metrics-server: use SecureServing option (#3837)

As part of an effort to standardize metric exposure across KubeVirt
components on port 8443, we are transitioning to HTTPS with TLS
encryption for the metrics-server.

To facilitate this, we leverage the controller-runtime's SecureServing
option, which creates a self-signed certificate and configures it as the
server certificate for the metrics endpoint when no external certificate
is provided[1].

Subsequent PRs will replace this self-signed certificate with a CDI
generated one to enable a fully trusted and secure connection between
the Prometheus instance and the target metrics endpoints as specified by
the CDI ServiceMonitor. Until that integration is complete, the
ServiceMonitor will be configured with insecureSkipVerify to allow
scraping despite the untrusted certificate.

[1] kubernetes-sigs/controller-runtime#2407

Signed-off-by: Adi Aloni <[email protected]>

Author: Acedus

cmd/cdi-controller/BUILD.bazel

@@ -44,6 +44,7 @@ go_library(
         "//vendor/sigs.k8s.io/controller-runtime/pkg/log/zap:go_default_library",
         "//vendor/sigs.k8s.io/controller-runtime/pkg/manager:go_default_library",
         "//vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals:go_default_library",
+        "//vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server:go_default_library",
     ],
 )
 

cmd/cdi-controller/controller.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/rsa"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -36,6 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
 	forklift "kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1"
@@ -198,6 +200,15 @@ func start() {
 		LeaderElectionResourceLock: "leases",
 		Cache:                      getCacheOptions(apiClient, namespace),
 		Scheme:                     scheme,
+		Metrics: server.Options{
+			BindAddress:   ":8443",
+			SecureServing: true,
+			// Disable HTTP/2 to prevent rapid reset vulnerability
+			// See CVE-2023-44487, CVE-2023-39325
+			TLSOpts: []func(*tls.Config){func(c *tls.Config) {
+				c.NextProtos = []string{"http/1.1"}
+			}},
+		},
 	}
 
 	mgr, err := manager.New(config.GetConfigOrDie(), opts)

cmd/cdi-operator/BUILD.bazel

@@ -22,6 +22,7 @@ go_library(
         "//vendor/sigs.k8s.io/controller-runtime/pkg/log/zap:go_default_library",
         "//vendor/sigs.k8s.io/controller-runtime/pkg/manager:go_default_library",
         "//vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals:go_default_library",
+        "//vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server:go_default_library",
     ],
 )
 

cmd/cdi-operator/operator.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -38,6 +39,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
 	"kubevirt.io/containerized-data-importer/pkg/operator/controller"
@@ -96,6 +98,15 @@ func main() {
 		LeaderElectionNamespace:    namespace,
 		LeaderElectionID:           "cdi-operator-leader-election-helper",
 		LeaderElectionResourceLock: "leases",
+		Metrics: server.Options{
+			BindAddress:   ":8443",
+			SecureServing: true,
+			// Disable HTTP/2 to prevent rapid reset vulnerability
+			// See CVE-2023-44487, CVE-2023-39325
+			TLSOpts: []func(*tls.Config){func(c *tls.Config) {
+				c.NextProtos = []string{"http/1.1"}
+			}},
+		},
 	}
 
 	// Create a new Manager to provide shared dependencies and start components

pkg/operator/controller/prometheus.go

@@ -211,7 +211,7 @@ func newPrometheusServiceMonitor(namespace string) *promv1.ServiceMonitor {
 			Endpoints: []promv1.Endpoint{
 				{
 					Port:   "metrics",
-					Scheme: "http",
+					Scheme: "https",
 					TLSConfig: &promv1.TLSConfig{
 						SafeTLSConfig: promv1.SafeTLSConfig{
 							InsecureSkipVerify: ptr.To(true),

pkg/operator/resources/namespaced/controller.go

@@ -187,7 +187,7 @@ func createControllerDeployment(controllerImage, importerImage, clonerImage, ovi
 	container.Ports = []corev1.ContainerPort{
 		{
 			Name:          "metrics",
-			ContainerPort: 8080,
+			ContainerPort: 8443,
 			Protocol:      "TCP",
 		},
 	}
@@ -386,7 +386,7 @@ func createPrometheusService() *corev1.Service {
 	service.Spec.Ports = []corev1.ServicePort{
 		{
 			Name: "metrics",
-			Port: 8080,
+			Port: 8443,
 			TargetPort: intstr.IntOrString{
 				Type:   intstr.String,
 				StrVal: "metrics",

pkg/operator/resources/operator/operator.go

@@ -442,7 +442,7 @@ func createPrometheusPorts() []corev1.ContainerPort {
 	return []corev1.ContainerPort{
 		{
 			Name:          "metrics",
-			ContainerPort: 8080,
+			ContainerPort: 8443,
 			Protocol:      "TCP",
 		},
 	}