USHIFT-6951: Add metrics-server as optional MicroShift component

Makefile.kube_git.var

@@ -1,5 +1,5 @@
 KUBE_GIT_MAJOR=1
 KUBE_GIT_MINOR=35
 KUBE_GIT_VERSION=v1.35.3
-KUBE_GIT_COMMIT=872bd3722d0954b31459f715fbd4fb7612aaf338
+KUBE_GIT_COMMIT=d8d517e6bbe7cf7359026cac26bb96ea45e18806
 KUBE_GIT_TREE_STATE=clean

Makefile.version.aarch64.var

@@ -1 +1 @@
-OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-10-025037
+OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-14-225436

Makefile.version.x86_64.var

@@ -1 +1 @@
-OCP_VERSION := 5.0.0-0.nightly-2026-06-09-112600
+OCP_VERSION := 5.0.0-0.nightly-2026-06-14-221055

assets/components/multus/kustomization.aarch64.yaml

@@ -2,7 +2,7 @@
 images:
   - name: multus-cni-microshift
     newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
-    digest: sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5
+    digest: sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27
   - name: containernetworking-plugins-microshift
     newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
-    digest: sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3
+    digest: sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558

assets/components/multus/kustomization.x86_64.yaml

@@ -2,7 +2,7 @@
 images:
   - name: multus-cni-microshift
     newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
-    digest: sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d
+    digest: sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f
   - name: containernetworking-plugins-microshift
     newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
-    digest: sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72
+    digest: sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab

assets/components/multus/release-multus-aarch64.json

@@ -1,9 +1,9 @@
 {
   "release": {
-    "base": "5.0.0-0.nightly-arm64-2026-06-10-025037"
+    "base": "5.0.0-0.nightly-arm64-2026-06-14-225436"
   },
   "images": {
-    "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5",
-    "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3"
+    "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27",
+    "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558"
   }
 }

assets/components/multus/release-multus-x86_64.json

@@ -1,9 +1,9 @@
 {
   "release": {
-    "base": "5.0.0-0.nightly-2026-06-09-112600"
+    "base": "5.0.0-0.nightly-2026-06-14-221055"
   },
   "images": {
-    "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d",
-    "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72"
+    "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f",
+    "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab"
   }
 }

assets/optional/metrics-server/00-namespace.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-monitoring
+  labels:
+    name: openshift-monitoring
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: auth-delegator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: openshift-monitoring

assets/optional/metrics-server/01-cluster-role-binding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+  - kind: ServiceAccount
+    name: metrics-server
+    namespace: openshift-monitoring
+  - kind: User
+    name: system:metrics-server

assets/optional/metrics-server/01-cluster-role.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/metrics
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch

assets/optional/metrics-server/01-role-binding-auth-reader.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server-auth-reader
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: openshift-monitoring

assets/optional/metrics-server/01-service-account.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring

assets/optional/metrics-server/02-configmap-audit-profiles.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+data:
+  metadata-profile.yaml: |-
+    "apiVersion": "audit.k8s.io/v1"
+    "kind": "Policy"
+    "metadata":
+      "name": "Metadata"
+    "omitStages":
+    - "RequestReceived"
+    "rules":
+    - "level": "Metadata"
+  none-profile.yaml: |-
+    "apiVersion": "audit.k8s.io/v1"
+    "kind": "Policy"
+    "metadata":
+      "name": "None"
+    "omitStages":
+    - "RequestReceived"
+    "rules":
+    - "level": "None"
+  request-profile.yaml: |-
+    "apiVersion": "audit.k8s.io/v1"
+    "kind": "Policy"
+    "metadata":
+      "name": "Request"
+    "omitStages":
+    - "RequestReceived"
+    "rules":
+    - "level": "Request"
+  requestresponse-profile.yaml: |-
+    "apiVersion": "audit.k8s.io/v1"
+    "kind": "Policy"
+    "metadata":
+      "name": "RequestResponse"
+    "omitStages":
+    - "RequestReceived"
+    "rules":
+    - "level": "RequestResponse"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server-audit-profiles
+  namespace: openshift-monitoring

