Merge pull request #7182 from wallrj/7065-webhook-metrics

[VC-34401] Add a metrics server to the webhook

deploy/charts/cert-manager/README.template.md

@@ -373,14 +373,14 @@ config:
     StableCertificateRequestName: true
     UseCertificateRequestBasicConstraints: true
     ValidateCAA: true
+  # Configure the metrics server for TLS
+  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
   metricsTLSConfig:
     dynamic:
       secretNamespace: "cert-manager"
       secretName: "cert-manager-metrics-ca"
       dnsNames:
       - cert-manager-metrics
-      - cert-manager-metrics.cert-manager
-      - cert-manager-metrics.cert-manager.svc
 ```
 #### **dns01RecursiveNameservers** ~ `string`
 > Default value:
@@ -660,9 +660,9 @@ enableServiceLinks indicates whether information about services should be inject
 > true
 > ```
 
-Enable Prometheus monitoring for the cert-manager controller to use with the. Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or  
+Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a  
-`prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment  
+ServiceMonitor resource.  
-resources. Additionally, a service is created which can be used together with your own ServiceMonitor (managed outside of this Helm chart). Otherwise, a ServiceMonitor/ PodMonitor is created.
+Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.
 #### **prometheus.servicemonitor.enabled** ~ `bool`
 > Default value:
 > ```yaml
@@ -828,6 +828,15 @@ endpointAdditionalProperties:
    sourceLabels:
    - __meta_kubernetes_pod_node_name
    targetLabel: instance
+ # Configure the PodMonitor for TLS connections
+ # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
+ scheme: https
+ tlsConfig:
+   serverName: cert-manager-metrics
+   ca:
+     secret:
+       name: cert-manager-metrics-ca
+       key: "tls.crt"
 ```
 
 
@@ -878,6 +887,14 @@ kind: WebhookConfiguration
 # This should be uncommented and set as a default by the chart once
 # the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
 securePort: 10250
+# Configure the metrics server for TLS
+# See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
+metricsTLSConfig:
+  dynamic:
+    secretNamespace: "cert-manager"
+    secretName: "cert-manager-metrics-ca"
+    dnsNames:
+    - cert-manager-metrics
 ```
 #### **webhook.strategy** ~ `object`
 > Default value:

deploy/charts/cert-manager/templates/podmonitor.yaml

@@ -29,10 +29,21 @@ metadata:
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
   selector:
-    matchLabels:
+    matchExpressions:
-      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
+      - key: app.kubernetes.io/name
-      app.kubernetes.io/instance: {{ .Release.Name }}
+        operator: In
-      app.kubernetes.io/component: "controller"
+        values:
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - controller
+        - webhook
 {{- if .Values.prometheus.podmonitor.namespace }}
   namespaceSelector:
     matchNames:

deploy/charts/cert-manager/templates/servicemonitor.yaml

@@ -29,10 +29,21 @@ metadata:
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
   selector:
-    matchLabels:
+    matchExpressions:
-      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
+      - key: app.kubernetes.io/name
-      app.kubernetes.io/instance: {{ .Release.Name }}
+        operator: In
-      app.kubernetes.io/component: "controller"
+        values:
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - controller
+        - webhook
 {{- if .Values.prometheus.servicemonitor.namespace }}
   namespaceSelector:
     matchNames:

deploy/charts/cert-manager/templates/webhook-deployment.yaml

@@ -43,6 +43,14 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
@@ -95,6 +103,9 @@ spec:
           {{- with .Values.webhook.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
           ports:
           - name: https
             protocol: TCP
@@ -112,6 +123,11 @@ spec:
             {{- else }}
             containerPort: 6080
             {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /livez

deploy/charts/cert-manager/templates/webhook-rbac.yaml

@@ -15,6 +15,15 @@ rules:
   resources: ["secrets"]
   resourceNames:
   - '{{ template "webhook.fullname" . }}-ca'
+  {{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+  {{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
+  {{- if $certmanagerNamespace | eq .secretNamespace }}
+  # Allow webhook to read and update the metrics CA Secret when dynamic TLS is
+  # enabled for the metrics server and if the Secret is configured to be in the
+  # same namespace as cert-manager.
