From 6c480eab92f4ab5141e26d713dfd817c01887efb Mon Sep 17 00:00:00 2001
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>
Date: Tue, 19 Nov 2024 18:54:07 +0000
Subject: [PATCH] Provide CertManager certificates for the metrics service.

If certificates are not provided, the metrics service offered by controller-runtime will default to using its own self-signed certificates. While functional, relying on those self-signed certs is not recommended for production environments due to security reasons.
---
 cmd/manager/main.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 2ba29b054..5a26a116f 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -186,6 +186,13 @@ func main() {
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint.
 FilterProvider: filters.WithAuthenticationAndAuthorization,
+
+ // Ensure that metrics is protected with certs managed by cert-manager
+ // If not informed, the metrics service provided by controller-runtime will generate
+ // and use its own self-assigned certs which is not recommended for production envs.
+ CertDir: "/var/certs/",
+ CertName: "olm-ca.crt",
+ KeyName: "ca.crt",
 }

 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
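Review bot: `KeyName: "ca.crt"` points the TLS private key at a file with a certificate name, and `CertName: "olm-ca.crt"` reads like a CA certificate rather than a serving certificate; this is inferred from the file names alone, since the mounted volume is not visible in the hunk. If these really are CA materials, the metrics endpoint would serve with the CA identity and the CA private key would sit in the manager pod, so please confirm what the two files contain. A cert-manager-issued secret normally carries the serving pair as `tls.crt` / `tls.key`, i.e. `CertName: "tls.crt"` and `KeyName: "tls.key"`. The directory `/var/certs/` is hard-coded, so a deployment without that mount presumably fails at startup instead of falling back to self-signed certs; the added comment should state that requirement and say "self-signed" rather than "self-assigned". The options literal and `main` begin and end outside this hunk.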