Add TLS encryption to /metrics endpoint
Explanation
The implementation allows users to secure their metrics endpoints with HTTPS while maintaining backward compatibility for existing deployments that rely on HTTP metrics collection.
Related issue
Fixes: #13953 @realshuting
Milestone of this PR
Documentation (required for features)
- My PR contains new or altered behavior to Kyverno.
- I have sent the draft PR to add or update the documentation and the link is:
What type of PR is this
/kind feature
Proposed Changes
- Adds configurable TLS support for Prometheus metrics endpoints across all Kyverno controllers (admission, background, cleanup, and reports controllers)
- Automatically loads TLS certificates from Kubernetes secrets, with support for self-signed certificate generation
- Introduces new configuration options (secure and createSelfSignedCert) in the Helm metering values to enable/disable TLS for metrics endpoints
- TLS is disabled by default to preserve backward compatibility
Proof Manifests
admissionController:
  initContainer:
    image:
      registry: ko.local
      repository: github.com/kyverno/kyverno/cmd/kyverno-init
      tag: <tag>
      pullPolicy: "Never"
  container:
    image:
      registry: ko.local
      repository: github.com/kyverno/kyverno/cmd/kyverno
      tag: <tag>
      pullPolicy: Never
  metering:
    secure: true
    createSelfSignedCert: true
backgroundController:
  image:
    registry: ko.local
    repository: github.com/kyverno/kyverno/cmd/background-controller
    tag: <tag>
    pullPolicy: Never
  metering:
    secure: true
    createSelfSignedCert: true
cleanupController:
  image:
    registry: ko.local
    repository: github.com/kyverno/kyverno/cmd/cleanup-controller
    tag: <tag>
    pullPolicy: Never
  metering:
    secure: true
    createSelfSignedCert: true
reportsController:
  image:
    registry: ko.local
    repository: github.com/kyverno/kyverno/cmd/reports-controller
    tag: <tag>
    pullPolicy: Never
  metering:
    secure: true
    createSelfSignedCert: true
I've tested these changes by building local images that I load into kind and running helm install with these override values. Then I check whether metrics can be accessed via HTTPS.
Checklist
- I have read the contributing guidelines.
- I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
- This is a bug fix and I have added unit tests that prove my fix is effective.
- This is a feature and I have added CLI tests that are applicable.
- My PR needs to be cherry picked to a specific release branch which is .
- My PR contains new or altered behavior to Kyverno and
  - CLI support should be added and my PR doesn't contain that functionality.