+  - {{ .secretName | quote }}
+  {{- end }}
+  {{- end }}
   verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]

deploy/charts/cert-manager/templates/webhook-service.yaml

@@ -32,6 +32,12 @@ spec:
     port: 443
     protocol: TCP
     targetPort: "https"
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+  - name: metrics
+    port: 9402
+    protocol: TCP
+    targetPort: "http-metrics"
+{{- end }}
   selector:
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

deploy/charts/cert-manager/values.schema.json

@@ -554,7 +554,7 @@
     },
     "helm-values.config": {
       "default": {},
-      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  featureGates:\n    AdditionalCertificateOutputFormats: true\n    DisallowInsecureCSRUsageDefinition: true\n    ExperimentalCertificateSigningRequestControllers: true\n    ExperimentalGatewayAPISupport: true\n    LiteralCertificateSubject: true\n    SecretsFilteredCaching: true\n    ServerSideApply: true\n    StableCertificateRequestName: true\n    UseCertificateRequestBasicConstraints: true\n    ValidateCAA: true\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics\n      - cert-manager-metrics.cert-manager\n      - cert-manager-metrics.cert-manager.svc",
+      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  featureGates:\n    AdditionalCertificateOutputFormats: true\n    DisallowInsecureCSRUsageDefinition: true\n    ExperimentalCertificateSigningRequestControllers: true\n    ExperimentalGatewayAPISupport: true\n    LiteralCertificateSubject: true\n    SecretsFilteredCaching: true\n    ServerSideApply: true\n    StableCertificateRequestName: true\n    UseCertificateRequestBasicConstraints: true\n    ValidateCAA: true\n  # Configure the metrics server for TLS\n  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics",
       "type": "object"
     },
     "helm-values.containerSecurityContext": {
@@ -976,7 +976,7 @@
     },
     "helm-values.prometheus.enabled": {
       "default": true,
-      "description": "Enable Prometheus monitoring for the cert-manager controller to use with the. Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or\n`prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment\nresources. Additionally, a service is created which can be used together with your own ServiceMonitor (managed outside of this Helm chart). Otherwise, a ServiceMonitor/ PodMonitor is created.",
+      "description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.",
       "type": "boolean"
     },
     "helm-values.prometheus.podmonitor": {
@@ -1027,7 +1027,7 @@
     },
     "helm-values.prometheus.podmonitor.endpointAdditionalProperties": {
       "default": {},
-      "description": "EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.\n\nFor example:\nendpointAdditionalProperties:\n relabelings:\n - action: replace\n   sourceLabels:\n   - __meta_kubernetes_pod_node_name\n   targetLabel: instance",
+      "description": "EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.\n\nFor example:\nendpointAdditionalProperties:\n relabelings:\n - action: replace\n   sourceLabels:\n   - __meta_kubernetes_pod_node_name\n   targetLabel: instance\n # Configure the PodMonitor for TLS connections\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n scheme: https\n tlsConfig:\n   serverName: cert-manager-metrics\n   ca:\n     secret:\n       name: cert-manager-metrics-ca\n       key: \"tls.crt\"",
       "type": "object"
     },
     "helm-values.prometheus.podmonitor.honorLabels": {
@@ -1683,7 +1683,7 @@
     },
     "helm-values.webhook.config": {
       "default": {},
-      "description": "This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\napiVersion: webhook.config.cert-manager.io/v1alpha1\nkind: WebhookConfiguration\n# The port that the webhook listens on for requests.\n# In GKE private clusters, by default Kubernetes apiservers are allowed to\n# talk to the cluster nodes only on 443 and 10250. Configuring\n# securePort: 10250 therefore will work out-of-the-box without needing to add firewall\n# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.\n# This should be uncommented and set as a default by the chart once\n# the apiVersion of WebhookConfiguration graduates beyond v1alpha1.\nsecurePort: 10250",
+      "description": "This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\napiVersion: webhook.config.cert-manager.io/v1alpha1\nkind: WebhookConfiguration\n# The port that the webhook listens on for requests.\n# In GKE private clusters, by default Kubernetes apiservers are allowed to\n# talk to the cluster nodes only on 443 and 10250. Configuring\n# securePort: 10250 therefore will work out-of-the-box without needing to add firewall\n# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.\n# This should be uncommented and set as a default by the chart once\n# the apiVersion of WebhookConfiguration graduates beyond v1alpha1.\nsecurePort: 10250\n# Configure the metrics server for TLS\n# See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\nmetricsTLSConfig:\n  dynamic:\n    secretNamespace: \"cert-manager\"\n    secretName: \"cert-manager-metrics-ca\"\n    dnsNames:\n    - cert-manager-metrics",
       "type": "object"
     },
     "helm-values.webhook.containerSecurityContext": {

deploy/charts/cert-manager/values.yaml

@@ -236,14 +236,14 @@ enableCertificateOwnerRef: false
 #      StableCertificateRequestName: true
 #      UseCertificateRequestBasicConstraints: true
 #      ValidateCAA: true
+#    # Configure the metrics server for TLS
+#    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
 #    metricsTLSConfig:
 #      dynamic:
 #        secretNamespace: "cert-manager"
 #        secretName: "cert-manager-metrics-ca"
 #        dnsNames:
 #        - cert-manager-metrics
-#        - cert-manager-metrics.cert-manager
-#        - cert-manager-metrics.cert-manager.svc
 config: {}
 
 # Setting Nameservers for DNS01 Self Check.
@@ -482,12 +482,14 @@ enableServiceLinks: false
 # +docs:section=Prometheus
 
 prometheus:
-  # Enable Prometheus monitoring for the cert-manager controller to use with the
+  # Enable Prometheus monitoring for the cert-manager controller and webhook.
-  # Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or
+  # If you use the Prometheus Operator, set prometheus.podmonitor.enabled or
-  # `prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment
+  # prometheus.servicemonitor.enabled, to create a PodMonitor or a
-  # resources. Additionally, a service is created which can be used together
+  # ServiceMonitor resource.
-  # with your own ServiceMonitor (managed outside of this Helm chart).
+  # Otherwise, 'prometheus.io' annotations are added to the cert-manager and
-  # Otherwise, a ServiceMonitor/ PodMonitor is created.
+  # cert-manager-webhook Deployments.
+  # Note that you can not enable both PodMonitor and ServiceMonitor as they are
+  # mutually exclusive. Enabling both will result in a error.
   enabled: true
 
   servicemonitor:
@@ -583,6 +585,15 @@ prometheus:
     #     sourceLabels:
     #     - __meta_kubernetes_pod_node_name
     #     targetLabel: instance
+    #   # Configure the PodMonitor for TLS connections
+    #   # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
+    #   scheme: https
+    #   tlsConfig:
+    #     serverName: cert-manager-metrics
+    #     ca:
+    #       secret:
+    #         name: cert-manager-metrics-ca
+    #         key: "tls.crt"
     #
     # +docs:property
     endpointAdditionalProperties: {}
@@ -632,6 +643,14 @@ webhook:
   #  # This should be uncommented and set as a default by the chart once
   #  # the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
   #  securePort: 10250
+  #  # Configure the metrics server for TLS
+  #  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
+  #  metricsTLSConfig:
+  #    dynamic:
+  #      secretNamespace: "cert-manager"
+  #      secretName: "cert-manager-metrics-ca"
+  #      dnsNames:
+  #      - cert-manager-metrics
   config: {}
 
   # The update strategy for the cert-manager webhook deployment.

internal/apis/config/webhook/fuzzer/fuzzer.go

@@ -33,6 +33,9 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 			if s.PprofAddress == "" {
 				s.PprofAddress = "something:1234"
 			}
+			if s.MetricsListenAddress == "" {
+				s.MetricsListenAddress = "something:1234"
+			}
 
 			logsapi.SetRecommendedLoggingConfiguration(&s.Logging)
 		},

internal/apis/config/webhook/types.go

@@ -62,4 +62,12 @@ type WebhookConfiguration struct {
 	// featureGates is a map of feature names to bools that enable or disable experimental
 	// features.
