Provide CertManager certificates for the metrics service.

If certificates are not provided, the metrics service offered by controller-runtime will default to using its own self-signed certificates. While functional, relying on those self-signed certs is not recommended for production environments due to security reasons.
operator-framework · Nov 19, 2024 · 6c480ea · 6c480ea
1 parent 99d4973
commit 6c480ea
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -186,6 +186,13 @@ func main() {
 		// These configurations ensure that only authorized users and service accounts
 		// can access the metrics endpoint.
 		FilterProvider: filters.WithAuthenticationAndAuthorization,
+
+		// Ensure that metrics is protected with certs managed by cert-manager
+		// If not informed, the metrics service provided by controller-runtime will generate
+		// and use its own self-assigned certs which is not recommended for production envs.
+		CertDir:  "/var/certs/",
+		CertName: "olm-ca.crt",
+		KeyName:  "ca.crt",
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{