diff --git a/internal/cmd/helm-operator/run/cmd.go b/internal/cmd/helm-operator/run/cmd.go
index 4400ac98bb..0ae71a1ab5 100644
--- a/internal/cmd/helm-operator/run/cmd.go
+++ b/internal/cmd/helm-operator/run/cmd.go
@@ -83,6 +83,7 @@ func NewCmd() *cobra.Command {
 
 	f.AddTo(cmd.Flags())
 	cmd.Flags().AddGoFlagSet(zapfs)
+	cmd.MarkFlagsRequiredTogether("metrics-secure", "metrics-authn-authz")
 	return cmd
 }
 
diff --git a/internal/helm/flags/flag.go b/internal/helm/flags/flag.go
index 189391f4bc..3ef7c0142a 100644
--- a/internal/helm/flags/flag.go
+++ b/internal/helm/flags/flag.go
@@ -22,6 +22,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
@@ -38,6 +39,7 @@ type Flags struct {
 	SuppressOverrideValues  bool
 	EnableHTTP2             bool
 	SecureMetrics           bool
+	MetricsAuthNAuthZ       bool
 
 	// If not nil, used to deduce which flags were set in the CLI.
 	flagSet *pflag.FlagSet
@@ -76,14 +78,16 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in
 	// TODO(2.0.0): remove
 	flagSet.StringVar(&f.MetricsBindAddress,
 		"metrics-addr",
-		":8080",
-		"The address the metric endpoint binds to",
+		"0",
+		"The address the metrics endpoint binds to. "+
+			"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.",
 	)
 	_ = flagSet.MarkDeprecated("metrics-addr", "use --metrics-bind-address instead")
 	flagSet.StringVar(&f.MetricsBindAddress,
 		"metrics-bind-address",
-		":8080",
-		"The address the metric endpoint binds to",
+		"0",
+		"The address the metrics endpoint binds to. "+
+			"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.",
 	)
 	// TODO(2.0.0): for Go/Helm the port used is: 8081
 	// update it to keep the project aligned to the other
@@ -133,6 +137,10 @@ see https://github.com/kubernetes-sigs/controller-runtime/issues/895 for more in
 		false,
 		"enables secure serving of the metrics endpoint",
 	)
+	flagSet.BoolVar(&f.MetricsAuthNAuthZ,
+		"metrics-authn-authz",
+		false,
+		"enables protection of the metrics endpoint with authn/authz")
 }
 
 // ToManagerOptions uses the flag set in f to configure options.
@@ -179,5 +187,13 @@ func (f *Flags) ToManagerOptions(options manager.Options) manager.Options {
 	}
 	options.Metrics.SecureServing = f.SecureMetrics
 
+	if f.MetricsAuthNAuthZ {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		options.Metrics.FilterProvider = filters.WithAuthenticationAndAuthorization
+	}
+
 	return options
 }
diff --git a/internal/helm/flags/flag_test.go b/internal/helm/flags/flag_test.go
index aa6d2392af..e2e3db6d65 100644
--- a/internal/helm/flags/flag_test.go
+++ b/internal/helm/flags/flag_test.go
@@ -52,7 +52,7 @@ var _ = Describe("Flags", func() {
 		})
 		When("the flag is not set", func() {
 			It("uses the default flag value when corresponding option value is empty", func() {
-				expOptionValue := ":8080"
+				expOptionValue := "0"
 				options.Metrics.BindAddress = ""
 				parseArgs(flagSet)
 				Expect(f.ToManagerOptions(options).Metrics.BindAddress).To(Equal(expOptionValue))
diff --git a/internal/plugins/helm/v1/init.go b/internal/plugins/helm/v1/init.go
index eeca7d2f28..546b72be43 100644
--- a/internal/plugins/helm/v1/init.go
+++ b/internal/plugins/helm/v1/init.go
@@ -179,6 +179,7 @@ func (p *initSubcommand) PostScaffold() error {
 // addInitCustomizations will perform the required customizations for this plugin on the common base
 func addInitCustomizations(projectName string) error {
 	managerFile := filepath.Join("config", "manager", "manager.yaml")
+	managerMetricsPatch := filepath.Join("config", "default", "manager_metrics_patch.yaml")
 
 	// todo: we ought to use afero instead. Replace this methods to insert/update
 	// by https://github.com/kubernetes-sigs/kubebuilder/pull/2119
@@ -200,6 +201,27 @@ func addInitCustomizations(projectName string) error {
 		return err
 	}
 
+	// Enable the proper auth/metrics flags for helm
+	err = util.ReplaceInFile(managerMetricsPatch,
+		`# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443`, `# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443
+# This patch adds the args to allow securing the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-secure
+# This patch adds the args to allow authn/authz the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-authn-authz`)
+	if err != nil {
+		return err
+	}
+
 	if err := sdkpluginutil.UpdateKustomizationsInit(); err != nil {
 		return fmt.Errorf("error updating kustomization.yaml files: %v", err)
 	}
diff --git a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
index 9464d19fb5..1920679af7 100644
--- a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
+++ b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -267,6 +267,8 @@ spec:
             spec:
               containers:
               - args:
+                - --metrics-authn-authz
+                - --metrics-secure
                 - --metrics-bind-address=:8443
                 - --leader-elect
                 - --leader-election-id=memcached-operator
diff --git a/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml b/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
index 2aaef6536f..f41cdc5e0c 100644
--- a/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
+++ b/testdata/helm/memcached-operator/config/default/manager_metrics_patch.yaml
@@ -2,3 +2,11 @@
 - op: add
   path: /spec/template/spec/containers/0/args/0
   value: --metrics-bind-address=:8443
+# This patch adds the args to allow securing the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-secure
+# This patch adds the args to allow authn/authz the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-authn-authz