Skip to content

fix(controller): secure metrics ServiceMonitor TLS#2747

Open
rootp1 wants to merge 1 commit into
kubearmor:mainfrom
rootp1:fix/controller-metrics-tls
Open

fix(controller): secure metrics ServiceMonitor TLS#2747
rootp1 wants to merge 1 commit into
kubearmor:mainfrom
rootp1:fix/controller-metrics-tls

Conversation

@rootp1

@rootp1 rootp1 commented Jul 7, 2026

Copy link
Copy Markdown

Purpose of PR?:

Fixes #2746

Does this PR introduce a breaking change?

No.

If the changes in this PR are manually verified, list down the scenarios covered::

  • Rendered the standalone controller ServiceMonitor and confirmed it no longer uses insecureSkipVerify: true.
  • Rendered a secure metrics overlay with cert-manager resources enabled and confirmed:
    • the ServiceMonitor uses insecureSkipVerify: false
    • the TLS serverName tracks the rendered metrics service name
    • the controller deployment mounts metrics-server-cert at the controller-runtime metrics cert path

Additional information for reviewer? :
This keeps the change scoped to controller manifests and secure-metrics wiring. It does not enable Prometheus or cert-manager by default in config/default; it documents and scaffolds the secure path that should be enabled alongside Prometheus scraping.

Checklist:

  • Bug fix. Fixes Controller ServiceMonitor disables TLS verification by default #2746
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

Summary

  • replace the controller ServiceMonitor default from insecure TLS skip-verify to cert-manager-backed certificate verification
  • add the missing cert-manager certificate resources and metrics secret mount patch needed for secure scraping
  • document the kustomize toggles and replacements required when enabling Prometheus scraping

Linked Issue

Fixes #2746

What Changed

  • updated pkg/KubeArmorController/config/prometheus/monitor.yaml to verify TLS with metrics-server-cert
  • added pkg/KubeArmorController/config/certmanager/* resources for webhook and metrics certificates
  • added pkg/KubeArmorController/config/default/cert_metrics_manager_patch.yaml
  • expanded pkg/KubeArmorController/config/default/kustomization.yaml guidance for secure Prometheus + cert-manager wiring

Verification

  • make build (in pkg/KubeArmorController) — passed
  • GOWORK=off go run sigs.k8s.io/kustomize/kustomize/v5@v5.5.0 build /tmp/kubearmor-controller-prometheus — passed
  • GOWORK=off go run sigs.k8s.io/kustomize/kustomize/v5@v5.5.0 build --load-restrictor LoadRestrictionsNone /tmp/kubearmor-controller-config-build/secure — passed
  • make test (in pkg/KubeArmorController) — failed: the target stopped during envtest tool bootstrap with tar: Error opening archive: Unrecognized archive format before project tests executed
  • make docker-build TAG=latest (in pkg/KubeArmorController) — failed: docker is not installed in this environment
  • make docker-build (in pkg/KubeArmorOperator) — failed: docker is not installed in this environment
  • ./KubeArmor/build/build_kubearmor.sh — failed: docker is not installed in this environment

Scope

  • only controller manifest/config files required for secure metrics scraping were changed; no unrelated repository files were included

Signed-off-by: rootp1 <arnav.iitr@gmail.com>
@rootp1

rootp1 commented Jul 7, 2026

Copy link
Copy Markdown
Author

@Aryan-sharma11 @AryanBakliwal @achrefbensaad
Please have a look, whenever you have a chance to

@rootp1

rootp1 commented Jul 8, 2026

Copy link
Copy Markdown
Author

GitHub Actions did not start on this PR. The workflow runs are ending in action_required immediately with zero jobs created, so this looks like a maintainer approval / fork-workflow gate rather than a repository-code failure. Once the workflows are approved to run, I can recheck any real CI results if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Controller ServiceMonitor disables TLS verification by default

1 participant