Move Metrics Initialization Behind Feature Gates

[camilamacedo86]

The metrics server should be controlled through a feature gate (MetricsEndpoint) to provide flexibility in enabling or disabling it. The following requirements must be met:

1. If the feature gate is disabled, the MetricsServer in the controller should not be initialized.
2. If the feature gate is enabled, the metrics server should function as expected.
3. No changes should be required in the default Kustomize configuration or deployment files to accommodate this functionality.

(Discussed in the meeting on Jan 14)

Acceptance Criteria - TL'DR

1. Metrics Server Initialization:

   • The metrics server is initialized only when the feature gate is enabled for catalogd and operator-controller
     -

     operator-controller/cmd/operator-controller/main.go

     Lines 187 to 224 in da28803

     	metricsServerOptions := server.Options{}
     	if len(certFile) > 0 && len(keyFile) > 0 {
     	setupLog.Info("Starting metrics server with TLS enabled", "addr", metricsAddr, "tls-cert", certFile, "tls-key", keyFile)
     	metricsServerOptions.BindAddress = metricsAddr
     	metricsServerOptions.SecureServing = true
     	metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
     	// If the certificate files change, the watcher will reload them.
     	var err error
     	certWatcher, err = certwatcher.New(certFile, keyFile)
     	if err != nil {
     	setupLog.Error(err, "Failed to initialize certificate watcher")
     	os.Exit(1)
     	}
     	metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
     	config.GetCertificate = certWatcher.GetCertificate
     	// If the enable-http2 flag is false (the default), http/2 should be disabled
     	// due to its vulnerabilities. More specifically, disabling http/2 will
     	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
     	// Rapid Reset CVEs. For more information see:
     	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
     	// - https://github.com/advisories/GHSA-4374-p667-p6c8
     	// Besides, those CVEs are solved already; the solution is still insufficient, and we need to mitigate
     	// the risks. More info https://github.com/golang/go/issues/63417
     	config.NextProtos = []string{"http/1.1"}
     	})
     	} else {
     	// Note that the metrics server is not serving if the BindAddress is set to "0".
     	// Therefore, the metrics server is disabled by default. It is only enabled
     	// if certFile and keyFile are provided. The intention is not allowing the metrics
     	// be served with the default self-signed certificate generated by controller-runtime.
     	metricsServerOptions.BindAddress = "0"
     	setupLog.Info("WARNING: Metrics Server is disabled. " +
     	"Metrics will not be served since the TLS certificate and key file are not provided.")
     	}

     
     -

     operator-controller/catalogd/cmd/catalogd/main.go

     Lines 191 to 208 in da28803

     	metricsServerOptions := metricsserver.Options{}
     	if len(certFile) > 0 && len(keyFile) > 0 {
     	setupLog.Info("Starting metrics server with TLS enabled", "addr", metricsAddr, "tls-cert", certFile, "tls-key", keyFile)
     	metricsServerOptions.BindAddress = metricsAddr
     	metricsServerOptions.SecureServing = true
     	metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
     	metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsOpts)
     	} else {
     	// Note that the metrics server is not serving if the BindAddress is set to "0".
     	// Therefore, the metrics server is disabled by default. It is only enabled
     	// if certFile and keyFile are provided. The intention is not allowing the metrics
     	// be served with the default self-signed certificate generated by controller-runtime.
     	metricsServerOptions.BindAddress = "0"
     	setupLog.Info("WARNING: Metrics Server is disabled. " +
     	"Metrics will not be served since the TLS certificate and key file are not provided.")
     	}

   • If the feature gate is disabled, the server should bind 0 to metricsServerOptions.BindAddress to prevent the controller runtime from starting the server.

2. Kustomize Configuration:

   • The existing Kustomize configuration should remain unchanged.

3. Testing:

• The e2e tests to validate the metrics endpoint should still be used and working with the future gate enabled.
  • https://github.com/operator-framework/operator-controller/blob/main/catalogd/test/e2e/metrics_endpoint_test.go
  • https://github.com/operator-framework/operator-controller/blob/main/test/e2e/metrics_test.go

4. Default Behavior:

   • (Required to discuss in the channel/PR) The default configuration should continue to enable the metrics server (i.e., the feature gate is enabled by default).

5. Ensure properly documentation

   • We have the PR: WIP: 📖 (doc): Add a doc as a guidance to help users know how to consume the metrics and integrate it with other solutions #1524, which will be addressed under docs/draft.
     - Update it to ensure the doc covers enabling and disabling the metrics
     - Check if the docs should be moved for the public docs as a feature gate feature

[camilamacedo86]

c/c @LalatenduMohanty @joelanford ^