatepayloads
            name: etc-cvo-updatepayloads
            readOnly: true
          - mountPath: /etc/tls/serving-cert
            name: serving-cert
            readOnly: true
          - mountPath: /etc/tls/service-ca
            name: service-ca
            readOnly: true
          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: kube-api-access
            readOnly: true
        dnsPolicy: Default
        hostNetwork: true
        nodeSelector:
          node-role.kubernetes.io/master: ""
        priorityClassName: system-cluster-critical
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 130
        tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node.kubernetes.io/network-unavailable
          operator: Exists
        - effect: NoSchedule
          key: node.kubernetes.io/not-ready
          operator: Exists
        - effect: NoExecute
          key: node.kubernetes.io/unreachable
          operator: Exists
          tolerationSeconds: 120
        - effect: NoExecute
          key: node.kubernetes.io/not-ready
          operator: Exists
          tolerationSeconds: 120
        volumes:
        - hostPath:
            path: /etc/ssl/certs
            type: ""
          name: etc-ssl-certs
        - hostPath:
            path: /etc/cvo/updatepayloads
            type: ""
          name: etc-cvo-updatepayloads
        - name: serving-cert
          secret:
            defaultMode: 420
            secretName: cluster-version-operator-serving-cert
        - configMap:
            defaultMode: 420
            name: openshift-service-ca.crt
          name: service-ca
        - name: kube-api-access
          projected:
            defaultMode: 420
            sources:
            - serviceAccountToken:
                expirationSeconds: 3600
                path: token
            - configMap:
                items:
                - key: ca.crt
                  path: ca.crt
                name: kube-root-ca.crt
            - downwardAPI:
                items:
                - fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
                  path: namespace
  status:
    availableReplicas: 1
    conditions:
    - lastTransitionTime: "2026-03-05T10:01:16Z"
      lastUpdateTime: "2026-03-05T10:01:16Z"
      message: Deployment has minimum availability.
      reason: MinimumReplicasAvailable
      status: "True"
      type: Available
    - lastTransitionTime: "2026-03-05T09:54:59Z"
      lastUpdateTime: "2026-03-05T10:01:16Z"
      message: ReplicaSet "cluster-version-operator-664d46fcfb" has successfully progressed.
      reason: NewReplicaSetAvailable
      status: "True"
      type: Progressing
    observedGeneration: 2
    readyReplicas: 1
    replicas: 1
    updatedReplicas: 1
  STEP: Check cluster-version-operator binary help 03/05/26 16:44:13.791
  I0305 16:44:15.081296 16428 cvo.go:463] Get cvo pods: [cluster-version-operator-664d46fcfb-r5ncr]
  I0305 16:44:18.082557 16428 cvo.go:467] CVO help returned: Starts Cluster Version Operator

  Usage:
    cluster-version-operator start [flags]

  Flags:
        --always-enable-capabilities strings   List of the cluster capabilities which will always be implicitly enabled.
        --enable-auto-update                   Enables the autoupdate controller.
    -h, --help                                 help for start
        --hypershift                           This options indicates whether the CVO is running inside a hosted control plane.
        --kubeconfig string                    Kubeconfig file to access a remote cluster (testing only)
        --listen string                        Address to listen on for metrics (default "0.0.0.0:9099")
        --metrics-ca-bundle-file string        The service CA bundle file containing one or more X.509 certificate files for validating certificates generated from the service CA for the respective remote PromQL query service. (default "/etc/tls/service-ca/service-ca.crt")
        --metrics-namespace string             The name of the namespace where the the remote PromQL query service resides. Must be specified when --use-dns-for-services is disabled. (default "openshift-monitoring")
        --metrics-service string               The name of the remote PromQL query service. Must be specified when --use-dns-for-services is disabled. (default "thanos-querier")
        --metrics-token-file string            The bearer token file used to access the remote PromQL query service. (default "/var/run/secrets/kubernetes.io/serviceaccount/token")
        --metrics-url string                   The URL used to access the remote PromQL query service. (default "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091")
        --node-name string                     kubernetes node name CVO is scheduled on. (default "ci-ln-nknvyqk-72292-5ch4j-master-0")
        --release-image string                 The Openshift release image url.
        --serving-cert-file string             The X.509 certificate file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.
        --serving-key-file string              The X.509 key file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.
        --update-service string                The preferred update service.  If set, this option overrides any upstream value configured in ClusterVersion spec.
        --use-dns-for-services                 Configures the CVO to use DNS for resolution of services in the cluster.