 	FeatureGates map[string]bool
+
+	// The host and port that the metrics endpoint should listen on.
+	// The value "0" disables the metrics server.
+	// Defaults to '0.0.0.0:9402'.
+	MetricsListenAddress string
+
+	// Metrics endpoint TLS config
+	MetricsTLSConfig shared.TLSConfig
 }

internal/apis/config/webhook/v1alpha1/defaults.go

@@ -24,6 +24,8 @@ import (
 	"github.com/cert-manager/cert-manager/pkg/apis/config/webhook/v1alpha1"
 )
 
+const defaultPrometheusMetricsServerAddress = "0.0.0.0:9402"
+
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return RegisterDefaults(scheme)
 }
@@ -39,5 +41,9 @@ func SetDefaults_WebhookConfiguration(obj *v1alpha1.WebhookConfiguration) {
 		obj.PprofAddress = "localhost:6060"
 	}
 
+	if obj.MetricsListenAddress == "" {
+		obj.MetricsListenAddress = defaultPrometheusMetricsServerAddress
+	}
+
 	logsapi.SetRecommendedLoggingConfiguration(&obj.Logging)
 }

internal/apis/config/webhook/v1alpha1/testdata/defaults.json

@@ -21,5 +21,12 @@
 				"infoBufferSize": "0"
 			}
 		}
+	},
+	"metricsListenAddress": "0.0.0.0:9402",
+	"metricsTLSConfig": {
+		"filesystem": {},
+		"dynamic": {
+			"leafDuration": "168h0m0s"
+		}
 	}
 }

internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go

@@ -68,6 +68,10 @@ func autoConvert_v1alpha1_WebhookConfiguration_To_webhook_WebhookConfiguration(i
 	out.PprofAddress = in.PprofAddress
 	out.Logging = in.Logging
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
+	out.MetricsListenAddress = in.MetricsListenAddress
+	if err := sharedv1alpha1.Convert_v1alpha1_TLSConfig_To_shared_TLSConfig(&in.MetricsTLSConfig, &out.MetricsTLSConfig, s); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -92,6 +96,10 @@ func autoConvert_webhook_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(i
 	out.PprofAddress = in.PprofAddress
 	out.Logging = in.Logging
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
+	out.MetricsListenAddress = in.MetricsListenAddress
+	if err := sharedv1alpha1.Convert_shared_TLSConfig_To_v1alpha1_TLSConfig(&in.MetricsTLSConfig, &out.MetricsTLSConfig, s); err != nil {
+		return err
+	}
 	return nil
 }
 

internal/apis/config/webhook/v1alpha1/zz_generated.defaults.go

@@ -38,4 +38,5 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 func SetObjectDefaults_WebhookConfiguration(in *v1alpha1.WebhookConfiguration) {
 	SetDefaults_WebhookConfiguration(in)
 	sharedv1alpha1.SetDefaults_DynamicServingConfig(&in.TLSConfig.Dynamic)
+	sharedv1alpha1.SetDefaults_DynamicServingConfig(&in.MetricsTLSConfig.Dynamic)
 }

internal/apis/config/webhook/zz_generated.deepcopy.go

@@ -38,6 +38,7 @@ func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
 			(*out)[key] = val
 		}
 	}
+	in.MetricsTLSConfig.DeepCopyInto(&out.MetricsTLSConfig)
 	return
 }
 

internal/webhook/webhook.go

@@ -81,6 +81,10 @@ func NewCertManagerWebhookServer(log logr.Logger, opts config.WebhookConfigurati
 		MinTLSVersion:            opts.TLSConfig.MinTLSVersion,
 		ValidationWebhook:        admissionHandler,
 		MutationWebhook:          admissionHandler,
+		MetricsListenAddress:     opts.MetricsListenAddress,
+		MetricsCertificateSource: buildCertificateSource(log, opts.MetricsTLSConfig, restcfg),
+		MetricsCipherSuites:      opts.MetricsTLSConfig.CipherSuites,
+		MetricsMinTLSVersion:     opts.MetricsTLSConfig.MinTLSVersion,
 	}
 	for _, fn := range optionFunctions {
 		fn(s)

pkg/apis/config/webhook/v1alpha1/types.go

@@ -64,4 +64,12 @@ type WebhookConfiguration struct {
 	// features.
