From 7fb47972488e8fc70db1419e8997b9418de34df7 Mon Sep 17 00:00:00 2001
From: Anik Bhattacharjee <anbhatta@redhat.com>
Date: Mon, 15 Sep 2025 13:23:41 -0400
Subject: [PATCH] (fix) bind metrics server to localhost interface only

Bind metrics server endpoints to 127.0.0.1 instead of all interfaces
to improve security by preventing direct external access to metrics endpoints.
This change supports downstream kube-rbac-proxy integration (see https://github.com/openshift/operator-framework-olm/pull/1061 for more info)
by ensuring metrics are only accessible locally within the pod.

Signed-off-by: Anik Bhattacharjee <anbhatta@redhat.com>
---
 pkg/lib/server/server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/lib/server/server.go b/pkg/lib/server/server.go
index 3d79a192e0..03415f5a8e 100644
--- a/pkg/lib/server/server.go
+++ b/pkg/lib/server/server.go
@@ -78,9 +78,9 @@ func (sc *serverConfig) tlsEnabled() (bool, error) {
 
 func (sc *serverConfig) getAddress(tlsEnabled bool) string {
 	if tlsEnabled {
-		return ":8443"
+		return "127.0.0.1:8443"
 	}
-	return ":8080"
+	return "127.0.0.1:8080"
 }
 
 func (sc serverConfig) getListenAndServeFunc() (func() error, error) {