  Global Flags:
        --add_dir_header                   If true, adds the file directory to the header of the log messages
        --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true) (default true)
        --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
        --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
        --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
        --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
        --logtostderr                      log to standard error instead of files (default true)
        --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
        --skip_headers                     If true, avoid header prefixes in the log messages
        --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
        --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
    -v, --v Level                          number for the log level verbosity
        --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
  STEP: Verify cvo metrics is only exported via https 03/05/26 16:44:18.082
  I0305 16:44:18.927608 16428 cvo.go:482] Get cvo's spec.endpoints: [map[interval:30s port:metrics scheme:https tlsConfig:map[caFile:/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt certFile:/etc/prometheus/secrets/metrics-client-certs/tls.crt keyFile:/etc/prometheus/secrets/metrics-client-certs/tls.key serverName:cluster-version-operator.openshift-cluster-version.svc]]]
  I0305 16:44:19.875436 16428 cvo.go:489] Get cvo's spec.endpoints scheme: https
  I0305 16:44:19.875597 16428 cvo.go:499] Constructed CVO endpoint: cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099
  STEP: Check metric server is providing service https, but not http 03/05/26 16:44:19.875
  STEP: Check metrics is not provided via token auth 03/05/26 16:44:23.287
  I0305 16:44:23.287837 16428 prometheus_monitoring.go:208] Getting a token assgined to prometheus-k8s from openshift-monitoring namespace...
  I0305 16:44:27.418202 16428 client.go:1094] Error running oc --kubeconfig=/Users/dinesh/Downloads/kubeconfig exec -n openshift-monitoring prometheus-k8s-0 -- /bin/bash -c curl -i -H "Authorization: Bearer <redacted>" https://cluster-version-operator.openshift-cluster-version.svc.cluster.local:9099/metrics:
  StdOut>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: self-signed certificate in certificate chain
  More details here: https://curl.se/docs/sslcerts.html

  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.
  command terminated with exit code 60
  StdErr>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: self-signed certificate in certificate chain
  More details here: https://curl.se/docs/sslcerts.html

  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.
  command terminated with exit code 60

  STEP: Check metric server is providing service via https correctly with ssl auth 03/05/26 16:44:27.418
  I0305 16:44:31.126526 16428 client.go:689] Deleted {user.openshift.io/v1, Resource=users  e2e-test-openshift-cluster-version-pjsnf-user}, err: <nil>
  I0305 16:44:31.409250 16428 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-openshift-cluster-version-pjsnf}, err: <nil>
  I0305 16:44:31.777062 16428 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~TuD2m9yVXM4NFojKkxOASLVHhVPE_sWzZSI01JziYz4}, err: <nil>
  • SUCCESS! 30.954491565s 
passed: (38.2s) 2026-03-05T11:14:32 "[sig-updates] OTA cvo should NonHyperShiftHOST-Author:dis-Medium-41391-cvo serves metrics over only https not http"

1 pass, 0 skip (38.2s)
dinesh@Dineshs-MacBook-Pro openshift-tests-private % 

@dis016

dis016 commented Mar 5, 2026

/verified by @dis016

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 5, 2026
@openshift-ci-robot
Contributor

@dis016: This PR has been marked as verified by @dis016.

Details

In response to this:

/verified by @dis016

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