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
+
+	// The host and port that the metrics endpoint should listen on.
+	// The value "0" disables the metrics server.
+	// Defaults to '0.0.0.0:9402'.
+	MetricsListenAddress string `json:"metricsListenAddress,omitempty"`
+
+	// metricsTLSConfig is used to configure the metrics server TLS settings.
+	MetricsTLSConfig sharedv1alpha1.TLSConfig `json:"metricsTLSConfig"`
 }

pkg/apis/config/webhook/v1alpha1/zz_generated.deepcopy.go

@@ -48,6 +48,7 @@ func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
 			(*out)[key] = val
 		}
 	}
+	in.MetricsTLSConfig.DeepCopyInto(&out.MetricsTLSConfig)
 	return
 }
 

pkg/webhook/configfile/configfile.go

@@ -81,6 +81,8 @@ func WebhookConfigurationPathRefs(cfg *config.WebhookConfiguration) ([]*string,
 	return []*string{
 		&cfg.TLSConfig.Filesystem.KeyFile,
 		&cfg.TLSConfig.Filesystem.CertFile,
+		&cfg.MetricsTLSConfig.Filesystem.KeyFile,
+		&cfg.MetricsTLSConfig.Filesystem.CertFile,
 		&cfg.KubeConfig,
 	}, nil
 }

pkg/webhook/options/options.go

@@ -90,4 +90,20 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.WebhookConfiguration) {
 		"Options are:\n"+strings.Join(utilfeature.DefaultFeatureGate.KnownFeatures(), "\n"))
 
 	logf.AddFlags(&c.Logging, fs)
+
+	fs.StringVar(&c.MetricsListenAddress, "metrics-listen-address", c.MetricsListenAddress, "The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server")
+	fs.StringVar(&c.MetricsTLSConfig.Filesystem.CertFile, "metrics-tls-cert-file", c.MetricsTLSConfig.Filesystem.CertFile, "path to the file containing the TLS certificate to serve metrics with")
+	fs.StringVar(&c.MetricsTLSConfig.Filesystem.KeyFile, "metrics-tls-private-key-file", c.MetricsTLSConfig.Filesystem.KeyFile, "path to the file containing the TLS private key to serve metrics with")
+
+	fs.DurationVar(&c.MetricsTLSConfig.Dynamic.LeafDuration, "metrics-dynamic-serving-leaf-duration", c.MetricsTLSConfig.Dynamic.LeafDuration, "leaf duration of metrics serving certificates")
+	fs.StringVar(&c.MetricsTLSConfig.Dynamic.SecretNamespace, "metrics-dynamic-serving-ca-secret-namespace", c.MetricsTLSConfig.Dynamic.SecretNamespace, "namespace of the secret used to store the CA that signs metrics serving certificates")
+	fs.StringVar(&c.MetricsTLSConfig.Dynamic.SecretName, "metrics-dynamic-serving-ca-secret-name", c.MetricsTLSConfig.Dynamic.SecretName, "name of the secret used to store the CA that signs serving certificates")
+	fs.StringSliceVar(&c.MetricsTLSConfig.Dynamic.DNSNames, "metrics-dynamic-serving-dns-names", c.MetricsTLSConfig.Dynamic.DNSNames, "DNS names that should be present on certificates generated by the metrics dynamic serving CA")
+	fs.StringSliceVar(&c.MetricsTLSConfig.CipherSuites, "metrics-tls-cipher-suites", c.MetricsTLSConfig.CipherSuites,
+		"Comma-separated list of cipher suites for the metrics server. "+
+			"If omitted, the default Go cipher suites will be used.  "+
+			"Possible values: "+strings.Join(tlsCipherPossibleValues, ","))
+	fs.StringVar(&c.MetricsTLSConfig.MinTLSVersion, "metrics-tls-min-version", c.MetricsTLSConfig.MinTLSVersion,
+		"Minimum TLS version supported by the metrics server. If omitted, the default Go minimum version will be used. "+
+			"Possible values: "+strings.Join(tlsPossibleVersions, ", "))
 }

pkg/webhook/server/server.go

@@ -86,6 +86,21 @@ type Server struct {
 	// MinTLSVersion is the minimum TLS version supported.