assets/optional/metrics-server/03-deployment.yaml

@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: metrics-server
+      app.kubernetes.io/name: metrics-server
+      app.kubernetes.io/part-of: openshift-monitoring
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      annotations:
+        openshift.io/required-scc: restricted-v2
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+      labels:
+        app.kubernetes.io/component: metrics-server
+        app.kubernetes.io/name: metrics-server
+        app.kubernetes.io/part-of: openshift-monitoring
+    spec:
+      containers:
+        - args:
+            - --secure-port=10250
+            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+            - --kubelet-use-node-status-port
+            - --metric-resolution=15s
+            - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
+            - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt
+            - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+            - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+            - --shutdown-send-retry-after=true
+            - --shutdown-delay-duration=150s
+            - --disable-http2-serving=true
+          image: "quay.io/openshift/kube-metrics-server"
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /livez
+              port: https
+              scheme: HTTPS
+            periodSeconds: 10
+          name: metrics-server
+          ports:
+            - containerPort: 10250
+              name: https
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 6
+            httpGet:
+              path: /readyz
+              port: https
+              scheme: HTTPS
+            initialDelaySeconds: 20
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: 1m
+              memory: 40Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: secret-metrics-server-tls
+            - mountPath: /etc/tls/metrics-server-client-certs
+              name: secret-metrics-server-client-certs
+            - mountPath: /etc/tls/kubelet-serving-ca-bundle
+              name: configmap-kubelet-serving-ca-bundle
+            - mountPath: /etc/audit
+              name: metrics-server-audit-profiles
+              readOnly: true
+            - mountPath: /var/log/metrics-server
+              name: audit-log
+              readOnly: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      terminationGracePeriodSeconds: 170
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+      volumes:
+        - name: secret-metrics-server-client-certs
+          secret:
+            secretName: metrics-server-client-certs
+        - name: secret-metrics-server-tls
+          secret:
+            secretName: metrics-server-tls
+        - configMap:
+            name: kubelet-serving-ca-bundle
+          name: configmap-kubelet-serving-ca-bundle
+        - emptyDir: {}
+          name: audit-log
+        - configMap:
+            name: metrics-server-audit-profiles
+          name: metrics-server-audit-profiles

assets/optional/metrics-server/04-api-service.yaml

@@ -0,0 +1,21 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: false
+  service:
+    name: metrics-server
+    namespace: openshift-monitoring
+    port: 443
+  version: v1beta1
+  versionPriority: 100

assets/optional/metrics-server/04-service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    openshift.io/description: Expose the metrics-server web server on port 443. This port is for internal use, and no other usage is guaranteed.
+    service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls
+  labels:
+    app.kubernetes.io/component: metrics-server
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/name: metrics-server
+    app.kubernetes.io/part-of: openshift-monitoring

assets/optional/metrics-server/kustomization.aarch64.yaml

@@ -0,0 +1,4 @@
+images:
+  - name: quay.io/openshift/kube-metrics-server
+    newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+    digest: sha256:790dcea1d4cf5eb3a989bf3d14d460148d23a743951644668a300b7fc21f29ec

assets/optional/metrics-server/kustomization.x86_64.yaml

@@ -0,0 +1,4 @@
+images:
+  - name: quay.io/openshift/kube-metrics-server
+    newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+    digest: sha256:0590e13d7955f71db964f601f5ce6c66416a1e2e5acee5c2831f41fb2b13435c

assets/optional/metrics-server/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - 00-namespace.yaml
+  - 01-service-account.yaml
+  - 01-cluster-role.yaml
+  - 01-cluster-role-binding.yaml
+  - 01-cluster-role-binding-auth-delegator.yaml
+  - 01-role-binding-auth-reader.yaml
+  - 02-configmap-audit-profiles.yaml
+  - 03-deployment.yaml
+  - 04-service.yaml
+  - 04-api-service.yaml