diff --git a/cmd/package-server-manager/main.go b/cmd/package-server-manager/main.go index 42506cf8f9..0ddd9f1182 100644 --- a/cmd/package-server-manager/main.go +++ b/cmd/package-server-manager/main.go @@ -67,6 +67,10 @@ func run(cmd *cobra.Command, args []string) error { if err != nil { return err } + metricsAddr, err := cmd.Flags().GetString("metrics") + if err != nil { + return err + } ctrl.SetLogger(zap.New(zap.UseDevMode(true))) setupLog := ctrl.Log.WithName("setup") @@ -78,7 +82,7 @@ func run(cmd *cobra.Command, args []string) error { mgr, err := ctrl.NewManager(restConfig, manager.Options{ Scheme: setupScheme(), Namespace: namespace, - MetricsBindAddress: defaultMetricsPort, + MetricsBindAddress: metricsAddr, LeaderElection: !disableLeaderElection, LeaderElectionNamespace: namespace, LeaderElectionID: leaderElectionConfigmapName, diff --git a/cmd/package-server-manager/start.go b/cmd/package-server-manager/start.go index 046fbb9c34..6c6fd238a7 100644 --- a/cmd/package-server-manager/start.go +++ b/cmd/package-server-manager/start.go @@ -17,6 +17,7 @@ func newStartCmd() *cobra.Command { cmd.Flags().String("health", defaultHealthCheckPort, "configures the health check port that the kubelet is configured to probe") cmd.Flags().String("pprof", defaultPprofPort, "configures the pprof port that the process exposes") cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource") + cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes") cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled") return cmd diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml index cc73c816c9..696f91f35e 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml 
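Review bot: The help text for the new `metrics` flag in newStartCmd calls it a port, but run() passes the value unchanged as `MetricsBindAddress`, so the host part of the value decides which interfaces serve metrics. I would word the help as `"configures the bind address (host:port) of the metrics endpoint"` and add a comment above the `GetString("metrics")` call, `// metricsAddr is a bind address; a value without a host, such as ":PORT", listens on every interface`. `defaultMetricsPort` is defined outside this diff, so whether the default is loopback-only cannot be told from here. The body of run() continues outside both main.go hunks.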
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -28,6 +28,32 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:9090/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --logtostderr=true
+ image: quay.io/openshift/origin-kube-rbac-proxy:latest
+ imagePullPolicy: IfNotPresent
+ name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -43,6 +69,7 @@ spec:
 - $(PACKAGESERVER_NAMESPACE)
 - --interval
 - $(PACKAGESERVER_INTERVAL)
+ - "--metrics=:9090"
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -89,3 +116,7 @@ spec:
 key: node.kubernetes.io/not-ready
 operator: Exists
 tolerationSeconds: 120
+ volumes:
+ - name: package-server-manager-serving-cert
+ secret:
+ secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 8fbd639c73..5065366b82 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
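Review bot: The kube-rbac-proxy container added under `containers:` checks each scrape against the API server, which, as far as I know, needs the pod's service account (`olm-operator-serviceaccount`) to be allowed to create TokenReviews and SubjectAccessReviews; nothing in this commit grants or documents that. If the existing role already covers it, a comment above the container such as `# relies on olm-operator-serviceaccount being able to create tokenreviews and subjectaccessreviews` would keep the dependency visible; otherwise the binding needs adding. The same container is added in 0000_50_olm_06-psm-operator.deployment.yaml and in the heredoc in scripts/generate_crds_manifests.sh.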
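Review bot: `--metrics=:9090` in the package-server-manager args makes the manager listen on every interface of the pod, so the plaintext, unauthenticated endpoint stays reachable on the pod IP beside the kube-rbac-proxy listener on 8443. The proxy only needs loopback, since its upstream is `http://127.0.0.1:9090/`, so the argument should be `- "--metrics=127.0.0.1:9090"`. The same argument is added in 0000_50_olm_06-psm-operator.deployment.yaml and in scripts/generate_crds_manifests.sh and needs the same change. Whether a NetworkPolicy outside this diff already blocks port 9090 cannot be seen here.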
@@ -28,6 +28,32 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:9090/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --logtostderr=true
+ image: quay.io/openshift/origin-kube-rbac-proxy:latest
+ imagePullPolicy: IfNotPresent
+ name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -43,6 +69,7 @@ spec:
 - $(PACKAGESERVER_NAMESPACE)
 - --interval
 - $(PACKAGESERVER_INTERVAL)
+ - "--metrics=:9090"
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -90,3 +117,7 @@ spec:
 key: node.kubernetes.io/not-ready
 operator: Exists
 tolerationSeconds: 120
+ volumes:
+ - name: package-server-manager-serving-cert
+ secret:
+ secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.service.yaml b/manifests/0000_50_olm_06-psm-operator.service.yaml
new file mode 100644
index 0000000000..e0a180a2df
--- /dev/null
+++ b/manifests/0000_50_olm_06-psm-operator.service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+spec:
+ ports:
+ - name: metrics
+ port: 8443
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app: package-server-manager
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml b/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
new file mode 100644
index 0000000000..8fead98be1
--- /dev/null
+++ b/manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml
@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: package-server-manager-metrics
+ namespace: openshift-operator-lifecycle-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: metrics
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc
+ namespaceSelector:
+ matchNames:
+ - openshift-operator-lifecycle-manager
+ selector: {}
diff --git a/manifests/image-references b/manifests/image-references
index 0b2fd1f5de..09f0cde4d1 100644
--- a/manifests/image-references
+++ b/manifests/image-references
@@ -10,3 +10,7 @@ spec:
 from:
 kind: DockerImage
 name: quay.io/operator-framework/configmap-operator-registry:latest
+ - name: kube-rbac-proxy
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-kube-rbac-proxy:latest
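Review bot: The new Service requests its serving certificate through the `service.alpha.openshift.io/serving-cert-secret-name` annotation; as far as I know the alpha key is kept only for compatibility and the beta key is the current form. I would write it as `service.beta.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert`. The heredoc for this Service in scripts/generate_crds_manifests.sh uses the same alpha key.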
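Review bot: `selector: {}` in the ServiceMonitor matches every Service in `openshift-operator-lifecycle-manager`, so any other Service there with a port named `metrics` would be scraped with this endpoint's `serverName` and bearer token. Narrowing it to `selector: {matchLabels: {app: package-server-manager}}` and putting the same label under `metadata.labels` of the package-server-manager-metrics Service (which carries no labels in this commit) keeps the scrape pointed at the one intended target. The heredoc in scripts/generate_crds_manifests.sh has the same empty selector.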
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index 1de8cdc477..dafa3f3056 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -106,6 +106,10 @@ spec: from: kind: DockerImage name: quay.io/operator-framework/configmap-operator-registry:latest + - name: kube-rbac-proxy + from: + kind: DockerImage + name: quay.io/openshift/origin-kube-rbac-proxy:latest EOF cat << EOF > manifests/0000_50_olm_06-psm-operator.deployment.yaml @@ -138,6 +142,32 @@ spec: serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:9090/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --logtostderr=true + image: quay.io/openshift/origin-kube-rbac-proxy:latest + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + ports: + - containerPort: 8443 + name: metrics + protocol: TCP + resources: + requests: + memory: 20Mi + cpu: 10m + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/tls/private + name: package-server-manager-serving-cert - name: package-server-manager securityContext: allowPrivilegeEscalation: false @@ -153,6 +183,7 @@ spec: - \$(PACKAGESERVER_NAMESPACE) - --interval - \$(PACKAGESERVER_INTERVAL) + - "--metrics=:9090" image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent env: 
@@ -200,6 +231,54 @@ spec: key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 120 + volumes: + - name: package-server-manager-serving-cert + secret: + secretName: package-server-manager-serving-cert +EOF + +cat << EOF > manifests/0000_50_olm_06-psm-operator.service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + include.release.openshift.io/self-managed-high-availability: "true" + service.alpha.openshift.io/serving-cert-secret-name: package-server-manager-serving-cert + name: package-server-manager-metrics + namespace: openshift-operator-lifecycle-manager +spec: + ports: + - name: metrics + port: 8443 + protocol: TCP + targetPort: metrics + selector: + app: package-server-manager + sessionAffinity: None + type: ClusterIP +EOF + +cat << EOF > manifests/0000_50_olm_06-psm-operator.servicemonitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: package-server-manager-metrics + namespace: openshift-operator-lifecycle-manager + annotations: + include.release.openshift.io/self-managed-high-availability: "true" +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + port: metrics + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + serverName: package-server-manager-metrics.openshift-operator-lifecycle-manager.svc + namespaceSelector: + matchNames: + - openshift-operator-lifecycle-manager + selector: {} EOF cat << EOF > manifests/0000_50_olm_00-pprof-config.yaml
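Review bot: The Service and ServiceMonitor heredocs omit the `include.release.openshift.io/ibm-cloud-managed: "true"` annotation that the checked-in 0000_50_olm_06-psm-operator.service.yaml and 0000_50_olm_06-psm-operator.servicemonitor.yaml carry, so the generator and its committed output disagree. Unless a later step of the script, outside this hunk, adds the annotation, the next regeneration would drop both objects from the ibm-cloud-managed profile while the ibm-cloud-managed Deployment still mounts the `package-server-manager-serving-cert` secret that the Service annotation requests. Adding `include.release.openshift.io/ibm-cloud-managed: "true"` to both `annotations:` blocks in the heredocs would keep them in step.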