temp

bundle.Dockerfile

@@ -1,34 +1,5 @@
 FROM scratch
 
-# This block are standard Red Hat container labels
-LABEL name="openshift4-wincw/windows-machine-config-operator-bundle" \
-    License="ASL 2.0" \
-    io.k8s.display-name="Windows Machine Config Operator bundle" \
-    io.k8s.description="Windows Machine Config Operator's OLM bundle image" \
-    summary="Windows Machine Config Operator's OLM bundle image" \
-    maintainer="Team Windows Containers <[email protected]>"
-
-# These are three labels needed to control how the pipeline should handle this container image
-# This first label tells the pipeline that this is a bundle image and should be
-# delivered via an index image
-LABEL com.redhat.delivery.operator.bundle=true
-
-# This second label tells the pipeline which versions of OpenShift the operator supports.
-# This is used to control which index images should include this operator.
-LABEL com.redhat.openshift.versions="=v4.17"
-
-# This third label tells the pipeline that this operator should *also* be supported on OCP 4.4 and
-# earlier.  It is used to control whether or not the pipeline should attempt to automatically
-# backport this content into the old appregistry format and upload it to the quay.io application
-# registry endpoints.
-LABEL com.redhat.delivery.backport=false
-
-# This label gets replaced by render_templates, so it is safer to keep it on its own
-LABEL version="v0.0.0"
-
-# This label maps to the brew build target
-LABEL com.redhat.component="windows-machine-config-operator-bundle-container"
-
 # Core bundle labels.
 LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
@@ -40,6 +11,11 @@ LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
 # Copy files to locations specified by labels.
 COPY bundle/manifests /manifests/
 COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/

bundle/manifests/controller-manager-metrics-service_v1_service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: project
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    control-plane: controller-manager
+status:
+  loadBalancer: {}

bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

bundle/manifests/windows-machine-config-operator.clusterserviceversion.yaml

@@ -6,7 +6,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional
     certified: "false"
-    createdAt: REPLACE_DATE
+    createdAt: "2024-08-20T17:28:40Z"
     description: An operator that enables Windows container workloads on OCP
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "true"
@@ -163,6 +163,18 @@ spec:
     spec:
       clusterPermissions:
       - rules:
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
         - apiGroups:
           - ""
           resources:
@@ -365,6 +377,14 @@ spec:
           verbs:
           - list
           - watch
+        - apiGroups:
+          - monitoring.coreos.com
+          resources:
+          - servicemonitors
+          verbs:
+          - create
+          - delete
+          - get
         - apiGroups:
           - operators.coreos.com
           resources:
@@ -399,17 +419,11 @@ spec:
           - securitycontextconstraints
           verbs:
           - use
-        - apiGroups:
-          - monitoring.coreos.com
-          resources:
-          - servicemonitors
-          verbs:
-          - create
-          - get
-          - delete
         serviceAccountName: windows-machine-config-operator
       deployments:
-      - name: windows-machine-config-operator
+      - label:
+          name: windows-machine-config-operator
+        name: windows-machine-config-operator
         spec:
           replicas: 1
           selector:
@@ -425,8 +439,8 @@ spec:
             spec:
               containers:
               - args:
+                - --metrics-bind-address=:8443
                 - --debugLogging
-                - --certDir=/etc/tls/private
                 command:
                 - windows-machine-config-operator
                 env:
@@ -450,10 +464,6 @@ spec:
                   requests:
                     cpu: 20m
                     memory: 300Mi
-                volumeMounts:
-                  - mountPath: /etc/tls/private
-                    name: windows-machine-config-operator-tls
-                    readOnly: true
               dnsPolicy: ClusterFirstWithHostNet
               hostNetwork: true
               nodeSelector:
@@ -473,10 +483,6 @@ spec:
                 key: node.kubernetes.io/not-ready
                 operator: Exists
                 tolerationSeconds: 120
-              volumes:
-                - name: windows-machine-config-operator-tls
-                  secret:
-                    secretName: windows-machine-config-operator-tls
       permissions:
       - rules:
         - apiGroups:

bundle/metadata/annotations.yaml

@@ -9,7 +9,7 @@ annotations:
   operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
-  com.redhat.openshift.versions: "=v4.17"
+
   # Annotations for testing.
   operators.operatorframework.io.test.mediatype.v1: scorecard+v1
   operators.operatorframework.io.test.config.v1: tests/scorecard/

cmd/operator/main.go

@@ -22,6 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	"github.com/openshift/windows-machine-config-operator/controllers"
@@ -61,11 +62,17 @@ func init() {
 
 func main() {
 	var debugLogging bool
+	var secureMetrics bool
 	var certDir string
+	var metricsAddr string
 
 	flag.BoolVar(&debugLogging, "debugLogging", false, "Log debug messages")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served "+
+		"securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
 	flag.StringVar(&certDir, "certDir", "/etc/tls/private", "The directory where the TLS certificates "+
 		"are stored.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds "+
+		"to. Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 
 	// Add flags registered by imported packages (e.g. glog and
 	// controller-runtime)
@@ -159,11 +166,12 @@ func main() {
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
-			BindAddress:   fmt.Sprintf("%s:%d", metrics.Host, metrics.Port),
-			SecureServing: true,
-			CertDir:       certDir,
-			CertName:      "tls.crt",
-			KeyName:       "tls.key",
+			BindAddress:    metricsAddr,
+			SecureServing:  true,
+			CertDir:        certDir,
+			CertName:       "tls.crt",
+			KeyName:        "tls.key",
+			FilterProvider: filters.WithAuthenticationAndAuthorization,
 		},
 	})
 	if err != nil {

config/default/kustomization.yaml

@@ -29,6 +29,15 @@ resources:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+  # [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
+
+patches:
+  # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+  # More info: https://book.kubebuilder.io/reference/metrics
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment
 
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.

config/default/manager_metrics_patch.yaml

@@ -0,0 +1,4 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443

config/default/metrics_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    control-plane: controller-manager

config/rbac/kustomization.yaml

@@ -16,3 +16,12 @@ resources:
 #- auth_proxy_role.yaml
 #- auth_proxy_role_binding.yaml
 #- auth_proxy_client_clusterrole.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml

config/rbac/metrics_auth_role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-auth-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config/rbac/metrics_auth_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-auth-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics-auth-role
+subjects:
+  - kind: ServiceAccount
+    name: windows-machine-config-operator
+    namespace: system

config/rbac/metrics_reader_role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/rbac/role.yaml

@@ -1,3 +1,4 @@
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -207,6 +208,14 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - create
+  - delete
+  - get
 - apiGroups:
   - operators.coreos.com
   resources:
@@ -241,11 +250,3 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - servicemonitors
-  verbs:
-  - create
-  - get
-  - delete