 	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
 	MinTLSVersion string
+
+	// The host and port that the metrics endpoint should listen on.
+	MetricsListenAddress string
+
+	// If specified, the metrics server will listen with TLS using certificates
+	// provided by this CertificateSource.
+	MetricsCertificateSource servertls.CertificateSource
+
+	// MetricsCipherSuites is the list of allowed cipher suites for the server.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	MetricsCipherSuites []string
+
+	// MetricsMinTLSVersion is the minimum TLS version supported.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	MetricsMinTLSVersion string
 }
 
 func (s *Server) Run(ctx context.Context) error {
@@ -104,6 +119,15 @@ func (s *Server) Run(ctx context.Context) error {
 		return err
 	}
 
+	metricsCipherSuites, err := ciphers.TLSCipherSuites(s.MetricsCipherSuites)
+	if err != nil {
+		return err
+	}
+	metricsMinVersion, err := ciphers.TLSVersion(s.MetricsMinTLSVersion)
+	if err != nil {
+		return err
+	}
+
 	if s.ListenAddr == 0 {
 		webhookPort, err := freePort()
 		if err != nil {
@@ -119,7 +143,17 @@ func (s *Server) Run(ctx context.Context) error {
 			Scheme:         s.ResourceScheme,
 			Logger:         log,
 			LeaderElection: false, // The webhook component does not need to perform leader election
-			Metrics:        metricsserver.Options{BindAddress: "0"},
+			Metrics: metricsserver.Options{
+				BindAddress:   s.MetricsListenAddress,
+				SecureServing: s.MetricsCertificateSource != nil,
+				TLSOpts: []func(*tls.Config){
+					func(cfg *tls.Config) {
+						cfg.CipherSuites = metricsCipherSuites
+						cfg.MinVersion = metricsMinVersion
+						cfg.GetCertificate = s.MetricsCertificateSource.GetCertificate
+					},
+				},
+			},
 			WebhookServer: webhook.NewServer(webhook.Options{
 				Port: int(s.ListenAddr),
 				TLSOpts: []func(*tls.Config){
@@ -139,6 +173,12 @@ func (s *Server) Run(ctx context.Context) error {
 		return err
 	}
 
+	if s.MetricsCertificateSource != nil {
+		if err := mgr.Add(s.MetricsCertificateSource); err != nil {
+			return err
+		}
+	}
+
 	// if a HealthzAddr is provided, start the healthz listener
 	if s.HealthzAddr != nil {
 		healthzListener, err := net.Listen("tcp", fmt.Sprintf(":%d", *s.HealthzAddr))

test/integration/framework/apiserver.go

@@ -100,7 +100,10 @@ func RunControlPlane(t *testing.T, ctx context.Context, optionFunctions ...RunCo
 	}
 
 	webhookOpts, stopWebhook := webhooktesting.StartWebhookServer(
-		t, ctx, []string{"--kubeconfig", f.Name()},
+		// Disable the metrics server to avoid multiple webhook servers
+		// attempting to listen on metrics port 9402 when tests are running in
+		// parallel.
+		t, ctx, []string{"--kubeconfig", f.Name(), "--metrics-listen-address=0"},
 	)
 
 	crds := readCustomResourcesAtPath(t, *options.crdsDir)