Enable metrics by default with secure HTTPS and authentication#308

Draft
Copilot wants to merge 6 commits into main from copilot/enable-metrics-by-default
Conversation

Contributor

Copilot AI commented Oct 14, 2025

Plan to Enable Metrics by Default with Security

  • Analyze current metrics configuration
  • Update main.go to enable metrics by default (change default from "0" to ":8443")
  • Update ServiceMonitor with bearerTokenFile and scheme
  • Update manager deployment to add metrics args
  • Update helm chart deployment with metrics configuration
  • Update helm chart values with metrics settings
  • Regenerate bundle manifests
  • Fix version in bundle manifests
  • Test the changes
  • Revert kustomize version to v5.6.0
  • Restore missing labels to metrics resources

Changes Made:

  1. cmd/main.go: Changed default metrics-bind-address from "0" (disabled) to ":8443" (enabled with HTTPS)
  2. config/prometheus/monitor.yaml: Added bearerTokenFile and scheme: https to ServiceMonitor
  3. config/manager/manager.yaml: Added metrics args (--metrics-bind-address=:8443, --metrics-secure=true) and port 8443
  4. Helm Chart Updates:
    • Added metrics args to deployment template
    • Added metrics port (8443) to deployment
    • Created metrics-service.yaml template
    • Created servicemonitor.yaml template with bearerTokenFile and scheme
    • Created RBAC templates (metrics-auth-role, metrics-auth-rolebinding, metrics-reader-role)
    • Updated values.yaml with metrics configuration (enabled by default)
  5. Bundle manifests: Regenerated with version 0.0.9 to reflect all changes
  6. Makefile: Kustomize version kept at v5.6.0 (original)
  7. Labels: Restored all original labels (app.kubernetes.io/component, app.kubernetes.io/created-by, app.kubernetes.io/instance, app.kubernetes.io/name, app.kubernetes.io/managed-by) to metrics service and ClusterRole resources

Security Features:

  • Metrics served over HTTPS (port 8443) by default
  • Authentication via bearer token from service account
  • Authorization via SubjectAccessReview
  • RBAC configured for metrics access using WithAuthenticationAndAuthorization filter

All tests pass and bundle manifests validated successfully.

Original prompt

This section details the original issue you should resolve

<issue_title>Have metrics by default</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.

Enable metrics by default, enable them securely.
Add to svc monitor: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.6.1/#gov2-gov3-ansiblev1-helmv1-add-scheme-token-and-tls-config-to-the-prometheus-servicemonitor-metrics-endpoint

  • bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
  • scheme: https

add rbac, see: https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/filters#WithAuthenticationAndAuthorization

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
N/A

Additional context
Fell apart when the rbac proxy was dropped.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #307
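The ServiceMonitor and the two ClusterRoles the plan above lists, written out as an added example (not the PR's own manifests). The role names metrics-auth-role and metrics-reader-role and the bearerTokenFile/scheme values come from the plan and issue; the namespace operator-system, the Service port name and the selector label are assumptions.

```yaml
# ServiceMonitor: scrape the controller's HTTPS metrics port with the
# Prometheus service-account token (assumed namespace: operator-system).
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: controller-manager-metrics-monitor
  namespace: operator-system
spec:
  endpoints:
    - path: /metrics
      port: https              # assumed name of the 8443 port on the metrics Service
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        # The default serving cert is self-signed, so verification is skipped
        # here; that leaves the scrape open to interception. Replace with a
        # cert-manager issued cert plus caFile/serverName in production.
        insecureSkipVerify: true
  selector:
    matchLabels:
      control-plane: controller-manager   # assumed label on the metrics Service
---
# The controller itself must be able to create TokenReview (authentication)
# and SubjectAccessReview (authorization) objects for the
# WithAuthenticationAndAuthorization filter to work; bind this to its SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-auth-role
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# Scrapers must hold "get" on the non-resource URL /metrics; bind this to the
# Prometheus service account, otherwise every scrape is rejected with 403.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader-role
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
```

A quick check that the Prometheus service account will pass the SubjectAccessReview is `kubectl auth can-i get /metrics --as=system:serviceaccount:<namespace>:<prometheus-sa>`; a token that authenticates but lacks this binding is exactly the case that produces 403s after the rbac proxy is removed.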



Copilot AI and others added 3 commits October 14, 2025 22:32
Co-authored-by: davidkarlsen <18299+davidkarlsen@users.noreply.github.com>
Co-authored-by: davidkarlsen <18299+davidkarlsen@users.noreply.github.com>
Co-authored-by: davidkarlsen <18299+davidkarlsen@users.noreply.github.com>
Copilot AI changed the title [WIP] Add metrics by default and secure authentication Enable metrics by default with secure HTTPS and authentication Oct 14, 2025
Copilot AI requested a review from davidkarlsen October 14, 2025 22:47
@davidkarlsen
Owner

@copilot don't change the kustomize version

Co-authored-by: davidkarlsen <18299+davidkarlsen@users.noreply.github.com>
Contributor Author

Copilot AI commented Oct 14, 2025

@copilot don't change the kustomize version

Reverted the kustomize version back to v5.6.0 in commit 3c6c0dd.

@davidkarlsen
Owner

@copilot don't remove any existing labels unrelated to the change from the yamls

Co-authored-by: davidkarlsen <18299+davidkarlsen@users.noreply.github.com>
Contributor Author

Copilot AI commented Oct 14, 2025

@copilot don't remove any existing labels unrelated to the change from the yamls

Restored all the original labels (app.kubernetes.io/component, app.kubernetes.io/created-by, app.kubernetes.io/instance, app.kubernetes.io/name, app.kubernetes.io/managed-by) to the metrics service and ClusterRole resources in commit f8a4e2b.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/kubernetes-sigs/kustomize/releases/tags/kustomize%2Fv5.6.0
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:
