fix2

cmd/operator/main.go

@@ -288,6 +288,10 @@ func main() {
 	})
 
 	secureMetrics := strings.HasSuffix(opcfg.GetMetricsAddr(), "8443")
+	var metricCertDir string
+	if opcfg.GetMetricsTLSSecret() != "" {
+		metricCertDir = "/cert"
+	}
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
 	// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server
@@ -302,6 +306,7 @@ func main() {
 		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
 		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
 		TLSOpts: metricsTLSOpts,
+		CertDir: metricCertDir,
 	}
 
 	if secureMetrics {
@@ -316,7 +321,7 @@ func main() {
 
 	var cacheNamespaces map[string]cache.Config
 	if opcfg.GetWatchNamespace() != "" {
-		cacheNamespaces := make(map[string]cache.Config)
+		cacheNamespaces = make(map[string]cache.Config)
 		cacheNamespaces[opcfg.GetWatchNamespace()] = cache.Config{}
 	}
 	mgr, err := ctrl.NewManager(restCfg, ctrl.Options{

config/manager/operator-envs

@@ -6,7 +6,7 @@ WEBHOOKS_ENABLED
 CONTROLLERS_ENABLED
 CONTROLLERS_SCOPE
 METRICS_ADDR
-METRICS_TLS
+METRICS_TLS_SECRET
 METRICS_PROXY_RBAC
 LOG_LEVEL
 CONCURRENCY_VERTICADB

pkg/opcfg/config.go

@@ -91,6 +91,11 @@ func GetMetricsAddr() string {
 	return lookupStringEnvVar("METRICS_ADDR", envCanNotExist)
 }
 
+// GetMetricsTLSSecret returns TLS secret name of the manager's Prometheus endpoint.
+func GetMetricsTLSSecret() string {
+	return lookupStringEnvVar("METRICS_TLS_SECRET", envCanNotExist)
+}
+
 // GetUseCertManager returns true if cert-manager is used to setup the webhook's
 // TLS certs.
 func GetUseCertManager() bool {

scripts/template-helm-chart.sh

@@ -114,6 +114,10 @@ do
   echo "{{- end }}" >> $f
 done
 
+# 11.  Template the prometheus metrics service
+perl -i -pe 's/^/{{- if hasPrefix "Enable" .Values.prometheus.expose -}}\n/ if 1 .. 1' $TEMPLATE_DIR/verticadb-operator-controller-manager-metrics-service-svc.yaml
+echo "{{- end }}" >> $TEMPLATE_DIR/verticadb-operator-controller-manager-metrics-service-svc.yaml
+
 # 11.  Template the roles/rolebindings for access to the rbac proxy
 for f in verticadb-operator-metrics-reader-cr.yaml
 do
@@ -130,8 +134,9 @@ perl -i -0777 -pe 's/(.*endpoints:)/$1\n{{- if eq "EnableWithAuthProxy" .Values.
 perl -i -0777 -pe 's/(.*insecureSkipVerify:.*)/$1\n{{- else }}\n  - path: \/metrics\n    port: metrics\n    scheme: http\n{{- end }}/g' $TEMPLATE_DIR/verticadb-operator-metrics-monitor-servicemonitor.yaml
 
 # 13.  Template the metrics bind address
+perl -i -0777 -pe 's/(METRICS_TLS_SECRET: )(.*)/$1 "{{ .Values.prometheus.tlsSecret }}"/' $TEMPLATE_DIR/verticadb-operator-manager-config-cm.yaml
 perl -i -0777 -pe 's/(METRICS_ADDR: )(.*)/$1 "{{ if eq "EnableWithAuthProxy" .Values.prometheus.expose }}127.0.0.1{{ end }}:{{ if eq "EnableWithAuthProxy" .Values.prometheus.expose }}8080{{ else }}8443{{ end }}"/' $TEMPLATE_DIR/verticadb-operator-manager-config-cm.yaml
-perl -i -0777 -pe 's/(.*METRICS_ADDR:.*)/{{- if hasPrefix "Enable" .Values.prometheus.expose }}\n$1\n{{- else }}\n  METRICS_ADDR: ""\n{{- end }}/g' $TEMPLATE_DIR/verticadb-operator-manager-config-cm.yaml
+perl -i -0777 -pe 's/(.*METRICS_ADDR:.*)/{{- if hasPrefix "Enable" .Values.prometheus.expose }}\n$1\n{{- else }}\n  METRICS_ADDR: "0"\n{{- end }}/g' $TEMPLATE_DIR/verticadb-operator-manager-config-cm.yaml
 perl -i -0777 -pe 's/(.*ports:\n.*containerPort: 9443\n.*webhook-server.*\n.*)/$1\n{{- if hasPrefix "EnableWithoutAuth" .Values.prometheus.expose }}\n        - name: metrics\n          containerPort: 8443\n          protocol: TCP\n{{- end }}/g' $TEMPLATE_DIR/verticadb-operator-manager-deployment.yaml
 
 # 14.  Template the rbac container